System, apparatus and method for performing on-demand binary analysis for detecting code reuse attacks
US-2018096147-A1 · Apr 5, 2018 · US
US12499231B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-12499231-B2 |
| Application number | US-202218084065-A |
| Country | US |
| Kind code | B2 |
| Filing date | Dec 19, 2022 |
| Priority date | Jul 22, 2022 |
| Publication date | Dec 16, 2025 |
| Grant date | Dec 16, 2025 |
Abstract
Techniques and systems described herein relate to monitoring executions of computer instructions on computing devices based on learning and generating a control flow directed graph. The techniques and systems include determining a learned control flow directed graph for a process executed on the computing system. A system call is identified during execution of the process, as well as a predetermined number of transitions leading to the system call. A validity of the transitions leading to the system call is determined based on the learned control flow directed graph, and the computing system may perform an action based on the validity.
Claims
What is claimed is:

1. A method for monitoring a computing system, comprising: determining a learned control flow directed graph for a process executed on a computing system, the learned control flow directed graph representing a valid sequence of transitions or a valid number of transitions for a process executed on the computing system that were observed in a monitoring phase; determining an intercepted system call during execution of the process; determining a predetermined sequence of transitions or predetermined number of transitions leading to the intercepted system call; determining a validity for execution of the processes based at least in part on a comparison of the valid sequence of transitions or a valid number of transitions and the predetermined sequence of transitions or predetermined number of transitions; and causing the computing system to perform an action based at least in part on the validity.
2. The method of claim 1, wherein determining the system call comprises: capturing, via a central processing unit (CPU) of the computing system, telemetry associated with the process; and maintaining, in memory of the computing system, a predetermined number of batches of the telemetry.
3. The method of claim 2, wherein determining the predetermined number of transitions comprises determining transitions included in the predetermined number of batches of the telemetry.
4. The method of claim 2, wherein determining the validity of the predetermined number of transitions comprises decoding the telemetry to determine transitions and comparing the transitions against the learned control flow directed graph.
5. The method of claim 1, wherein the action comprises determining an error in response to determining that at least one of the predetermined number of transitions is invalid based on the at least one of the predetermined number of transitions not being included in the learned control flow directed graph.
6. The method of claim 1, wherein the action comprises performing the intercepted system call in response to determining that the predetermined number of transitions are included in the learned control flow directed graph.
7. The method of claim 1, wherein determining the learned control flow directed graph comprises observing execution of the process until at least a threshold percentage of code associated with the process is observed.
8. A system comprising: one or more processors; and one or more non-transitory computer-readable media storing computer-executable instructions that, when executed by the one or more processors, cause the one or more processors to perform operations comprising: determining a learned control flow directed graph for a process executed on a computing system, the learned control flow directed graph representing a valid sequence of transitions or a valid number of transitions for a process executed on the computing system that were observed in a monitoring phase; determining an intercepted system call during execution of the process; determining a predetermined sequence of transitions or predetermined number of transitions leading to the intercepted system call; determining a validity for execution of the processes based at least in part on a comparison of the valid sequence of transitions or a valid number of transitions and the predetermined sequence of transitions or predetermined number of transitions; and causing the computing system to perform an action based at least in part on the validity.
9. The system of claim 8, wherein determining the predetermined number of transitions leading to the intercepted system call comprises determining a risk score associated with the intercepted system call, and wherein the predetermined number of transitions is based at least in part on the risk score.
10. The system of claim 8, the operations further comprising storing a predetermined number of recent batches of telemetry in a memory of the system, and wherein determining the predetermined number of transitions is based at least in part on processing the telemetry to identify transitions from the telemetry.
11. The system of claim 10, wherein determining the validity of the predetermined number of transitions comprises decoding the telemetry to determine transitions and comparing the transitions against the learned control flow directed graph.
12. The system of claim 8, wherein determining the validity for the predetermined number of transitions comprises identifying the predetermined number of transitions within the learned control flow directed graph.
13. The system of claim 12, wherein in response to one or more of the predetermined number of transitions not being within the learned control flow directed graph, the action comprises generating an error and preventing execution of the system call.
14. The system of claim 8, wherein determining the learned control flow directed graph comprises observing execution of the process until at least a threshold percentage of code associated with the process is observed.
15. One or more non-transitory computer-readable media storing computer-readable instructions that, when executed by one or more processors, cause the one or more processors to: determine a learned control flow directed graph for a process executed on a computing system, the learned control flow directed graph representing a valid sequence of transitions or a valid number of transitions for a process executed on the computing system that were observed in a monitoring phase; determine an intercepted system call during execution of the process; determine a predetermined sequence of transitions or predetermined number of transitions leading to the intercepted system call; determine a validity for execution of the processes based at least in part on a comparison of the valid sequence of transitions or a valid number of transitions and the predetermined sequence of transitions or predetermined number of transitions; and cause the computing system to perform an action based at least in part on the validity.
16. The one or more non-transitory computer-readable media of claim 15, the instructions comprising further instructions that, when executed by the one or more processors, cause the one or more processors to additionally: store a predetermined number of recent batches of telemetry in a memory of the system, and wherein the instructions to determine the predetermined number of transitions is based at least in part on processing the telemetry to identify transitions from the telemetry.
17. The one or more non-transitory computer-readable media of claim 15, wherein the instructions to determine the validity for the predetermined number of transitions comprises identifying the predetermined number of transitions within the learned control flow directed graph.
18. The one or more non-transitory computer-readable media of claim 17, wherein in response to one or more of the predetermined number of transitions not being within the learned control flow directed graph, the action comprises generating an error and preventing execution of the intercepted system call.
19. The one or more non-transitory computer-readable media of claim 15, wherein the instructions to determine the predetermined number of transitions leading to the intercepted system call comprises determining a risk score associated with the intercepted system call, and wherein the predetermined number of transitions is based at least in part on the risk score.
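The abstract and claims describe a detection mechanism with four moving parts: a control flow directed graph learned by observing the process during a monitoring phase (claims 1 and 7), a bounded set of recent telemetry batches (claims 2 and 10), an intercepted system call that triggers a check of the transitions leading up to it (claims 1 and 4), and a window size tied to a risk score for that call (claims 9 and 19), with the call either allowed or blocked with an error (claims 5, 6 and 13). The following Python simulation is an added example written for this page, not code from the patent or its assignee: it models transitions as pairs of basic-block labels, the telemetry buffer as a deque of batches, and the check as a lookup of each recent transition in the learned graph. The block labels, training trace, system-call names, risk scores and the base window size are all constructed for the example; a real implementation would decode CPU trace telemetry into transitions, which is out of scope here.

```python
"""Simulation of the on-demand transition check described in the claims:
a control-flow graph learned during a monitoring phase, a bounded buffer of
telemetry batches, and a validity check of the last N transitions when a
system call is intercepted, with N scaled by the call's risk score.
Block labels, syscall names, risk scores and the trace are constructed."""
from collections import deque
from dataclasses import dataclass, field

Transition = tuple[str, str]  # (source block, destination block)


@dataclass
class LearnedCFG:
    """Directed graph of transitions observed in the monitoring phase."""
    edges: dict[str, set[str]] = field(default_factory=dict)
    observed_blocks: set[str] = field(default_factory=set)

    def learn(self, transition: Transition) -> None:
        src, dst = transition
        self.edges.setdefault(src, set()).add(dst)
        self.observed_blocks.update((src, dst))

    def coverage(self, total_blocks: int) -> float:
        """Fraction of the program's blocks seen so far (claim 7's threshold)."""
        return len(self.observed_blocks) / total_blocks

    def has_edge(self, transition: Transition) -> bool:
        src, dst = transition
        return dst in self.edges.get(src, set())


def learn_until(cfg: LearnedCFG, trace, total_blocks: int, threshold: float) -> int:
    """Consume observed transitions until coverage reaches the threshold.
    Returns how many transitions were consumed before stopping."""
    for count, transition in enumerate(trace, start=1):
        cfg.learn(transition)
        if cfg.coverage(total_blocks) >= threshold:
            return count
    return len(trace)


class TelemetryBuffer:
    """Keeps only the most recent batches of trace telemetry (claims 2, 10)."""
    def __init__(self, max_batches: int) -> None:
        self.batches: deque = deque(maxlen=max_batches)

    def record_batch(self, transitions) -> None:
        self.batches.append(list(transitions))

    def recent_transitions(self, n: int) -> list:
        flat = [t for batch in self.batches for t in batch]
        return flat[-n:]


# Assumed risk scores; a higher score widens the window inspected (claim 9).
RISK_SCORES = {"execve": 3, "open": 2, "write": 1}
BASE_WINDOW = 2  # assumed number of transitions checked per unit of risk


def window_for(syscall: str) -> int:
    return BASE_WINDOW * RISK_SCORES.get(syscall, 1)


def check_syscall(cfg: LearnedCFG, telemetry: TelemetryBuffer, syscall: str):
    """Decide whether an intercepted system call may proceed.
    Returns ("allow", []) or ("error", [transitions not in the graph])."""
    window = telemetry.recent_transitions(window_for(syscall))
    invalid = [t for t in window if not cfg.has_edge(t)]
    return ("error", invalid) if invalid else ("allow", [])


# Constructed program: five blocks A..E with this legitimate control flow.
TRAINING_TRACE = [("A", "B"), ("B", "C"), ("C", "D"), ("D", "E"), ("E", "A"), ("B", "D")]


def build_cfg() -> LearnedCFG:
    cfg = LearnedCFG()
    for t in TRAINING_TRACE:
        cfg.learn(t)
    return cfg


def demo():
    cfg = build_cfg()
    telemetry = TelemetryBuffer(max_batches=2)
    # Legitimate execution: every transition was seen during learning.
    telemetry.record_batch([("A", "B"), ("B", "C")])
    telemetry.record_batch([("C", "D"), ("D", "E")])
    benign = check_syscall(cfg, telemetry, "execve")
    # A transition never observed in learning (D -> B) precedes the next call.
    telemetry.record_batch([("E", "A"), ("A", "B"), ("D", "B")])
    suspicious = check_syscall(cfg, telemetry, "execve")
    # A low-risk call inspects only the last 2 transitions, so the older
    # unobserved edge falls outside its window and the call is allowed.
    telemetry.record_batch([("B", "C"), ("C", "D")])
    low_risk = check_syscall(cfg, telemetry, "write")
    return benign, suspicious, low_risk


if __name__ == "__main__":
    print(demo())
```

The third decision in `demo()` is the design point worth noticing: the window size bounds both the detection cost and what the check can see, so a low risk score that shrinks the window also lets an earlier unobserved transition go unexamined. The bounded batch buffer has the same effect over a longer horizon, since batches evicted from the deque can no longer be inspected for any later call.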
CPC classification titles:

- Structural analysis for program understanding
- Program code verification, e.g. Java bytecode verification, proof-carrying code (high-level semantic checks G06F8/43; prevention of errors by analysis, debugging or testing of software G06F11/36)
- using software metrics
- by executing in a restricted environment, e.g. sandbox or secure virtual machine
- Assessing vulnerabilities and evaluating computer system security