A method for training a machine learning model using information pertaining to characteristics of upload activity performed at one or more client devices includes generating first training input including (i) information identifying, for each of a plurality of application categories, data categories pertaining to first amounts of data uploaded from the client device during a specified time interval. The method includes generating a first target output that indicates whether the data categories corresponding to the first amounts of data correspond to malicious or non-malicious upload activity. The method includes providing the training data to train the machine learning model on (i) a set of training inputs including the first training input, and (ii) a set of target outputs including the first target output.