This document discusses techniques for malware detection using data mining. It begins by defining the problem of malware as one of the most serious issues faced on the internet. It then discusses types of malware like viruses, worms, trojans, and rootkits. It describes how rootkits can hide themselves and their activities. The document outlines static and dynamic analysis methods for malware detection and describes signature-based and behavior-based detection techniques. It shows results from using the Weka tool achieving over 97% success in rootkit detection. Advanced techniques discussed include n-grams and analyzing API/system calls.

1. Malware Detection Using Data Mining
Techniques
Guided by,
Prof. R.K. Chavan
Presented by,
Karwande Akash N.

2. PROBLEM DEFINITION
 One the most important and most serious problems is the internet
world is faced with existence of malwares.
 According to studies conducted in this field, we have concluded that
80 percent of damages to systems have been from malwares and only
20 percent of it has been from other factors.
 However, unfortunately, most of the works has been on the 20% and
the malwares have received less attention and thus we're facing many
security problems every day.

3. These attack are usually done to computer networks of sensitive agencies such as
security entities, banks, economic centers, information storage centers, computer
networks.

4. Types Of Malwares
Computer programs which have a destructive content and applied to systems from invader, are called
malware and the systems on which this program are applied is called victim system .
Malwares are classified into several kinds based on behavior or attack methods.
 Virus
 Worm
 Trojan Horse
 Logic Bomb
 Backdoors
 Rootkit

5. Rootkit
Rootkit is a malware that has the ability to hide itself and its activities
on the target system. Rootkits can hide themselves from users through
the following methods:
 Rootkit integrate its malicious codes with operating system codes which are at
low-levels
 Rootkit transfers its malicious codes into healthy processes and by doing so, it
can use the memory that and do its malicious programs.

6. Analysis to Detect Malware
Static Analysis
Software analysis without execution, is called static analysis which without
running the program, investigates the code and can detect malicious code and put it
in one of the available groups based on different learning methods .
In the static method, binary codes are checked and viruses are detected based on
different learning methods. In fact this is the key part of static method.
It is observed that extracting binary codes is a relatively complex work.

7. Dynamic Analysis
Program analyzing, while it is running, is called dynamic analysis which also
referred to as behaviors analyzing and include software running and watching its
behavior, system interaction and its effects on host system.
Dynamic analysis method need to run polluted files in a virtual environment like a
virtual machine, a simulator, sand box, etc to analyze it in virtual environment.
Checking recalled functions.
Following the flow of information.
Following the order of running functions.
But unfortunately this method is too slow as real time detectors on the end
host and often need virtual machine technology.

8. Malware Detection Techniques
Signature- Based Detection
The main goal of this method is to extract the unique bytes
sequence of codes as the signature. Searching for a signature in the
suspicious files is a part of the task .
Usage of encrypted model in cryptography has led to neutralize the
signature based method which makes these encrypted malwares
undetectable through this method.
In order to overcome these problems, the behavior based method is
used.

9. Behavior-Based Detection
 Behavioral parameters include many factors such as source or
destination of malware, kinds of attachments and other statistical
properties.
 Dynamic behaviors are directly used in evaluating the damage to the
system and also help us to detect and classify new malwares.
 Malware clustering based on dynamic analysis is based on running
the malware in a real controlled environment.

10. Analysis of Results

11.  The advantages of this method include its high success rate in
malwares detection because it is directly in contact with malware
binary codes.
 Above figure shows a graph of data mining operation results using
Weka tool on database. As shown above, the success rate of this
method in rootkit detection is more than 97% which is a remarkable
rate.

12. Advanced Malware Detection Techniques
N-Grams
API/System calls

13. n-Grams-based file signature for malware
detection
 Substrings of a larger string with a length n.
 For example, the string “MALWARE”, can be segmented into
several 4-grams: “MALW”, “ALWA”, “LWAR”, “WARE” and so on.
 On the top, N-grams is used for malware analysis by an IBM
research group in 1994. They proposed a method to automatically
extract signatures for the malware. Still, there was no experimental
results in their research.

14.  Once the set is chosen, we extract n-grams for every file in that set
that will act as the file signature.
 System can classify any unknown instance as malware or benign
software.
 (amount of malware instances) - (amount of benign instances)>=
parameter d, as shown in the following formula:
MW(K)−GW(K)>=d
K - nearest neighbors and d is the parameter d.
 Keep low value of false positive ratio; with a high value of d.

16. Thank You