Techniques are described for detecting anomalous behavior in program execution. In one example, a method includes logging occurrence of one or more key run time events during execution of a program. Each key run time event has a corresponding key run time event data structure associated with the program, and logging includes storing records associated with the key run time events, wherein each record is based on the key run time event data structure associated with the key run time event. The method further includes analyzing the records to determine if a current pattern of key run time events associated with the program during execution matches an expected pattern of key run time events and generating a security alert if the current pattern of key run time events does not match the expected pattern of key run time events for the program.