Detection Of Malicious Executable Using Rule Based Classification Algorithms
Presented by: Aakanksha Jain
M.Tech Scholar at MDS University, Ajmer, Rajasthan
04/07/18 ICITKM-2017
Presentation Outline
• Brief Introduction
• Introduction of Classification Algorithms
• Literature Survey
• Methodology and Implementation
• Analysis of Results
• Contribution
• Conclusion and Future Work
Brief Introduction:
• The work in this paper deals with statistical mining of a malicious-executable dataset collected from various antivirus log files and other sources.
• Malicious code is further classified according to its impact on the user's system, and threats are distinguished on the basis of their associated severity.
• The JRIP, PART and RIDOR algorithms are implemented in a more efficient manner to achieve a level of accuracy in the classification results.
Jrip Algorithm
• JRip is also known as RIPPER (Repeated Incremental Pruning to Produce Error Reduction).
• The JRip classifier divides the dataset into classes; the rules generated for a class include all attributes of that class, and the same process is repeated for every class.
Part Algorithm
• PART is a refined method of rule generation: after rule generation an entire tree is generated, the best tree is selected and its leaves are translated into rules.
• It supports all types of class, such as binary and nominal classes.
Ridor Algorithm
• The Ridor algorithm directly extracts the best rules from the provided dataset.
• The Ridor algorithm completes its process in the following phases: a) Growth, b) Pruning, c) Optimization, d) Selection.
• Growth: greedy addition of attributes to the rules being generated.
• Pruning: the algorithm permits pruning of attribute sequences.
• Optimization: an improvement stage optimizes every rule.
• Selection: the final optimized rules are selected.
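The grow-and-prune cycle that JRip (RIPPER) and Ridor share is easier to see in code than in the phase lists above. The Python below is an added example; it is not the presentation's implementation and not Weka's JRip or Ridor source. It is a minimal separate-and-conquer learner: growth greedily adds the attribute=value condition that most raises a rule's precision on the remaining training records, pruning then keeps the shortest prefix of that rule that scores best, by RIPPER's (p - n)/(p + n), on a held-out prune set. The attribute names (packed, writes_autorun, net_connect, modifies_hosts), both record sets and the deliberately mislabelled row are all constructed; Ridor's optimization and selection phases are not implemented.

```python
# Added example (not code from the presentation or from Weka's JRip/Ridor):
# a minimal separate-and-conquer rule learner with the two phases the slides
# describe, greedy growth of a rule and pruning of its trailing conditions.
# Attribute names, values and every record below are constructed.

ATTRS = ["packed", "writes_autorun", "net_connect", "modifies_hosts"]
POS, NEG = "malicious", "benign"

# Constructed grow set: rows are (packed, writes_autorun, net_connect,
# modifies_hosts, class). Row g6 is deliberate label noise: an autorun-writing
# sample labelled benign, which makes the grown rule over-specific.
GROW_SET = [
    ("yes", "yes", "yes", "no",  POS),   # g0
    ("no",  "yes", "no",  "yes", POS),   # g1
    ("yes", "yes", "no",  "no",  POS),   # g2
    ("no",  "yes", "yes", "yes", POS),   # g3
    ("no",  "no",  "yes", "no",  NEG),   # g4
    ("yes", "no",  "no",  "no",  NEG),   # g5
    ("no",  "yes", "no",  "no",  NEG),   # g6 (noise)
    ("no",  "no",  "no",  "yes", NEG),   # g7
    ("yes", "no",  "yes", "yes", POS),   # g8
    ("yes", "no",  "yes", "no",  POS),   # g9
]
# Constructed prune set, held out from growth as RIPPER does.
PRUNE_SET = [
    ("no",  "yes", "yes", "no",  POS),
    ("yes", "yes", "yes", "yes", POS),
    ("yes", "no",  "yes", "no",  POS),
    ("no",  "no",  "yes", "no",  NEG),
    ("yes", "no",  "no",  "yes", NEG),
    ("no",  "no",  "no",  "no",  NEG),
]

def covers(rule, row):
    """A rule is a list of (attribute index, value) conditions that must all hold."""
    return all(row[a] == v for a, v in rule)

def pos_neg(rule, rows, target):
    """Count covered rows of the target class (p) and of other classes (n)."""
    sub = [r for r in rows if covers(rule, r)]
    p = sum(1 for r in sub if r[-1] == target)
    return p, len(sub) - p

def grow_rule(rows, target):
    """Growth phase: greedily add the condition that most raises the rule's precision."""
    rule = []
    while True:
        p, n = pos_neg(rule, rows, target)
        cur = p / (p + n) if p + n else 0.0
        best, best_key = None, None
        used = {a for a, _ in rule}
        for a in range(len(ATTRS)):
            if a in used:
                continue
            for v in ("yes", "no"):
                p, n = pos_neg(rule + [(a, v)], rows, target)
                if p == 0:
                    continue
                key = (p / (p + n), p)        # precision first, coverage breaks ties
                if best_key is None or key > best_key:
                    best, best_key = (a, v), key
        if best is None or best_key[0] <= cur:
            return rule                        # no condition improves the rule
        rule.append(best)

def prune_rule(rule, prune_rows, target):
    """Pruning phase: keep the shortest prefix of the rule that scores best on the prune set."""
    def score(r):
        p, n = pos_neg(r, prune_rows, target)
        return (p - n) / (p + n) if p + n else -1.0
    best, best_score = rule[:1], score(rule[:1])
    for k in range(2, len(rule) + 1):
        s = score(rule[:k])
        if s > best_score:                     # ties favour the shorter, more general rule
            best, best_score = rule[:k], s
    return best

def learn_rules(grow_rows, prune_rows, target):
    """Separate and conquer: grow a rule, prune it, drop what it covers, repeat."""
    rules, remaining = [], list(grow_rows)
    while any(r[-1] == target for r in remaining):
        rule = grow_rule(remaining, target)
        if not rule:
            break
        rule = prune_rule(rule, prune_rows, target)
        rules.append(rule)
        remaining = [r for r in remaining if not covers(rule, r)]
    return rules

def classify(rules, row, target=POS, default=NEG):
    """First matching rule fires; the default class covers everything else."""
    return target if any(covers(r, row) for r in rules) else default

def accuracy(rules, rows, target=POS, default=NEG):
    hits = sum(1 for r in rows if classify(rules, r, target, default) == r[-1])
    return hits / len(rows)

def format_rule(rule, target=POS):
    conds = " AND ".join(f"{ATTRS[a]}={v}" for a, v in rule)
    return f"IF {conds} THEN {target}"

if __name__ == "__main__":
    learned = learn_rules(GROW_SET, PRUNE_SET, POS)
    for r in learned:
        print(format_rule(r))
    print("accuracy on prune set:", accuracy(learned, PRUNE_SET))
```

On these records the second rule is grown as writes_autorun=yes AND modifies_hosts=yes, because the noisy row g6 stops the single condition from reaching full precision on the grow set; the prune set does not reward the extra condition, so pruning drops it and the learner ends with two rules plus the default class. The same mechanism is what keeps the rule counts in Table 2 small.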
Literature Survey
• In the base paper the authors present an automated system that performs dynamic analysis on new samples in order to decide whether or not they are malicious.
• The dynamic analysis focuses on file-system operations, which are used as features for training a Support Vector Machine.
• This machine-driven analysis is able to detect whether or not a file is infected.
• The proposed classifier can discover previously undiscovered malware. However, it cannot discriminate between safe and malicious threat files.
IMPLEMENTATION
1. Implementation using JRIP:
2. Implementation using PART:
3. Implementation using Ridor:
Result Analysis

Algorithm | Correctly Classified Instances (%) | Incorrectly Classified Instances (%) | Kappa statistic | Mean absolute error | Root mean squared error | Relative absolute error (%) | Root relative squared error (%)
--------- | ---------------------------------- | ------------------------------------ | --------------- | ------------------- | ----------------------- | --------------------------- | -------------------------------
JRIP      | 82.20 | 17.8  | 0.6888 | 0.1509 | 0.314 | 37.65 | 70.30
PART      | 87.43 | 12.56 | 0.7848 | 0.1179 | 0.256 | 29.41 | 57.26
RIDOR     | 75.39 | 24.60 | 0.5644 | 0.164  | 0.405 | 40.92 | 90.54

Table 1: Summary of Results

Algorithm | TP Rate | FP Rate | Precision | Recall | F-Measure | ROC Area | No. of Rules | Time taken to build model
--------- | ------- | ------- | --------- | ------ | --------- | -------- | ------------ | -------------------------
JRIP      | 0.96 | 0.22 | 0.84 | 0.96 | 0.87 | 0.88 | 13 | 0.7 sec
PART      | 0.99 | 0.12 | 0.91 | 0.99 | 0.94 | 0.98 | 14 | 0.5 sec
RIDOR     | 0.97 | 0.31 | 0.79 | 0.97 | 0.87 | 0.84 | 7  | 0.2 sec

Table 2: Detailed accuracy of results by class
Fig 1: Graphical representation of the results of the JRip, PART and Ridor algorithms.
Fig 2: Comparison of the algorithms on the basis of measurement factors.
Contribution
• Our strategy performs well on the chosen dataset of malicious threats; on the basis of this experiment the scale of the data will be extended and a module can be created.
• The proposed module will generate a set of rules after processing the given dataset of threats detected in the last decades; these rules can be used to create virus signatures for predicting malicious threat samples in real time.
• The model will also be able to observe malicious behaviour, intrusive advertisements, spying tools, phishing activities, and rapid replication of certain code.
Conclusion & Future Work
o In this work, in order to predict the severity of threats, JRIP produced thirteen rules, PART produced fourteen rules and RIDOR produced seven rules.
o Thus in terms of rule generation, PART gives the most effective result.
o Assessment on the basis of the evaluation results shows that PART produces better results than JRIP and RIDOR in terms of time period, ROC area and number of rules.
o Our next motive is prediction of severity; the results are as follows:
  • If the class is malware then the threat is ten times; if the decision of threat is backdoor_ffbm, it is consistently hazardous.
  • Severity may be regular except when the class is virus, i.e. severity may be either moderate or danger, and if decision = adwareaunps then severity could be moderate.
o As the chosen methodology performs well on the chosen dataset of malicious threats, in future we will extend the scale of information.
o Together with knowledge logs from multiple networks, a module can be built using this concept of bringing these three algorithms together for analysis purposes.
Resources
• C. developers, "Cuckoo sandbox - open source automated malware analysis," 2016. [Online]. Available: https://media.blackhat.com/us-13/US-13-Bremer-Mo-Malware-Mo-Problems-Cuckoo-Sandbox-WP.pdf
• G. Cabau, M. Buhu and C. Oprişa, "Malware Classification Using Filesystem Footprints," Bitdefender and Technical University of Cluj-Napoca, © 2016 IEEE.
• J. Stewart, "Behavioural malware analysis using Sandnets," Computer Fraud & Security, vol. 2006, pp. 4-6, December 2006.
• H. Zhao, M. Xu, N. Zhong, J. Yao and Q. Ho, "Malicious Executables Classification Based on Behavioral Factor Analysis," presented at the 2010 International Conference on e-Education, e-Business, e-Management and e-Learning, Sanya, China, 2010.
• H. Chauhan, V. Kumar, S. Pundir and E. S. Pilli, "A Comparative Study of Classification Techniques for Intrusion Detection," Department of Computer Science and Engineering, Graphic Era University, Dehradun, India, © 2013 IEEE. DOI: 10.1109/ISCBI.2013.16.
Thanks
Any Questions?
Email ID: JAIN1994AAKANKSHA@GMAIL.COM
