Abstract: A system and method for unsupervised detection of system anomalies in a network, including one or more network elements, a flow collector configured to collect instances of network data from the one or more network elements, a historical dataset database configured to store the instances of network data, a historical dataset pattern extractor configured to analyze the instances of network data and produce a historical behavioral pattern for each of the instances of network data, and a flow stream processor configured to analyze instances of network data in real time, produce a current behavioral pattern for each of the instances of network data, compare the current behavioral pattern to a corresponding historical behavioral pattern, and detect an anomaly based on the comparison between the current behavioral pattern and the corresponding historical behavioral pattern.