A method for identifying anomalies in a group of network addresses includes building a model of the group of network addresses and identifying a network address as anomalous based on the deviation of the network address from the model. The model is built from a group of network addresses. The network addresses are input and parsed into one or more address trees. A ripeness score is maintained for each of the nodes in the address trees, based, at least in part, on the number of occurrences of the network address portion represented by the node. Nodes having respective ripeness scores within a specified range are classified as ripe nodes, and may be indicative of normal behavior, and nodes having respective ripeness scores outside the specified range of ripeness scores are classified as unripe, and may be indicative of anomalous behavior.