Malicious computer behavior is detected automatically based on a user session. A user session comprising a sequence of process events is identified and a text-based representation is generated, wherein process events correspond to words and a sequence of words corresponds to a sentence. Subsequently, a text-based classifier classifies the session as malicious or non-malicious based on the sequence of events within the session in the text representation.