US Patent 10430581 Computer telemetry analysis

Methods, systems, and apparatus, including computer programs encoded on computer storage media, for analyzing telemetry to detect anomalous activity. One of the methods includes accessing data describing a telemetry tree that includes a plurality of nodes and edges; querying, for each of the edges in the telemetry tree using at least one value for the edge from a number of values, historical telemetry data that quantifies an anomaly score for each value to determine whether a relationship indicated by the edge in the telemetry tree represents a potentially malicious relationship; and performing an action using a result of the querying of the historical telemetry data that indicates whether one of the anomaly scores indicates that the relationship indicated by the edge in the telemetry tree represents a potentially malicious relationship.