Through file-system listeners (monitoring): Detect access to system files by programs that are not signed by Microsoft (vendor/publisher ID).
Registry listener: Detect changes (writing) made to keys in the Windows system registry at system reserved (system specific) registry paths (keys) by executable files not signed by Microsoft bound to processes initiated by applications that are signed by Microsoft.
Process (task) monitoring: Look for processes started by applications signed by Microsoft to which applications not signed by Microsoft have (at some point) been bound (embedded/linked, etc.) and that have thus changed their regular behaviour (profiled earlier, before the introduction of the malicious entity into the system).
Resource hogging: Detect abnormal resource usage (CPU/RAM/VM) by processes of unconfirmed application's publisher (signed in the executable file) credibility over a long period of time.
There is other information that you can acquire by combining data from any two or more of the aforementioned methods and performing some statistical analysis, finding common correlations between them; and at run-time, measuring distance (deviation) from these established common and expected (predicted/predictable) behaviours.
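As an added example (not part of the original answer), the sketch below combines one counter from each of the four monitors into a per-window feature vector for a single Microsoft-signed host process, learns a profile from clean baseline windows, and flags run-time windows whose standardized distance from that profile exceeds anything seen in the baseline. The feature names, the sample values, the `margin` of 2.0 and the three-window persistence rule are all assumptions made for illustration.

```python
import math
from statistics import mean, pstdev

# One tuple per observation window for a single Microsoft-signed host process.
# Feature names and all values are constructed for illustration.
FEATURES = ("sys_file_reads", "sys_reg_writes", "unsigned_modules", "cpu_pct")
BASELINE = [(12, 0, 0, 3.0), (15, 1, 0, 4.0), (11, 0, 0, 2.5),
            (14, 0, 0, 3.5), (13, 1, 0, 3.0)]
RUNTIME = [(13, 0, 0, 3.2), (14, 1, 0, 3.8), (40, 9, 1, 35.0),
           (42, 11, 1, 38.0), (41, 10, 1, 36.0)]

def build_profile(windows, min_std=1.0):
    """Per-feature (mean, std) learned from the clean baseline windows."""
    # Floor the std so a feature that never varied cannot divide by zero.
    return [(mean(col), max(pstdev(col), min_std)) for col in zip(*windows)]

def deviation(profile, window):
    """Standardized Euclidean distance of one window from the profile."""
    return math.sqrt(sum(((x - m) / s) ** 2 for x, (m, s) in zip(window, profile)))

def top_contributors(profile, window, n=2):
    """Features with the largest z-scores, to explain why a window is flagged."""
    z = {f: abs(x - m) / s for f, x, (m, s) in zip(FEATURES, window, profile)}
    return sorted(z, key=z.get, reverse=True)[:n]

def flag_windows(baseline, runtime, margin=2.0):
    """Flag runtime windows farther from the profile than any baseline window."""
    profile = build_profile(baseline)
    threshold = margin * max(deviation(profile, w) for w in baseline)
    return [deviation(profile, w) > threshold for w in runtime]

def first_sustained(flags, k=3):
    """Index of the window completing k consecutive flags, or None."""
    run = 0
    for i, flagged in enumerate(flags):
        run = run + 1 if flagged else 0
        if run >= k:
            return i
    return None

if __name__ == "__main__":
    profile = build_profile(BASELINE)
    flags = flag_windows(BASELINE, RUNTIME)
    for w, flagged in zip(RUNTIME, flags):
        why = top_contributors(profile, w) if flagged else []
        print(w, round(deviation(profile, w), 2), flagged, why)
    print("sustained deviation confirmed at window", first_sustained(flags))
```

Requiring several consecutive flagged windows mirrors the "over a long period of time" condition above and suppresses one-off spikes from legitimate activity.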
Thank you all for the help. Let me read through and the papers. Am currently pursuing my Masters in computer Security. Doing research on detecting behaviour of malware using data mining approaches. I would really appreciate your help on how best I can go on with it. Thank you all again.