Abstract: The technology disclosed relates to a method, system, and non-transitory computer-readable media that trains a cloud traffic classifier to classify cross-application communications as malicious command and control (C2) traffic or benign cloud traffic. The training uses blocks of malicious Hypertext Transfer Protocol (HTTP) transactions targeted at a plurality of cloud applications by a plurality of clients prequalified as malicious command and control (C2) cloud traffic, and also blocks of benign HTTP transactions targeted at the plurality of cloud applications by the plurality of clients prequalified as benign cloud traffic. A cloud traffic classifier is trained on the cross-application malicious training example set and on the cross-application benign training example set by processing the blocks of the malicious and benign HTTP transactions as inputs, and generating outputs that classify the training examples as respectively malicious C2 cloud traffic or benign cloud traffic.

Abstract: The technology disclosed relates to a method, system, and non-transitory computer-readable media that detects malicious communication between a command and control (C2) cloud resource on a cloud application and malware on an infected host, using a network security system. The network security system reroutes the cloud traffic to the network security system. The incoming requests of the cloud traffic are directed to a cloud application in the plurality of cloud applications, and wherein the cloud application has a plurality of resources. The network security system analyzes the incoming requests, determines that the incoming requests are targeted at one or more malicious resources in the plurality of resources.

Abstract: The technology disclosed relates to a method, system, and non-transitory computer-readable media that classifies cloud traffic between a client and cloud application as malicious command and control (C2) cloud traffic or benign cloud traffic. A cloud traffic classifier, in communication with a network security system, is provided intercepted cloud traffic as an input, and generate an output that classifies the cloud traffic as malicious command and control (C2) cloud traffic or benign cloud traffic. The classifier may use signals such as beaconing behavior, anomalous entity, anomalous agent, anomalous username, anomalous username, anomalous agent, cat's paw behavior of the client, anomalous hostname access patterns, and/or malicious task sequence execution.

Abstract: The technology disclosed relates to a method, system, and non-transitory computer-readable media that detects malicious communication between a command and control (C2) cloud resource on a cloud application and malware on an infected host, using a network security system. The network security system reroutes the cloud traffic to the network security system. The incoming requests of the cloud traffic are directed to a cloud application in the plurality of cloud applications, and wherein the cloud application has a plurality of resources. The network security system analyzes the incoming requests, determines that the incoming requests are targeted at one or more malicious resources in the plurality of resources.

Abstract: The technology disclosed relates to a method, system, and non-transitory computer-readable media that trains a cloud traffic classifier to classify cross-application communications as malicious command and control (C2) traffic or benign cloud traffic. The training uses blocks of malicious Hypertext Transfer Protocol (HTTP) transactions targeted at a plurality of cloud applications by a plurality of clients prequalified as malicious command and control (C2) cloud traffic, and also blocks of benign HTTP transactions targeted at the plurality of cloud applications by the plurality of clients prequalified as benign cloud traffic. A cloud traffic classifier is trained on the cross-application malicious training example set and on the cross-application benign training example set by processing the blocks of the malicious and benign HTTP transactions as inputs, and generating outputs that classify the training examples as respectively malicious C2 cloud traffic or benign cloud traffic.