Detection of malicious network connections
US-2016080404-A1 · Mar 17, 2016 · US
US11436075B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-11436075-B2 |
| Application number | US-201916520233-A |
| Country | US |
| Kind code | B2 |
| Filing date | Jul 23, 2019 |
| Priority date | Jul 23, 2019 |
| Publication date | Sep 6, 2022 |
| Grant date | Sep 6, 2022 |
Official abstract text for this publication.
Some embodiments provide a novel method for collecting and analyzing attributes of data flows associated with machines executing on a plurality of host computers to detect anomalous behavior. In some embodiments, an anomalous behavior is detected for at least one particular flow associated with at least one machine executing on the host computer. In some embodiments, anomaly detection is based on the context data from the guest introspection agent and deep packet inspection. An identifier of the detected anomalous behavior is stored, in some embodiments. The stored attributes are provided, in some embodiments, to a server for further analysis.
Opening claim text (preview).
We claim:
1. A method for detecting anomalous behavior of machines executing on a particular host computer that is one of a set of host computers in a network, the method comprising: on the particular host computer: collecting and storing attributes relating to data flows associated with a set of one or more machines executing on the particular host computer; analyzing the stored attributes to detect an anomalous behavior with at least one particular data flow associated with at least one machine executing on the particular host computer; storing an indication of the anomalous behavior; and providing the stored attributes and anomalous-behavior indication to a server for further analysis, wherein the server analyzes anomalous-behavior indications received from a plurality of host computers based on the host computers analyzing attributes of data flows associated with machines executing on the host computers to detect anomalous behaviors.
2. The method of claim 1, wherein the stored attributes analyzed to detect the anomalous behavior comprise contextual attributes that are not layers 2, 3 and 4 data flow header values, wherein the anomalous-behavior indication is provided to the server as a contextual attribute of the particular data flow.
3. The method of claim 2, wherein the contextual attributes comprise L7 data flow header values.
4. The method of claim 2, wherein the contextual attributes comprise non-flow header value attributes.
5. The method of claim 2, wherein analyzing the stored attributes comprises analyzing at least a subset of the collected contextual attributes to detect the anomalous behavior.
6. The method of claim 5, wherein: collecting attributes comprises generating statistics regarding the data flows; and analyzing the stored attributes further comprises analyzing the generated statistics to detect the anomalous behavior.
7. The method of claim 2, wherein: the stored attributes further comprise statistics generated at the particular host computer regarding the data flows; and analyzing the stored attributes comprises analyzing the generated statistics to detect the anomalous behavior.
8. The method of claim 7, wherein detecting an anomalous behavior comprises determining that a value for a particular statistic attribute generated for the particular data flow has deviated from a stored value for the particular statistic attribute.
9. The method of claim 8, wherein: the stored value for the statistic attribute is a mean value; the stored statistic attribute further comprises a standard deviation for the particular statistic attribute; and the standard deviation is also used to detect the anomalous behavior.
10. The method of claim 9, wherein the statistic attribute is a round trip time.
11. The method of claim 1, wherein analyzing the stored attributes comprises analyzing contextual attributes collected from a deep packet inspection agent on the particular host computer to detect the anomalous behavior.
12. The method of claim 1, wherein detecting an anomalous behavior comprises detecting that a port associated with the particular data flow does not match a port expected based on an application associated with the particular data flow.
13. The method of claim 1, wherein storing the indication of the anomalous behavior comprises storing a contextual attribute associated with the particular data flow that is a flag bit that indicates that an anomalous behavior has been detected.
14. The method of claim 1, wherein storing the indication of the anomalous behavior comprises storing a contextual attribute associated with the particular data flow that is a value that indicates a particular type of anomalous behavior.
15. The method of claim 1 further comprising taking an action on the particular host computer based on the detected anomalous behavior.
16. The method of claim 1 further comprising making a recommendation based on the detected anomalous behavior.
17. The method of claim 16, wherein the recommendation is to generate a new firewall rule to block the particular data flow in the future.
18. A non-transitory machine-readable medium storing a program which when executed by at least one processing unit of a host computer that is one of a set of host computers in a network detects anomalous behavior of machines executing on the particular host computer, the program comprising sets of instructions for: collecting and storing attributes relating to data flows associated with a set of one or more machines executing on the particular host computer; analyzing the stored attributes to detect an anomalous behavior with at least one particular data flow associated with at least one machine executing on the particular host computer; storing an indication of the anomalous behavior; and providing the stored attributes and anomalous-behavior indication to a server for further analysis, wherein the server analyzes anomalous-behavior indications received from a plurality of host computers based on the host computers analyzing attributes of data flows associated with machines executing on the host computers to detect anomalous behaviors.
19. The non-transitory machine-readable medium of claim 18, wherein the stored attributes analyzed to detect the anomalous behavior comprise contextual attributes that are not layers 2, 3 and 4 data flow header values, wherein the anomalous-behavior indication is provided to the server as a contextual attribute of the particular data flow.
20. The non-transitory machine-readable medium of claim 18, wherein the program further comprises a set of instructions for taking an action on the particular host computer based on the detected anomalous behavior.
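The following is an added illustration of the per-host analysis the claims describe (running mean and standard deviation of round trip time per flow, port/application mismatch, a flag bit plus a type value stored as contextual attributes, and a blocking-rule recommendation); it is not the patent's or any vendor's code. The flow records, the expected-port table, the deviation threshold and all field names are constructed assumptions for this example.

```python
"""Added example of the host-side anomaly check from the claims above (not the patent's code).
Flow records, EXPECTED_PORT, thresholds and field names are constructed for illustration."""
import math
from dataclasses import dataclass
from typing import Optional

# Constructed: port an application is expected to use (claim 12), as a DPI agent might report.
EXPECTED_PORT = {"https": 443, "ssh": 22, "dns": 53}
ANOMALY_PORT_MISMATCH, ANOMALY_RTT_DEVIATION = 1, 2   # constructed type codes (claim 14)

@dataclass
class FlowStats:
    """Running mean / standard deviation of one statistic per flow (Welford; claims 8-9)."""
    n: int = 0
    mean: float = 0.0
    m2: float = 0.0

    def update(self, x: float) -> None:
        self.n += 1
        delta = x - self.mean
        self.mean += delta / self.n
        self.m2 += delta * (x - self.mean)

    def stddev(self) -> float:
        return math.sqrt(self.m2 / (self.n - 1)) if self.n > 1 else 0.0

class HostAnalyzer:
    """Collects flow attributes on one host and stores an anomaly indication (claims 1, 13-14)."""
    def __init__(self, k: float = 3.0, min_samples: int = 5):
        self.k, self.min_samples = k, min_samples   # k std devs; warm-up before judging RTT
        self.stats: dict = {}

    def observe(self, flow: dict) -> dict:
        key = (flow["src_ip"], flow["dst_ip"], flow["dst_port"], flow["app"])
        st = self.stats.setdefault(key, FlowStats())
        anomaly = 0
        # Claim 12: destination port does not match the port expected for the application.
        if EXPECTED_PORT.get(flow["app"]) not in (None, flow["dst_port"]):
            anomaly = ANOMALY_PORT_MISMATCH
        # Claim 10: round trip time deviates from the stored mean by more than k std devs.
        elif (st.n >= self.min_samples and st.stddev() > 0
              and abs(flow["rtt_ms"] - st.mean) > self.k * st.stddev()):
            anomaly = ANOMALY_RTT_DEVIATION
        if not anomaly:               # keep anomalous samples out of the baseline
            st.update(flow["rtt_ms"])
        # Record sent to the server: raw attributes plus flag bit and anomaly type.
        return {**flow, "anomalous": int(anomaly != 0), "anomaly_type": anomaly}

    @staticmethod
    def recommend(record: dict) -> Optional[str]:
        """Claim 17: recommend a firewall rule blocking a flagged flow in the future."""
        if not record["anomalous"]:
            return None
        return f"block {record['src_ip']} -> {record['dst_ip']}:{record['dst_port']}"
```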
Parsing or analysis of headers · CPC title
in a distributed system consisting of a plurality of standalone computer nodes, e.g. clusters, client-server systems · CPC title
related to network devices · CPC title
Rule management · CPC title
Policy-based network configuration management · CPC title