Title :
Implementation of program behavior anomaly detection and protection using hook technology
Author :
Shen Jianfang ; Cheng Lianglun ; Fu Xiufen
Author_Institution :
Fac. of Comput., Guangdong Univ. of Technol., Guangzhou
Abstract :
Windows is a message-based operating system built on an event-driven mechanism, and a hook is a surveillance point in its message-processing mechanism. In this paper we use Windows kernel technology: by hooking the system service table to replace native API entries, we detect process and thread behavior and realize detection and protection of the registry, files and processes. A program behavior anomaly detection and protection system is designed and implemented on the Windows operating system. Hooks and the key techniques of hooking are introduced, followed by the system framework and the key technology of this system. Finally, the experimental results validate the feasibility and availability of the system.
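The abstract describes replacing entries of the kernel's system service table so that a wrapper sees every call to a native API before the real routine runs. The following C program is an added, user-mode model of that mechanism written for this page; it is not the paper's code and does not reproduce the Windows kernel's actual table layout. A toy dispatch table stands in for the service table, the service numbers and routine names are assumed, and the protected registry path is a constructed example. What the model does show is the part of the technique that carries the security behaviour: save the original pointer, install a wrapper, have the wrapper enforce a policy and chain to the original, and restore the table on unload.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* User-mode simulation of service-table hooking (added example, not the
 * paper's code). Service numbers and routine names below are assumed for
 * the toy table and are not real Windows system service indices. */

typedef long ntstatus_sim;
#define STATUS_SUCCESS_SIM        0L
#define STATUS_ACCESS_DENIED_SIM  ((long)0xC0000022)  /* value of the real STATUS_ACCESS_DENIED */
#define STATUS_INVALID_SVC_SIM    ((long)0xC000001C)  /* value of the real STATUS_INVALID_SYSTEM_SERVICE */

/* Every service routine in the toy table shares one signature. */
typedef ntstatus_sim (*service_fn)(const char *path, const char *value);

enum { SVC_SET_VALUE_KEY = 0, SVC_DELETE_KEY = 1, SVC_COUNT = 2 };

static int g_original_calls = 0;  /* how often the real routines ran */
static int g_blocked_calls  = 0;  /* how often the hook denied a call */

/* Stand-ins for the native registry routines. */
static ntstatus_sim orig_set_value_key(const char *path, const char *value) {
    (void)path; (void)value;
    g_original_calls++;
    return STATUS_SUCCESS_SIM;
}
static ntstatus_sim orig_delete_key(const char *path, const char *value) {
    (void)path; (void)value;
    g_original_calls++;
    return STATUS_SUCCESS_SIM;
}

/* The "service table": indexed by service number, holds routine pointers. */
static service_fn g_service_table[SVC_COUNT] = { orig_set_value_key, orig_delete_key };

/* Originals saved at hook time, so the wrapper can chain and unhook can restore. */
static service_fn g_saved[SVC_COUNT];

/* Constructed policy: writes under the Run key (a classic persistence target) are denied. */
static const char PROTECTED_PREFIX[] = "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run";

static int is_protected(const char *path) {
    return path != NULL &&
           strncmp(path, PROTECTED_PREFIX, sizeof(PROTECTED_PREFIX) - 1) == 0;
}

/* Wrapper installed in place of the SetValueKey entry: inspect, decide, chain. */
static ntstatus_sim hook_set_value_key(const char *path, const char *value) {
    if (is_protected(path)) {
        g_blocked_calls++;
        printf("[hook] denied SetValueKey %s = %s\n", path, value ? value : "(null)");
        return STATUS_ACCESS_DENIED_SIM;
    }
    return g_saved[SVC_SET_VALUE_KEY](path, value);  /* allowed: call the original */
}

/* Returns 1 if the hook was installed, 0 if it was already present. */
int install_hooks(void) {
    if (g_saved[SVC_SET_VALUE_KEY] != NULL) return 0;
    g_saved[SVC_SET_VALUE_KEY] = g_service_table[SVC_SET_VALUE_KEY];
    g_service_table[SVC_SET_VALUE_KEY] = hook_set_value_key;
    return 1;
}

/* Returns 1 if the original entry was restored, 0 if nothing was hooked. */
int remove_hooks(void) {
    if (g_saved[SVC_SET_VALUE_KEY] == NULL) return 0;
    g_service_table[SVC_SET_VALUE_KEY] = g_saved[SVC_SET_VALUE_KEY];
    g_saved[SVC_SET_VALUE_KEY] = NULL;
    return 1;
}

/* Simulated system-call dispatch: look the service number up and call it. */
ntstatus_sim dispatch(int svc, const char *path, const char *value) {
    if (svc < 0 || svc >= SVC_COUNT) return STATUS_INVALID_SVC_SIM;
    return g_service_table[svc](path, value);
}

int blocked_count(void)  { return g_blocked_calls; }
int original_count(void) { return g_original_calls; }

int main(void) {
    install_hooks();
    dispatch(SVC_SET_VALUE_KEY, "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater", "C:\\Temp\\u.exe");
    dispatch(SVC_SET_VALUE_KEY, "HKCU\\Software\\ExampleApp\\Setting", "1");
    dispatch(SVC_DELETE_KEY, "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", NULL);
    remove_hooks();
    printf("blocked=%d original=%d\n", blocked_count(), original_count());
    return 0;
}
```

Two points separate this model from the real kernel. The table the paper hooks is write-protected memory, so an in-kernel implementation has to lift write protection around the swap and perform it atomically with respect to other processors; and on 64-bit Windows the service table holds encoded offsets rather than raw pointers and is covered by Kernel Patch Protection, which is why this class of hooking is confined in practice to the 32-bit systems the paper targets, with kernel callbacks and filter drivers being the supported route today.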
Keywords :
operating system kernels; security of data; Hook Service Table; Hook technology; Windows kernel technology; Windows operating system; Windows system; anomaly detection; anomaly protection; message processing; program behavior; registry detection; registry protection; surveillance point; Automation; Kernel; Mobile communication; Mobile computing; Monitoring; Operating systems; Protection; Surveillance; Viruses (medical); Hook and Hook API; kernel; process and thread; system service;
Conference_Titel :
Communications and Mobile Computing, 2009. CMC '09. WRI International Conference on
Conference_Location :
Yunnan
Print_ISBN :
978-0-7695-3501-2
DOI :
10.1109/CMC.2009.225