A method for network intrusion detection on a network comprising a
plurality of state machines for passing a plurality of network packets
comprises determining frequency distributions for each transition within
each state machine, determining the distributions of values of each state
machine on each transition, and comparing the distributions to observed
statistics in the network, and upon determining that the observed
statistics are outside defined limits, detecting an anomaly.