A method of detecting network worms includes the following steps: (1)
profiling the TCP connection information collected from the protected
network, quantifying the plurality of statuses contained in the TCP
connection information; (2) clustering the connection profiles to
discover all the anomaly clusters that are specified by a condition
composed of several adaptive thresholds; (3) correlating the anomaly
clusters to produce a new cluster graph or to extend an existing
cluster graph; (4) issuing a security incident about the worm propagation
according to a propagation condition that is also composed of several
adaptive thresholds; and (5) keeping and maintaining the status of the
cluster graphs.
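
The five steps above, as an added Python example that is not taken from the method's own text. The record layout, the status names, the fan-out metric, the mean + k*stddev threshold, the "earlier target later becomes a source" correlation rule and the fixed min_generations propagation condition are all assumptions made for illustration.

```python
from collections import defaultdict
from statistics import mean, pstdev

def sample():
    """Constructed records (window, src, dst, dport, status); not captured traffic."""
    rows = []
    for win, scanner in ((0, "10.0.0.5"), (1, "10.0.1.9")):
        for i in range(8):  # one host fans out on port 445; one target answers
            status = "ESTABLISHED" if i == 3 else "RST"
            rows.append((win, scanner, f"10.0.{win + 1}.{i + 6}", 445, status))
        for n in (2, 3, 4):  # ordinary clients, one successful connection each
            rows.append((win, f"10.0.0.{n}", "10.0.9.1", 443, "ESTABLISHED"))
    return rows

def profile(conns):
    """Step 1: per (window, src, port), count statuses and distinct targets."""
    prof = defaultdict(lambda: {"ok": 0, "failed": 0, "dsts": set()})
    for win, src, dst, port, status in conns:
        p = prof[(win, src, port)]
        p["ok" if status == "ESTABLISHED" else "failed"] += 1
        p["dsts"].add(dst)
    return prof

def anomaly_clusters(prof, k=1.0):
    """Step 2: per window, group by port the sources whose fan-out is anomalous."""
    clusters = []
    for win in sorted({key[0] for key in prof}):
        cur = [(s, port, p) for (w, s, port), p in prof.items() if w == win]
        fan = [len(p["dsts"]) for _, _, p in cur]
        limit = mean(fan) + k * pstdev(fan)  # adaptive: recomputed every window
        grouped = defaultdict(lambda: (set(), set()))
        for src, port, p in cur:
            if len(p["dsts"]) > limit and p["failed"] > p["ok"]:
                grouped[port][0].add(src)
                grouped[port][1].update(p["dsts"])
        clusters += [(win, port, s, d) for port, (s, d) in sorted(grouped.items())]
    return clusters

def correlate(clusters, min_generations=2):
    """Steps 3-5: link clusters when an earlier target later acts as a source."""
    graphs = []  # each graph is a chain of clusters; persist it between runs
    for cl in clusters:
        for g in graphs:
            if g[-1][1] == cl[1] and g[-1][0] < cl[0] and g[-1][3] & cl[2]:
                g.append(cl)  # extend an existing cluster graph
                break
        else:
            graphs.append([cl])  # start a new cluster graph
    return graphs, [g for g in graphs if len(g) >= min_generations]
```

Calling correlate(anomaly_clusters(profile(sample()))) returns one cluster graph spanning both windows and reports it as an incident; with only the first window the graph exists but no incident is issued.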