A System for Program Execution Identification on the Microsoft Windows Platforms

Y. Xiong, Z. Liu, and H. Li (PRC)

Keywords

Program execution model, DLL replacement, DLL interception, and API calls footprint

Abstract

This paper describes a system for identification execution of programs using execution events of the programs. This system is based on a model of program execution for security purposes, and is implemented on the Microsoft Windows platforms using an operating system technique called DLL (Dynamic Linked Library) replacement. Compared to other related works, this paper has two key contributions: It describes a systematic way to retain all system DLLs made by application programs dynamically and in real-time on the Microsoft Windows platforms. It also presents a new model of program execution, in which frequencies of program execution events are considered in addition to their patterns. Our experiment data indicate improved results.

Important Links:



Go Back