Various exemplary embodiments relate to a method of detecting anomalies in network traffic. The method includes: receiving a plurality of accounting reports from an application assurance device, the accounting reports indicating a metric of network performance; aggregating the metric from a plurality of accounting reports to determine a plurality of aggregated metrics corresponding to a plurality of intervals; storing the aggregated metrics in a database in association with the corresponding plurality of intervals; determining a rolling baseline for a current time period based on metrics of intervals corresponding to a primary partition and a sub-partition; comparing a metric for a current time period to the rolling baseline; and determining that an anomaly is occurring if the metric for the current time period differs from the rolling baseline by more than a pre-defined threshold.