Self organizing learning topologies

US10404727B2 · US · B2

Patent metadata

Publication number: US-10404727-B2
Application number: US-201615176678-A
Country: US
Kind code: B2
Filing date: Jun 8, 2016
Priority date: Mar 25, 2016
Publication date: Sep 3, 2019
Grant date: Sep 3, 2019

Abstract

Official abstract text for this publication.

In one embodiment, a networking device at an edge of a network generates a first set of feature vectors using information regarding one or more characteristics of host devices in the network. The networking device forms the host devices into device clusters dynamically based on the first set of feature vectors. The networking device generates a second set of feature vectors using information regarding traffic associated with the device clusters. The networking device models interactions between the device clusters using a plurality of anomaly detection models that are based on the second set of feature vectors.
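
An added illustration of the two-stage pipeline the abstract describes, not code from the patent or its assignee: hosts are clustered on their characteristics, then traffic is aggregated per cluster-to-cluster edge and scored against a per-edge baseline. The leader clustering, the deviation test, the thresholds and all sample hosts and flows are assumptions chosen for this sketch.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample inventory: host -> (location, application, device configuration).
HOSTS = {
    "10.0.1.10": ("floor1", "web-client", "workstation"),
    "10.0.1.11": ("floor1", "web-client", "workstation"),
    "10.0.1.12": ("floor2", "web-client", "workstation"),
    "10.0.2.20": ("dc", "database", "server"),
}

def cluster_hosts(hosts, max_mismatch=1):
    """Stage 1: leader clustering on host characteristics (Hamming distance)."""
    leaders, assignment = [], {}
    for host, vec in sorted(hosts.items()):
        for cid, leader in enumerate(leaders):
            if sum(a != b for a, b in zip(vec, leader)) <= max_mismatch:
                assignment[host] = cid
                break
        else:  # no close leader: this host starts a new cluster
            leaders.append(vec)
            assignment[host] = len(leaders) - 1
    return assignment

def edge_bytes(flows, assignment):
    """Stage 2 features: bytes per (window, (src_cluster, dst_cluster)) edge."""
    totals = defaultdict(int)
    for window, src, dst, nbytes in flows:
        totals[(window, (assignment[src], assignment[dst]))] += nbytes
    return totals

def detect(flows, assignment, train_windows, z_limit=3.0):
    """One baseline per edge from the training windows; later windows are scored."""
    totals, baseline, alerts = edge_bytes(flows, assignment), defaultdict(list), []
    for (window, edge), nbytes in sorted(totals.items()):  # training windows sort first
        if window < train_windows:
            baseline[edge].append(nbytes)
        elif edge not in baseline:  # cluster pair never seen talking
            alerts.append((window, edge, "new-edge"))
        elif abs(nbytes - mean(baseline[edge])) > z_limit * (pstdev(baseline[edge]) or 1.0):
            alerts.append((window, edge, "volume"))
    return alerts

# Constructed flows: (window, src, dst, bytes); windows 0-4 are the training period.
FLOWS = [(w, "10.0.1.10", "10.0.2.20", 1000 + 50 * (w % 3)) for w in range(5)] + [
    (5, "10.0.1.10", "10.0.2.20", 1100),    # within the learned range
    (6, "10.0.1.12", "10.0.2.20", 500000),  # volume spike on edge (0, 1)
    (6, "10.0.2.20", "10.0.1.11", 300),     # server cluster initiating to workstations
]
```

Because the baseline is kept per cluster pair rather than per host pair, the spike from 10.0.1.12 is scored against traffic learned from 10.0.1.10, which is the practical payoff of clustering before modeling.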

First claim

Opening claim text (preview).

What is claimed is:

1. A method comprising: generating, by a networking device at an edge of a network, a first set of feature vectors using information regarding one or more characteristics of host devices in the network; forming, by the networking device, the host devices into device clusters dynamically based on the first set of feature vectors; generating, by the networking device, a second set of feature vectors using information regarding traffic associated with the device clusters; modeling, by the networking device, interactions between the device clusters using a plurality of anomaly detection models that are based on the second set of feature vectors; and adjusting, by the networking device, the device clusters in response to feedback from a supervisory device regarding one or more anomalies detected by the one or more anomaly detection models.

2. The method as in claim 1, further comprising: reporting, by the networking device, the device clusters to a supervisory device.

3. The method as in claim 1, further comprising: receiving, at the networking device, a clustering policy from a supervisory device, wherein the networking device forms the device clusters based in part on the received clustering policy.

4. The method as in claim 1, wherein a particular host device belongs to a plurality of device clusters.

5. The method as in claim 1, further comprising: adjusting, by the networking device, the device clusters based on a time function.

6. The method as in claim 1, further comprising: adjusting, by the networking device, the device clusters based on a change in the first set of feature vectors that corresponds to a behavioral change of one or more of the host devices.

7. The method as in claim 1, further comprising: reporting, by the networking device, edge identifiers to a supervisory device, wherein a particular edge identifier represents an interaction between two or more of the device clusters, wherein the supervisory device is configured to use the edge identifiers to select a set of edges expected to exhibit similar behaviors; and providing, by the networking device, information regarding one or more of the anomaly detection models to the supervisory device based on the set of edges selected by the supervisory device, wherein the supervisory device is configured to use the information regarding the one or more of the anomaly detection models to provide a measure of confidence in the models.

8. The method as in claim 1, wherein the networking device is a router at the edge of the network, and wherein the characteristics of a particular host device comprise one or more of: a location of the particular host device, an application executed by the particular host device, or a device configuration of the particular host device.

9. An apparatus, comprising: one or more network interfaces to communicate with a network; a processor coupled to the network interfaces and configured to execute one or more processes; and a memory configured to store a process executable by the processor, the process when executed operable to: generate a first set of feature vectors using information regarding one or more characteristics of host devices in the network; form the host devices into device clusters dynamically based on the first set of feature vectors; generate a second set of feature vectors using information regarding traffic associated with the device clusters; and model interactions between the device clusters using a plurality of anomaly detection models that are based on the second set of feature vectors adjust the device clusters based on one or more of: a time function, a change in the first set of feature vectors that corresponds to a behavioral change of one or more of the host devices, or feedback from a supervisory device regarding one or more anomalies detected by the one or more anomaly detection models.

10. The apparatus as in claim 9, wherein the first set of feature vectors differs from the second set of feature vectors.

11. The apparatus as in claim 9, wherein the process when executed is further operable to: report edge identifiers to a supervisory device, wherein a particular edge identifier represents an interaction between two or more of the device clusters, wherein the supervisory device is configured to use the edge identifiers to select a set of edges expected to exhibit similar behaviors; and provide information regarding one or more of the anomaly detection models to the supervisory device based on the set of edges selected by the supervisory device, wherein the supervisory device is configured to use the information regarding the one or more of the anomaly detection models to provide a measure of confidence in the models.

12. The apparatus as in claim 9, wherein the apparatus is a router at an edge of the network, and wherein the characteristics of a particular host device comprise one or more of: a location of the particular host device, an application executed by the particular host device, or a device configuration of the particular host device.

13. A tangible, non-transitory, computer-readable medium storing program instructions that, when executed by a device in a network perform a process comprising: generating a first set of feature vectors using information regarding one or more characteristics of host devices in the network; forming the host devices into device clusters dynamically based on the first set of feature vectors; generating a second set of feature vectors using information regarding traffic associated with the device clusters; modeling interactions between the device clusters using a plurality of anomaly detection models that are based on the second set of feature vectors; and adjusting the device clusters in response to feedback from a supervisory device regarding one or more anomalies detected by the one or more anomaly detection models.

14. The tangible, non-transitory, computer-readable medium as in claim 13, wherein the first set of feature vectors differs from the second set of feature vectors.

15. The tangible, non-transitory, computer-readable medium as in claim 13, wherein the process further comprises: reporting edge identifiers to a supervisory device, wherein a particular edge identifier represents an interaction between two or more of the device clusters, wherein the supervisory device is configured to use the edge identifiers to select a set of edges expected to exhibit similar behaviors; and providing information regarding one or more of the anomaly detection models to the supervisory device based on the set of edges selected by the supervisory device, wherein the supervisory device is configured to use the information regarding the one or more of the anomaly detection models to provide a measure of confidence in the models.

16. The tangible, non-transitory, computer-readable medium as in claim 13, wherein the characteristics of a particular host device comprise one or more of: a location of the particular host device, an application executed by the particular host device, or a device configuration of the particular host device.

Classifications

  • Discovery or management of network topologies

  • for prediction of maintenance

  • using root cause analysis; using analysis of correlation between notifications, alarms or events based on decision criteria, e.g. hierarchy, tree or time analysis

  • Traffic logging, e.g. anomaly detection

  • Denial of Service

Frequently asked questions

Answers are generated from the same data shown on this page.

Who is the assignee on this patent?
Cisco Tech Inc
What technology area does this patent fall under?
Primary CPC classification H04L63/1425. Mapped technology areas include Electricity.
When was this patent published?
Publication date Sep 3, 2019 (B2). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 3 related publications on this page (citations in our corpus or others sharing the same primary CPC).