• DocumentCode
    1452167
  • Title
    A Native APIs Protection Mechanism in the Kernel Mode against Malicious Code
  • Author
    Sun, Hung-Min ; Wang, Hsun ; Wang, King-Hang ; Chen, Chien-Ming
  • Author_Institution
    Dept. of Comput. Sci., Nat. Tsing Hua Univ., Hsinchu, Taiwan
  • Volume
    60
  • Issue
    6
  • fYear
    2011
  • fDate
    6/1/2011 12:00:00 AM
  • Firstpage
    813
  • Lastpage
    823
  • Abstract
    As new vulnerabilities on Windows systems are reported endlessly, it is more practical to stop polymorphic malicious code from exploiting these vulnerabilities by building a behavior-based monitor, rather than adopting a signature-based detection system or fixing these vulnerabilities. Many behavior-based monitors have been proposed for Windows systems to serve this purpose. Some of them hook high-level system APIs to detect the suspicious behaviors of code. However, they cannot detect malicious code that directly invokes Native APIs. In this paper, we present a novel security scheme that hooks Native APIs in the kernel mode. This method effectively prevents malicious code from calling Native APIs directly. It introduces an average computation overhead of eight percent into the system. Analyses and a series of experiments are given in the paper to support our claims.
  • Keywords
    application program interfaces; security of data; Windows systems; behavior-based monitor; kernel mode; native API protection mechanism; polymorphic malicious code; Computer crashes; Computers; Driver circuits; Kernel; Linux; Monitoring; API hooking; Windows API; code injection
  • fLanguage
    English
  • Journal_Title
    Computers, IEEE Transactions on
  • Publisher
    ieee
  • ISSN
    0018-9340
  • Type
    jour
  • DOI
    10.1109/TC.2011.46
  • Filename
    5714686