Intrusion resilient applications

The invention claimed is: 1. A method comprising: receiving notification of an intrusion event in relation to an application from an intrusion detection system; accessing state data in relation to a state of the application prior to the intrusion event, the state data having been stored on the basis of a change of state of the application; accessing a policy to be applied to the state data in response to the intrusion event; modifying the state data on the basis of the policy to minimize future intrusions; and restoring the application on the basis of the modified state data. 2. The method of claim 1 , wherein modifying the state data on the basis of the policy comprises applying mitigation actions to the application in response to an intrusion event. 3. The method of claim 2 , comprising receiving data specifying characteristics of the intrusion event. 4. The method of claim 3 , wherein the mitigation actions to be applied to the application are determined on the basis of the characteristics of the intrusion event. 5. The method of claim 2 , wherein mitigation actions comprise: disabling features of the application, preventing access to data utilised by the application, disabling processes executed by the application and enabling additional safety checks in the application. 6. The method of claim 1 comprising: determining a change of state of the application; and storing state data in response to the change of state of the application. 7. The method of claim 6 , comprising, ceasing storage of state data in response to changes of state of the application, in response to receipt of notification of an intrusion event. 8. The method of claim 6 , wherein changes of state of the application are determined on the basis of an evaluation of a source code of the application. 9. An apparatus for restoring an application executing on a computing system, the apparatus comprising: a state data storage arranged to store state data in cooperation with the application, on the basis of changes of states of the application during execution; an intrusion detection system arranged to monitor the application for anomalous activity; and a state restoration component communicatively coupled to the intrusion detection system and state data storage, arranged to: receive notification of an intrusion event from the intrusion detection system; access state data corresponding to a state of the application prior to the intrusion event; apply mitigation actions to the state data to minimize future intrusions; and restore the application on the basis of the state data and mitigation actions. 10. The apparatus of claim 9 , wherein the state restoration component is arranged to access a threat mitigation policy specifying mitigation actions to apply based on characteristics of the intrusion event. 11. The apparatus of claim 9 , wherein the intrusion detection system is arranged to perform: control flow integrity monitoring, anti-virus scanning, execution of stack cookies. 12. The apparatus of claim 9 , comprising a state uploading component, arranged to: determine a change of state of the application; and communicate state data to the state data storage in response to the change of state of the application. 13. The apparatus of claim 9 , wherein the state restoration component is arranged to prevent processing of state data subsequent to a detection of an intrusion event. 14. The apparatus of claim 12 , wherein the state uploading component is implemented as an application programming interface in conjunction with the application. 15. A non-transitory machine-readable storage medium encoded with instructions executable by a processor, to: detect an intrusion event relating to a process; determine state data corresponding to previous states of the process prior to the intrusion event; generate modified state data by applying mitigation actions in response to the intrusion event to minimize future intrusions; and restore the process on the basis of the modified state data.