System, apparatus and method for performing on-demand binary analysis for detecting code reuse attacks
US-2018096147-A1 · Apr 5, 2018 · US
US12488106B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-12488106-B2 |
| Application number | US-202218084177-A |
| Country | US |
| Kind code | B2 |
| Filing date | Dec 19, 2022 |
| Priority date | Jul 22, 2022 |
| Publication date | Dec 2, 2025 |
| Grant date | Dec 2, 2025 |
Abstract
Techniques and systems described herein relate to monitoring executions of computer instructions on computing devices based on learning and generating a control flow directed graph. The techniques and systems include determining an observation phase for a process or application on a computing device. During the observation phase, CPU telemetry is determined and used to generate a control flow directed graph. After the control flow directed graph is generated, a monitoring phase may be entered where transfers of instruction pointers are monitored based on the control flow directed graph to identify invalid transfers.
Claims
What is claimed is:
1. A method for monitoring cloud-native workloads of a computing system, comprising: performing an observation phase for observing execution of processes on the computing system, the processes including the cloud-native workloads; determining, during the observation phase, telemetry representing execution of the processes; generating a control flow directed graph based on the telemetry; based at least in part on determining completion of the observation phase, performing, by a cloud-based agent, a monitoring phase based at least in part on the control flow directed graph; monitoring, by the cloud-based agent, transfers of instruction pointers at the computing system; and determining, by the cloud-based agent, an invalid transfer based at least in part on the control flow directed graph.
2. The method of claim 1, wherein determining completion of the observation phase is based at least in part on the control flow directed graph representing at least a threshold of application processes.
3. The method of claim 1, wherein generating the control flow directed graph is based on observed transfers during the observation phase, wherein the observed transfers during the observation phase are considered valid transfers.
4. The method of claim 1, wherein performing the observation phase comprises determining a predetermined observation time window to observe transitions by an application or a predetermined code percentage to observe.
5. The method of claim 1, further comprising reporting the invalid transfer to a security operations center or a cloud-based system.
6. The method of claim 1, wherein the telemetry comprises central processing unit (CPU) telemetry, and wherein generating the control flow directed graph comprises normalizing the CPU telemetry into a control flow directed graph representation.
7. The method of claim 6, wherein the monitoring phase is performed using a cloud-based agent executing on a hardware device of the computing system, and wherein determining the invalid transfer is based at least in part on identifying an instruction sequence in the CPU telemetry that is not present in the control flow directed graph.
8. A system comprising: one or more processors; and one or more non-transitory computer-readable media storing computer-executable instructions that, when executed by the one or more processors, cause the one or more processors to perform operations comprising: performing an observation phase for observing execution of processes by the one or more processors, the processes including cloud-native workloads executing on one or more virtual machines; determining telemetry, during the observation phase, representing execution of the processes; generating a control flow directed graph based on the telemetry; based on determining completion of the observation phase, performing a monitoring phase of the processes based at least in part on the control flow directed graph; monitoring transfers of instruction pointers by the one or more processors; and determining an invalid transfer based at least in part on the control flow directed graph and the transfers of instruction pointers.
9. The system of claim 8, wherein determining the invalid transfer comprises: determining a transfer of an instruction pointer; comparing the transfer against the control flow directed graph; determining the transfer is not present in the control flow directed graph; and determining the transfer is the invalid transfer.
10. The system of claim 8, wherein performing the monitoring phase comprises determining completion of the observation phase based at least in part on the control flow directed graph representing at least a threshold of application processes.
11. The system of claim 8, wherein generating the control flow directed graph is based on observed transfers during the observation phase, wherein the observed transfers during the observation phase are considered valid transfers.
12. The system of claim 8, wherein the cloud-native workloads further execute on a computing device.
13. The system of claim 8, wherein determining the invalid transfer comprises inputting the transfers of instruction pointers into a machine learning model trained to identify invalid transfers based at least in part on transfers included in the control flow directed graph.
14. The system of claim 8, further comprising reporting the invalid transfer to a cloud-based system for monitoring one or more computing systems.
15. One or more non-transitory computer-readable media storing computer-readable instructions that, when executed by one or more processors of a cloud-based system, cause the one or more processors to: perform an observation phase for observing execution of processes by the one or more processors, the processes including one or more cloud-native workloads; determine telemetry, during the observation phase, representing execution of the processes; generate a control flow directed graph based on the telemetry; and convey the control flow directed graph to a computing device for monitoring, by a cloud-based agent, execution of processes by the computing device based at least in part on the control flow directed graph.
16. The one or more non-transitory computer-readable media of claim 15, wherein the instructions to generate the control flow directed graph comprise further instructions to determine completion of the observation phase based at least in part on the control flow directed graph representing at least a threshold portion of application processes.
17. The one or more non-transitory computer-readable media of claim 15, wherein generating the control flow directed graph is based on observed transfers during the observation phase, wherein the observed transfers during the observation phase are considered valid transfers.
18. The one or more non-transitory computer-readable media of claim 15, wherein performing the observation phase comprises determining a predetermined observation time window to observe transitions by an application or a predetermined code percentage to observe.
19. The one or more non-transitory computer-readable media of claim 15, wherein the telemetry comprises central processing unit (CPU) telemetry, and wherein generating the control flow directed graph comprises normalizing the CPU telemetry into a control flow directed graph representation.
20. The one or more non-transitory computer-readable media of claim 15, wherein determining the telemetry comprises determining whether the processes are running on the computing device or within a virtual machine.
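As an added illustration of the two-phase scheme in the abstract and claims 1 to 9 (this is not code from the patent or its assignee), the following Python consumes a stream of (source, destination) instruction-pointer transfers such as a branch-trace decoder would emit, learns a control flow directed graph during an observation phase in which every observed transfer is taken as valid, declares the phase complete once a chosen fraction of known branch sites has been seen (standing in for the claimed "predetermined code percentage"; a record cap stands in for the "observation time window"), and then flags any transfer whose edge is absent from the graph. Addresses are normalized to (module, offset) before they enter the graph, which is one concrete way of "normalizing the CPU telemetry" so the learned graph survives ASLR between process restarts. All module bases, branch sites and trace records are constructed for the example; the cloud-based agent and the reporting path are represented only by an alert list.

```python
from collections import defaultdict

# Constructed module map (hypothetical base addresses): name -> (base, size).
MODULES = {
    "app":  (0x55AA00000000, 0x10000),
    "libc": (0x7F0000000000, 0x200000),
}


def normalize(addr, modules):
    """Normalise a raw instruction pointer to (module, offset) so a graph learned
    under one ASLR layout stays valid; unknown addresses keep their raw value."""
    for name, (base, size) in modules.items():
        if base <= addr < base + size:
            return (name, addr - base)
    return ("?", addr)


class ControlFlowGraph:
    """Directed graph of observed (src -> dst) instruction-pointer transfers."""

    def __init__(self):
        self.edges = defaultdict(set)

    def add(self, src, dst):
        self.edges[src].add(dst)

    def contains(self, src, dst):
        return dst in self.edges.get(src, ())

    def sources(self):
        return set(self.edges)


class Monitor:
    """Two-phase detector: learn the graph, then flag transfers not in it."""

    def __init__(self, branch_sites, modules, code_fraction=0.8, max_records=10_000):
        self.modules = modules
        # Branch sites known from static disassembly (constructed here); the share of
        # them seen as a transfer source stands in for the 'code percentage to observe'.
        self.branch_sites = {normalize(a, modules) for a in branch_sites}
        self.code_fraction = code_fraction
        self.max_records = max_records  # stands in for the observation time window
        self.graph = ControlFlowGraph()
        self.phase = "observation"
        self.records = 0
        self.alerts = []

    def coverage(self):
        if not self.branch_sites:
            return 1.0
        return len(self.graph.sources() & self.branch_sites) / len(self.branch_sites)

    def observation_complete(self):
        return self.coverage() >= self.code_fraction or self.records >= self.max_records

    def feed(self, src_addr, dst_addr):
        """Consume one telemetry record; return an alert dict or None."""
        src = normalize(src_addr, self.modules)
        dst = normalize(dst_addr, self.modules)
        if self.phase == "observation":
            self.graph.add(src, dst)  # every transfer seen now is treated as valid
            self.records += 1
            if self.observation_complete():
                self.phase = "monitoring"
            return None
        if self.graph.contains(src, dst):
            return None
        alert = {"src": src, "dst": dst, "reason": "transfer not in learned CFG"}
        self.alerts.append(alert)  # in the patent's terms: report to a SOC / cloud system
        return alert


def run_demo():
    """Learn from constructed benign telemetry, then monitor under a new ASLR layout."""
    app, libc = MODULES["app"][0], MODULES["libc"][0]
    sites = [app + 0x1000, app + 0x1200, app + 0x2000, libc + 0x4000, libc + 0x4200]
    mon = Monitor(sites, MODULES, code_fraction=0.8)
    benign = [  # constructed trace: four transfers cover 4 of the 5 known sites
        (app + 0x1000, app + 0x1200),
        (app + 0x1200, libc + 0x4000),
        (libc + 0x4000, app + 0x1300),
        (app + 0x2000, libc + 0x4200),
    ]
    for s, d in benign:
        mon.feed(s, d)
    # The process restarts with different module bases; offsets, not raw addresses,
    # are compared, so the learned graph still applies.
    mon.modules = {"app": (0x560000000000, 0x10000), "libc": (0x7F5500000000, 0x200000)}
    app2, libc2 = mon.modules["app"][0], mon.modules["libc"][0]
    ok = mon.feed(app2 + 0x1000, app2 + 0x1200)      # learned edge -> None
    bad = mon.feed(libc2 + 0x4000, libc2 + 0x9F00)   # ret-style pivot to an unseen target
    return mon, ok, bad


if __name__ == "__main__":
    mon, ok, bad = run_demo()
    print(mon.phase, f"coverage={mon.coverage():.2f}", ok, bad)
```

Two practical caveats follow directly from the design. First, the graph is an allowlist of edges that happened to be exercised, so a legitimate but unobserved path (here, any transfer out of the libc site at offset 0x4200, which was a known branch site but never appeared as a source) is flagged exactly like a code-reuse pivot; the code-percentage threshold is therefore a trade between observation time and false positives, and claim 13's machine-learning variant is one way of softening the exact-match rule. Second, real CPU telemetry (LBR, Intel PT and similar) is far higher volume than this toy stream, and normalizing to module-relative offsets is what lets one learned graph be conveyed to other instances of the same workload, as claim 15 describes.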
Structural analysis for program understanding · CPC title
Program code verification, e.g. Java bytecode verification, proof-carrying code (high-level semantic checks G06F8/43; prevention of errors by analysis, debugging or testing of software G06F11/36) · CPC title
using software metrics · CPC title
by executing in a restricted environment, e.g. sandbox or secure virtual machine · CPC title
Assessing vulnerabilities and evaluating computer system security · CPC title