![Virtual machine platform](https://kumkoniak.com/89.jpg)
![virtual machine platform virtual machine platform](https://securityonline.info/wp-content/uploads/2018/07/DjAtIFQXoAATK89.jpg)
Nodes S2, S3 are connected with an edge labeled C. In the resulting graph in Figure 1(b) nodes corresponding to calls S1, S2 are connected with the directed edge C. For example, calls S1, S2 in Figure 1(a) have a common parameter C. The graph can be built from the stream of system calls. Each vertex is corresponding to a system call, and any two vertices are connected by an edge if they share a parameter. In order to determine the behavior and specifically the anomalous behavior changes, a vertex-edge labeled graph model is proposed that allows us to capture the normal structure of operations over OS objects. Monitoring system calls along with parameters provides a system-wide view of behavior. The request to OS is issued by invoking a system call with desired parameters. For a program to sense or modify the environment a request to kernel must be issued. Windows OS organizes the environment using OS objects: file, memory section, thread, mutex, etc.
![Virtual machine platform](https://kumkoniak.com/89.jpg)