The invention detects stealth worm propagation by comparing the repeat elements in sets of destinations of a source in multiple time windows to a fitted distribution of same, stored as a benchmark plot. Measurements are performed over N time windows, wherein a representation of the set of destinations to which a respective source has sent packets is determined for each source, in each time window. The counting is performed using a hash table. Once N such sets of destinations have been obtained, the number Xk of destinations that are common to N, N−1, N−2, . . . , 2, 1 windows is determined. Thus Xk is the number of destinations that a particular source sent packets to in k time windows. Xk is then compared to the corresponding value on the plot; anomalies indicate an attack from the respective source.