A method for detecting malware penetrating a network by identifying anomalous communication between at least two systems of the network, carried out by a computer. For each unique combination of Source IP address and destination IP address, the method includes considering a past period, considering the network flow logs stored during said past period, calculating values of a metric based on data of the network flow logs within the past period and at a given frequency, calculating a baseline which consists in calculating an IQR of all metric values calculated during the past period, determining an outlier threshold from the baseline, considering a current period, calculating a new IQR of all metric values calculated during the current period, and classifying the communication between the two systems of the unique combination as an anomalous communication if the IQR of the current period is greater than the outlier threshold.