These sound really interesting if we have the expertise to model the cybersecurity world as a series of complex differential equations. And I don't know if the rigidity of such equations for physical/biological systems can generalize to cyber domains like this, which are behavioural. Behaviours usually seem too complex and dynamic to model.
- May 2023
The idea here focuses a lot on memory retention of past events, which I think can be approached in two ways:

- At the level of the EDR itself: just like Dinil already suggested, instead of simply checking a threshold of maliciousness, we can monitor the gradient as well, to effectively raise signals on an increasing maliciousness of event sequences. The idea of aggregating events across boots, or even distributed analysis across similar clients, also fits into this scenario.
- At the ML level, using architectures such as LSTMs, attention layers, memory-based graph networks, etc.

We may need to use both approaches here.
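The EDR-level idea above, as an added illustration that is not part of the annotations: a monitor keeps a short window of per-event maliciousness scores, alerts on the usual absolute threshold, but also on a sustained upward gradient (least-squares slope over the window), and can carry its window across a reboot so the escalation is not lost. The scores, threshold, window size and slope limit are constructed assumptions, not values from the thread.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class SequenceMonitor:
    """Per-client monitor: alert on absolute score OR on rising gradient."""
    threshold: float = 0.8      # assumed: classic "event is malicious" cut-off
    window: int = 4             # assumed: events used to estimate the slope
    slope_limit: float = 0.09   # assumed: per-event rise treated as escalation
    scores: List[float] = field(default_factory=list)  # retained history

    def slope(self) -> Optional[float]:
        """Least-squares slope over the last `window` scores (None if too few)."""
        pts = self.scores[-self.window:]
        n = len(pts)
        if n < self.window:
            return None
        mx, my = (n - 1) / 2, sum(pts) / n
        num = sum((x - mx) * (y - my) for x, y in enumerate(pts))
        den = sum((x - mx) ** 2 for x in range(n))
        return num / den

    def observe(self, score: float) -> Optional[str]:
        """Record one event score; return the alert reason, if any."""
        self.scores.append(score)
        if score >= self.threshold:
            return "threshold"
        s = self.slope()
        if s is not None and s >= self.slope_limit:
            return "gradient"
        return None

    def snapshot(self) -> List[float]:
        """State to persist across a boot: only the current window is needed."""
        return list(self.scores[-self.window:])


def first_alert(monitor: SequenceMonitor,
                scores: List[float]) -> Optional[Tuple[int, str]]:
    """Feed scores in order; return (index, reason) of the first alert or None."""
    for i, s in enumerate(scores):
        reason = monitor.observe(s)
        if reason:
            return i, reason
    return None


# Constructed score sequence: slowly escalating, crosses 0.8 only at the end.
SEQ = [0.10, 0.12, 0.15, 0.25, 0.35, 0.45, 0.55, 0.70, 0.85]

if __name__ == "__main__":
    print("gradient+threshold:", first_alert(SequenceMonitor(), SEQ))
    print("threshold only:", first_alert(SequenceMonitor(slope_limit=float("inf")), SEQ))
    boot1 = SequenceMonitor()
    first_alert(boot1, SEQ[:4])                       # reboot after 4 events
    print("fresh after reboot:", first_alert(SequenceMonitor(), SEQ[4:]))
    print("window carried over:", first_alert(SequenceMonitor(scores=boot1.snapshot()), SEQ[4:]))
```

On this sequence the gradient rule fires at event 5 while the threshold alone waits until event 8, and a monitor that restores its window after the reboot fires two events earlier than one that starts empty.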