Title :
An Evaluation of API Calls Hooking Performance
Author :
Marhusin, Mohd Fadzli ; Larkin, Henry ; Lokan, Chris ; Cornforth, David
Author_Institution :
Australian Defence Force Acad., Univ. of New South Wales, ACT, Australia
Abstract :
An open research question in malware detection is how to accurately and reliably distinguish a malware program from a benign one running on the same machine. In contrast to code signatures, which are commonly used in commercial protection software, signatures derived from system calls have the potential to form the basis of a much more flexible defense mechanism. However, the performance degradation caused by monitoring system calls could adversely impact the machine. In this paper we report our experimental experience in implementing API hooking to capture sequences of API calls. The loading time of ten common programs was benchmarked under three different settings: a plain computer, a computer with antivirus, and a computer with the API hook installed. The results suggest that the performance of this technique is sufficient to make it a viable approach to distinguishing between benign and malware code execution.
Keywords :
application program interfaces; digital signatures; invasive software; system monitoring; API calls; code signatures; flexible defense mechanism; hooking performance; malware code execution; malware detection; Australia; Computational intelligence; Computer performance; Computerized monitoring; Condition monitoring; Degradation; Intrusion detection; Operating systems; Protection; Security; API sequence; Malicious code; malware detection; system call;
Conference_Title :
Computational Intelligence and Security, 2008. CIS '08. International Conference on
Conference_Location :
Suzhou
Print_ISBN :
978-0-7695-3508-1
DOI :
10.1109/CIS.2008.199