Network anomaly detection
US-2016352768-A1 · Dec 1, 2016 · US
US10009366B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-10009366-B2 |
| Application number | US-201715647979-A |
| Country | US |
| Kind code | B2 |
| Filing date | Jul 12, 2017 |
| Priority date | May 22, 2014 |
| Publication date | Jun 26, 2018 |
| Grant date | Jun 26, 2018 |
Abstract:
Methods, systems, and apparatus, including computer programs encoded on computer storage media, for determining network related anomaly scores. One of the methods includes generating a network map including at least a plurality of network nodes and a plurality of edges that indicate communications paths between the plurality of network nodes, obtaining first data indicating network activity over the edges and between the plurality of network nodes for a first time period, generating a model of expected network activity over the edges and between the plurality of network nodes for a future time period using the network map and the first data, obtaining second data indicating network activity over the edges and between the plurality of network nodes for a second time period, and determining an anomaly score using a comparison between the second data and the model of expected network activity.
Claims (preview):
What is claimed is:
1. A non-transitory computer storage medium encoded with instructions that, when executed by one or more computers, cause the one or more computers to perform operations comprising: accessing, by one or more computers, a model of expected network activity for one or more subnets represented by a network map that includes a plurality of edges that each represent a communications path between two nodes from a plurality of network nodes, where each subnet in the one or more subnets comprises at least one network node from the plurality of network nodes and at least one edge from the plurality of edges; obtaining, by at least one of the one or more computers, one or more data packets indicating network activity over at least one of the edges and between two of the plurality of network nodes during a time period; using the model of expected network activity and the one or more data packets, determining, by at least one of the one or more computers for at least one of the one or more subnets, a subnet anomaly score that represents a probability that at least one of the one or more data packets indicating the network activity, during the time period, across an edge connected to a network node, both included in the respective subnet, is anomalous; and determining, by at least one of the one or more computers, an action using the subnet anomaly score.
2. The computer storage medium of claim 1, wherein determining the action using the subnet anomaly score comprises: determining, for a specific subnet in the one or more subnets, whether the respective subnet anomaly score satisfies a threshold anomaly score; and determining the action using a result of the determination whether the respective subnet anomaly score satisfies the threshold anomaly score.
3. The computer storage medium of claim 2, wherein determining the action comprises determining to perform at least one of disconnecting the specific subnet from another network, restricting inbound or outbound bandwidth for the specific subnet, preventing the specific subnet from sending or receiving particular types of network traffic, creating a computer implemented network rule for the specific subnet, silently discarding at least a portion of the one or more data packets for the network traffic corresponding to the specific subnet, or transitioning an application executing on the network node included in the specific subnet to a second network node included in a second subnet.
4. The computer storage medium of claim 2, wherein determining the action comprises determining to send an event message that identifies the specific subnet upon determining that the respective subnet anomaly score satisfies the threshold anomaly score.
5. The computer storage medium of claim 1, wherein the network map represents only one subnet.
6. The computer storage medium of claim 1, wherein the network map represents two or more subnets.
7. The computer storage medium of claim 1, wherein determining, for at least one of the one or more subnets, the subnet anomaly score comprises: for each subnet included in the one or more subnets: determining the network nodes from the plurality of network nodes that are included in the respective subnet; determining, for each of the network nodes that are included in the respective subnet, a node anomaly score using the model of expected network activity and at least one of the one or more data packets; and combining the node anomaly scores for the network nodes that are included in the respective subnet to generate the subnet anomaly score for the respective subnet.
8. The computer storage medium of claim 1, wherein determining, for at least one of the one or more subnets, the subnet anomaly score comprises: for each subnet included in the one or more subnets: determining the edges from the plurality of edges that are included in the respective subnet; determining, for each of the edges that are included in the respective subnet, an edge anomaly score using the model of expected network activity and at least one of the one or more data packets; and combining the edge anomaly scores for the edges that are included in the respective subnet to generate the subnet anomaly score for the respective subnet.
9. A system comprising one or more computers and one or more storage devices storing instructions that are operable, when executed by the one or more computers, to cause the one or more computers to perform operations comprising: accessing, by one or more computers, a model of expected network activity for one or more subnets represented by a network map that includes a plurality of edges that each represent a communications path between two nodes from a plurality of network nodes, where each subnet in the one or more subnets comprises at least one network node from the plurality of network nodes and at least one edge from the plurality of edges; obtaining, by at least one of the one or more computers, one or more data packets indicating network activity over at least one of the edges and between two of the plurality of network nodes during a time period; using the model of expected network activity and the one or more data packets, determining, by at least one of the one or more computers for at least one of the one or more subnets, a subnet anomaly score that represents a probability that at least one of the one or more data packets indicating the network activity, during the time period, across an edge connected to a network node, both included in the respective subnet, is anomalous; and determining, by at least one of the one or more computers, an action using the subnet anomaly score.
10. The system of claim 9, wherein determining the action using the subnet anomaly score comprises: determining, for a specific subnet in the one or more subnets, whether the respective subnet anomaly score satisfies a threshold anomaly score; and determining the action using a result of the determination whether the respective subnet anomaly score satisfies the threshold anomaly score.
11. The system of claim 10, wherein determining the action comprises determining to perform at least one of disconnecting the specific subnet from another network, restricting inbound or outbound bandwidth for the specific subnet, preventing the specific subnet from sending or receiving particular types of network traffic, creating a computer implemented network rule for the specific subnet, silently discarding at least a portion of the one or more data packets for the network traffic corresponding to the specific subnet, or transitioning an application executing on the network node included in the specific subnet to a second network node included in a second subnet.
12. The system of claim 10, wherein determining the action comprises determining to send an event message that identifies the specific subnet upon determining that the respective subnet anomaly score satisfies the threshold anomaly score.
13. The system of claim 9, wherein the network map represents only one subnet.
14. The system of claim 9, wherein the network map represents two or more subnets.
15. The system of claim 9, wherein determining, for at least one of the one or more subnets, the subnet anomaly score comprises: for each subnet included in the one or more subnets: determining the network nodes from the plurality of network nodes that are included in the respective subnet; determining, for each of the network nodes that are included in the respective subnet, a node anomaly score using the model of expected network activity and at least one of the one or more data packe
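To make the claimed scoring pipeline concrete, here is an added worked example in Python; it is not code from the patent or its assignee. It builds a small network map with constructed traffic counts, fits a per-edge Gaussian baseline as the "model of expected network activity", scores a second period's counts as per-edge anomaly probabilities, combines them into subnet scores both edge-wise (as in claim 8) and node-wise (as in claim 7) using a noisy-OR, which is exactly "the probability that at least one is anomalous" under an independence assumption, and maps each subnet score to a threshold-based action of the kind listed in claims 3 and 4. The Gaussian baseline, the noisy-OR combination, the `MIN_SIGMA` floor, the node and subnet names, and all packet counts are assumptions for illustration; the patent text does not specify how the model or the score combination is computed.

```python
import math
import statistics
from collections import defaultdict

# --- Constructed sample data (assumed for illustration, not from the patent) ---
# Network map: nodes, undirected edges (communication paths) and subnet membership.
NODES = {"A", "B", "C", "D", "E"}
EDGES = [("A", "B"), ("B", "C"), ("C", "D"), ("D", "E")]
SUBNETS = {"subnet1": {"A", "B", "C"}, "subnet2": {"D", "E"}}

# First time period: packets per interval on each edge (four intervals) used to fit the model.
BASELINE = {
    ("A", "B"): [90, 110, 90, 110],
    ("B", "C"): [18, 22, 18, 22],
    ("C", "D"): [5, 15, 5, 15],
    ("D", "E"): [40, 60, 40, 60],
}
# Second time period: one interval of observed packet counts to be scored against the model.
OBSERVED = {("A", "B"): 100, ("B", "C"): 24, ("C", "D"): 10, ("D", "E"): 52}

MIN_SIGMA = 1.0  # assumed floor so a perfectly constant edge does not divide by zero


def edge_key(a, b):
    """Canonical undirected edge key so (B, A) and (A, B) name the same path."""
    return tuple(sorted((a, b)))


def build_model(baseline):
    """Expected activity per edge: mean and population std-dev of packets per interval."""
    model = {}
    for (a, b), counts in baseline.items():
        sigma = max(statistics.pstdev(counts), MIN_SIGMA)
        model[edge_key(a, b)] = (statistics.mean(counts), sigma)
    return model


def edge_anomaly_score(model, edge, count):
    """Probability that `count` on `edge` is anomalous.
    A path absent from the model (never seen in the map) is fully anomalous (1.0);
    otherwise the score is the two-sided Gaussian mass within |z| of the mean, erf(|z|/sqrt 2)."""
    key = edge_key(*edge)
    if key not in model:
        return 1.0
    mean, sigma = model[key]
    z = abs(count - mean) / sigma
    return math.erf(z / math.sqrt(2))


def noisy_or(scores):
    """P(at least one component is anomalous), treating the component scores as independent."""
    prod = 1.0
    for s in scores:
        prod *= 1.0 - s
    return 1.0 - prod


def score_edges(model, observed):
    return {edge_key(*e): edge_anomaly_score(model, e, c) for e, c in observed.items()}


def subnet_scores_by_edge(edge_scores, subnets):
    """Claim-8 style: combine scores of edges whose both endpoints lie in the subnet."""
    out = {}
    for name, members in subnets.items():
        inside = [s for (a, b), s in edge_scores.items() if a in members and b in members]
        out[name] = noisy_or(inside)
    return out


def subnet_scores_by_node(edge_scores, subnets):
    """Claim-7 style: score each node from its incident edges, then combine the node scores."""
    incident = defaultdict(list)
    for (a, b), s in edge_scores.items():
        incident[a].append(s)
        incident[b].append(s)
    out = {}
    for name, members in subnets.items():
        out[name] = noisy_or([noisy_or(incident[n]) for n in members])
    return out


def decide_action(score, threshold=0.9, severe=0.99):
    """Map a subnet score to a response; the action names follow those listed in the claims."""
    if score >= severe:
        return "restrict_bandwidth"
    if score >= threshold:
        return "send_event_message"
    return "no_action"


def run(baseline=BASELINE, observed=OBSERVED, subnets=SUBNETS):
    """Full pipeline: model -> edge scores -> subnet scores (both styles) -> actions."""
    model = build_model(baseline)
    edge_scores = score_edges(model, observed)
    by_edge = subnet_scores_by_edge(edge_scores, subnets)
    by_node = subnet_scores_by_node(edge_scores, subnets)
    actions = {name: decide_action(s) for name, s in by_edge.items()}
    return edge_scores, by_edge, by_node, actions


if __name__ == "__main__":
    edge_scores, by_edge, by_node, actions = run()
    for e, s in sorted(edge_scores.items()):
        print(f"edge {e}: {s:.4f}")
    for name in SUBNETS:
        print(f"{name}: edge-combined {by_edge[name]:.4f}, "
              f"node-combined {by_node[name]:.4f}, action {actions[name]}")
```

With the constructed data only edge B-C deviates sharply (24 packets against a mean of 20 and std-dev of 2, about 0.95), so subnet1 scores about 0.95 edge-wise but about 0.998 node-wise, because the node-wise combination counts that one edge once per endpoint. That gap is the practical caveat for the claim-7 path: without correcting for shared edges, or for correlated traffic generally, the independence assumption behind the noisy-OR inflates subnet scores and pushes them across the action threshold. The `MIN_SIGMA` floor matters for the opposite failure, a nearly constant edge whose tiny variance would otherwise turn any deviation into a certain anomaly.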
CPC classification titles:
- Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks
- comprising specially adapted graphical user interfaces [GUI]
- Packet rate
- Throughput
- Processing captured monitoring data, e.g. for logfile generation