Systems and methods for cyber-physical threat modeling
US-11444974-B1 · Sep 13, 2022 · US
US12244640B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-12244640-B2 |
| Application number | US-202318535021-A |
| Country | US |
| Kind code | B2 |
| Filing date | Dec 11, 2023 |
| Priority date | Jun 29, 2016 |
| Publication date | Mar 4, 2025 |
| Grant date | Mar 4, 2025 |
Official abstract text for this publication.
In one embodiment, a device in a network receives an attack mitigation request regarding traffic in the network. The device causes an assessment of the traffic, in response to the attack mitigation request. The device determines that an attack detector associated with the attack mitigation request incorrectly assessed the traffic, based on the assessment of the traffic. The device causes an update to an attack detection model of the attack detector, in response to determining that the attack detector incorrectly assessed the traffic.
What is claimed is:
1. A method comprising: monitoring, at an attack detector in a network, network traffic to detect a Distributed Denial of Service (DDoS) attack by applying one or more first-level attack detection models against one or more attributes of the network traffic; in response to detection of a DDoS attack, causing network traffic associated with the DDoS attack to be diverted to an attack mitigation device, wherein the attack mitigation device is configured to perform a mitigation action on attack traffic in the network; assessing, by the attack mitigation device, the network traffic associated with the DDoS attack using deep packet inspection and a second attack detection model; providing, by the attack mitigation device, feedback to the attack detector regarding the detected DDoS attack, wherein the feedback indicates a false positive; and refining at least one of the one or more first-level attack detection models applied by the attack detector based on the feedback.
2. The method of claim 1 wherein the feedback indicates a false negative or a false positive.
3. The method of claim 1 wherein the feedback indicates whether the attack detector incorrectly assesses the network traffic.
4. The method of claim 1 wherein refining at least one of the one or more first-level attack detection models applied by the attack detector comprises: associating one or more labels with the traffic, based on the assessment of the traffic by the attack mitigation device; and updating the at least one of the one or more first-level attack detection models using the one or more labels.
5. The method of claim 1 wherein refining at least one of the one or more first-level attack detection models applied by the attack detector comprises: determining updated parameters for at least one of the one or more first-level attack detection models, based on the assessment of the traffic; and updating the at least one of the one or more first-level attack detection models using the updated parameters.
6. The method of claim 1, wherein the attack detector comprises a Distributed Denial of Service (DDoS) Open Threat Signaling (DOTS) client.
7. The method of claim 1, wherein the attack mitigation device is a Distributed Denial of Service (DDoS) Open Threat Signaling (DOTS) attack mitigator.
8. The method of claim 1 wherein the attack detector comprises an attack detection device in communication with a router.
9. An apparatus, comprising: one or more network interfaces to communicate with a network; a processor coupled to the one or more network interfaces and configured to execute one or more processes; and a memory configured to store a process that is executable by the processor, the process when executed operable to perform a processing comprising: monitoring, using an attack detector, network traffic to detect a Distributed Denial of Service (DDoS) attack by applying one or more first-level attack detection models against one or more attributes of the network traffic; in response to detection of a DDoS attack, causing network traffic associated with the DDoS attack to be diverted to an attack mitigation device, wherein the attack mitigation device is configured to perform a mitigation action on attack traffic in the network, the mitigation action comprising: assessing the network traffic associated with the DDoS attack using deep packet inspection and a second attack detection model; receiving feedback from an attack mitigation device regarding the detected DDoS attack, wherein the feedback indicates a false positive; and refining at least one of the one or more first-level attack detection models applied by the attack detector based on the feedback.
10. The apparatus of claim 9 wherein the feedback indicates a false negative or a false positive.
11. The apparatus of claim 9 wherein the feedback indicates whether the attack detector incorrectly assesses the network traffic.
12. The apparatus of claim 9 wherein refining at least one of the one or more first-level attack detection models applied by the attack detector comprises: associating one or more labels with the traffic, based on the assessment of the traffic by the attack mitigation device; and updating the at least one of the one or more first-level attack detection models using the one or more labels.
13. The apparatus of claim 9 wherein refining at least one of the one or more first-level attack detection models applied by the attack detector comprises: determining updated parameters for at least one of the one or more first-level attack detection models, based on the assessment of the traffic; and updating the at least one of the one or more first-level attack detection models using the updated parameters.
14. The apparatus of claim 9 wherein the attack detector comprises a Distributed Denial of Service (DDoS) Open Threat Signaling (DOTS) client.
15. The apparatus of claim 9 wherein the apparatus is a Distributed Denial of Service (DDoS) Open Threat Signaling (DOTS) attack mitigator.
16. The apparatus of claim 9 wherein the attack detector comprises an attack detection device in communication with a router.
17. A tangible, non-transitory computer-readable medium that stores program instructions configured to cause a device in a network to execute a process comprising: monitoring network traffic to detect a Distributed Denial of Service (DDoS) attack by applying one or more first-level attack detection models against one or more attributes of the network traffic; in response to detection of a DDoS attack, causing network traffic associated with the DDoS attack to be diverted to an attack mitigation device, wherein the attack mitigation device is configured to perform a mitigation action on attack traffic in the network; assessing the network traffic associated with the DDoS attack using deep packet inspection and a second attack detection model; providing feedback regarding the detected DDoS attack, wherein the feedback indicates a false positive; and refining at least one of the one or more first-level attack detection models based on the feedback.
18. The tangible, non-transitory computer-readable medium of claim 17 wherein the feedback indicates a false negative or a false positive.
19. The tangible, non-transitory computer-readable medium of claim 17 wherein the feedback indicates an incorrect assessment of the network traffic.
20. The tangible, non-transitory computer-readable medium of claim 17 wherein refining at least one of the one or more first-level attack detection models comprises: associating one or more labels with the traffic, based on the assessment of the traffic by the attack mitigation device; and updating the at least one of the one or more first-level attack detection models using the one or more labels.
21. The tangible, non-transitory computer-readable medium of claim 17 wherein refining at least one of the one or more first-level attack detection models comprises: determining updated parameters for at least one of the one or more first-level attack detection models, based on the assessment of the traffic; and updating the at least one of the one or more first-level attack detection models using the updated parameters.
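The detect, divert, assess, feed back and refine loop of claims 1 to 5 as an added worked example; this is illustrative code, not the patent's or any vendor's implementation. The first-level model (a per-source packet-rate threshold), the stand-in for deep packet inspection (identical-payload flood check), the feedback labels and the threshold update rule are all constructed assumptions, as is the sample traffic.

```python
# Added example (not from the patent): two-tier DDoS detection with mitigator feedback.
from collections import Counter, defaultdict, namedtuple

Packet = namedtuple("Packet", "src payload")

class FirstLevelDetector:
    # Cheap first-level model: flag a source once its packet count in the window
    # reaches rate_threshold; the threshold is the parameter refined by feedback.
    def __init__(self, rate_threshold=20):
        self.rate_threshold = rate_threshold
    def detect(self, window):
        counts = Counter(p.src for p in window)
        return {src for src, n in counts.items() if n >= self.rate_threshold}
    def refine(self, feedback):
        # Constructed update rule (the claims only say "updated parameters"):
        # a false positive raises the threshold, a false negative lowers it.
        if "false_positive" in feedback.values():
            self.rate_threshold = self.rate_threshold * 3 // 2
        if "false_negative" in feedback.values():
            self.rate_threshold = max(1, self.rate_threshold // 2)
        return self.rate_threshold

class Mitigator:
    # Second-level model standing in for deep packet inspection: a source whose
    # diverted packets all carry one identical payload is treated as flood traffic.
    def assess(self, diverted, flagged):
        by_src = defaultdict(list)
        for p in diverted:
            by_src[p.src].append(p.payload)
        feedback = {}
        for src, payloads in by_src.items():
            is_attack = len(payloads) > 1 and len(set(payloads)) == 1
            if src in flagged:
                feedback[src] = "confirmed" if is_attack else "false_positive"
            elif is_attack:
                feedback[src] = "false_negative"
        return feedback

def run_cycle(detector, mitigator, window):
    # One detect -> divert -> assess -> feedback -> refine round, as in claim 1.
    flagged = detector.detect(window)
    if not flagged:
        return flagged, {}, detector.rate_threshold
    feedback = mitigator.assess(window, flagged)  # the whole window is diverted
    return flagged, feedback, detector.refine(feedback)

# Constructed traffic: a chatty legitimate client (25 distinct requests) and a
# low-rate flood source (15 identical packets) that sits below the threshold.
WINDOW = ([Packet("10.0.0.5", b"GET /item/%d" % i) for i in range(25)]
          + [Packet("10.0.0.9", b"\x00" * 64) for _ in range(15)])
```

On the first round the rate model flags only the legitimate client, the mitigator reports it as a false positive and the missed flood as a false negative, and the refined threshold then catches the flood on the next round.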
Machine learning · CPC title
Detection or countermeasures against botnets · CPC title
Traffic logging, e.g. anomaly detection · CPC title
Denial of Service · CPC title