Running processes, tasks, and applications

Identifying which processes, tasks, and applications are running on a system is important to both host and network security. Whilst malicious entities may attempt to disguise their activities (for example by naming a process after a legitimate system component), a good knowledge of what ordinarily runs on the system provides a baseline against which unexpected processes, and therefore possible malware, can be identified.

If there is direct access to the running machine, the built-in process viewer can be used to identify what is running on the system (Task Manager on Windows, System Monitor on GNOME-based Linux desktops, or Activity Monitor on macOS). From a command-line session (for example over SSH), the Windows tasklist command (or Get-Process in PowerShell) and ps -e (or ps aux) on Linux and macOS provide similar functionality, and their text output is easy to capture and compare against a known-good snapshot.
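The following is an added example, not code from the original text, showing how a captured process listing can be compared against a known-good baseline. The listings are constructed samples in the format printed by `ps -e` (Linux and macOS) and `tasklist` (Windows); on a real host you would capture them with the commands above and keep the baseline from a clean build.

```python
"""Compare a process listing against a known-good baseline (added example).

The sample listings below are constructed to look like `ps -e` and
`tasklist` output; they are not captured from a real host.
"""
import re

# Constructed sample: `ps -e` output captured on a known-good build.
BASELINE_PS = """\
  PID TTY          TIME CMD
    1 ?        00:00:03 systemd
  412 ?        00:00:00 sshd
  513 ?        00:00:10 cron
  640 ?        00:00:07 nginx
"""

# Constructed sample: a later `ps -e` snapshot from the same host.
CURRENT_PS = """\
  PID TTY          TIME CMD
    1 ?        00:00:03 systemd
  412 ?        00:00:00 sshd
  640 ?        00:00:07 nginx
 2231 ?        00:01:42 kworker_xyz
 2244 pts/0    00:00:00 nc
"""

# Constructed sample: Windows `tasklist` output (image names may contain spaces).
SAMPLE_TASKLIST = """\
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System Idle Process              0 Services                   0          8 K
System                           4 Services                   0      1,236 K
svchost.exe                    912 Services                   0     12,340 K
powershell.exe                4120 Console                    1     61,004 K
"""


def parse_ps(text):
    """Return {command: [pids]} from `ps -e` output; the first line is a header."""
    procs = {}
    for line in text.splitlines()[1:]:
        parts = line.split(None, 3)  # PID TTY TIME CMD
        if len(parts) < 4:
            continue
        procs.setdefault(parts[3], []).append(int(parts[0]))
    return procs


# Image name (may contain spaces), PID, session name, session number.
_TASKLIST_ROW = re.compile(r"^(.+?)\s+(\d+)\s+(\S+)\s+(\d+)\s+")


def parse_tasklist(text):
    """Return {image name: [pids]} from `tasklist` output.

    Header and separator lines contain no PID column and do not match."""
    procs = {}
    for line in text.splitlines():
        m = _TASKLIST_ROW.match(line)
        if m:
            procs.setdefault(m.group(1), []).append(int(m.group(2)))
    return procs


def diff_against_baseline(baseline, current):
    """Return (unexpected, missing): process names only in `current`,
    and names from the baseline that are no longer running."""
    unexpected = sorted(set(current) - set(baseline))
    missing = sorted(set(baseline) - set(current))
    return unexpected, missing


def report(baseline, current):
    """Human-readable summary of the comparison."""
    unexpected, missing = diff_against_baseline(baseline, current)
    lines = []
    for name in unexpected:
        lines.append(f"UNEXPECTED {name} pid={current[name]}")
    for name in missing:
        lines.append(f"MISSING    {name} (was pid={baseline[name]})")
    return lines or ["no differences from baseline"]


if __name__ == "__main__":
    for line in report(parse_ps(BASELINE_PS), parse_ps(CURRENT_PS)):
        print(line)
    print(parse_tasklist(SAMPLE_TASKLIST))
```

A name-only comparison is deliberately coarse: it catches a new `nc` listener or a process that stopped, but not a legitimate binary replaced in place, so it complements rather than replaces file-integrity checking.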

In some distributed models (for example, Citrix), unified application monitoring tools may be included, which aggregate this information from many hosts and report it back to a central or remote monitoring console.

If direct access is not possible (or is unwarranted), information about running applications can still be inferred from the network traffic. Port numbers and protocols can hint at the kind of application that is being run, albeit only a general hint, since any application can be bound to any port. Mechanisms such as Cisco's Network-Based Application Recognition (NBAR), which uses deep packet inspection, can identify the layer-seven protocol and give better insight into the source application. This is particularly useful for BYOD environments where monitoring software cannot be installed on the devices by the systems administrators. Note that deep packet inspection sees progressively less as traffic is encrypted end to end, although handshake metadata such as the TLS Server Name Indication (SNI) and certificate details often still identify the service being contacted.
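To make the difference between a port-number hint and a payload-based (layer-seven) identification concrete, here is an added example that is not from the original text and is not NBAR itself: a small classifier that looks at the destination port and at the first bytes of a TCP payload. The flows, addresses and payload bytes are constructed samples; in practice they would come from a packet capture or a flow collector.

```python
"""Port hint versus crude layer-7 fingerprint for TCP flows (added example).

This is a deliberately small stand-in for what a deep packet inspection
engine such as NBAR does; it recognises only SSH, TLS and HTTP.
"""

# Well-known destination ports and the application they usually imply.
# This is only a hint: nothing stops an attacker from binding anything here.
PORT_HINTS = {22: "ssh", 53: "dns", 80: "http", 443: "tls", 3389: "rdp"}

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")


def classify_payload(data):
    """Identify the protocol from the first payload bytes; None if unknown."""
    # SSH clients and servers both start with an identification string.
    if data.startswith(b"SSH-"):
        return "ssh"
    # TLS record header: content type 0x16 (handshake), version 0x03 0x00..0x04.
    if len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03 and data[2] <= 0x04:
        return "tls"
    if any(data.startswith(m) for m in HTTP_METHODS):
        return "http"
    return None


def analyse_flow(dst_port, payload):
    """Combine the port hint with the payload fingerprint into a verdict."""
    hint = PORT_HINTS.get(dst_port)
    observed = classify_payload(payload)
    if observed is None:
        verdict = "unclassified"      # only the port hint is available
    elif hint is None:
        verdict = "payload only"      # unusual port, but the protocol is known
    elif observed == hint:
        verdict = "consistent"
    else:
        verdict = "mismatch"          # e.g. SSH tunnelled over port 443
    return {"port": dst_port, "hint": hint, "observed": observed, "verdict": verdict}


# Constructed sample flows: (source address, destination port, first payload bytes).
SAMPLE_FLOWS = [
    ("10.0.0.5", 443, b"\x16\x03\x01\x00\xc4\x01\x00\x00\xc0\x03\x03" + b"\x00" * 10),
    ("10.0.0.7", 443, b"SSH-2.0-OpenSSH_9.6\r\n"),
    ("10.0.0.9", 8443, b"\x16\x03\x03\x00\x50\x01\x00\x00\x4c"),
    ("10.0.0.11", 80, b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    ("10.0.0.13", 4444, b"\x00\x01\x02"),
]


def mismatches(flows):
    """Source addresses whose payload contradicts the port-number hint."""
    return [src for src, port, data in flows
            if analyse_flow(port, data)["verdict"] == "mismatch"]


if __name__ == "__main__":
    for src, port, data in SAMPLE_FLOWS:
        print(src, analyse_flow(port, data))
    print("suspicious sources:", mismatches(SAMPLE_FLOWS))
```

The flow from 10.0.0.7 is the interesting one: port 443 alone would have logged it as HTTPS, while the payload shows an SSH session, which is a common way of tunnelling out of a network that only permits web traffic.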
