Network security event detection via normalized distance based clustering
US-2020112571-A1 · Apr 9, 2020 · US
US11943246B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-11943246-B2 |
| Application number | US-202217738356-A |
| Country | US |
| Kind code | B2 |
| Filing date | May 6, 2022 |
| Priority date | Mar 7, 2019 |
| Publication date | Mar 26, 2024 |
| Grant date | Mar 26, 2024 |
Official abstract text for this publication.
Methods, systems, apparatuses, and computer program products are provided for reconstructing network activity. A network activity monitor is configured to monitor network activity for various network entities. Based on the monitoring, a set of features may be obtained for each network entity. A determination may be made for a number of vertices suitable for describing the sets of features in a multidimensional space. In some implementations, the vertices may define a convex hull in the multidimensional space. Each of the vertices may be assigned a different usage pattern that represents a certain type of network usage. Reconstructed network activity for a particular network entity may be represented as a weighted combination of the usage patterns. Based on the reconstruction, a network anomaly may be detected, a network may be modified, and/or an alert may be generated.
Claims.
What is claimed is:

1. A system for reconstructing network activity, the system comprising: one or more processors; and one or more memory devices that store program code configured to be executed by the one or more processors, the program code comprising: a network activity monitor configured to monitor network activity of a plurality of network entities; a feature determiner configured to obtain a set of features for each network entity in the plurality of network entities based on the monitoring; a vertex determiner configured to determine a number of vertices to describe the sets of features in a multidimensional space; a usage pattern assignor configured to assign a different usage pattern to each of the vertices, wherein the usage pattern assignor automatically assigns the different usage patterns to the vertices or assigns the different usage patterns to the vertices based on a user input; and a network activity reconstructor configured to obtain at least a subset of the features in the set of features for a particular network entity, and to represent the particular network entity based at least on the usage patterns and the subset of the features in the set of features for the particular network entity.
2. The system of claim 1, wherein at least one feature in the set of features for each network entity in the plurality of network entities is determined by aggregating a type of network activity over a period of time.
3. The system of claim 1, wherein the vertices define a convex hull that describes the sets of features in the multidimensional space.
4. The system of claim 1, wherein the different usage patterns assigned to the vertices include one or more of: a port scanning activity; a web crawler or indexer; a web server; a connection initiator; a login activity; a remote desktop protocol activity; a denial of service attack; or a file transfer activity.
5. The system of claim 1, wherein the number of vertices is determined based, at least in part, on a degree of variance between the sets of features and the number of vertices.
6. The system of claim 1, further comprising a network modifier configured to: alter at least one aspect of the network based at least on the representation of the particular network entity by at least one of: blocking network traffic to or from a node of the network; or filtering network traffic to or from the node.
7. The system of claim 1, wherein the network activity reconstructor is configured to represent the particular network entity as a combination of a plurality of the usage patterns.
8. The system of claim 1, wherein the monitored network activity of the plurality of network entities comprises a sampling of network data.
9. A system for reconstructing network activity, the system comprising: one or more processors; and one or more memory devices that store program code configured to be executed by the one or more processors, the program code comprising: a feature determiner configured to obtain a set of usage patterns for a network that describes sets of features for each of a plurality of network entities, each usage pattern in the set of usage patterns corresponding to a different vertex in a multidimensional space; and a network activity reconstructor configured to: obtain at least a subset of the features in the set of features for a particular network entity, and represent the particular network entity as a weighted combination of the usage patterns based on the at least the subset of the features in the set of features for the particular network entity.
10. The system of claim 9, further comprising a network analyzer configured to perform analytics for the network based at least on the representation of the particular network entity.
11. The system of claim 10, further comprising a network modifier configured to detect a network anomaly based at least on the performed analytics.
12. The system of claim 11, wherein the network modifier is further configured to: perform an action based at least on the detected network anomaly, the action including one or more of: altering at least one aspect of the network; or generating a notification corresponding to the detected anomaly.
13. The system of claim 9, wherein the set of usage patterns define a convex hull that describes the sets of features in the multidimensional space.
14. The system of claim 9, wherein the set of usage patterns includes one or more of: a port scanning activity; a web crawler or indexer; a web server; a connection initiator; a login activity; a remote desktop protocol activity; a denial of service attack; or a file transfer activity.
15. A computer-readable memory device having program code recorded thereon that when executed by at least one processor causes the at least one processor to perform a method comprising: obtaining a set of usage patterns for a network that describes sets of features for each of a plurality of network entities, each usage pattern in the set of usage patterns corresponding to a different vertex in a multidimensional space; obtaining at least a subset of the features in the set of features for a particular network entity; and representing the particular network entity as a weighted combination of the usage patterns based on the at least the subset of the features in the set of features for the particular network entity.
16. The computer-readable memory device of claim 15, wherein the method further comprises: performing analytics for the network based at least on the representation of the particular network entity.
17. The computer-readable memory device of claim 16, wherein the method further comprises: detecting a network anomaly based at least on the performed analytics.
18. The computer-readable memory device of claim 17, wherein the method further comprises: performing an action based at least on the detected network anomaly, the action including one or more of: altering at least one aspect of the network; or generating a notification corresponding to the detected anomaly.
19. The computer-readable memory device of claim 15, wherein the set of usage patterns define a convex hull that describes the sets of features in the multidimensional space.
20. The computer-readable memory device of claim 15, wherein the set of usage patterns includes one or more of: a port scanning activity; a web crawler or indexer; a web server; a connection initiator; a login activity; a remote desktop protocol activity; a denial of service attack; or a file transfer activity.
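The following is an added illustration of the reconstruction step the abstract and claims 9 through 11 describe, written for this page; it is not code from the patent or its applicant. It assumes the usage-pattern vertices have already been chosen and labelled (the variance-based selection of the vertex count in claim 5 is not implemented), and every feature name, vertex value, host address and threshold is constructed for the example. Each entity's hour-aggregated feature vector is expressed as a convex combination (non-negative weights summing to one) of the vertices by projected gradient descent; the residual distance to the hull is the analytics value on which an anomaly is flagged.

```python
"""Added example (not the patent's or its assignee's code): represent each
network entity as a convex combination of labelled usage-pattern vertices,
as in claims 9 and 15, and flag entities whose features cannot be
reconstructed from those vertices. All feature names, vertex values,
entities and the threshold below are constructed for illustration."""
from typing import Dict, List, Tuple

# Per-entity features, each already aggregated over a one-hour window (claim 2).
FEATURES = ["dst_ports_per_hour", "inbound_conn_per_hour",
            "outbound_mb_per_hour", "failed_logins_per_hour"]

# Usage-pattern vertices, assigned from user input (constructed values).
USAGE_PATTERNS: Dict[str, List[float]] = {
    "port_scanning":  [800.0, 0.0, 1.0, 0.0],
    "web_server":     [2.0, 900.0, 400.0, 0.0],
    "login_activity": [1.0, 20.0, 0.5, 150.0],
    "idle":           [0.0, 0.0, 0.0, 0.0],
}

# Scale each feature by its largest vertex value so no single feature dominates
# the least-squares fit; the vertices then lie inside the unit box.
SCALE = [max(v[i] for v in USAGE_PATTERNS.values()) or 1.0
         for i in range(len(FEATURES))]


def normalize(x: List[float]) -> List[float]:
    return [xi / s for xi, s in zip(x, SCALE)]


def project_to_simplex(v: List[float]) -> List[float]:
    """Euclidean projection onto {w : w >= 0, sum(w) = 1} (Duchi et al., 2008)."""
    u = sorted(v, reverse=True)
    cumsum, theta = 0.0, 0.0
    for i, ui in enumerate(u, start=1):
        cumsum += ui
        t = (cumsum - 1.0) / i
        if ui - t > 0.0:
            theta = t
    return [max(vi - theta, 0.0) for vi in v]


def reconstruct(features: List[float], iters: int = 3000) -> Tuple[Dict[str, float], float]:
    """Return (weight per usage pattern, reconstruction distance).

    Minimizes ||sum_j w_j * V_j - x||^2 over the simplex by projected gradient
    descent; the distance is measured in the normalized feature space."""
    names = list(USAGE_PATTERNS)
    V = [normalize(USAGE_PATTERNS[n]) for n in names]
    x = normalize(features)
    k, d = len(V), len(x)
    w = [1.0 / k] * k
    # 2*trace(V V^T) bounds the gradient's Lipschitz constant, so this step is stable.
    step = 1.0 / (2.0 * sum(sum(c * c for c in row) for row in V))
    for _ in range(iters):
        r = [sum(w[j] * V[j][i] for j in range(k)) - x[i] for i in range(d)]
        grad = [2.0 * sum(V[j][i] * r[i] for i in range(d)) for j in range(k)]
        w = project_to_simplex([w[j] - step * grad[j] for j in range(k)])
    recon = [sum(w[j] * V[j][i] for j in range(k)) for i in range(d)]
    dist = sum((a - b) ** 2 for a, b in zip(recon, x)) ** 0.5
    return dict(zip(names, w)), dist


def analyze(entities: Dict[str, List[float]], threshold: float = 0.25) -> Dict[str, dict]:
    """Per-entity analytics (claim 10) and anomaly flag (claim 11): an entity whose
    features lie far outside the hull spanned by the usage patterns is anomalous.
    A mixture of known patterns reconstructs well and is therefore not flagged."""
    report = {}
    for name, feats in entities.items():
        weights, dist = reconstruct(feats)
        dominant = max(weights, key=weights.get)
        report[name] = {"weights": weights, "distance": dist,
                        "dominant_pattern": dominant, "anomalous": dist > threshold}
    return report


# Constructed one-hour feature vectors for three hosts.
ENTITIES = {
    "10.0.0.5":  [1.25, 450.0, 200.0, 0.0],    # web server at half its reference load
    "10.0.0.9":  [400.0, 0.0, 0.5, 75.0],      # scanning mixed with failed logins
    "10.0.0.12": [0.0, 5000.0, 2000.0, 0.0],   # volume far beyond any known pattern
}

if __name__ == "__main__":
    for host, info in analyze(ENTITIES).items():
        print(host, info["dominant_pattern"], round(info["distance"], 3), info["anomalous"])
```

The threshold is deliberately applied to the residual, not to the weights: a host that is half scanner and half login source sits inside the hull and reconstructs almost exactly, while a host whose traffic volume exceeds every vertex cannot be reconstructed and is the one flagged. In practice the per-feature scale would come from the observed population rather than from the vertices, and the vertex count would be chosen by the variance criterion of claim 5.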
CPC classification titles:

- Traffic logging, e.g. anomaly detection
- Matrix or vector computation, e.g. matrix-matrix or matrix-vector multiplication, matrix factorization (matrix transposition G06F7/78)
- Machine learning
- Using flow identification
- Processing captured monitoring data, e.g. for logfile generation