AMICO - Accurate Behavior-Based Detection of Malware Downloads
Python C Other
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Failed to load latest commit information.


AMICO is a malware download classification tool that can be deployed in large networks. It reconstructs executable files (e.g., EXE, DLL, DMG, APK, JAR, etc.) from the network traffic and determines if they are malicious or not based on their provenance information.

To classify a file download event, AMICO looks at who is downloading what and from where, rather than analyzing the content of the downloaded files.

For more technical information, please refer to this ESORICS 2013 research paper

Code: The latest code, which reconstructs and classifies file dumps other than Windows PE executables, is in the dev branch (the older_code branch contains the original code dedicated to reconstructing only Windows PE files).

For more information on how to use and deploy AMICO, please go through the Wiki pages. This is an initial release of the system and we will keep refining the code and documentation. Please open a new Issue if you experience any problems.

You can also visit our AMICO-Security Blog.


Please refer to our project's Wiki for detailed information about system requirements, setup, and deployment guidelines.


If you have any questions, please post a message on our AMICO-security forum.

If you are deploying AMICO in a large university-like campus network and would like to share your experience or know more about our own deployment, please contact us privately at (perdisci [-at-]


The code under the "older_code" branch is released under BSD license. Please refer to the COPYING file under that branch for details.


  • [01/17/2017] Written some guidelines on how to install pf_ring and ZC drivers
  • [01/11/2016] Enabled submission of file types other than EXE to VirusTotal (in the experimental branch only).
  • [04/29/2015] Improved experimental branch code, and tested capture and classification of APKs and JARs in a large network.
  • [03/27/2015] All code in the master branch has been released under BSD license.
  • [03/27/2015] Moved all project files from GoogleCode to GitHub.
  • [01/14/2015] Added some documentation about syslog reports format.
  • [11/20/2014] Added experimental code for supporting file formats other than Windows PE (see svn/branches/experimental). We can currently extract most JAR, APK, DMG, ZIP, RAR, PDF files, and even some Microsoft Office documents. Limitations: the feature extraction and provenance classifier currently treat all file types the same way; we are performing more research to see if the behavior-based detection approach used by AMICO can still work well even with non-executable files.
  • [11/08/2014] We have created the AMICO-Security Blog, where we discuss malware campaign discoveries and other related topics.
  • [10/09/2014] Quick steps for tuning packet capture and drastically reduce packet loss.
  • [10/03/2014] Added a brief example of how AMICO can be deployed in a network.
  • [09/15/2014] We recently fixed a number of rarely-triggered bugs and improved general code quality and stability.
  • [09/13/2014] In the Wiki, you can now find more information about the pe_dump component of AMICO.
  • [08/26/2014] We successfully built a PF_RING-aware version of AMICO (see how we did it)