A method for detecting unknown malicious code is provided. A data set is created, which is a collection of files that includes a first subset with malicious code and a second subset with benign code files, whereas the malicious and benign files are identified by an antivirus program. Subsequently, all files are parsed and a set of top features of all-n grams of the files is selected and reduced by using features selection methods. After determining the optimal number of features, they will be used as training and test sets.