A method for network intrusion detection on a network comprising a plurality of state machines for passing a plurality of network packets comprises determining frequency distributions for each transition within each state machine, determining the distributions of values of each state machine on each transition, and comparing the distributions to observed statistics in the network, and upon determining that the observed statistics are outside defined limits, detecting an anomaly.