Invention Grant
US08745760B2 Malware classification for unknown executable files (status: in force)

Malware classification for unknown executable files
Abstract:
Devices, methods and instructions encoded on computer readable medium are provided herein for implementation of classification techniques in order to determine if an unknown executable file is malware. In accordance with one example method, an unknown executable file comprising a sequence of operation codes (opcodes) is received. Based on the operation codes of the unknown executable, a subset of executable files in a training set is identified in which each of the files in the subset has the same beginning sequence of operation codes as the unknown executable. After the subset is identified, a feature set extracted from the unknown executable file is compared to one or more feature sets extracted from each of the executable files in the identified subset. A determination is made, based on the feature set comparison, whether the unknown executable file is malware.
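The two-stage flow in the abstract (narrow the training set by shared opcode prefix, then compare feature sets within that subset) can be sketched as follows. This is an added illustration, not code from the patent: the prefix length, the bigram-count features, the weighted Jaccard similarity, the nearest-neighbour decision, the threshold and the sample opcode sequences are all assumptions chosen for the example.

```python
from collections import Counter

PREFIX_LEN = 4    # assumed length of the "beginning sequence" used as lookup key
NGRAM = 2         # assumed feature set: counts of opcode bigrams
THRESHOLD = 0.6   # assumed minimum similarity needed to inherit a label

def features(opcodes, n=NGRAM):
    """Feature set of one file: multiset of opcode n-grams."""
    return Counter(tuple(opcodes[i:i + n]) for i in range(len(opcodes) - n + 1))

def similarity(a, b):
    """Weighted Jaccard similarity between two n-gram multisets (0.0 to 1.0)."""
    keys = a.keys() | b.keys()
    union = sum(max(a[k], b[k]) for k in keys)
    return sum(min(a[k], b[k]) for k in keys) / union if union else 0.0

def build_index(training):
    """Group training files by their first PREFIX_LEN opcodes."""
    index = {}
    for name, opcodes, is_malware in training:
        key = tuple(opcodes[:PREFIX_LEN])
        index.setdefault(key, []).append((name, features(opcodes), is_malware))
    return index

def classify(index, opcodes):
    """Return (verdict, closest training file, similarity score)."""
    subset = index.get(tuple(opcodes[:PREFIX_LEN]), [])
    if not subset:                      # no training file shares the prefix
        return ("unknown", None, 0.0)
    feat = features(opcodes)
    name, score, is_malware = max(
        ((n, similarity(feat, f), m) for n, f, m in subset), key=lambda t: t[1])
    if score < THRESHOLD:               # prefix matched, but features differ too much
        return ("unknown", name, score)
    return ("malware" if is_malware else "benign", name, score)

# Constructed sample data: opcode mnemonics, not taken from real binaries.
TRAINING = [
    ("mal_a", ["push", "mov", "sub", "call", "xor", "xor", "jmp", "call", "xor", "jmp"], True),
    ("good_a", ["push", "mov", "sub", "call", "mov", "add", "cmp", "jne", "ret"], False),
    ("good_b", ["mov", "push", "call", "ret"], False),
]
INDEX = build_index(TRAINING)

if __name__ == "__main__":
    sample = ["push", "mov", "sub", "call", "xor", "xor", "jmp", "call", "xor", "ret"]
    print(classify(INDEX, sample))
```

Returning "unknown" when no prefix bucket exists, or when the best match falls below the threshold, keeps the prefix filter from forcing a label onto a file that merely shares a common function prologue with a training sample.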