2019-02-26
2019-02-26
2018-02-06
http://hdl.handle.net/10919/87831

A computer system for distinguishing user-initiated network traffic from malware-initiated network traffic comprising at least one central processing unit (CPU) and a memory communicatively coupled to the CPU. The memory includes a program code executable by the CPU to monitor individual network events to determine for an individual network event whether the event has a legitimate root-trigger. Malware-initiated traffic is identified as an individual network event that does not have a legitimate root-trigger.

application/pdf
en-US
Detection of stealthy malware activities with traffic causality and scalable triggering relation discovery
Patent
http://pimg-fpiw.uspto.gov/fdd/30/880/098/0.pdf
14267422
G06F21/316; G06F21/32; G06F21/566; G06F21/57; G06F2221/2133; H04L63/145
9888030