Tracking Normality in Networks

November 8, 2005
  • Network models
  • 90B10
Many anomalous network events do not manifest themselves as abrupt, easily detectable changes in the volume of traffic at a single switch. Rather, the footprint they leave is a modification of the pattern of traffic at a number of routers in the network. Anomaly detection is then a question of whether the current traffic pattern is sufficiently divergent from "normal" traffic patterns. In this talk, I will describe a technique for sequentially constructing a sparse kernel dictionary that forms a map of network normality and illustrate how this map can be used to identify anomalous events.