Study on Malicious Code Behavior Detection Using Windows Filter Driver and API Call Sequence
As the internet environment has grown, threats and damage from malicious code increase day by day. Most of the damage is caused by new and variant malicious code that takes advantage of weaknesses at the endpoint. Most anti-virus products used on endpoints run on a signature basis, and as malicious code becomes more sophisticated, the detection rate of existing anti-virus is declining. Therefore, there is a need for a technology capable of handling new and variant malicious code in real time on the endpoint. In this paper, we present a method for analyzing the behavior of malicious code through behavioral analysis of the Windows kernel function call sequence.
Keywords: System security; Kernel system; API hooking; Context based analysis; Process
This research was supported by the MSIT (Ministry of Science and ICT), Korea, under the ITRC (Information Technology Research Center) support program (IITP-2018-2016-0-00304) supervised by the IITP (Institute for Information & communications Technology Promotion).