A method and an apparatus are provided that efficiently detect network
viruses and worms while using only the layer-4 information that is easily
extracted from core routers, and that also scale when layer-7 information
is available. Entropy analysis is used to identify anomalous activity at
the flow level. Thereafter, only the contents of suspicious flows are
analyzed with fingerprint extraction. By doing so, the present invention
brings together the deployability required for real-time, high-data-rate
links and the efficiency and reliability of content fingerprinting
techniques.
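The two-stage pipeline the abstract describes, as an added illustration that is not the patent's own implementation: it assumes per-source entropy of the (destination, port) pairs contacted as the layer-4 anomaly score, and CRC32 of fixed-length payload windows as the content fingerprint, applied only to flows from sources flagged in stage one. Flow records are constructed.

```python
import math
import zlib
from collections import Counter, defaultdict

# Constructed layer-4 flow records: (src, dst, dport, payload).
# 10.0.0.5 is an ordinary web client; 10.0.0.9 behaves like a scanning
# worm, contacting many distinct hosts on one port with a near-identical body.
WORM_BODY = b" CONSTRUCTED-WORM-BODY-0000"
FLOWS = [("10.0.0.5", "10.0.0.80", 80, b"GET /index.html HTTP/1.1") for _ in range(5)]
FLOWS += [("10.0.0.7", "10.0.0.80", 80, b"GET /a HTTP/1.1"),
          ("10.0.0.7", "10.0.0.25", 25, b"EHLO mail")]
FLOWS += [("10.0.0.9", "10.0.1.%d" % i, 445, b"HELO 10.0.1.%d" % i + WORM_BODY)
          for i in range(1, 7)]


def entropy(counter):
    """Shannon entropy (bits) of an empirical distribution given as counts."""
    total = sum(counter.values())
    return -sum(c / total * math.log2(c / total) for c in counter.values())


def suspicious_sources(flows, threshold=2.0):
    """Stage 1, layer-4 only: score each source by the entropy of the
    (dst, dport) pairs it contacts; a scanner spreads across many targets."""
    by_src = defaultdict(Counter)
    for src, dst, dport, _ in flows:
        by_src[src][(dst, dport)] += 1
    return {src for src, c in by_src.items() if entropy(c) >= threshold}


def fingerprints(payload, n=8):
    """Content fingerprints: CRC32 of every n-byte window of the payload."""
    return {zlib.crc32(payload[i:i + n]) for i in range(len(payload) - n + 1)}


def detect(flows, threshold=2.0, min_flows=3):
    """Stage 2: fingerprint only flows from suspicious sources; a window
    shared by at least min_flows distinct suspicious flows is a candidate
    worm signature, while benign traffic never reaches content analysis."""
    suspects = suspicious_sources(flows, threshold)
    seen = defaultdict(set)
    for idx, (src, _, _, payload) in enumerate(flows):
        if src in suspects:
            for fp in fingerprints(payload):
                seen[fp].add(idx)
    signatures = {fp for fp, ids in seen.items() if len(ids) >= min_flows}
    return {"suspects": suspects, "signatures": signatures}


if __name__ == "__main__":
    result = detect(FLOWS)
    print("suspicious sources:", sorted(result["suspects"]))
    print("shared fingerprints:", len(result["signatures"]))
```

The entropy threshold and window length are tuning knobs; on real traffic they would be set from a baseline of the link's normal per-source fan-out.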