Method for determining real-time malicious behavior of a computer program, such as on Android systems. A first sequence of APIs from a total sequence of intercepted APIs generated by the computer program are saved and converted into vector representation and comprise inputs, together with statistical information about API's in the first sequence and APIs in the total sequence, for determining whether the behavior of the computer program constitutes abnormal behavior of the computer program.Determining uses pre-trained dataset and model in various types of machine learning.