Machine learning for attack mitigation in virtual machines
US-2018060581-A1 · Mar 1, 2018 · US
US11797322B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-11797322-B2 |
| Application number | US-202117539658-A |
| Country | US |
| Kind code | B2 |
| Filing date | Dec 1, 2021 |
| Priority date | Jul 19, 2018 |
| Publication date | Oct 24, 2023 |
| Grant date | Oct 24, 2023 |
Official abstract text for this publication.
A system and method for cloud native virtual machine (VM) runtime protection. The method includes creating a normal behavior model for a cloud native VM by training a machine learning model using a training data set including training activities performed by the cloud native VM, the cloud native VM being configured to provide at least one service, wherein the normal behavior model defines at least one capability of each service based on a set of capabilities for respective known services stored within a library of service-to-capability mappings, wherein each capability of a service indicates a plurality of discrete behaviors required by the service; and monitoring an execution of the cloud native VM to detect a deviation from the normal behavior model, wherein the deviation is caused by at least one abnormal behavior of one of the services that is not among the discrete behaviors defined in capabilities for the service.
Opening claim text (preview).
What is claimed is:

1. A method comprising: associating each of a plurality of discrete behaviors with one of a plurality of activities at a cloud native virtual machine (VM), wherein each of the plurality of discrete behaviors is further associated with one or more services running on the cloud native VM; identifying each activity of the plurality of activities as an interactive activity or a background activity, wherein background activities comprise activities that do not involve interaction with a user; training a machine learning model with the plurality of discrete behaviors at the cloud native VM and a corresponding plurality of indications of whether each of the plurality of discrete behaviors is associated with background activities or interactive activities in the plurality of activities as inputs to the machine learning model, wherein the machine learning model is trained to detect normal behavior based on indications of whether each of the plurality of discrete behaviors relates to normal or abnormal behavior; creating a normal behavior model for a cloud native VM based on discrete behaviors indicated as normal by the trained machine learning model, wherein the normal behavior model defines capabilities of the one or more services that indicate discrete behaviors allowed by the one or more services; and based on monitoring execution of the cloud native VM, detecting a deviation from the normal behavior model, wherein the deviation is caused by at least one abnormal behavior of one of the one or more services that is not among the discrete behaviors defined in a capability by the normal behavior model.
2. The method of claim 1, wherein the normal behavior model is created based further on at least one behavioral rule, wherein each behavioral rule includes at least one of an explicitly allowed behavior for one of the one or more services, and an explicitly denied behavior for one of the one or more services.
3. The method of claim 1, wherein the plurality of discrete behaviors includes at least one of running a process, using an input argument for a process, and accessing a file path.
4. The method of claim 1, wherein creating the normal behavior model further comprises: correlating behaviors among the plurality of discrete behaviors for the one or more services with respect to at least one of a parameter used for a process executed as part of the plurality of discrete behaviors, a socket used as part of the plurality of discrete behaviors, and a type of file created as part of the plurality of discrete behaviors; and indicating correlated discrete behaviors in capabilities for corresponding ones of the one or more services.
5. The method of claim 1, further comprising: uploading the normal behavior model to a cloud service, wherein the normal behavior model is accessible to installations accessing the cloud service when uploaded to the cloud service.
6. The method of claim 5, wherein the uploaded normal behavior model is manually curated for use with respect to a common service executed by at least one other cloud native VM, wherein the common service is one of the one or more services.
7. The method of claim 1, wherein the capabilities of the one or more services comprise a hierarchical structure indicating an identifier of the cloud native VM at a top level, an identifier of one of the one or more services at a sub-level, an identifier of a capability at a further sub-level, and a list of allowed behaviors at a further sub-level.
8. A non-transitory machine-readable medium having program code stored thereon, the program code comprising instructions to: associate each of a plurality of discrete behaviors with one of a plurality of activities at a cloud native virtual machine (VM), wherein each of the plurality of discrete behaviors is further associated with one or more services running on the cloud native VM; identify each activity of the plurality of activities as an interactive activity or a background activity, wherein background activities comprise activities that do not involve interaction with a user; train a machine learning model with the plurality of discrete behaviors at the cloud native VM and a corresponding plurality of indications of whether each of the plurality of discrete behaviors is associated with background activities or interactive activities in the plurality of activities as inputs to the machine learning model, wherein the machine learning model is trained to detect normal behavior based on indications of whether each of the plurality of discrete behaviors relates to normal or abnormal behavior; create a normal behavior model for a cloud native VM based on discrete behaviors indicated as normal by the trained machine learning model, wherein the normal behavior model defines capabilities of the one or more services that indicate discrete behaviors allowed by the one or more services; and based on monitoring execution of the cloud native VM, detect a deviation from the normal behavior model, wherein the deviation is caused by at least one abnormal behavior of one of the one or more services that is not among the discrete behaviors defined in a capability by the normal behavior model.
9. A system comprising: a processor; and a machine-readable medium, the machine-readable medium having instructions stored thereon that are executable by the processor to cause the system to: associate each of a plurality of discrete behaviors with one of a plurality of activities at a cloud native virtual machine (VM), wherein each of the plurality of discrete behaviors is further associated with one or more services running on the cloud native VM; identify each activity of the plurality of activities as an interactive activity or a background activity, wherein background activities comprise activities that do not involve interaction with a user; train a machine learning model with the plurality of discrete behaviors at the cloud native VM and a corresponding plurality of indications of whether each of the plurality of discrete behaviors is associated with background activities or interactive activities in the plurality of activities as inputs to the machine learning model, wherein the machine learning model is trained to detect normal behavior based on indications of whether each of the plurality of discrete behaviors relates to normal or abnormal behavior; create a normal behavior model for a cloud native VM based on discrete behaviors indicated as normal by the trained machine learning model, wherein the normal behavior model defines capabilities of the one or more services that indicate discrete behaviors allowed by the service; and based on monitoring execution of the cloud native VM, detect a deviation from the normal behavior model, wherein the deviation is caused by at least one abnormal behavior of one of the one or more services that is not among the discrete behaviors defined in a capability for the one or more services.
10. The machine-readable medium of claim 8, wherein the normal behavior model is created based further on at least one behavioral rule, wherein each behavioral rule includes at least one of an explicitly allowed behavior for the one or more services and an explicitly denied behavior for one of the one or more services.
11. The machine-readable medium of claim 8, wherein the plurality of discrete behaviors includes at least one of running a process, using an input argument for a process, and accessing a file path.
12. The machine-readable medium of claim 8, further comprising program code to: correlate behaviors among the plurality of discrete behaviors for the one or more services with respect to at least on
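Added example, not the patent's or any assignee's code: a Python sketch of the normal behavior model described in claims 1, 2, 3 and 7, a hierarchy of VM, then service, then capability, then allowed behaviors, built from a library of service-to-capability mappings plus explicit allow/deny rules, and the deviation check of claim 1 run over constructed events. The trained machine learning model is replaced by a labelled stand-in (an observation-count threshold over background activity); all service names, paths and events are constructed.

```python
from collections import Counter

# Added illustration, not the patent's code. MIN_SEEN is an assumption standing in
# for the claimed machine learning model: a behavior observed in background
# (non-interactive) activity at least MIN_SEEN times is indicated as normal.
MIN_SEEN = 2

# Constructed library of service-to-capability mappings for one known service.
SERVICE_LIBRARY = {
    "nginx": {
        "serve_http": {("process", "nginx"), ("arg", "-c /etc/nginx/nginx.conf")},
        "write_logs": {("path", "/var/log/nginx/access.log")},
    },
}

def train_model(vm_id, training_events, rules=()):
    """Build {vm_id: {service: {capability: {behavior, ...}}}} (claim 7 hierarchy).
    training_events: (service, (kind, value), interactive) with kind in
    'process', 'arg', 'path'.  rules: ('allow'|'deny', service, behavior)."""
    seen = Counter((svc, beh) for svc, beh, interactive in training_events if not interactive)
    caps_by_service = {}
    for (svc, beh), count in seen.items():
        if count < MIN_SEEN:
            continue  # too rare: not indicated as normal by the stand-in model
        library = SERVICE_LIBRARY.get(svc, {})
        cap = next((c for c, behs in library.items() if beh in behs), "learned")
        caps_by_service.setdefault(svc, {}).setdefault(cap, set()).add(beh)
    for action, svc, beh in rules:  # explicit behavioral rules (claim 2)
        cap = "explicit_allow" if action == "allow" else "explicit_deny"
        caps_by_service.setdefault(svc, {}).setdefault(cap, set()).add(beh)
    return {vm_id: caps_by_service}

def detect_deviations(model, vm_id, events):
    """Return (service, behavior) pairs outside every capability or explicitly denied."""
    deviations = []
    for svc, beh in events:
        caps = model[vm_id].get(svc, {})
        denied = beh in caps.get("explicit_deny", set())
        allowed = any(beh in behs for cap, behs in caps.items() if cap != "explicit_deny")
        if denied or not allowed:
            deviations.append((svc, beh))
    return deviations

# Constructed sample data: a training window, then a monitored window.
TRAINING = [("nginx", ("process", "nginx"), False)] * 2 + [
    ("nginx", ("path", "/var/log/nginx/access.log"), False)] * 2 + [
    ("nginx", ("process", "sh"), True)]  # interactive admin session, not baseline
RULES = [("deny", "nginx", ("process", "sh"))]
MONITORED = [("nginx", ("process", "nginx")), ("nginx", ("process", "sh")),
             ("nginx", ("path", "/srv/data/unexpected.db"))]
```

Calling `train_model("vm-01", TRAINING, RULES)` and then `detect_deviations` over `MONITORED` flags the denied shell and the unknown file path while the learned nginx behaviors pass.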
Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines · CPC title
Configuring for program initiating, e.g. using registry, configuration files · CPC title
Hypervisor-specific management and integration aspects · CPC title
Updates performed during online database operations; commit processing · CPC title
Generating training patterns; Bootstrap methods, e.g. bagging or boosting · CPC title