Systems and methods for anomaly detection are described. One aspect includes defining a computing device group comprising a plurality of networked computing devices. The networked computing devices are associated with a computer network. One or more statistical parameters associated with the computing device group are calculated. A set of communication data associated with a networked computing device is received. An operating point geometric distance of the networked computing device relative to the one or more statistical parameters is computed. This operating point geometric distance is based at least in part on the set of communication data. An anomaly is detected based on the operating point geometric distance.