Detection and analysis of seasonal network patterns for anomaly detection

What is claimed is: 1. A method, comprising: determining, by a device in a network, cluster assignments that assign traffic data regarding traffic in the network to activity level clusters based on one or more measures of traffic activity in the traffic data, wherein the activity level clusters are representative of levels of activity between particular hosts in the network; using, by the device, the cluster assignments to predict seasonal activity for a particular subset of the traffic in the network by using a machine learning-based (ML-based) classification function that models how a plurality of samples of traffic data of the network is assigned to the levels of activity between the particular hosts in the network using at least one regression, wherein the predicted seasonal activity is based on a plurality of intervals of periods of time indicative of stable behavior in the particular subset of traffic; determining, by the device, an activity level for new traffic data regarding the particular subset of traffic in the network; and detecting, by the device, a network anomaly by comparing the activity level for the new traffic data to the predicted seasonal activity. 2. The method as in claim 1 , wherein using the cluster assignments to predict seasonal activity for the particular subset of traffic in the network comprises: generating, by the device, the ML-based classification function; and using the ML-based classification function to determine whether samples for the particular subset of traffic in the network exhibit a seasonal pattern. 3. The method as in claim 2 , wherein generating the ML-based classification function comprises: performing, by the device, regression on the cluster assignments and the plurality of samples in the traffic data over a set of time intervals. 4. The method as in claim 2 , wherein using the ML-based classification function to determine whether samples for the particular subset of traffic in the network exhibit a seasonal pattern comprises: using, by the device, the ML-based classification function to classify a set of samples for the particular subset of traffic according to their activity levels; and determining, by the device, that the set of samples exhibit a seasonal pattern based on a difference between the classified set of samples and the corresponding cluster assignments for the classified set of samples being below a predefined threshold. 5. The method as in claim 4 , further comprising: adjusting, by the device, the predefined threshold based on feedback regarding network anomalies detected by the device. 6. The method as in claim 1 , wherein the particular subset of the traffic is associated with a particular host node in the network, and wherein the one or more measures of traffic activity in the traffic data comprise a number of packets or bytes of traffic associated with the host node. 7. The method as in claim 1 , further comprising: evaluating, by the device, a quality metric associated with one of the cluster assignments to determine whether the traffic data associated with the cluster assignment is unimodal; and, in response, determining, by the device, that the traffic data associated with the cluster assignment is not seasonal. 8. The method as in claim 1 , wherein the activity level clusters comprise a low activity cluster and a high activity cluster. 9. The method as in claim 1 , wherein the device is an edge router. 10. An apparatus, comprising: one or more network interfaces to communicate with a network; a processor coupled to the network interfaces and configured to execute one or more processes; and a memory configured to store a process executable by the processor, the process when executed configured to: determine cluster assignments that assign traffic data regarding traffic in the network to activity level clusters based on one or more measures of traffic activity in the traffic data, wherein the activity level clusters are representative of levels of activity between particular hosts in the network; use the cluster assignments to predict seasonal activity for a particular subset of the traffic in the network by using a machine learning-based (ML-based) classification function that models how a plurality of samples of traffic data of the network is assigned to the levels of activity between the particular hosts in the network using at least one regression, wherein the predicted seasonal activity is based on a plurality of intervals of periods of time indicative of stable behavior in the particular subset of traffic; determine an activity level for new traffic data regarding the particular subset of traffic in the network; and detect a network anomaly by comparing the activity level for the new traffic data to the predicted seasonal activity. 11. The apparatus as in claim 10 , wherein the apparatus uses the cluster assignments to predict seasonal activity for the particular subset of traffic in the network by: generating the ML-based classification function; and using the ML-based classification function to determine whether samples for the particular subset of traffic in the network exhibit a seasonal pattern. 12. The apparatus as in claim 11 , wherein the apparatus generates the ML-based classification function by performing regression on the cluster assignments and the plurality of samples in the traffic data over a set of time intervals. 13. The apparatus as in claim 11 , wherein the apparatus uses the ML-based classification function to determine whether samples for the particular subset of traffic in the network exhibit a seasonal pattern by: using the ML-based classification function to classify a set of samples for the particular subset of traffic according to their activity levels; and determining that the set of samples exhibit a seasonal pattern based on a difference between the classified set of samples and the corresponding cluster assignments for the classified set of samples being below a predefined threshold. 14. The apparatus as in claim 13 , wherein the process when executed is further operable to: adjust the predefined threshold based on feedback regarding network anomalies detected by the apparatus. 15. The apparatus as in claim 10 , wherein the particular subset of the traffic is associated with a particular host node in the network, and wherein the one or more measures of traffic activity in the traffic data comprise a number of packets or bytes of traffic associated with the host node. 16. The apparatus as in claim 10 , wherein the process when executed is further operable to: evaluate a quality metric associated with one of the cluster assignments to determine whether the traffic data associated with the cluster assignment is unimodal; and, in response, determine that the traffic data associated with the cluster assignment is not seasonal. 17. The apparatus as in claim 10 , wherein the activity level clusters comprise a low activity cluster and a high activity cluster. 18. The apparatus as in claim 10 , wherein the apparatus is an edge router. 19. A tangible, non-transitory, computer-readable medium storing program instructions that cause a device in a network to execute a process comprising: determining cluster assignments that assign traffic data regarding traffic in the network to activity level clusters based on one or more measures of traffic activity in the traffic data, wherein the activity level clusters are representative of levels of activity between particular hosts in the network; using the cluster