Identifying malicious code execution of executing subject code of a software enclave of a processing system follows a process that includes monitoring performance characteristics of the processing system attributed to execution of the subject code of the software enclave. The monitoring produces performance data, which is stored to a relational database. The process applies a classification model to the stored performance data to obtain an output, and, based on the output of the classification model, identifies anomalous behavior in the execution of the subject code and determines a confidence level that the anomalous behavior exhibits malicious activity. Based on the confidence level exceeding a threshold, the process determines that the executing subject code is malicious and initiates halting of the execution of the subject code.