US11824876B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-11824876-B2 |
| Application number | US-202016778585-A |
| Country | US |
| Kind code | B2 |
| Filing date | Jan 31, 2020 |
| Priority date | Jan 31, 2020 |
| Publication date | Nov 21, 2023 |
| Grant date | Nov 21, 2023 |
Official abstract text for this publication.
Disclosed herein are system, method, and computer program product embodiments for providing an anomaly detection system. Some aspects of this disclosure include a method for detecting an anomaly in a network device. The method includes determining one or more similarity values between a flow vector corresponding to a flow associated with the network device and one or more flow clusters associated with the network device. The method further includes determining a maximum similarity value as the maximum of the one or more similarity values and comparing the maximum similarity value to a threshold. The method also includes, in response to the maximum similarity value being equal to or greater than the threshold, updating the flow cluster associated with the maximum similarity value. The method also includes, in response to the maximum similarity measure being less than the threshold, detecting the anomaly in the network device.
Opening claim text (preview).
What is claimed is:

1. A method performed by an anomaly detection system for detecting an anomaly in a network device, the method comprising: receiving, by at least one processor of the anomaly detection system, two or more initial flow vectors, wherein the two or more initial flow vectors are based on a behavioral model of the network device generated based on processing a plurality of records associated with the network device, and wherein the two or more initial flow vectors are stored in a memory; generating, by the at least one processor of the anomaly detection system and based on the two or more initial flow vectors, a flow vector corresponding to the network device, wherein the flow vector is stored in the memory; determining, by the at least one processor of the anomaly detection system, a plurality of similarity values between the flow vector and a plurality of flow clusters associated with the network device; determining, by the at least one processor of the anomaly detection system, a maximum similarity value as a maximum of the plurality of similarity values; comparing, by the at least one processor of the anomaly detection system, the maximum similarity value to a threshold; in response to the maximum similarity value being equal to or greater than the threshold, updating, by the at least one computer processor of the anomaly detection system, a flow cluster associated with the maximum similarity value by combining the flow cluster associated with the maximum similarity value with the flow vector, wherein the updated flow cluster is stored in the memory for subsequent anomaly detection; and in response to the maximum similarity value being less than the threshold: detecting the anomaly in the network device; generating an alert message based on the detected anomaly; and generating a new flow cluster based on the flow vector, wherein the new flow cluster is stored in the memory for the subsequent anomaly detection.
2. The method of claim 1, wherein the combining the flow cluster associated with the maximum similarity value with the flow vector comprises: determining an exponentially weighted moving average between the flow vector and the flow cluster associated with the maximum similarity value; and updating a timestamp associated with the flow cluster associated with the maximum similarity value, wherein the updated timestamp indicates a time that the flow cluster associated with the maximum similarity value is updated.
3. The method of claim 1, further comprising associating a timestamp with the new flow cluster, the timestamp indicating a time that the new flow cluster is generated.
4. The method of claim 1, wherein the determining the plurality of similarity values comprises applying a cosine similarity measure to the plurality of similarity values.
5. The method of claim 1, wherein: the receiving the two or more initial flow vectors further comprises: receiving a first initial flow vector corresponding to a first flow associated with the network device; and receiving a second initial flow vector corresponding to a second flow associated with the network device, and the generating the flow vector further comprises: determining a similarity value between the first initial flow vector and the second initial flow vector; comparing the similarity value to a similarity threshold; and in response to the similarity value being equal to or greater than the similarity threshold, generating the flow vector.
6. The method of claim 5, wherein the generating the flow vector comprises creating a weighted average of the first initial flow vector and the second initial flow vector.
7. The method of claim 5, wherein the first and second initial flow vectors are stored in contiguous memory spaces in the memory.
8. The method of claim 1, further comprising: receiving the threshold used for detecting the anomaly in the network device.
9. The method of claim 1, further comprising: dynamically updating the threshold based on at least one of a flow associated with the network device or a behavior of the network device.
10. A method performed by an anomaly detection system, comprising: receiving, by at least one processor of the anomaly detection system, two or more initial flow vectors, wherein the two or more initial flow vectors are based on a behavioral model of a network device generated based on processing a plurality of records associated with the network device, and wherein the two or more initial flow vectors are stored in a memory; generating, by the at least one processor of the anomaly detection system and based on the two or more initial flow vectors, a network flow associated with the network device, wherein the network flow is stored in the memory; determining, by the at least one processor of the anomaly detection system, a plurality of similarity values between the network flow and a plurality of flow clusters associated with the network device; determining, by the at least one processor of the anomaly detection system, a maximum similarity value as a maximum of the plurality of similarity values; comparing, by the at least one processor of the anomaly detection system, the maximum similarity value to a threshold; determining, by the at least one processor of the anomaly detection system and based on the comparing and at a flow level, whether the network flow indicates an anomaly in a behavior of the network device; in response to determining that the network flow indicates the anomaly in the behavior of the network device: generating an alert message based on the anomaly, wherein the alert message comprises at least one or more of information associated with the network device with the anomaly, information associated with the network flow that triggered the anomaly, information about a flow vector, or information associated with a flow cluster associated with the maximum similarity value; and generating a new flow cluster based on the received network flow, wherein the new flow cluster is stored in the memory for subsequent anomaly detection; and in response to determining that the network flow does not indicate the anomaly in the behavior of the network device, updating one of the plurality of flow clusters by combining the one of the plurality of flow clusters with a flow vector associated with the network flow, wherein the updated one of the plurality of flow clusters is stored in the memory for the subsequent anomaly detection.
11. The method of claim 10, further comprising: updating a timestamp associated with the updated flow cluster, wherein the updated timestamp indicates a time that the one of the plurality of flow clusters is updated.
12. The method of claim 10, further comprising: associating a timestamp with the new flow cluster, the timestamp indicating a time that the new flow cluster is generated.
13. A system, comprising: a memory; and at least one processor coupled to the memory and configured to: receive two or more initial flow vectors, wherein the two or more initial flow vectors are based on a behavioral model of a network device generated based on processing a plurality of records associated with the network device, and wherein the two or more initial flow vectors are stored in the memory; generate, by the at least one processor and based on the two or more initial flow vectors, a flow vector associated with the network device, wherein the flow vector is stored in the memory; determine a plurality of similarity values between the flow vector associated with the network device and a plurality of flow clusters associated with the network device; determine a maxim
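The claims above describe an online, per-device clustering detector: cosine similarity of a new flow vector against each stored cluster (claim 4), comparison of the maximum similarity to a threshold (claims 1 and 10), an exponentially weighted moving average update with a refreshed timestamp when the flow matches (claims 2 and 11), and an alert plus a new cluster when it does not (claims 1, 3 and 12). Claims 5 and 6 also describe merging two initial flow vectors into one by a weighted average when they are similar enough. The following Python is an added worked example of that logic; it is not code from the patent or its assignee. The feature layout of the vectors, the EWMA weight `alpha`, the `FlowCluster` and `FlowAnomalyDetector` names, seeding the model from the first flow when no cluster exists yet, and returning `None` from `merge_initial_vectors` for dissimilar pairs are all this example's own assumptions; the sample vectors are constructed.

```python
import math
import time
from dataclasses import dataclass


@dataclass
class FlowCluster:
    """A flow cluster: a centroid vector and the time of its last update (claims 2, 3, 11, 12)."""
    centroid: list
    updated_at: float


def cosine_similarity(a, b):
    """Cosine similarity between two equal-length flow vectors (claim 4)."""
    dot = sum(x * y for x, y in zip(a, b))
    norm_a = math.sqrt(sum(x * x for x in a))
    norm_b = math.sqrt(sum(x * x for x in b))
    if norm_a == 0.0 or norm_b == 0.0:
        return 0.0  # an all-zero vector has no direction; treat it as dissimilar (assumption)
    return dot / (norm_a * norm_b)


def ewma(old, new, alpha):
    """Exponentially weighted moving average of two vectors (claim 2); alpha weights the new flow."""
    return [(1.0 - alpha) * o + alpha * n for o, n in zip(old, new)]


def merge_initial_vectors(first, second, similarity_threshold, weight=0.5):
    """Claims 5 and 6: combine two initial flow vectors into one flow vector when their
    similarity reaches the similarity threshold. The claims do not say what happens
    otherwise; returning None (drop the pair) is this example's assumption."""
    if cosine_similarity(first, second) >= similarity_threshold:
        return [weight * f + (1.0 - weight) * s for f, s in zip(first, second)]
    return None


class FlowAnomalyDetector:
    """Online detector for one network device, following claims 1 and 10."""

    def __init__(self, threshold=0.9, alpha=0.2, clock=time.time):
        self.threshold = threshold  # claim 8: the threshold is a received parameter
        self.alpha = alpha          # EWMA weight of the newest flow (assumed parameter)
        self.clock = clock          # injectable so timestamps are deterministic in tests
        self.clusters = []          # the device's behavioural model: list of FlowCluster

    def set_threshold(self, threshold):
        """Claim 9: the threshold may be updated dynamically."""
        self.threshold = threshold

    def observe(self, flow_vector):
        """Process one flow vector. Returns None when the flow matches an existing
        cluster (which is then updated), or an alert dict when it does not."""
        flow_vector = [float(x) for x in flow_vector]
        if not self.clusters:
            # Bootstrap: the claims assume clusters already exist. Here the first
            # flow seeds the model without raising an alert (assumption).
            self.clusters.append(FlowCluster(flow_vector, self.clock()))
            return None

        sims = [cosine_similarity(flow_vector, c.centroid) for c in self.clusters]
        best = max(range(len(sims)), key=sims.__getitem__)
        max_sim = sims[best]

        if max_sim >= self.threshold:
            # Known behaviour: fold the flow into the nearest cluster, refresh its timestamp.
            cluster = self.clusters[best]
            cluster.centroid = ewma(cluster.centroid, flow_vector, self.alpha)
            cluster.updated_at = self.clock()
            return None

        # Anomaly: build the alert (claim 10 lists its contents), then open a new
        # cluster so the behaviour is tracked from now on (claims 1 and 3).
        alert = {
            "reason": "flow does not match any known cluster",
            "max_similarity": max_sim,
            "nearest_cluster": best,
            "flow_vector": flow_vector,
        }
        self.clusters.append(FlowCluster(list(flow_vector), self.clock()))
        return alert


if __name__ == "__main__":
    # Constructed feature vectors: [bytes_out, packets, duration_s, distinct_dst_ports]
    detector = FlowAnomalyDetector(threshold=0.9, alpha=0.5, clock=lambda: 1000.0)
    for vec in ([100, 10, 1, 1], [110, 11, 1, 1], [1, 1, 0, 200]):
        print(vec, "->", detector.observe(vec))
```

With the constructed vectors, the first two flows point in almost the same direction and are folded into one cluster, whose centroid becomes their EWMA; the third flow has a cosine similarity near zero against that centroid, so an alert is returned and a second cluster is started. A real deployment would extract the feature layout from the device's flow records and would also age out clusters whose timestamp has not been refreshed.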
Traffic logging, e.g. anomaly detection · CPC title
involving long-term monitoring or reporting · CPC title