# Closest direct precedent

This paper applies deep learning to **time-series system-call traces inside virtual machines** for malware detection — almost exactly the framing of this project, just one layer deeper in the stack (syscall traces vs `/proc` samples).

## What we borrowed

- **Windowing strategy.** The paper's fixed-length sliding-window formulation over a sequential telemetry stream is the same shape we use for our 10-second `/proc` windows fed to LSTM/GRU/RNN.
- **Recurrent architecture as the simple-but-strong baseline.** Their result that an LSTM on raw sequences beats hand-crafted feature classifiers on the same data is the cited justification for our LSTM/GRU/RNN row of the model comparison.
- **Per-VM containment posture.** Confirms our choice to run each episode in its own throwaway Alpine guest rather than instrumenting the host process directly.

## Where it differs

- Their telemetry is full **syscall traces** (much richer than `/proc` resource counters), which is why their numbers don't transfer 1-to-1 to our setup. They establish *that* this works; we measure how well it works on a thinner, more deployable signal.
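
The windowing described under "What we borrowed", as an added sketch that is neither this project's nor the paper's code: it cuts 10-second windows per episode so that no window mixes samples from two guests, and drops windows with a sampling gap instead of padding them. The 1-second sampling period, the two feature names and the sample data are assumptions made for the illustration.

```python
from collections import defaultdict

WINDOW_S = 10   # window length taken from the notes above
PERIOD_S = 1    # assumed sampling period (not stated in the notes)

def make_windows(samples, window_s=WINDOW_S, period_s=PERIOD_S, stride=1):
    """Turn (episode_id, t, features) samples into fixed-length windows.

    Returns a list of (episode_id, start_t, steps), where steps holds
    window_s // period_s feature vectors: one [timesteps, features] input
    for a recurrent model. Windows never cross an episode boundary, and a
    window that contains a sampling gap is dropped rather than padded.
    """
    steps_per_window = window_s // period_s
    by_episode = defaultdict(list)
    for episode_id, t, features in samples:
        by_episode[episode_id].append((t, list(features)))

    windows = []
    for episode_id, rows in sorted(by_episode.items()):
        rows.sort(key=lambda r: r[0])
        for i in range(0, len(rows) - steps_per_window + 1, stride):
            chunk = rows[i:i + steps_per_window]
            times = [t for t, _ in chunk]
            contiguous = all(b - a == period_s for a, b in zip(times, times[1:]))
            if contiguous:
                windows.append((episode_id, times[0], [f for _, f in chunk]))
    return windows

def constructed_samples():
    """Constructed data: two episodes, hypothetical features [cpu_ticks, rss_kb]."""
    ep_a = [("ep-a", t, [100 + 3 * t, 2048 + t]) for t in range(12)]
    # ep-b loses the sample at t=5, so none of its 10-step windows is contiguous.
    ep_b = [("ep-b", t, [50 + t, 4096]) for t in range(12) if t != 5]
    return ep_a + ep_b

if __name__ == "__main__":
    for episode_id, start, steps in make_windows(constructed_samples()):
        print(episode_id, start, len(steps), steps[0], steps[-1])
```

With `stride=1` the windows overlap by nine samples; setting `stride` to the window length gives disjoint windows, which keeps near-duplicate sequences out of a train/test split.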