Policy-based detection of anomalous control and data flow paths in an application program

Having described our invention, what we claim is as follows: 1. A method for detecting anomalous behavior of an application program, comprising: receiving trace data generated from multiple invocations of the application program; based at least in part on the received trace data, building a baseline provenance graph that models a normal control flow or data flow in the application program, and that identifies any path within a control flow or data flow that involves sensitive data or computation, wherein at least one edge in the baseline provenance graph has at least one or more first confidence values associated with a probability of that edge being traversed; during runtime execution of the application program against a policy, wherein the policy is one of: a security policy, a compliance policy and a network policy, receiving log data; using the received log data to assign second confidence values to at least one of the control or data flows with respect to the policy; and identifying that the at least one edge is anomalous by comparing the assigned second confidence values with the at least one or more first confidence values, the edge identified as anomalous representing the anomalous behavior; and responsive to detecting the anomalous behavior, taking a further corrective action. 2. The method as described in claim 1 further including building a program execution provenance graph associated with the policy and that includes the control or data flows and their assigned confidence values. 3. The method as described in claim 2 wherein the program execution provenance graph is built using machine learning. 4. The method as described in claim 3 further including adjusting a confidence value assigned to a given control or data flow based on the machine learning. 5. The method as described in claim 1 wherein the baseline provenance graph comprises a control flow graph, and a data flow graph. 6. The method as described in claim 2 further including reporting an application program behavior anomaly identified from the program execution provenance graph. 7. An apparatus for detecting anomalous behavior of an application program, comprising: a processor; computer memory holding computer program instructions executed by the processor, the computer program configured to: receive trace data generated from multiple invocations of the application program; based at least in part on the received trace data, build a baseline provenance graph that models a normal control flow or data flow in the application program, and that identifies any path within a control flow or data flow that involves sensitive data or computation, wherein at least one edge in the baseline provenance graph has at least one or more first confidence values associated with a probability of that edge being traversed; during runtime execution of the application program against a policy, wherein the policy is one of: a security policy, a compliance policy and a network policy, receive log data; use the received log data to assign second confidence values to at least one of the control or data flows with respect to the policy; and identify that the at least one edge is anomalous by comparing the assigned second confidence values with the at least one or more first confidence values, the edge identified as anomalous representing the anomalous behavior; and responsive to detecting the anomalous behavior, take a further corrective action. 8. The apparatus as described in claim 7 wherein the computer program instructions are further configured to build a program execution provenance graph associated with the policy and that includes the control or data flows and their assigned confidence values. 9. The apparatus as described in claim 8 wherein the program execution provenance graph is built using machine learning. 10. The apparatus as described in claim 9 wherein the computer program instructions are further configured to adjust a confidence value assigned to a given control or data flow based on the machine learning. 11. The apparatus as described in claim 7 wherein the baseline provenance graph comprises a control flow graph, and a data flow graph. 12. The apparatus as described in claim 8 wherein the computer program instructions are further configured to report an application program behavior anomaly identified from the program execution provenance graph. 13. A computer program product in a non-transitory computer readable medium for use in a data processing system for detecting anomalous behavior of an application program the computer program product holding computer program instructions that, when executed by the data processing system, are configured to: receive trace data generated from multiple invocations of the application program; based at least in part on the received trace data, build a baseline provenance graph that models a normal control flow or data flow in the application program, and that identifies any path within a control flow or data flow that involves sensitive data or computation, wherein at least one edge in the baseline provenance graph has at least one or more first confidence values associated with a probability of that edge being traversed; during runtime execution of the application program against a policy, wherein the policy is one of: a security policy, a compliance policy and a network policy, receive log data; use the received log data to assign second confidence values to at least one of the control or data flows with respect to the policy; identify that the at least one edge is anomalous by comparing the assigned second confidence values with the at least one or more first confidence values, the edge identified as anomalous representing the anomalous behavior; and responsive to detecting the anomalous behavior, take a further corrective action. 14. The computer program product as described in claim 13 wherein the computer program instructions are further configured to build a program execution provenance graph associated with the policy and that includes the control or data flows and their assigned confidence values. 15. The computer program product as described in claim 14 wherein the program execution provenance graph is built using machine learning. 16. The computer program product as described in claim 15 wherein the computer program instructions are further configured to adjust a confidence value assigned to a given control or data flow based on the machine learning. 17. The computer program product as described in claim 13 wherein the baseline provenance graph comprises a control flow graph, and a data flow graph. 18. The computer program product as described in claim 14 wherein the computer program instructions are further configured to report an application program behavior anomaly identified from the program execution provenance graph.