Need help with ember?
Click the “chat” button below for chat support from the developer who created it, or find similar developers for support.

About the developer

558 Stars 173 Forks Other 73 Commits 7 Opened issues

Services available


Need anything else?

Contributors list

Elastic Malware Benchmark for Empowering Researchers

The EMBER dataset is a collection of features from PE files that serve as a benchmark dataset for researchers. The EMBER2017 dataset contained features from 1.1 million PE files scanned in or before 2017 and the EMBER2018 dataset contains features from 1 million PE files scanned in or before 2018. This repository makes it easy to reproducibly train the benchmark models, extend the provided feature set, or classify new PE files with the benchmark models.

This paper describes many more details about the dataset:


The LIEF project is used to extract features from PE files included in the EMBER dataset. Raw features are extracted to JSON format and included in the publicly available dataset. Vectorized features can be produced from these raw features and saved in binary format from which they can be converted to CSV, dataframe, or any other format. This repository makes it easy to generate raw features and/or vectorized features from any PE file. Researchers can implement their own features, or even vectorize the existing features differently from the existing implementations.

The feature calculation is versioned. Feature version 1 is calculated with the LIEF library version 0.8.3. Feature version 2 includes the additional data directory feature, updated ordinal import processing, and is calculated with LIEF library version 0.9.0. We have verified under Windows and Linux that LIEF provides consistent feature representation for version 2 features using LIEF version 0.10.1.


The first EMBER dataset consisted of version 1 features calculated over samples collected in or before 2017. The second EMBER dataset release consisted of version 2 features calculated over samples collected in or before 2018. In conjunction with the second release, we also included the version 2 features from the samples collected in 2017. Combining the data from 2017 and 2018 will allow longer longitudinal studies of the evolution of features and PE file types. But different selection criteria were applied when choosing samples from 2017 and 2018. Specifically, the samples from 2018 were chosen so that the resultant training and test sets would be harder for machine learning algorithms to classify. Please beware of this inconsistancy while constructing your multi-year studies. The original paper only describes Ember 2017 (featur version 1). For a detailed information about the Ember 2018 dataset, please refer to where you can find both slides and a video talk.


Download the data here:

| Year | Feature Version | Filename | URL | sha256 | |------|-----------------|------------------------------|----------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------| | 2017 | 1 | emberdataset.tar.bz2 | |

| | 2017 | 2 | emberdataset20172.tar.bz2 | |

| | 2018 | 2 | emberdataset2018_2.tar.bz2 | |


Instrall directly from git


to install the
and required files
pip install git+

This provides access to EMBER feature extaction for example. However, to use the scripts to train the model, one would instead clone the repository.

Install after cloning the EMBER repository


to install the required packages before installing
pip install -r requirements.txt
python install
conda config --add channels conda-forge
conda install --file requirements_conda.txt
python install


script simplifies the model training process. It will vectorize the ember features if necessary and then train the LightGBM model.
python [/path/to/dataset]

script will return model predictions on PE files.
python -m [/path/to/model] BINARIES

Import Usage

The raw feature data can be expanded into vectorized form on disk for model training and into metadata form. These two functions create those extra files:

import ember

Once created, that data can be read in using convenience functions:

import ember
X_train, y_train, X_test, y_test = ember.read_vectorized_features("/data/ember2018/")
metadata_dataframe = ember.read_metadata("/data/ember2018/")

Once the data is downloaded and the ember module is installed, this simple code should reproduce the benchmark ember model:

import ember
lgbm_model = ember.train_model("/data/ember2018/")

Once the model is trained, the ember module can be used to make a prediction on any input PE file:

import ember
import lightgbm as lgb
lgbm_model = lgb.Booster(model_file="/data/ember2018/ember_model_2018.txt")
putty_data = open("~/putty.exe", "rb").read()
print(ember.predict_sample(lgbm_model, putty_data))


If you use this data in a publication please cite the following paper:

H. Anderson and P. Roth, "EMBER: An Open Dataset for Training Static PE Malware Machine Learning Models”, in ArXiv e-prints. Apr. 2018.

@ARTICLE{2018arXiv180404637A, author = {{Anderson}, H.~S. and {Roth}, P.}, title = "{EMBER: An Open Dataset for Training Static PE Malware Machine Learning Models}", journal = {ArXiv e-prints}, archivePrefix = "arXiv", eprint = {1804.04637}, primaryClass = "cs.CR", keywords = {Computer Science - Cryptography and Security}, year = 2018, month = apr, adsurl = {}, }

We use cookies. If you continue to browse the site, you agree to the use of cookies. For more information on our use of cookies please see our Privacy Policy.