PAM: process authentication mechanism for protecting system services against malicious code attacks
Sādhanā (IF 1.6), Pub Date: 2020-06-02, DOI: 10.1007/s12046-020-01381-7
Muthumanickam Krishnan, Lavarasan Egambaram

The kernel of a modern operating system fails to ensure the authenticity of a running process while servicing a system call. Verifying the origin and integrity of a system call is an important security issue for ensuring the proper functioning of an end-system. The conventional process identification parameters, such as the process identifier, the process name and the executable flow exercised by the operating system, are not reliable. As a result, stealthy malware may mimic other processes to carry out many computer crimes, thereby compromising the end-system. In this paper, we present a novel idea in which system call invocations made by a malicious application are verified at runtime in the Windows operating system. To ensure the authenticity of a process while a system call is serviced, we propose a behavior-based mechanism, the process authentication mechanism (PAM), for combating malicious code attacks; it verifies the identity of each suspected process before the kernel services its request. The simulation and performance evaluation results confirm that our mechanism can effectively block all malicious samples that directly invoke system services in kernel mode. PAM incurs no more than two percent overhead and helps to strengthen overall system security.




Updated: 2020-06-02