There is provided a method for improving security of computer resources, including obtaining raw memory snapshots of a computer memory of one or more computing systems during runtime of identical processes relating to a predetermined application or a service; forming a map of expected memory behaviour relating to the application or the service based on the obtained raw memory snapshots; monitoring the memory behaviour of a computing system during the execution of the same application or the service; comparing the monitored memory behaviour of the computing system with the formed map of expected memory behaviour; and in the event that a deviation from the expected memory behaviour is detected based on the comparison, triggering an alert.