English

Malware Detection based on API Calls: A Reproducibility Study

Cryptography and Security 2026-01-14 v1

Abstract

This study independently reproduces the malware detection methodology presented by Felli cious et al. [7], which employs order-invariant API call frequency analysis using Random Forest classification. We utilized the original public dataset (250,533 training samples, 83,511 test samples) and replicated four model variants: Unigram, Bigram, Trigram, and Combined n gram approaches. Our reproduction successfully validated all key findings, achieving F1-scores that exceeded the original results by 0.99% to 2.57% across all models at the optimal API call length of 2,500. The Unigram model achieved F1=0.8717 (original: 0.8631), confirming its ef fectiveness as a lightweight malware detector. Across three independent experimental runs with different random seeds, we observed remarkably consistent results with standard deviations be low 0.5%, demonstrating high reproducibility. This study validates the robustness and scientific rigor of the original methodology while confirming the practical viability of frequency-based API call analysis for malware detection.

Keywords

Cite

@article{arxiv.2601.08725,
  title  = {Malware Detection based on API Calls: A Reproducibility Study},
  author = {Juhani Merilehto},
  journal= {arXiv preprint arXiv:2601.08725},
  year   = {2026}
}

Comments

3 figures, 5 tables, reproducibility study

R2 v1 2026-07-01T09:03:04.514Z