Patents by Inventor Christian Elihu Navarrete Discua

Christian Elihu Navarrete Discua has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Publication number: 20250080556
    Abstract: Various embodiments provide a system, method, and device for applying a C2 machine learning-based detection framework. The method includes (i) generating a fuzzing based on a C2 machine-learning detection model using a large learning model for performing profile-based seed generation; and (ii) detecting C2 traffic using the C2 machine learning detection model.
    Type: Application
    Filed: September 29, 2023
    Publication date: March 6, 2025
    Inventors: Qian Feng, Christian Elihu Navarrete Discua, Yu Fu, Yanhui Jia, Yuwen Dai
  • Publication number: 20250039193
    Abstract: Techniques for intrusion prevention based on infection chains are disclosed. In some embodiments, a system, a process, and/or a computer program product for intrusion prevention based on infection chains includes monitoring network traffic at a security platform; prefiltering the monitored network traffic at the security platform to select a subset of the network traffic to perform further analysis using a plurality of signatures based on infection chains; and determining whether a plurality of sessions in the network traffic is associated with advanced persistent threat (APT) attack traffic activity based on a match with at least one of the plurality of signatures based on the infection chains.
    Type: Application
    Filed: July 28, 2023
    Publication date: January 30, 2025
    Inventors: Yanhui Jia, Taojie Wang, Christian Elihu Navarrete Discua, Shengming Xu
  • Publication number: 20250007930
    Abstract: A system, method, and device for detecting Command and Control (C2) traffic is disclosed. The method includes (i) converting, by one or more processors, a header for network traffic to a header representation having a smaller dimensionality than the header, (ii) querying a classifier based at least in part on the header representation to obtain a traffic classification, (iii) automatically detecting C2 traffic based at least in part on the traffic classification, and (iv) handling the network traffic based at least in part on the traffic classification.
    Type: Application
    Filed: June 28, 2023
    Publication date: January 2, 2025
    Inventors: Qian Feng, Christian Elihu Navarrete Discua, Yu Fu, Ajaya Neupane, Edouard Bochin
  • Patent number: 12107826
    Abstract: Techniques for Cobalt Strike Beacon HTTP C2 heuristic detection are disclosed. In some embodiments, a system/process/computer program product for Cobalt Strike Beacon HTTP C2 heuristic detection includes monitoring HyperText Transfer Protocol (HTTP) network traffic at a firewall; prefiltering the monitored HTTP network traffic at the firewall to select a subset of the HTTP network traffic to forward to a cloud security service; determining whether the subset of the HTTP network traffic is associated with Cobalt Strike Beacon HTTP C2 traffic activity based on a plurality of heuristics; and performing an action in response to detecting the Cobalt Strike Beacon HTTP C2 traffic activity.
    Type: Grant
    Filed: August 7, 2023
    Date of Patent: October 1, 2024
    Assignee: Palo Alto Networks, Inc.
    Inventors: Yanhui Jia, Christian Elihu Navarrete Discua, Durgesh Madhavrao Sangvikar, Ajaya Neupane, Yu Fu, Shengming Xu
  • Publication number: 20240039889
    Abstract: Techniques for Cobalt Strike Beacon HTTP C2 heuristic detection are disclosed. In some embodiments, a system/process/computer program product for Cobalt Strike Beacon HTTP C2 heuristic detection includes monitoring HyperText Transfer Protocol (HTTP) network traffic at a firewall; prefiltering the monitored HTTP network traffic at the firewall to select a subset of the HTTP network traffic to forward to a cloud security service; determining whether the subset of the HTTP network traffic is associated with Cobalt Strike Beacon HTTP C2 traffic activity based on a plurality of heuristics; and performing an action in response to detecting the Cobalt Strike Beacon HTTP C2 traffic activity.
    Type: Application
    Filed: August 7, 2023
    Publication date: February 1, 2024
    Inventors: Yanhui Jia, Christian Elihu Navarrete Discua, Durgesh Madhavrao Sangvikar, Ajaya Neupane, Yu Fu, Shengming Xu
  • Patent number: 11770361
    Abstract: Techniques for Cobalt Strike Beacon HTTP C2 heuristic detection are disclosed. In some embodiments, a system/process/computer program product for Cobalt Strike Beacon HTTP C2 heuristic detection includes monitoring HyperText Transfer Protocol (HTTP) network traffic at a firewall; prefiltering the monitored HTTP network traffic at the firewall to select a subset of the HTTP network traffic to forward to a cloud security service; determining whether the subset of the HTTP network traffic is associated with Cobalt Strike Beacon HTTP C2 traffic activity based on a plurality of heuristics; and performing an action in response to detecting the Cobalt Strike Beacon HTTP C2 traffic activity.
    Type: Grant
    Filed: July 29, 2022
    Date of Patent: September 26, 2023
    Assignee: Palo Alto Networks, Inc.
    Inventors: Yanhui Jia, Christian Elihu Navarrete Discua, Durgesh Madhavrao Sangvikar, Ajaya Neupane, Yu Fu, Shengming Xu