Study on Malicious Code Behavior Detection Using Windows Filter Driver and API Call Sequence

  • Kangsik Shin
  • Yoojae Won
Conference paper
Part of the Lecture Notes in Electrical Engineering book series (LNEE, volume 474)


As the internet environment has developed, threats and damage from malicious code are increasing day by day. Most of the damage is caused by new and variant malicious code that exploits the vulnerability of the endpoint. Most anti-virus products used on endpoints run on a signature basis, and as malicious code becomes more sophisticated, the detection rate of existing anti-virus products is declining. Therefore, there is a need for a technology that can handle new and variant malicious code in real time on the endpoint. In this paper, we present a method for analyzing the behavior of malicious code using behavioral analysis of the Windows kernel function call sequence.


Keywords: System security, Kernel system API hooking, Context-based analysis, Process



This research was supported by the MSIT (Ministry of Science and ICT), Korea, under the ITRC (Information Technology Research Center) support program (IITP-2018-2016-0-00304) supervised by the IITP (Institute for Information & communications Technology Promotion).



Copyright information

© Springer Nature Singapore Pte Ltd. 2018

Authors and Affiliations

  1. Department of Computer Science Engineering, Chungnam National University, Daejeon, South Korea
