Enterprise networks are found in a variety of businesses, government agencies, academic institutions, and other organizations in which computer resources are shared and interconnected. These networks are susceptible to malware such as worms that use the resources of network processing devices without the knowledge and permission of the owner. Such malware can spread to different network hosts in the enterprise through a process of self-replication in which an infected host computer sends network packets, sometimes referred to as scanning packets, to other enterprise hosts connected to the network.
Signature-based techniques have been developed along with traffic anomaly methods to help identify malware-infected hosts for remedial action. Signature-based methods are generally ineffective, since it is very easy for worms to change signatures to avoid detection and remedial action, and they do not guard against zero-day attacks. Slow scanning malware, sometimes called stealth worms, operates by sending only a few scanning packets in a given time period, and advanced stealth worms adjust the transmission rate of scanning packets based on actual network traffic to avoid detection by traffic anomaly analysis. Advanced stealth worms such as Storm malware use sophisticated scanning techniques and distributed scanning within an enterprise to avoid being detected. This type of slow distributed scanning malware, once replicated on two or more hosts in an enterprise, will divide the enterprise network address space among the infected hosts, and each will target a different subset of the network with scanning packets. In this manner, each infected host may only scan a small number of neighbor hosts, thereby further avoiding detection by existing techniques.
Consequently, slow scanning malware and distributed and/or slow scanning malware present new challenges, and conventional malware detection techniques are largely ineffective for identifying enterprise network hosts infected with these malicious programs.
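The detection gap described above can be seen by running a simple per-host rate check over flow records. The following is an added example, not part of the original text. The window length, the alert threshold, the host names, and the flow records are all constructed assumptions standing in for a generic traffic anomaly method.

```python
from collections import defaultdict

WINDOW = 60      # seconds per counting window (assumed value)
THRESHOLD = 20   # distinct destinations per window that raises an alert (assumed value)

def build_flows():
    """Constructed flow records (timestamp_s, src, dst); not captured traffic."""
    targets = [f"10.0.0.{i}" for i in range(1, 241)]
    flows = []
    # One fast-scanning host: contacts all 240 addresses within 48 seconds.
    flows += [(i * 0.2, "fast-host", dst) for i, dst in enumerate(targets)]
    # Four slow hosts divide the same space: 60 addresses each, one contact per 30 s.
    for n in range(4):
        share = targets[n * 60:(n + 1) * 60]
        flows += [(i * 30.0, f"slow-host-{n}", dst) for i, dst in enumerate(share)]
    return flows

def rate_alerts(flows, window=WINDOW, threshold=THRESHOLD):
    """Hosts whose distinct-destination count in any one window exceeds threshold."""
    seen = defaultdict(set)                      # (src, window index) -> destinations
    for ts, src, dst in flows:
        seen[(src, int(ts // window))].add(dst)
    return {src for (src, _), dsts in seen.items() if len(dsts) > threshold}

def peak_and_total(flows, window=WINDOW):
    """Per host: (max distinct destinations in one window, distinct destinations overall)."""
    per_win, total = defaultdict(set), defaultdict(set)
    for ts, src, dst in flows:
        per_win[(src, int(ts // window))].add(dst)
        total[src].add(dst)
    peak = defaultdict(int)
    for (src, _), dsts in per_win.items():
        peak[src] = max(peak[src], len(dsts))
    return {src: (peak[src], len(total[src])) for src in total}

if __name__ == "__main__":
    flows = build_flows()
    print("alerted:", sorted(rate_alerts(flows)))
    for src, (peak, total) in sorted(peak_and_total(flows).items()):
        print(f"{src}: peak per window={peak}, total distinct={total}")
```

Only the fast host crosses the per-window threshold; each slow host peaks at two destinations per window even though the four together reach the whole address range.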