Automated caching of behavioral patterns for efficient run-time

Date
2006-01-01
Authors
Stakhanova, Natalia
Basu, Samik
Lutz, Robyn
Abstract

Run-time monitoring is a powerful approach for dynamically detecting faults or malicious activity of software systems. However, there are often two obstacles to the implementation of this approach in practice: (1) that developing correct and/or faulty behavioral patterns can be a difficult, labor-intensive process, and (2) that use of such pattern-monitoring must provide rapid turn-around or response time. We present a novel data structure, called extended action graph, and associated algorithms to overcome these drawbacks. At its core, our technique relies on effectively identifying and caching specifications from (correct/faulty) patterns learnt via a machine-learning algorithm. We describe the design and implementation of our technique and show its practical applicability in the domain of security monitoring of sendmail software.

Type
article