Traditionally, security software may depend on the ability to widely monitor system activity. This may be particularly important for behavioral analysis methods for detecting malicious activity. One useful component of this monitoring may be tracking the flow of software execution. For example, security software may monitor execution flow in order to determine whether the code involved in handling a monitored operation is trusted and expected to be involved in handling that operation. However, traditional methodologies for monitoring software execution flow have generally exhibited various limitations.
For example, the ability to monitor the flow of software execution is often limited. In particular versions of operating systems, the use of interface hooking may be prohibited in the kernel. In another example, applying the level of monitoring necessary to assemble an execution flow profile may have a performance impact. There is thus a need for addressing these and/or other issues associated with the prior art.