Abstract

To detect malicious activities, there are pattern matching, blacklists, behavioral analysis, and event correlation. However, those existing approaches have several problems. For instance:

- Unknown threats and sophisticated attacks could circumvent those solutions.
- Some of those require huge resources.

This talk will cover how to solve the issues above and how we detect unknown malicious activities from typical logs of devices which are not dedicated to attack detection, such as proxies, firewalls and so on.

1. C2 Server Detection

We discover malware which periodically communicates with C2 servers, such as Bots/RATs, from zero knowledge. In order to achieve this, we generate over two million communication patterns by enumerating C2-ish communication patterns with a generator script. We then use Convolutional Neural Networks by converting common logs into "virtual images": the count of communications and the sent/received bytes are mapped in chronological order.

We will show that our models are able to detect various C2 communications of unknown (i.e. unlearned) malware samples which come from actual incidents, such as PlugX, RedLeaves/himawari, xxmm, Asruex, ursnif/gozi, Vawtrak, and so on.

2. Exploit Kit Detection

Stable detection of Exploit Kits (EKs) is difficult because EKs' URLs and contents keep being changed frequently. However, we found an effective way to detect EKs from zero knowledge.

The method is able to detect unknown (again, unlearned) EKs from standard proxy logs by recognizing emulated content-type sequences of EKs (e.g. html -> swf -> octet-stream) with Recurrent Neural Networks. The sequences are deeply related to the behavior of EKs, therefore attackers cannot change them easily.

We will show that our models, which are trained with 300 thousand EK-like content-type sequences, are able to detect 14 kinds of EKs such as Rig, Nebula, Terror, Sundown, KaiXin and so on.
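The following is an added illustration of the two feature-extraction steps the abstract describes, written for this page and not code from the talk or its authors. It turns constructed proxy log lines (made up here, not from any incident) into the per-destination "virtual image" of counts and bytes in chronological order that the C2 model consumes, and into the per-client content-type sequences (html -> swf -> octet-stream) that the EK model consumes. The log format, the session gap, the bin size and the content-type vocabulary are all assumptions for the example; the neural networks themselves are out of scope here, so only the inputs they would be fed are built, along with a crude regularity check on the beacon image.

```python
from datetime import datetime

# Constructed proxy log lines (made up for this example, not real traffic):
# "<timestamp> <client> <destination> <content-type> <bytes sent> <bytes received>"
SAMPLE_LOG = """
2018-03-01T10:00:00 10.0.0.5 203.0.113.10 text/plain 300 120
2018-03-01T10:01:00 10.0.0.5 203.0.113.10 text/plain 300 120
2018-03-01T10:02:00 10.0.0.5 203.0.113.10 text/plain 300 120
2018-03-01T10:03:00 10.0.0.5 203.0.113.10 text/plain 300 120
2018-03-01T10:00:05 10.0.0.7 198.51.100.20 text/html 400 15000
2018-03-01T10:00:07 10.0.0.7 198.51.100.20 application/x-shockwave-flash 350 90000
2018-03-01T10:00:09 10.0.0.7 198.51.100.20 application/octet-stream 350 250000
2018-03-01T10:01:30 10.0.0.7 192.0.2.30 text/html 400 8000
"""

TS_FORMAT = "%Y-%m-%dT%H:%M:%S"

# Hypothetical content-type vocabulary for the RNN input; 0 is padding/unknown.
VOCAB = {"text/html": 1, "application/x-shockwave-flash": 2,
         "application/octet-stream": 3, "text/plain": 4}


def parse_log(text):
    """Parse the constructed log format into dicts sorted by timestamp."""
    rows = []
    for line in text.strip().splitlines():
        ts, client, dest, ctype, sent, recv = line.split()
        rows.append({"ts": datetime.strptime(ts, TS_FORMAT), "client": client,
                     "dest": dest, "ctype": ctype, "sent": int(sent), "recv": int(recv)})
    rows.sort(key=lambda r: r["ts"])
    return rows


def virtual_image(rows, client, dest, bin_seconds, n_bins):
    """Build the 'virtual image' for one client/destination pair: n_bins rows,
    each [connection count, bytes sent, bytes received] for one time bin, in
    chronological order starting at the pair's first connection."""
    pair = [r for r in rows if r["client"] == client and r["dest"] == dest]
    image = [[0, 0, 0] for _ in range(n_bins)]
    if not pair:
        return image
    start = pair[0]["ts"]
    for r in pair:
        idx = int((r["ts"] - start).total_seconds() // bin_seconds)
        if idx < n_bins:
            image[idx][0] += 1
            image[idx][1] += r["sent"]
            image[idx][2] += r["recv"]
    return image


def beacon_regularity(image):
    """Fraction of bins holding exactly one connection. 1.0 means one contact per
    interval across the whole window, the shape a periodic beacon leaves in the
    image; this is a sanity check on the feature, not a replacement for the CNN."""
    return sum(1 for count, _, _ in image if count == 1) / len(image)


def content_type_sessions(rows, client, gap_seconds):
    """Split one client's requests into sessions whenever the gap between
    consecutive requests exceeds gap_seconds, and return each session's
    chronological content-type sequence (e.g. html -> swf -> octet-stream)."""
    sessions, current, last_ts = [], [], None
    for r in rows:
        if r["client"] != client:
            continue
        if last_ts is not None and (r["ts"] - last_ts).total_seconds() > gap_seconds:
            sessions.append(current)
            current = []
        current.append(r["ctype"])
        last_ts = r["ts"]
    if current:
        sessions.append(current)
    return sessions


def encode_sequence(seq, vocab, max_len):
    """Integer-encode a content-type sequence for an RNN: unknown types map to 0
    and the result is right-padded or truncated to max_len."""
    ids = [vocab.get(ct, 0) for ct in seq][:max_len]
    return ids + [0] * (max_len - len(ids))


if __name__ == "__main__":
    rows = parse_log(SAMPLE_LOG)
    img = virtual_image(rows, "10.0.0.5", "203.0.113.10", bin_seconds=60, n_bins=4)
    print("virtual image:", img, "regularity:", beacon_regularity(img))
    for s in content_type_sessions(rows, "10.0.0.7", gap_seconds=30):
        print("session:", s, "->", encode_sequence(s, VOCAB, max_len=5))
```

In the constructed log, client 10.0.0.5 contacts one destination once a minute with identical byte counts, so its image is four identical rows and the regularity check returns 1.0; client 10.0.0.7 produces a html -> swf -> octet-stream session followed by an unrelated page load, which the session gap separates. Real proxy logs need the same grouping by client and destination and the same chronological binning before any model sees them, and the bin size and gap chosen here are tuning parameters rather than fixed values.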

Slides