Certain events, such as data input operating system calls, are likely to
initiate a buffer overflow attack. A timing module generates timestamps
that indicate when such possible initiating events occur. The timestamp
is associated with a particular process and/or thread executing on the
computer. If subsequent evidence of a buffer overflow attack is detected
on the computer, the timestamps for that process and/or thread are
consulted to determine whether a possible initiating event occurred
recently. If there is a recent initiating event, a buffer overflow attack
is declared. Evidence of a buffer
overflow attack can include receiving a signal from the processor
indicating that the processor was asked to execute an instruction
residing in non-executable memory. Evidence of a buffer overflow attack
can also include detecting an action on the computer that malicious
software is likely to perform, such as opening a file or network
connection, being performed by an instruction residing in non-executable
memory.
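The correlation the abstract describes, as an added example that is not part of the patent text: a timing module records the last data-input event per process/thread, and evidence arriving from non-executable memory is declared an attack only if an initiating event on the same process/thread falls inside a recency window. The two-second window, the event tuple format and the constructed event stream are assumptions.

```python
from dataclasses import dataclass, field

# Evidence kinds the abstract names; both must originate in non-executable memory.
NX_FAULT = "nx_fault"          # processor signalled an execute attempt in NX memory
SENSITIVE_ACTION = "action"    # file open / network connect issued from NX memory

@dataclass
class TimingModule:
    """Records when possible initiating events (data-input syscalls) occurred,
    keyed by (pid, tid), and answers whether one happened recently."""
    window_seconds: float = 2.0                     # recency window: an assumed value
    last_input: dict = field(default_factory=dict)  # (pid, tid) -> timestamp

    def record_input_event(self, pid, tid, ts):
        self.last_input[(pid, tid)] = ts

    def recent_initiating_event(self, pid, tid, ts):
        last = self.last_input.get((pid, tid))
        return last is not None and 0 <= ts - last <= self.window_seconds

def evaluate_evidence(module, pid, tid, kind, ts, from_nx_memory):
    """True if this evidence should be declared a buffer overflow attack: it must
    come from non-executable memory and follow a recent initiating event on the
    same process/thread. Evidence from executable code is treated as legitimate."""
    if kind not in (NX_FAULT, SENSITIVE_ACTION) or not from_nx_memory:
        return False
    return module.recent_initiating_event(pid, tid, ts)

# Constructed event stream: (event, pid, tid, timestamp, from_nx_memory).
SAMPLE_EVENTS = [
    ("input", 100, 1, 10.0, None),            # recv() on pid 100, thread 1
    (NX_FAULT, 100, 1, 10.5, True),           # NX fault 0.5 s later -> declared
    ("input", 200, 1, 20.0, None),
    (SENSITIVE_ACTION, 200, 1, 25.0, True),   # 5 s later, outside window -> not declared
    (SENSITIVE_ACTION, 300, 1, 30.0, False),  # open issued from executable code -> ignored
    (NX_FAULT, 200, 2, 20.1, True),           # different thread than the input -> not declared
]

def run(events, window_seconds=2.0):
    """Replay an event stream; return (pid, tid, ts) for each declared attack."""
    module = TimingModule(window_seconds)
    declared = []
    for kind, pid, tid, ts, nx in events:
        if kind == "input":
            module.record_input_event(pid, tid, ts)
        elif evaluate_evidence(module, pid, tid, kind, ts, nx):
            declared.append((pid, tid, ts))
    return declared
```

Widening the window trades missed detections for false positives: the second stream entry for pid 200 is declared only when the window grows past five seconds.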