Patent attributes
A multi-stage anomaly detector analyzes an anomalous process chain in real time and rapidly determines whether the process chain is indicative of a cyber threat on an endpoint computing device in a multi-host environment. The multi-stage anomaly detector is used in an analyzer module configured within a host endpoint agent on that device. The analyzer module generates an anomaly score to correlate a likelihood that the detected cyber threat is harmful to that device. The multi-stage anomaly detector includes a first stage, a second stage, and a third stage of anomaly detectors. Each stage generates its own anomaly score, producing at least one rapidly determined anomaly score as well as one thoroughly determined anomaly score. Each stage's anomaly score is generated from computational processes and factors that differ from those of the other stages.