Automated semantic modeling of system events

user-5d4bc4a8530c70a9b361c870(2021)

Abstract
A method to detect anomalous behavior in an execution environment. A set of system events captured from a monitored computing system is received. Using the received system events, a model is then trained using machine learning. The model is trained to automatically extract one or more features for the received set of system events, wherein a system event feature is determined by a semantic analysis and represents a semantic relationship between or among a grouping of system events that are observed to co-occur in an observation sample. An observation sample is associated with an operating scenario that has occurred in the execution environment. Once trained, and using the features, the model is used to detect anomalous behavior. As an optimization, prior to training, the set of system events is pre-processed into a reduced set of system events. The modeler may comprise a component of a malware detection system.
Keywords
Event (computing),Semantic analysis (machine learning),Component (UML),Set (abstract data type),Feature (computer vision),Malware,Pattern recognition,Sample (statistics),Computer science,Artificial intelligence,Semantic relationship
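
The pipeline the abstract outlines (reduce events, learn co-occurrence features per observation sample, flag anomalous samples) can be sketched as follows. This is an added example, not code from the patent or its authors: it assumes pointwise mutual information (PMI) over event pairs as the co-occurrence feature and a fixed penalty for unseen pairs, and the event strings and all function names are constructed for illustration.

```python
import math, re
from collections import Counter
from itertools import combinations

def reduce_events(raw):
    """Pre-processing: mask volatile numbers (PIDs, ports) and deduplicate."""
    return sorted({re.sub(r"\d+", "<n>", e.lower()) for e in raw})

def score(pmi, raw, unseen=-5.0):
    """Mean PMI over a sample's event pairs; never-co-occurring pairs are penalized."""
    pairs = list(combinations(reduce_events(raw), 2))
    return sum(pmi.get(p, unseen) for p in pairs) / len(pairs) if pairs else 0.0

def train(samples):
    """Learn PMI per co-occurring pair, then set the threshold to the
    lowest score any training (known-good) observation sample receives."""
    reduced = [reduce_events(s) for s in samples]
    n = len(reduced)
    single = Counter(e for s in reduced for e in s)
    pair = Counter(p for s in reduced for p in combinations(s, 2))
    pmi = {p: math.log(c * n / (single[p[0]] * single[p[1]]))
           for p, c in pair.items()}
    return pmi, min(score(pmi, s) for s in samples)

def is_anomalous(model, raw):
    pmi, threshold = model
    return score(pmi, raw) < threshold

# Constructed observation samples: two operating scenarios (serving, backup).
TRAIN = [
    ["proc:nginx pid=101 accept", "file:/var/www/index.html read", "net:send 443"],
    ["proc:nginx pid=102 accept", "file:/var/www/index.html read", "net:send 443"],
    ["proc:nginx pid=103 accept", "file:/var/www/app.js read", "net:send 443"],
    ["proc:cron pid=200 exec backup.sh", "file:/var/www/index.html read",
     "file:/backup/site.tar write"],
    ["proc:cron pid=201 exec backup.sh", "file:/var/www/app.js read",
     "file:/backup/site.tar write"],
]
MODEL = train(TRAIN)

# Every event below was seen in training; only the grouping differs.
BENIGN = ["proc:nginx pid=999 accept", "file:/var/www/index.html read", "net:send 443"]
ODD = ["proc:nginx pid=999 accept", "file:/backup/site.tar write", "net:send 443"]

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN), ("odd", ODD)):
        print(name, round(score(MODEL[0], sample), 3), is_anomalous(MODEL, sample))
```

The second sample is flagged even though each of its events is individually common, which is the point of modeling relationships among co-occurring events rather than single events.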