Methods and systems for detecting anomalous events include detecting anomalous events in monitored system data. An event correlation graph is generated by determining a tendency for a first process to access a system target, including an innate tendency of the first process to access the system target, an influence of previous events from the first process, and an influence of processes other than the first process. Kill chains are generated from the event correlation graph that characterize events in an attack path over time. A security management action is performed based on the kill chains.