2008 International Conference on Computational Intelligence and Security
An Evaluation of API Calls Hooking Performance
December 13-17, 2008
ISBN: 978-0-7695-3508-1
DOI Bookmark: http://doi.ieeecomputersociety.org/10.1109/CIS.2008.199
An open research question in malware detection is how to accurately and reliably distinguish a malware program from a benign one running on the same machine. In contrast to code signatures, which are commonly used in commercial protection software, signatures derived from system calls have the potential to form the basis of a much more flexible defense mechanism. However, the performance degradation caused by monitoring system calls could adversely impact the machine. In this paper we report our experimental experience in implementing API hooking to capture sequences of API calls. The loading time of common programs was benchmarked under three different settings: a plain computer, a computer with antivirus, and a computer with the API hook installed. The results suggest that the performance of this technique is sufficient to provide a viable approach to distinguishing between benign and malware code execution.
Index Terms:
Malicious code, API sequence, system call, malware detection
Citation:
Mohd Fadzli Marhusin, Henry Larkin, Chris Lokan, David Cornforth, "An Evaluation of API Calls Hooking Performance," 2008 International Conference on Computational Intelligence and Security (CIS), vol. 1, pp. 315-319, 2008.
