Spyware Detection Using Data Mining for Windows Portable Executable Files

Abstract

Malware represents a significant problem that threatens the security of computer systems. Spyware is one of the recent types of malware that represents a serious threat to confidentiality. The traditional approaches using signature-based to detect spyware programs fails in detecting new and unknown spyware. Many of the malware detection techniques which work well in detecting malware are not investigated in terms of spyware detection. In this research, we investigate the spyware detection by using data mining techniques based on mining Application Programming Interface (API) calls. 2084 spyware and 1065 benign windows Portable Executable (PE) file samples were collected from the Internet in order to create binary data set. API call statically extracted from binary file, then generate a set of features and features selection was performed, these features are then used to train a classifier. We evaluated a variety of classification algorithms, including Random forest, Naïve Bayes (NB), K−Nearest Neighbor (kNN), JRip, J48 decision trees, and support vector machines (SVMs). The accuracy and the area under ROC curve are used for the evaluation of classifier performance. The results show that we achieved an overall accuracy of 98.09% with an area under the ROC curve of 0.995.