As new malicious software attacks increase, host-based malware detection methods cannot always detect the latest unknown malware. Intrusion detection systems do not focus on malware detection, whereas behavior-based detection methods are still difficult to deploy at the network layer. This paper presents a malware detection method based on network behavior evidence chains. The proposed method detects specific network behavior characteristics at three different stages: connection establishment, operating control, and connection maintenance. A final detection decision is then made according to the results detected in those stages. A system prototype is implemented as a proof of concept for the proposed malware detection method. Copyright © 2014 John Wiley & Sons, Ltd.