A host intrusion prevention system for windows operating systems

Abstract

We propose an intrusion prevention system called WHIPS that controls, entirely in kernel mode, the invocation of the critical system calls for the Windows OS security. WHIPS is implemented as a kernel driver, also called kernel module, by using kernel structures of the Windows OS. It is integrated without requiring changes to either the kernel data structures or to the kernel algorithms. WHIPS is also transparent to the application processes that continue to work correctly without source code changes or recompilation. A working prototype has been implemented as a kernel extension and it is applicable to all the Windows NT family OS, e.g. Windows 2000/XP/2003. The WHIPS first contribution is to apply the system call interposition technique to the Windows OS, which is not open source. It is not straightforward to apply this technique to Windows OS, also because Windows kernel structures are hidden from the developer, and furthermore, its kernel documentation is poor. © Springer-Verlag Berlin Heidelberg 2004.