US 10,893,058 B1
Malware detection and alerting for network connected devices based on traffic flow analysis on local network
Jim Casaburi, Rancho Palos Verdes, CA (US); and Steven P. Stockman, Plattsmouth, NE (US)
Assigned to NORTONLIFELOCK, INC., Tempe, AZ (US)
Filed by NortonLifeLock Inc., Tempe, AZ (US)
Filed on Dec. 18, 2014, as Appl. No. 14/575,759.
Int. Cl. H04L 29/06 (2006.01)
CPC H04L 63/1408 (2013.01) [H04L 63/14 (2013.01)] 20 Claims
OG exemplary drawing
 
1. A computer-implemented method for detecting a presence of a malware application on a computing device, the method comprising:
identifying at least a first computing device and a second computing device present on a local network segment of a computing network, wherein at least one of the first computing device and the second computing device is associated with a device type known to not provide malware detection capabilities;
monitoring, on the local network segment, at least a first traffic flow initiated between the first computing device and the second computing device on the local network segment;
generating, from the first traffic flow, a signature characterizing the first traffic flow based on at least one of a time or frequency parameter of the first traffic flow; and
determining, based on the signature, whether the malware application is predicted to be present on the at least one of the first computing device and the second computing device by comparing the signature to a plurality of malware signatures, wherein each of the plurality of malware signatures corresponds to another signature generated for another traffic flow from another computing device matching the device type of the at least one of the first computing device and the second computing device after being compromised by the malware application.
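The signature-and-compare step of the claim, as an added example that is not the patent's own code: each constructed flow is reduced to a time/frequency signature (mean inter-packet gap, gap jitter, packet rate) and compared only against the library of signatures recorded for the same device type. The flows, device types, feature choices and library values are all constructed assumptions.

```python
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import Optional

@dataclass
class Flow:
    """One traffic flow observed between two devices on the local segment."""
    src: str
    dst: str
    device_type: str           # type of the endpoint that cannot run its own malware detection
    packet_times: list         # packet arrival times in seconds (constructed below)

def flow_signature(times: list) -> dict:
    """Characterise a flow by its time/frequency behaviour: mean inter-packet
    gap, gap jitter (population std dev) and packets per second."""
    t = sorted(times)
    gaps = [b - a for a, b in zip(t, t[1:])]
    duration = t[-1] - t[0] if len(t) > 1 else 0.0
    if not gaps or duration <= 0:
        return {"mean_gap": 0.0, "jitter": 0.0, "rate": 0.0}
    return {"mean_gap": mean(gaps), "jitter": pstdev(gaps), "rate": len(gaps) / duration}

# Constructed reference library keyed by device type: each entry stands for the
# signature recorded from a device of that type after it was compromised in a lab.
# mean_gap and rate must lie within a relative tolerance; jitter has an upper bound,
# since beaconing from a compromised device is more regular than ordinary traffic.
MALWARE_SIGNATURES = {
    "ip-camera":  [{"name": "beacon-5s",  "mean_gap": 5.0,  "rate": 0.2,   "tol": 0.15, "max_jitter": 0.25}],
    "smart-plug": [{"name": "scan-burst", "mean_gap": 0.01, "rate": 100.0, "tol": 0.25, "max_jitter": 0.005}],
}

def matches(sig: dict, ref: dict) -> bool:
    for k in ("mean_gap", "rate"):
        if abs(sig[k] - ref[k]) / ref[k] > ref["tol"]:
            return False
    return sig["jitter"] <= ref["max_jitter"]

def predict_malware(flow: Flow) -> Optional[str]:
    """Name of the matching malware signature for this flow's device type, or None.
    Signatures recorded for other device types are deliberately not consulted."""
    sig = flow_signature(flow.packet_times)
    for ref in MALWARE_SIGNATURES.get(flow.device_type, []):
        if matches(sig, ref):
            return ref["name"]
    return None

# Constructed flows: a camera beaconing to a smart plug every ~5 s, the same camera
# streaming irregularly to a local recorder, and a plug emitting a tight burst.
BEACON = Flow("192.168.1.20", "192.168.1.31", "ip-camera", [0.0, 5.0, 10.1, 14.9, 20.0, 25.0, 30.1])
STREAM = Flow("192.168.1.20", "192.168.1.10", "ip-camera", [0.0, 0.3, 1.9, 2.0, 4.4, 9.8, 10.2])
BURST = Flow("192.168.1.31", "192.168.1.20", "smart-plug", [i * 0.01 for i in range(50)])

if __name__ == "__main__":
    for f in (BEACON, STREAM, BURST):
        print(f.src, "->", f.dst, f.device_type, predict_malware(f))
```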