The goal of the Application Characterization project was to develop a methodology for dynamically characterizing applications by observing their interaction with the system. To detect clandestine functionality, a profile of a "standard" application of a specific type is needed. For this project, an application's profile was built by monitoring the frequency of calls it made to different functions within the Microsoft Windows operating system. The profile consists of the relative frequencies of the calls made to each individual function and to each category of function. These profiles were averaged across applications of a given type, such as text editors, to produce a model of a typical application of that type. The detector measures the Euclidean distance between the metrics measured from an unknown application and the various models. As a proof of concept, we used the detector to detect spyware embedded in common text editors.
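The following is an added example, not code from the project, showing the profiling and distance measurement described above on constructed call traces. The function-to-category mapping, the trace contents, and the anomaly threshold are assumptions chosen for illustration.

```python
from collections import Counter
import math

# Constructed mapping of Windows API functions to categories (assumption,
# chosen for illustration; the project's real categories are not given here).
CATEGORY = {
    "CreateFileW": "file", "ReadFile": "file", "WriteFile": "file",
    "RegOpenKeyExW": "registry", "connect": "network", "send": "network",
    "GetAsyncKeyState": "input",
}
FUNCTIONS = sorted(CATEGORY)
CATEGORIES = sorted(set(CATEGORY.values()))

def feature_vector(trace):
    """Relative frequency of each function, then of each category, in one trace."""
    total = len(trace)
    fn = Counter(trace)
    cat = Counter(CATEGORY[f] for f in trace)
    return ([fn[f] / total for f in FUNCTIONS] +
            [cat[c] / total for c in CATEGORIES])

def build_profile(traces):
    """Average the feature vectors of several applications of one type."""
    vectors = [feature_vector(t) for t in traces]
    return [sum(col) / len(vectors) for col in zip(*vectors)]

def euclidean(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))

def distances(trace, profiles):
    """Euclidean distance from an unknown application to every model."""
    v = feature_vector(trace)
    return {name: euclidean(v, p) for name, p in profiles.items()}

def is_anomalous(trace, profiles, claimed_type, threshold=0.5):
    """Flag an application that is far from the profile of its claimed type."""
    return distances(trace, profiles)[claimed_type] > threshold

# Constructed call traces (not real captures): two clean editors, a chat
# client, and an editor with embedded keystroke capture and network activity.
EDITOR_A = ["CreateFileW", "ReadFile", "ReadFile", "WriteFile", "WriteFile"] * 4
EDITOR_B = ["CreateFileW", "ReadFile", "WriteFile", "RegOpenKeyExW"] * 5
CHAT_CLIENT = ["connect", "send", "send", "ReadFile"] * 5
SPYWARE_EDITOR = EDITOR_A + ["GetAsyncKeyState"] * 12 + ["connect", "send"] * 4

PROFILES = {
    "text_editor": build_profile([EDITOR_A, EDITOR_B]),
    "chat_client": build_profile([CHAT_CLIENT]),
}
```

With these traces the clean editor sits about 0.24 from the text-editor model while the spyware-laden editor sits about 0.68 away, so a threshold of 0.5 separates them; the threshold itself must be tuned against the spread of the training set, which the averaged profile does not capture.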
