This work proposes an anomaly detection framework that tracks the network operation at device-model level within an Internet Service Provider (ISP). On a daily basis, the framework tracks and analyzes the time series of each device-model. Some key features for time series patterns are derived in this process and Extended Isolation Forest, an unsupervised tree ensemble machine learning algorithm, is applied to these features for anomaly detection. In comparison to conventional anomaly detection systems, the proposed framework does not require prior definitions of normal patterns and conducts both horizontal (i.e., a device-model compared to its own historical pattern) and vertical (i.e., a device-model compared to the patterns of all devices) comparisons among the device-models. These features contribute to an accurate and practical anomaly detection framework for industry implementation. The framework proposed in this paper has been deployed in an internal website within the ISP and has been proven an accurate source of anomalous network operation report.