Abstract
The volume of malware detected annually is increasing exponentially, and malware programs are written in such a way that they can often escape detection tools. Some can even modify themselves and alter their appearance for each infection. Thus, for malware detection, it is important to analyze malware behavior, and both application programming interface (API) call sequences and operational code (opcode) sequences usefully reflect that behavior. Moreover, a hidden Markov model (HMM) is a robust learning model for malware detection. In this work, we therefore compared API call sequences and opcode sequences using the HMM learning model. The results showed that learning on API call sequences is more accurate than learning on opcode sequences. We conclude that API call sequences are therefore better for malware detection.