Invention Grant
- Patent Title: Detecting malicious beaconing communities using lockstep detection and co-occurrence graph
- Application No.: US15626767
- Application Date: 2017-06-19
- Publication No.: US10887323B2
- Publication Date: 2021-01-05
- Inventor: Jiyong Jang, Dhilung Hang Kirat, Bum Jun Kwon, Douglas Lee Schales, Marc Philippe Stoecklin
- Applicant: International Business Machines Corporation
- Applicant Address: US NY Armonk
- Assignee: International Business Machines Corporation
- Current Assignee: International Business Machines Corporation
- Current Assignee Address: US NY Armonk
- Agency: McGinn IP Law Group, PLLC
- Agent: Jeffrey S. LaBaw, Esq.
- Main IPC: H04L29/06
- IPC: H04L29/06; G06F21/55

Abstract:
A computer-implemented method (and apparatus) includes receiving input data comprising bipartite graph data in a format of source MAC (Machine Access Code) data versus destination IP (Internet Protocol) data and timestamp information. The input bipartite graph data is provided into a first processing to detect malicious beaconing activities using a lockstep detection method on the input bipartite graph data to detect possible synchronized attacks against a targeted infrastructure. The input bipartite graph data is also provided into a second processing, the second processing initially converting the bipartite graph data into a co-occurrence graph format that indicates in a graph format how devices in the targeted infrastructure communicate with different external destination servers over time. The second processing detects malicious beaconing activities by analyzing data exchanges with the external destination servers to detect anomalies.
Public/Granted literature
- US20180367547A1 DETECTING MALICIOUS BEACONING COMMUNITIES USING LOCKSTEP DETECTION AND CO-OCCURRENCE GRAPH (Public/Granted day: 2018-12-20)