US9559918B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-9559918-B2 |
| Application number | US-201414278532-A |
| Country | US |
| Kind code | B2 |
| Filing date | May 15, 2014 |
| Priority date | May 15, 2014 |
| Publication date | Jan 31, 2017 |
| Grant date | Jan 31, 2017 |
Official abstract text for this publication.
In one embodiment, attack observations by a first node are provided to a user interface device regarding an attack detected by the node. Input from the user interface device is received that confirms that a particular attack observation by the first node indicates that the attack was detected correctly by the first node. Attack observations by one or more other nodes are provided to the user interface device. Input is received from the user interface device that confirms whether the attack observations by the first node and the attack observations by the one or more other nodes are both related to the attack. The one or more other nodes are identified as potential voters for the first node in a voting-based attack detection mechanism based on the attack observations from the first node and the one or more other nodes being related.
Opening claim text (preview).
What is claimed is:
1. A method, comprising: providing, by a supervisory computer network device, computer network attack observations from a first computer network device in a computer network to a user interface device regarding a potential computer network attack detected by the first computer network device; receiving, at the supervisory computer network device, a confirmation from the user interface device that confirms that a particular computer network attack observation from the first computer network device indicates that the potential computer network attack was detected correctly by the first computer network device; in response to receiving the confirmation that a potential computer network attack was detected correctly, providing, by the supervisory computer network device, computer network attack observations from one or more other computer network devices in the computer network to the user interface device; receiving, at the supervisory computer network device, one or more confirmations from the user interface device that confirms that the computer network attack observations from the one or more other computer network devices are related to the computer network attack observations from the first computer network device; and identifying, by the supervisory computer network device, the one or more other computer network devices to act as potential voters for the first computer network device in a voting-based network attack detection mechanism based on the computer network attack observations from the first computer network device and the one or more other computer network devices being related to each other.
2. The method as in claim 1, wherein the computer network attack observations from the first computer network device are provided to the user interface device in response to the first computer network device detecting the potential computer network attack using a machine learning classifier.
3. The method as in claim 2, wherein the computer network attack observations by the first computer network device are provided to the user interface device based in part on a determination that the first computer network device did not use a vote to detect the potential computer network attack.
4. The method as in claim 1, further comprising: providing a request to the one or more other computer network devices for the computer network attack observations by the one or more other computer network devices.
5. The method as in claim 1, wherein the first computer network device determines an optimized voting strategy based on the identified one or more potential voters.
6. A method comprising: detecting, at a computer network device, a potential computer network attack based on observations by the computer network device regarding the computer network; providing, by the computer network device, the observations to a user interface device; receiving, at the computer network device, a confirmation via the user interface device that the computer network attack was detected correctly; and receiving, at the computer network device, data indicative of a set of one or more other computer network devices to act as eligible voters for the computer network device, wherein the eligible voters are identified by a supervisory computer network device when computer network attack observations from the one or more other computer network devices are related to the computer network attack observations of the computer network device; and optimizing, by the computer network device, a voting-based attack detection mechanism using the set of one or more eligible voters.
7. The method as in claim 6, wherein optimizing the voting-based attack detection mechanism comprises: selecting an optimal set of voters from among the set of one or more eligible voters; and determining an optimal voting threshold for the set of voters to confirm a computer network attack detected by the computer network device.
8. The method as in claim 6, wherein the set of one or more other computer network devices is selected based on a determination that the one or more computer network devices were able to observe the computer network attack.
9. The method as in claim 8, wherein the one or more other computer network devices were determined to be able to observe the computer network attack by providing observations from the one or more computer network devices to the user interface device.
10. The method as in claim 6, further comprising: receiving a request from the user interface device for observations regarding a computer network attack detected by a second computer network device; and providing the requested observations to the user interface device.
11. The method as in claim 6, wherein the set of one or more other computer network devices is selected based on a determination that the eligible voters are able to detect the computer network attack using the observations from the computer network device.
12. An apparatus, comprising: one or more network interfaces to communicate with a computer network; a processor coupled to the network interfaces and adapted to execute one or more processes; and a memory configured to store a process executable by the processor, the process when executed operable to: provide computer network attack observations from a first computer network device in the computer network to a user interface device regarding a potential computer network attack detected by the first computer network device; receive a confirmation from the user interface device that confirms that a particular computer attack observation from the first computer network device indicates that the potential computer network attack was detected correctly by the first computer network device; in response to receiving the confirmation that a potential computer network attack was detected correctly, provide computer network attack observations from one or more other computer network devices in the computer network to the user interface device; receive one or more confirmations from the user interface device that confirms that the computer network attack observations from the one or more other computer network devices are related to the computer network attack observations from the first computer network device; and identify the one or more other computer network devices as potential voters for the first computer network device in a voting-based network attack detection mechanism based on the computer network attack observations from the first computer network device and the one or more other computer network devices being related to each other, wherein the apparatus is a supervisory computer network device.
13. The apparatus as in claim 12, wherein the computer network attack observations from the first computer network device are provided to the user interface device in response to the first computer network device detecting the potential computer network attack using a machine learning classifier.
14. The apparatus as in claim 13, wherein the computer network attack observations by the first computer network device are provided to the user interface device based in part on a determination that the first computer network device did not use a vote to detect the potential computer network attack.
15. The apparatus as in claim 12, wherein the process when executed is further operable to: provide a request to the one or more other computer network devices for the computer network attack observations by the one or more other computer network devices.
16. The apparatus as in claim 12, wherein the first computer
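The workflow in the abstract and the optimization step of claim 7, sketched as an added example that is not taken from the patent or its assignee. The class and function names, the node labels A to E, the incident history and the selection criterion (fewest misclassifications, then fewest voters, then lowest threshold) are all assumptions made for illustration; the page does not state how the optimum is defined.

```python
from itertools import combinations

class Supervisor:
    """Records operator confirmations and derives potential voters per node."""
    def __init__(self):
        self.confirmed = set()       # (node, attack_id) pairs confirmed as correct
        self.potential_voters = {}   # detecting node -> set of related nodes

    def confirm_detection(self, node, attack_id):
        self.confirmed.add((node, attack_id))

    def confirm_related(self, node, attack_id, other):
        # Other nodes' observations are reviewed only after the first node's
        # detection has been confirmed as correct.
        if (node, attack_id) not in self.confirmed:
            raise ValueError(f"detection by {node} is not confirmed")
        self.potential_voters.setdefault(node, set()).add(other)

def errors(history, voters, k):
    """Count incidents where 'at least k voters agree' contradicts the label."""
    return sum((sum(votes[v] for v in voters) >= k) != was_attack
               for votes, was_attack in history)

def optimize(history, eligible):
    """Assumed criterion: fewest errors, then fewest voters, then lowest k."""
    candidates = [(errors(history, s, k), n, k, s)
                  for n in range(1, len(eligible) + 1)
                  for s in combinations(sorted(eligible), n)
                  for k in range(1, n + 1)]
    err, _, k, voters = min(candidates)
    return voters, k, err

# Constructed history for node A: each voter's verdict and the operator's label.
HISTORY = [
    ({"B": True,  "C": True,  "D": False}, True),
    ({"B": True,  "C": False, "D": False}, False),
    ({"B": True,  "C": True,  "D": True},  True),
    ({"B": False, "C": False, "D": False}, False),
    ({"B": False, "C": True,  "D": False}, False),
    ({"B": True,  "C": True,  "D": False}, True),
]

def demo():
    sup = Supervisor()
    sup.confirm_detection("A", "atk-1")
    for other in ("B", "C", "D"):   # node E was judged unrelated, so never added
        sup.confirm_related("A", "atk-1", other)
    return optimize(HISTORY, sup.potential_voters["A"])

if __name__ == "__main__":
    print(demo())
```

On this constructed history, node D is eligible but adds nothing: voters B and C with a threshold of two already separate every confirmed attack from every false alarm.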
specially adapted for terminals or networks with limited capabilities; specially adapted for terminal portability · CPC title
Denial of service attacks against endpoints in a network · CPC title
Decision processes by autonomous network management units using voting and bidding · CPC title
Denial of Service · CPC title
Processing captured monitoring data, e.g. for logfile generation · CPC title