We have often seen how malware families evolve over time: the malware authors add new features, change the order of functions, modify some strings or add random useless code. They do all that to evade detection. In a similar way, computer science students that copy homework will change variable and function names, rephrase comments or even replace some small portions of the code. In both cases, the essence remains the same and it is easy for one to see it, by comparing two samples or two source codes. The challenge however, is to automatically find groups of similar items in a large collection. Our research shows that we can apply the same techniques in order to cluster new malicious samples into malware families and detect plagiarized students work. The paper proposes a novel approach for computing the similarity between two items, based not only on their features, but also based on the frequencies of those features in a given population. The new similarity function was tested in a clustering algorithm and it proved better than other approaches. Also, the nature of the method allows it to be used in other document classification tasks.