Computer networks are often plagued by malware such as worms that use the resources of network processing devices without the knowledge and permission of the owner. Worms are computer programs that self-replicate by sending network packets to unguarded elements of the network. This type of malware is often used for identity theft and financial fraud, and thus poses a threat to users of the Internet and to businesses that have an online presence. Different approaches have been proposed and implemented for identifying and preventing further spread of such malware. These include signature-based methods, traffic anomaly methods, and so-called honey-spot techniques. The signature-based techniques are largely ineffective since it is very easy for worms to change signatures to avoid detection and remedial action, and these methods are ineffective against zero-day attacks. So-called stealth worms minimize the number of packets sent (e.g., only a few packets per week) in attempting to identify targets. These worms send scan packets at a very slow rate to hosts that show network activity, and sophisticated stealth worms often employ reconnaissance scans targeting hosts and servers with specific weaknesses that the worm can exploit. This type of malware is difficult to reliably identify using traffic anomaly methods because the rate of scanning packets is very low compared to normal traffic in a network. Consequently, the signal-to-noise ratio is very low in the case of stealth worms, as the signal rate of the worm's scanning packets is small compared to the noise level of the normal network traffic. Moreover, advanced stealth worms adjust the transmission rate of scanning packets based on actual network traffic, thereby reducing the chances of detection by traffic anomaly analysis. As a result, a stealth worm that maintains a SNR of less than 0.01% is virtually impossible to detect by traffic anomaly analysis without generating many false positives. The cost of false detections is high, particularly where the network takes automatic actions upon detecting possible infections. As a result, stealth worm detection has thusfar been difficult using conventional signature or traffic anomaly analysis methods. Accordingly, there remains a need for improved detection methods and systems to identify compromised hosts on a network for remedial steps to be taken to reduce the damaging effects of worms and other malware.