Detection of stealthy malware activities with traffic causality and scalable triggering relation discovery

Files

9888030.pdf (1.31 MB)

Date

2018-02-06

Publisher

United States Patent and Trademark Office

Abstract

A computer system for distinguishing user-initiated network traffic from malware-initiated network traffic comprising at least one central processing unit (CPU) and a memory communicatively coupled to the CPU. The memory includes a program code executable by the CPU to monitor individual network events to determine for an individual network event whether the event has a legitimate root-trigger. Malware-initiated traffic is identified as an individual network event that does not have a legitimate root-trigger.
