Systems and methods for causation analysis of network anomalies in a network include detecting an alarm condition at a network device, the alarm condition pertaining to an anomaly or increase in a traffic condition such as packet loss. A dominant key is identified in each of one or more key types which contributed to the alarm condition, the key types including dimensions of traffic flow. Two or more dominant keys of two or more key types are aggregated and clustered to determine a combination of dominant keys which contributed to the alarm condition. A dominant traffic flow comprising the combination of dominant keys which contributed to the alarm condition is identified based on the aggregation and clustering. Malware or security threats can be identified from detecting a dominant source IP address or host which contributed to a predominant number of packet drops or retransmissions at ports of the network.