Abstract: Systems, methods, and computer program products are provided for identifying a potential malicious event. The method includes receiving a plurality of program actions comprising at least a first program action and a second program action. The first program action is initiated before the second program action. The method also includes comparing the plurality of program actions with at least one known malicious event pattern of actions. The at least one malicious event pattern of actions includes a sequence of program actions in a known malicious event. The method further includes determining a potential malicious event is occurring based on the comparison of the plurality of program actions with at least one known malicious event pattern of actions. The method still further includes determining a preventative response based on the potential malicious event.