Cold start mechanism to prevent compromise of automatic anomaly detection systems

What is claimed is: 1 . A method, comprising: analyzing, by a device in a network, data indicative of a behavior of the network using a supervised anomaly detection model; determining, by the device, whether the supervised anomaly detection model detected an anomaly in the network from the analyzed data; suspending, by the device, training of the unsupervised anomaly detection model, in response to determining that the supervised anomaly detection model has detected an anomaly in the network; and training, by the device, an unsupervised anomaly detection model, based on a determination that no anomalies were detected by the supervised anomaly detection model. 2 . The method as in claim 1 , wherein the supervised anomaly detection model was trained using a set of labels applied to a set of input network metrics from a second network, and wherein training the unsupervised anomaly detection model comprises: observing, by the device, network behavior, in response to the determination that no anomalies were detected by the supervised anomaly detection model; and using the observed network behavior of the network as a non-anomalous baseline for the unsupervised anomaly detection model. 3 . The method as in claim 1 , further comprising: providing, by the device, an indication of the detected anomaly to a supervisory system in the network, wherein the supervisory system is configured to verify the detected anomaly. 4 . The method as in claim 3 , wherein the supervisory system verifies the detected anomaly based on input data received from a user interface. 5 . The method as in claim 3 , further comprising: receiving, at the device, an update to the supervised anomaly detection model, wherein the update is based on a retraining of the supervised anomaly detection model to account for the detected anomaly. 6 . The method as in claim 1 , further comprising: comparing, by the device, the detected anomaly to a library of allowed anomalies. 7 . The method as in claim 6 , further comprising: suppressing, by the device, generation of an alert, based on a determination that the detected anomaly is in the library of allowed anomalies. 8 . The method as in claim 6 , further comprising: providing, by the device, an indication of the detected anomaly with contextual information to a supervisory system in the network, based on a determination that the detected anomaly is in the library of allowed anomalies. 9 . An apparatus, comprising: one or more network interfaces to communicate with a network; a processor coupled to the network interfaces and adapted to execute one or more processes; and a memory configured to store a process executable by the processor, the process when executed configured to: analyze data indicative of a behavior of the network using a supervised anomaly detection model; determine whether the supervised anomaly detection model detected an anomaly in the network from the analyzed data; suspend training of the unsupervised anomaly detection model, in response to determining that the supervised anomaly detection model has detected an anomaly in the network; and train an unsupervised anomaly detection model, based on a determination that no anomalies were detected by the supervised anomaly detection model. 10 . The apparatus as in claim 9 , wherein the supervised anomaly detection model was trained using a set of labels applied to a set of input network metrics from a second network, and wherein the apparatus trains the unsupervised anomaly detection model by: observing network behavior, in response to the determination that no anomalies were detected by the supervised anomaly detection model; and using the observed network behavior of the network as a non-anomalous baseline for the unsupervised anomaly detection model. 11 . The apparatus as in claim 9 , wherein the process when executed is further configured to provide an indication of the detected anomaly to a supervisory system in the network, wherein the supervisory system is configured to verify the detected anomaly. 12 . The apparatus as in claim 11 , wherein the process when executed is further configured to receive an update to the supervised anomaly detection model, wherein the update is based on a retraining of the supervised anomaly detection model to account for the detected anomaly. 13 . The apparatus as in claim 11 , wherein the process when executed is further configured to compare the detected anomaly to a library of allowed anomalies. 14 . The apparatus as in claim 13 , wherein the process when executed is further configured to suppress generation of an alert, based on a determination that the detected anomaly is in the library of allowed anomalies. 15 . The apparatus as in claim 13 , wherein the process when executed is further configured to provide an indication of the detected anomaly with contextual information to a supervisory system in the network, based on a determination that the detected anomaly is in the library of allowed anomalies. 16 . A tangible, non-transitory, computer-readable media having software encoded thereon, the software when executed by a processor configured to: analyze data indicative of a behavior of a network using a supervised anomaly detection model; determine whether the supervised anomaly detection model detected an anomaly in the network from the analyzed data; suspend training of the unsupervised anomaly detection model, in response to determining that the supervised anomaly detection model has detected an anomaly in the network; and train an unsupervised anomaly detection model, based on a determination that no anomalies were detected by the supervised anomaly detection model. 17 . The tangible, non-transitory, computer-readable media as in claim 16 , wherein the process when executed is further configured to provide an indication of the detected anomaly to a supervisory system in the network, wherein the supervisory system is configured to verify the detected anomaly. 18 . The tangible, non-transitory, computer-readable media as in claim 11 , wherein the process when executed is further configured to receive an update to the supervised anomaly detection model, wherein the update is based on a retraining of the supervised anomaly detection model to account for the detected anomaly. 19 . The tangible, non-transitory, computer-readable media as in claim 11 , wherein the process when executed is further configured to compare the detected anomaly to a library of allowed anomalies. 20 . The tangible, non-transitory, computer-readable media as in claim 13 , wherein the process when executed is further configured to suppress generation of an alert, based on a determination that the detected anomaly is in the library of allowed anomalies.