The disclosed embodiments relate to a system that performs an intrusion-detection technique to differentiate between packets received from malicious remote users and legitimate local users in a networked computer system. During operation, the system determines arrival times for incoming packets at a node in the networked computer system. Next, the system determines inter-arrival times between the incoming packets from the arrival times. The system then determines a mean cumulative function (MCF) for the inter-arrival times by computing a cumulative sum of the inter-arrival times. Finally, upon detecting a change in a slope of the MCF, the system generates an alarm to indicate that a malicious remote user may be generating some of the incoming packets.