Methods, apparatus, and processor-readable storage media for evaluating cyber attacker behavior using machine learning to identify anomalies are provided herein. An example method includes obtaining, based on events associated with changes in one or more of a registry and a computer process, baseline models comprising a user context representing normal behavior for a first subset of features associated with the events with respect to a given user, an inverse context that represents normal behavior for at least one feature with respect to a particular value of one or more features in the first subset, and a global context representing a behavior of the features across the plurality of users; detecting a new event attributable to the given user; calculating a score for the new event using one or more of the baseline models; and determining that the new event is an anomaly in response to the score satisfying a threshold.