Abstract: A method of detecting an anomaly in a sensor network for diagnosing a network attack may include receiving a data set comprising a plurality of vector-valued measurements from a plurality of sensors, and decomposing the data set into a low-rank component L and a sparse component S using an Augmented Lagrange Multiplier (ALM) method. In one embodiment, at least one of L or S can be determined using an exact minimizer of a Lagrangian in the ALM method, L can represent patterns that occur in a relatively large number of the plurality of sensors, and S can represent patterns that occur in a relatively small number of the plurality of sensors. The method may also include ascertaining, using the computer system, the anomaly in the data set based on the patterns in the sparse component S.