Methods and systems for encoding computer processes for malware detection
Abstract:
A method for encoding computer processes for malicious program detection. The method includes the steps of (a) randomly sampling a trace of system calls collected over a predetermined interval, each system call including context information and the memory address of the function being monitored; (b) computing differences between the addresses of successive system calls in the trace and retaining the computed values; (c) forming a group of n-grams (words) from the retained address differences; (d) forming a series of process snippets, each process snippet including context information and the retained address differences; (e) transforming each process snippet into a compact representation (process dot) comprising a pair of elements c, a, wherein c includes the context information and a is a sparse vector that encodes information derived from the group of n-grams; (f) forming clusters of compact representations; (g) obtaining clusters of compact representations from one or more computers known to be free of malicious programs; and (h) comparing the clusters formed in step (f) with those obtained in step (g) and determining from the comparison whether a malicious program is present.
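The following is an added worked example of the pipeline described in steps (a) through (h); it is not code from the patent or its assignee. Every concrete choice is an assumption made for illustration: the traces are constructed (two benign library functions alternating, then a sweep through addresses in a foreign mapping that stands in for injected code), the n-grams are bigrams of address differences, the sparse vector a is a dict from n-gram to count, clusters are built by single-pass leader clustering on cosine similarity, and an observed process dot is treated as novel when it is dissimilar to every clean-host centroid.

```python
"""Added illustration of the process-dot pipeline (constructed data, assumed
design choices; not the patent's implementation)."""
import math
import random

# --- Constructed sample telemetry (not real data) ---------------------------
# A syscall record is (process, syscall, address of the monitored function).
LIB = 0x7F3A_1000_0000           # assumed benign library mapping
INJ = 0x5555_0000_0000           # assumed foreign region (stands in for injected code)
STEP = 0x2C00                    # distance between the two benign functions

def benign_trace(proc, calls=300):
    # Benign work alternates between two library functions.
    return [(proc, ("read", "write")[i % 2], LIB + STEP * (i % 2))
            for i in range(calls)]

def injected_trace(proc, benign_calls=100, injected_calls=200):
    # Same benign prologue, then a sweep through addresses in the foreign region.
    trace = benign_trace(proc, benign_calls)
    trace += [(proc, "write", INJ + 0x10 * i) for i in range(injected_calls)]
    return trace

# --- Steps (a)-(e): sample, difference, n-grams, snippets, process dots -----
def sample_trace(trace, fraction, seed):
    """Step (a): random subsample of the interval, kept in temporal order."""
    rng = random.Random(seed)
    keep = sorted(rng.sample(range(len(trace)), int(fraction * len(trace))))
    return [trace[i] for i in keep]

def address_deltas(trace):
    """Step (b): differences between consecutive monitored addresses."""
    return [b[2] - a[2] for a, b in zip(trace, trace[1:])]

def ngrams(seq, n):
    """Step (c): overlapping n-grams ('words') of retained deltas."""
    return [tuple(seq[i:i + n]) for i in range(len(seq) - n + 1)]

def process_dots(trace, snippet_len=8, n=2, fraction=0.9, seed=0):
    """Steps (d)-(e): fixed-length snippets become (c, a) pairs; c is the
    context, a is a sparse vector stored as {n-gram: count}."""
    sampled = sample_trace(trace, fraction, seed)
    deltas = address_deltas(sampled)
    dots = []
    for w in range(0, len(deltas) - snippet_len + 1, snippet_len):
        proc, syscall, _ = sampled[w]
        c = {"process": proc, "first_syscall": syscall, "offset": w}
        a = {}
        for g in ngrams(deltas[w:w + snippet_len], n):
            a[g] = a.get(g, 0) + 1
        dots.append((c, a))
    return dots

# --- Steps (f)-(h): cluster and compare against clean-host clusters ---------
def cosine(u, v):
    dot = sum(x * v.get(k, 0.0) for k, x in u.items())
    nu = math.sqrt(sum(x * x for x in u.values()))
    nv = math.sqrt(sum(x * x for x in v.values()))
    return dot / (nu * nv) if nu and nv else 0.0

def centroid(cl):
    m = len(cl[1])
    return {k: v / m for k, v in cl[0].items()}

def leader_cluster(dots, tau=0.5):
    """Step (f)/(g): single-pass leader clustering. A dot joins the closest
    cluster whose centroid has cosine >= tau, else starts a new cluster.
    Returns a list of (centroid, members)."""
    clusters = []          # each entry: [sum_vector, members]
    for c, a in dots:
        best, best_sim = None, tau
        for cl in clusters:
            sim = cosine(a, centroid(cl))
            if sim >= best_sim:
                best, best_sim = cl, sim
        if best is None:
            clusters.append([dict(a), [(c, a)]])
        else:
            for k, v in a.items():
                best[0][k] = best[0].get(k, 0) + v
            best[1].append((c, a))
    return [(centroid(cl), cl[1]) for cl in clusters]

def novelty(a, baseline):
    """1 - max cosine to any clean-host centroid; 1.0 means nothing alike."""
    return 1.0 - max(cosine(a, cen) for cen, _ in baseline)

def compare(observed_dots, baseline, tau=0.5):
    """Step (h): cluster the observed dots, then report per cluster how far its
    centroid and its members sit from every clean-host cluster."""
    report = []
    for cen, members in leader_cluster(observed_dots, tau):
        novel = [c for c, a in members if novelty(a, baseline) > 1 - tau]
        report.append({"centroid_novelty": round(novelty(cen, baseline), 3),
                       "size": len(members), "novel_members": len(novel),
                       "contexts": novel[:3]})
    return report

if __name__ == "__main__":
    clean = [d for i in range(3) for d in process_dots(benign_trace(f"clean-{i}"), seed=i)]
    baseline = leader_cluster(clean)
    for row in compare(process_dots(injected_trace("worker-7"), seed=42), baseline):
        print(row)
```

Because the sparse vector is keyed by the n-gram itself rather than by a hashed bucket, a snippet whose address differences never occur on the clean hosts has a dot product of exactly zero with every baseline centroid; hashing the n-grams into a fixed-width vector would be the usual memory trade-off, at the cost of occasional collisions between benign and foreign words.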