Automatic malicious code homology judgment method and system based on calling habits
The invention discloses a method and system for automatically judging malicious code homology (common authorship) from WinAPI calling habits. The method comprises: building a WinAPI calling-habit model for a given writer from a set of malicious code samples attributed to that writer, and selecting a homology judgment threshold; then judging, from the calling-habit model and the threshold, whether a sample under test is homologous with the writer's known samples. Compared with manual homology judgment, the method greatly improves judgment efficiency while keeping high accuracy. It suits scenarios in which several samples by the writer are already known and the writer's other malicious code is either to be found within a mass sample set or to be detected online in real time. Comparison experiments further indicate that, unlike malicious code family judgment, the method can judge homology across families.
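The three steps in the abstract (build a writer's calling-habit model, select a threshold, judge new samples) as an added illustrative example in Python; this is not the patent's own implementation. The patent does not say how the calling-habit model is represented or how the threshold is chosen, so the normalised API-frequency profile, cosine similarity, leave-one-out threshold selection with a safety margin, and every API list below are assumptions and constructed data.

```python
"""Writer-level WinAPI calling-habit model with a homology threshold.

Illustrative code only (assumed representation, not the patent's method):
  - a sample is the list of WinAPI names it calls (e.g. from an import
    table or a sandbox trace); all lists below are constructed
  - a sample profile is its normalised API-frequency vector
  - the writer model is the mean of the profiles of the known samples
  - similarity is cosine similarity between profile and model
  - the threshold is the lowest leave-one-out similarity of the known
    samples minus a margin, so the model is never scored on a sample
    that was used to build it
"""
import math
from collections import Counter

# Constructed: four samples attributed to one writer (file-drop + registry
# persistence + WinExec habit, with small per-sample variation).
AUTHOR_SAMPLES = [
    ["CreateFileA", "WriteFile", "CloseHandle", "RegSetValueExA", "RegCloseKey", "WinExec"],
    ["CreateFileA", "WriteFile", "CloseHandle", "RegSetValueExA", "WinExec", "Sleep"],
    ["CreateFileA", "WriteFile", "RegSetValueExA", "RegCloseKey", "WinExec", "Sleep"],
    ["CreateFileA", "ReadFile", "WriteFile", "CloseHandle", "RegSetValueExA", "WinExec"],
]
# Constructed: samples from unrelated sources (network bot, process injector).
OTHER_SAMPLES = [
    ["WSAStartup", "socket", "connect", "send", "recv", "closesocket"],
    ["OpenProcess", "VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread"],
]
# Constructed: a different "family" (adds a downloader) that keeps the
# writer's drop/persist/execute habit, to show cross-family judgment.
CROSS_FAMILY_SAMPLE = ["InternetOpenA", "InternetReadFile", "CreateFileA", "WriteFile",
                       "CloseHandle", "RegSetValueExA", "WinExec"]


def profile(api_calls):
    """Normalised frequency of each API name in one sample."""
    counts = Counter(api_calls)
    total = sum(counts.values())
    return {api: n / total for api, n in counts.items()}


def cosine(a, b):
    """Cosine similarity of two sparse vectors; 0.0 when either is empty."""
    dot = sum(a[k] * b[k] for k in a.keys() & b.keys())
    na = math.sqrt(sum(v * v for v in a.values()))
    nb = math.sqrt(sum(v * v for v in b.values()))
    return dot / (na * nb) if na and nb else 0.0


def build_habit_model(samples):
    """Writer model: mean of the per-sample profiles (assumed representation)."""
    profiles = [profile(s) for s in samples]
    acc = Counter()
    for p in profiles:
        acc.update(p)
    return {api: v / len(profiles) for api, v in acc.items()}


def select_threshold(samples, margin=0.1):
    """Leave-one-out: score each known sample against a model built from the
    others and take the minimum minus a margin, clamped to [0, 1]."""
    sims = []
    for i, s in enumerate(samples):
        rest = samples[:i] + samples[i + 1:]
        sims.append(cosine(profile(s), build_habit_model(rest)))
    return min(1.0, max(0.0, min(sims) - margin))


def is_homologous(sample, model, threshold):
    """Judge one sample under test against the writer model."""
    return cosine(profile(sample), model) >= threshold


def scan(candidates, model, threshold):
    """Mass-set / online use: return indices of candidates judged homologous."""
    return [i for i, s in enumerate(candidates) if is_homologous(s, model, threshold)]


if __name__ == "__main__":
    model = build_habit_model(AUTHOR_SAMPLES)
    thr = select_threshold(AUTHOR_SAMPLES)
    print(f"threshold = {thr:.3f}")
    for s in AUTHOR_SAMPLES + OTHER_SAMPLES + [CROSS_FAMILY_SAMPLE]:
        print(f"{cosine(profile(s), model):.3f} {is_homologous(s, model, thr)} {s[:3]}...")
    print("flagged:", scan(OTHER_SAMPLES + [CROSS_FAMILY_SAMPLE], model, thr))
```

The leave-one-out step is the check a practitioner wants before trusting the threshold: scoring the known samples against a model that already contains them inflates every similarity and makes any threshold look safe. With a real corpus the margin should be set from the similarity distribution of samples known not to be the writer's, and the profile should be built on a richer feature (for example API n-grams or argument patterns) than raw frequency, which can be shared by any two samples that perform the same generic task.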