A method executable via operation of configured processing circuitry to identify applications by remote monitoring may include initiating remote communication with a target device through an access point, the access point providing network access to the target device, providing a series of ping messages to the target device via the access point to determine a delay signature of an application running on the target device, comparing the delay signature of the application to a plurality of malware traffic signatures stored in a malware traffic signature library, and determining a matching score between the delay signature of the application and at least some of the malware traffic signatures.