US 11,057,420 B2
Detection of malware and malicious applications
David McGrew, Poolesville, MD (US); Andrew Zawadowskiy, Hollis, NH (US); Donovan O'Hara, Acton, MA (US); Saravanan Radhakrishnan, Bangalore (IN); Tomas Pevny, Modrany (CZ); and Daniel G. Wing, Truckee, CA (US)
Assigned to Cisco Technology, Inc., San Jose, CA (US)
Filed by Cisco Technology, Inc., San Jose, CA (US)
Filed on Mar. 29, 2019, as Appl. No. 16/370,853.
Application 16/370,853 is a continuation of application No. 14/820,265, filed on Aug. 6, 2015, granted, now 10,305,928.
Prior Publication US 2019/0230095 A1, Jul. 25, 2019
This patent is subject to a terminal disclaimer.
Int. Cl. H04L 29/06 (2006.01)
CPC H04L 63/145 (2013.01) [H04L 63/1408 (2013.01); H04L 63/166 (2013.01); H04L 69/16 (2013.01); H04L 2463/121 (2013.01)] 16 Claims
1. A computer-implemented method comprising:
receiving, at a network infrastructure device, an encrypted flow comprising a plurality of packets, the plurality of packets comprising a first set of packets and a second set of packets that is received after the first set of packets;
identifying, at the network infrastructure device, a first datagram comprising the first set of packets and a second datagram comprising the second set of packets, the first datagram being associated with a first message and the second datagram being associated with a second message, wherein each packet of the first set of packets is received within a threshold amount of time of receipt of a preceding packet of the first set of packets, and wherein a first packet of the second set of packets is received after the threshold amount of time of receipt of a last packet of the first set of packets;
determining, at the network infrastructure device, a sequence of datagram lengths and times for the first datagram and the second datagram within the encrypted flow based on an arrival time of the first set of packets and the second set of packets; and
sending, from the network infrastructure device, the sequence of datagram lengths and times to a collector device,
wherein, upon receiving the sequence of datagram lengths and times, the collector device identifies a sequence of lengths and times that is nearest to the received sequence of datagram lengths and times as an application associated with the received sequence of datagram lengths and times, determines whether the application is malicious, and upon determining that the application is malicious, sends an alert signal to an administrator, and
wherein the alert signal indicates that a suspected malware or a threat has been detected, and the alert signal comprises at least one of a name, a type, a version of the malicious application or information regarding the flow.
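The three steps of claim 1 (splitting an encrypted flow into datagrams by an inter-packet time threshold, building the sequence of datagram lengths and times, and having the collector match that sequence to its nearest known application and alert when that application is malicious), as an added worked example in Python. This is constructed for this record and is not Cisco's code or the patent's implementation: the 50 ms threshold, the fingerprint table and application names, the distance metric (absolute length difference plus a weighted absolute time difference, with shorter sequences padded by zero entries) and the sample packet timings are all illustrative assumptions.

```python
"""Illustrative pipeline for claim 1 (constructed example, not Cisco's code).

Infrastructure-device side: group packets into datagrams and emit a
[(length_bytes, start_time_s)] sequence.  Collector side: nearest-sequence
match against known application fingerprints and raise an alert if the
matched application is on the malicious list.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

Seq = List[Tuple[int, float]]


@dataclass
class Packet:
    t: float    # arrival time in seconds (relative to flow start)
    size: int   # encrypted payload length in bytes

# Assumed threshold: packets closer than this belong to the same datagram.
THRESHOLD_S = 0.05


def split_into_datagrams(packets: List[Packet], threshold: float) -> List[List[Packet]]:
    """Group consecutive packets whose gap from the preceding packet is
    within `threshold`; a larger gap starts a new datagram (message)."""
    groups: List[List[Packet]] = []
    current: List[Packet] = []
    for p in packets:
        if current and p.t - current[-1].t > threshold:
            groups.append(current)
            current = []
        current.append(p)
    if current:
        groups.append(current)
    return groups


def datagram_sequence(packets: List[Packet], threshold: float = THRESHOLD_S) -> Seq:
    """Return [(datagram length, datagram start time)] with times relative
    to the first datagram; this is what the device sends to the collector."""
    if not packets:
        return []
    groups = split_into_datagrams(packets, threshold)
    t0 = groups[0][0].t
    return [(sum(p.size for p in g), round(g[0].t - t0, 6)) for g in groups]


def distance(a: Seq, b: Seq, time_weight: float = 1000.0) -> float:
    """Assumed metric: sum over positions of |len diff| + time_weight*|time diff|,
    padding the shorter sequence with (0, 0.0) entries."""
    n = max(len(a), len(b))
    pa = a + [(0, 0.0)] * (n - len(a))
    pb = b + [(0, 0.0)] * (n - len(b))
    return sum(abs(la - lb) + time_weight * abs(ta - tb)
               for (la, ta), (lb, tb) in zip(pa, pb))


# Constructed fingerprint table (placeholder application names).
FINGERPRINTS: Dict[str, Seq] = {
    "browser-tls":   [(1750, 0.0), (3000, 0.3), (300, 0.9)],
    "sample-bot-c2": [(200, 0.0), (200, 1.0), (200, 2.0)],
    "video-stream":  [(900, 0.0), (12000, 0.2), (12000, 0.4), (12000, 0.6)],
}
# Constructed malicious list: name -> (type, version).
MALICIOUS: Dict[str, Tuple[str, str]] = {"sample-bot-c2": ("botnet-c2", "placeholder-1.0")}


def nearest_application(observed: Seq, fingerprints: Dict[str, Seq]) -> str:
    """Collector step: pick the known sequence nearest the observed one."""
    return min(fingerprints, key=lambda name: distance(observed, fingerprints[name]))


def collector_decision(observed: Seq) -> dict:
    """Identify the application; if it is malicious, build the alert
    carrying name, type, version and the flow's sequence."""
    app = nearest_application(observed, FINGERPRINTS)
    if app in MALICIOUS:
        kind, version = MALICIOUS[app]
        return {"alert": True, "name": app, "type": kind,
                "version": version, "flow": observed}
    return {"alert": False, "name": app}


# Constructed sample flows (times in seconds, sizes in bytes).
SAMPLE_FLOW = [Packet(0.000, 200), Packet(0.010, 1200), Packet(0.020, 400),
               Packet(0.300, 100), Packet(0.310, 1500), Packet(0.320, 1500),
               Packet(0.900, 250)]
BOT_FLOW = [Packet(0.0, 200), Packet(1.0, 200), Packet(2.0, 200)]

if __name__ == "__main__":
    for flow in (SAMPLE_FLOW, BOT_FLOW):
        seq = datagram_sequence(flow)
        print(seq, "->", collector_decision(seq))
```

The device never decrypts anything: only the grouping threshold and the arrival timestamps and sizes are used, which is why the sequence can be exported to a collector as lightweight metadata. The distance metric and zero-padding are the places a real deployment would tune; a sequence with a different number of datagrams than every fingerprint will still match something, so a maximum-distance cutoff (not shown) is the natural way to avoid confidently labelling unknown traffic.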