Worms search for targets by means of service requests, and anomalous service requests give indication of worm propagation. A worm detection system that uses positive selection algorithm to characterize normal service requests with self-strings is proposed. Bloom filters are used to represent hosts’ self-strings and monitor the network for suspicious service requests. On the basis of worm properties, the discovered suspicious service requests are correlated in the form of binary trees, and a non-parametric CUSUM (cumulative sum) algorithm is used to monitor the anomaly value of binary trees so as to detect worm propagation timely and accurately. Experimental results of the GTNetS (Georgia Tech Network Simulation) platform show that the proposed system is effective to detect worms, and the system’s influence on normal network traffic is minor.