eXecute Only Memory (XOM), which uses code encryption and integrity verification to protect systems from unauthorized foreign code, does not completely protect workstations against attackers who tamper with memory. To address this problem, an architectural technique called Runtime Monitoring of Malicious Code in a Network (RUNMAC) was designed to detect the program flow anomalies associated with such malicious code. RUNMAC verifies program code at the hash block level (a hash block is similar to a basic block): the hash functions are pre-computed to generate a Hashed Message Authentication Code (HMAC) for each hash block, and each HMAC is verified while the program executes in memory. To achieve protection against automated attack tools, Elliptic Curve (EC) based Multi-signcryption was used to generate the 128-bit HMAC needed to protect network workstations against memory replay attacks. Furthermore, a 16-entry read buffer was used to eliminate and correct all XOM-related problems with a computation latency of 20 cycles. RUNMAC was implemented on the Java Development Kit under the platform of the ASP.Net framework. To evaluate the performance impact of RUNMAC against XOM, five integer benchmark simulations were carried out by adjusting memory values on RUNMAC and XOM. The results showed that the encryption unit in XOM degrades performance by increasing memory access latency. On the benchmark programs, RUNMAC took an average of 6.4s to detect unauthorized foreign code, against the 11.0s that is common with XOM; this was reduced to less than 5s by increasing the hash size of the instruction cache. With the evaluated results, RUNMAC demonstrated improved precision across several program test codes. This showed that RUNMAC can detect flow anomalies that are common with the XOM architecture and protect against unauthorized code, acting as a new layer of defence that runs concurrently with existing security tools.
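The per-hash-block check described above can be sketched in software as follows; this is an added example, not RUNMAC's own code. It assumes HMAC-SHA-256 truncated to 128 bits under a plain shared key (standing in for the EC multi-signcryption step), a 32-byte hash block, and tags bound to the block address and a trusted version counter, none of which are specified on the page.

```python
import hashlib
import hmac
import struct

BLOCK_SIZE = 32  # assumed hash-block size in bytes (not given on the page)
TAG_BYTES = 16   # 128-bit tag, the size the abstract states

class BlockMonitor:
    """Holds the key and per-block version counters (assumed trusted storage)."""
    def __init__(self, key):
        self._key = key
        self._versions = {}

    def _tag(self, addr, data):
        # Binding address and version into the MAC is an assumption of this sketch.
        header = struct.pack(">QQ", addr, self._versions[addr])
        return hmac.new(self._key, header + data, hashlib.sha256).digest()[:TAG_BYTES]

    def seal(self, addr, data):
        """Pre-compute (or refresh) the tag for one block, bumping its version."""
        self._versions[addr] = self._versions.get(addr, -1) + 1
        return self._tag(addr, data)

    def verify(self, addr, data, tag):
        """Runtime check of a block and tag fetched from untrusted memory."""
        if addr not in self._versions:
            return False
        return hmac.compare_digest(self._tag(addr, data), tag)

def seal_image(monitor, image, base=0):
    """Split a code image into hash blocks; return addr -> (block, tag)."""
    mem = {}
    for off in range(0, len(image), BLOCK_SIZE):
        block = image[off:off + BLOCK_SIZE]
        mem[base + off] = (block, monitor.seal(base + off, block))
    return mem

def demo():
    """Run the checks on a constructed key and a constructed 4-block image."""
    mon = BlockMonitor(bytes(range(32)))
    image = bytes((i * 7) % 256 for i in range(4 * BLOCK_SIZE))
    mem = seal_image(mon, image, base=0x1000)
    data, tag = mem[0x1000]
    out = {"clean": mon.verify(0x1000, data, tag)}
    out["tampered"] = mon.verify(0x1000, bytes([data[0] ^ 1]) + data[1:], tag)
    out["spliced"] = mon.verify(0x1000, *mem[0x1020])  # valid pair, wrong address
    stale, fresh = mem[0x1000], b"\x90" * BLOCK_SIZE
    mem[0x1000] = (fresh, mon.seal(0x1000, fresh))      # legitimate update
    out["updated"] = mon.verify(0x1000, *mem[0x1000])
    out["replayed"] = mon.verify(0x1000, *stale)        # old pair put back
    return out
```

Only the clean and legitimately updated blocks verify; the modified block, the block copied from another address, and the stale block/tag pair are all rejected.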