Malware Detection based on API Calls: A Reproducibility Study
Abstract
This study independently reproduces the malware detection methodology presented by Felli cious et al. [7], which employs order-invariant API call frequency analysis using Random Forest classification. We utilized the original public dataset (250,533 training samples, 83,511 test samples) and replicated four model variants: Unigram, Bigram, Trigram, and Combined n gram approaches. Our reproduction successfully validated all key findings, achieving F1-scores that exceeded the original results by 0.99% to 2.57% across all models at the optimal API call length of 2,500. The Unigram model achieved F1=0.8717 (original: 0.8631), confirming its ef fectiveness as a lightweight malware detector. Across three independent experimental runs with different random seeds, we observed remarkably consistent results with standard deviations be low 0.5%, demonstrating high reproducibility. This study validates the robustness and scientific rigor of the original methodology while confirming the practical viability of frequency-based API call analysis for malware detection.
Cite
@article{arxiv.2601.08725,
title = {Malware Detection based on API Calls: A Reproducibility Study},
author = {Juhani Merilehto},
journal= {arXiv preprint arXiv:2601.08725},
year = {2026}
}
Comments
3 figures, 5 tables, reproducibility study