DocumentCode :
3252950
Title :
Malicious code prevention in kernel mode
Author :
Saranya, G. ; Balamurugan, Ganesh
fYear :
2012
fDate :
21-22 Dec. 2012
Firstpage :
239
Lastpage :
242
Abstract :
As Windows systems are affected by malicious code, the vulnerabilities on such systems are numerous. Behavior based monitoring is used to counter polymorphic malicious code, since signature based detection, or fixing these vulnerabilities one by one, is not an efficient method. Thus behavior based monitoring is used to avoid malicious code on Windows systems. Some such monitors hook high level system APIs to detect the suspicious behavior of the code, so they cannot detect malicious code that directly invokes the native APIs. Thus a security scheme is used that hooks native APIs in kernel mode. It provides authentication of the system service caller in kernel mode, and so prevents malicious code from calling native APIs directly. To provide extra authentication, the dispatch ID is scrambled. For the scrambling to take place, the dispatch ID is first distinguished as a local ID or a remote ID, then a filter is used to find the legitimate user, and the scrambling is done with that legitimate user's ID. Unscrambling to recover the original dispatch ID is done only if the caller is a legitimate user. The scheme introduces an average eight percent computation overhead into the system.
Keywords :
application program interfaces; security of data; behavior based monitoring; high level system API; kernel mode; local ID; malicious code prevention; polymorphic malicious code; remote ID; security scheme; signature based detection system; system service caller; window system; Browsers; Computers; Educational institutions; Kernel; Monitoring; Registers; Malicious code; Native API; Scrambling;
fLanguage :
English
Publisher :
ieee
Conference_Titel :
Radar, Communication and Computing (ICRCC), 2012 International Conference on
Conference_Location :
Tiruvannamalai
Print_ISBN :
978-1-4673-2756-5
Type :
conf
DOI :
10.1109/ICRCC.2012.6450586
Filename :
6450586