A method of determining that protected software is running in a virtualized environment includes obtaining a set of baseline measurements of system call timings in native operating system environments. Statistical thresholds are established based on the baseline measurements such that there is a predetermined probability that protected software running in a native environment will experience system call durations that exceed the thresholds. The protected software is analyzed and instructions are incorporated within the software such that particular system calls, demonstrated to be differentiating using the set of baseline measurements and the threshold analysis, are executed during the normal running of the protected software. The incorporated instructions are used to estimate the parameter values that are to be compared with the established statistical thresholds. Repeated comparisons of the estimates obtained during the normal running of the protected software are executed to determine whether the software is running in a virtualized environment.