A Proposal to Detect Computer Worms (Malicious Codes) Using Data Mining Classification Algorithms

Abstract

Malicious software (malware) performs a malicious function that compromises a computer system's security. Many methods have been developed to improve the security of computer system resources, among them firewalls, encryption, and Intrusion Detection Systems (IDS). An IDS can detect a new, previously unrecognized attack attempt and raise an early alarm to inform the system about the suspicious intrusion attempt. This paper proposes a hybrid IDS for intrusion detection, especially of malware, that considers both network packet and host features. The hybrid IDS is designed using Data Mining (DM) classification methods for their ability to detect new, previously unseen intrusions accurately and automatically. It uses both anomaly and misuse detection techniques with two DM classifiers, the Iterative Dichotomiser 3 (ID3) classifier and the Naïve Bayesian (NB) classifier, to verify the validity of the proposed system in terms of accuracy rate. A proposed HybD dataset is used in training and testing the hybrid IDS. Feature selection is used so that only the intrinsic features enter the classification decision; this is accomplished using three different measures: the Association Rules (AR) method, the ReliefF measure, and the Gain Ratio (GR) measure. The NB classifier with the AR method gave the most accurate classification results (99%), with a false positive (FP) rate of 0% and a false negative (FN) rate of 1%.
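As an added illustration (not code from the paper), the pipeline the abstract describes, feature selection followed by classification, is carried through here with the Gain Ratio measure ranking features, a Naïve Bayesian classifier with Laplace smoothing trained on the top-ranked ones, and evaluation by accuracy, FP rate and FN rate. The records, feature names (`port`, `proc_new`, `pkt_rate`) and the rate definitions are constructed assumptions, not the HybD dataset.

```python
import math
from collections import Counter, defaultdict

# Constructed toy records (features, label); feature names are assumptions, not HybD data.
TRAIN = [
    ({"port": "445", "proc_new": "yes", "pkt_rate": "high"}, "worm"),
    ({"port": "445", "proc_new": "yes", "pkt_rate": "high"}, "worm"),
    ({"port": "139", "proc_new": "yes", "pkt_rate": "low"}, "worm"),
    ({"port": "80", "proc_new": "no", "pkt_rate": "low"}, "benign"),
    ({"port": "443", "proc_new": "no", "pkt_rate": "low"}, "benign"),
    ({"port": "80", "proc_new": "no", "pkt_rate": "high"}, "benign"),
]

def entropy(values):
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in Counter(values).values())

def gain_ratio(records, feat):
    # C4.5-style: information gain of `feat` divided by its split information.
    groups = defaultdict(list)
    for x, y in records:
        groups[x[feat]].append(y)
    cond = sum(len(g) / len(records) * entropy(g) for g in groups.values())
    split = entropy([x[feat] for x, _ in records])
    return (entropy([y for _, y in records]) - cond) / split if split else 0.0

def rank_features(records):
    return sorted(records[0][0], key=lambda f: gain_ratio(records, f), reverse=True)

def train_nb(records, feats):
    # Class priors, per-class value counts, and per-feature vocabulary (for Laplace smoothing).
    prior = Counter(y for _, y in records)
    counts = {y: {f: Counter() for f in feats} for y in prior}
    for x, y in records:
        for f in feats:
            counts[y][f][x[f]] += 1
    return prior, counts, {f: {x[f] for x, _ in records} for f in feats}

def predict_nb(model, x, feats):
    prior, counts, vocab = model
    n = sum(prior.values())
    score = lambda y: math.log(prior[y] / n) + sum(
        math.log((counts[y][f][x[f]] + 1) / (prior[y] + len(vocab[f]))) for f in feats)
    return max(prior, key=score)

def evaluate(model, records, feats):
    # Accuracy, FP rate (benign flagged as worm / all benign), FN rate (worms missed / all worms).
    preds = [(predict_nb(model, x, feats), y) for x, y in records]
    worms = sum(y == "worm" for _, y in preds)
    fp = sum(p == "worm" and y == "benign" for p, y in preds)
    fn = sum(p == "benign" and y == "worm" for p, y in preds)
    return {"accuracy": sum(p == y for p, y in preds) / len(preds),
            "fp_rate": fp / (len(preds) - worms), "fn_rate": fn / worms}
```

With the toy data, `rank_features(TRAIN)` drops `pkt_rate` (lowest Gain Ratio), and an NB model on the remaining two features flags a benign record that spawns a new process as a worm, which is what the FP rate measures.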