An Evaluation of API Calls Hooking Performance

An open research question in malware detection is how to accurately and reliably distinguish a malware program from a benign one, running on the same machine. In contrast to code signatures, which are commonly used in commercial protection software, signatures derived from system calls have the pote...

Full description

Saved in:
Bibliographic Details
Main Authors: Marhusin, M.F., Larkin, H., Lokan, C., Cornforth, D.
Format: Conference Proceeding
Language:English
Subjects:
API sequence
Australia
Computational intelligence
Computer performance
Computerized monitoring
Condition monitoring
Degradation
Intrusion detection
Malicious code
malware detection
Operating systems
Protection
Security
system call
Online Access:Request full text
Tags: Add Tag
No Tags, Be the first to tag this record!
Description
Summary:An open research question in malware detection is how to accurately and reliably distinguish a malware program from a benign one, running on the same machine. In contrast to code signatures, which are commonly used in commercial protection software, signatures derived from system calls have the potential to form the basis of a much more flexible defense mechanism. However, the performance degradation caused by monitoring systems calls could adversely impact the machine. In this paper we report our experimental experience in implementing API hooking to capture sequences of API calls. The loading time often common programs was benchmarked with three different settings: plain, computer with antivirus and computer with API hook. Results suggest that the performance of this technique is sufficient to provide a viable approach to distinguishing between benign and malware code execution.
DOI:10.1109/CIS.2008.199