An intrusion detection device (61) for monitoring one or more target devices and detecting malicious software operating on one of the one or more target devices. The intrusion detection device has an interface arrangement (61, 10) comprising one or more interfaces (6110) for receiving inward bound traffic destined for the one or more target devices and outward bound traffic originating from the one or more target devices. The intrusion detection device (61) also includes categorization means (6140) for categorizing incoming service requests destined for one of the one or more target devices as either harmless or potentially suspicious; monitoring means (6150) operable, in respect of each incoming service request identified as being potentially suspicious, to monitor the behavior of the associated target device for behavior indicative of the target device operating as a proxy server; and a notifier (6160) for generating a notification in the event that the monitored behavior is indicative of the device acting as a proxy server.