Detection of Spyware by Mining Executable Files

Document type: Conference Papers
Peer reviewed: Yes
Full text:
Author(s): Raja Khurram Shahzad, Syed Imran Haider, Niklas Lavesson
Title: Detection of Spyware by Mining Executable Files
Conference name: The Fifth International Conference on Availability, Reliability and Security (ARES 2010)
Year: 2010
Pagination: 295-302
Publisher: IEEE Computer Society
City: Krakow
URI/DOI: 10.1109/ARES.2010.105
ISI number: 000278197800042
Organization: Blekinge Institute of Technology
Department: School of Computing (Sektionen för datavetenskap och kommunikation)
School of Computing S-371 79 Karlskrona
+46 455 38 50 00
Authors e-mail:,,
Language: English
Abstract: Spyware represents a serious threat to confidentiality
since it may result in loss of control over private data for
computer users. This type of software might collect the data and
send it to a third party without informed user consent.
Traditionally two approaches have been presented for the
purpose of spyware detection: Signature-based Detection and
Heuristic-based Detection. These approaches perform well
against known Spyware but have not been proven to be
successful at detecting new spyware. This paper presents a
Spyware detection approach by using Data Mining (DM)
technologies. Our approach is inspired by DM-based malicious
code detectors, which are known to work well for detecting
viruses and similar software. However, this type of detector has
not been investigated in terms of how well it is able to detect
spyware. We extract binary features, called n-grams, from both
spyware and legitimate software and apply five different
supervised learning algorithms to train classifiers that are able to
classify unknown binaries by analyzing extracted n-grams. The
experimental results suggest that our method is successful even
when the training data is scarce.
Subject: Computer Science\Artificial Intelligence
Computer Science\Electronic security
Keywords: Spyware Detection, Data Mining, Malicious Code, Feature Extraction