Method and system to dynamically detect traffic anomalies in a network

US9692775B2 · US · B2

Patent metadata

Publication number: US-9692775-B2
Application number: US-201313872855-A
Country: US
Kind code: B2
Filing date: Apr 29, 2013
Priority date: Apr 29, 2013
Publication date: Jun 27, 2017
Grant date: Jun 27, 2017

Abstract

Official abstract text for this publication.

Methods implemented in a network are disclosed for dynamically distributing tasks of traffic anomaly monitoring and detecting traffic anomalies. The method starts by collecting traffic statistics of large blocks of traffic flows as traffic aggregates. Based on the traffic statistics of traffic aggregates, a traffic anomaly is detected. Then, for a traffic aggregate with a traffic anomaly, an increased traffic sampling rate is applied to a smaller set of traffic flows within the traffic aggregate. If the smaller set of traffic flows does not contain a percentage of the traffic within the traffic aggregate, the sampling rate is further increased on an even smaller set of traffic flows, until a small set of traffic flows is identified as the ones causing the traffic anomaly.

First claim

Opening claim text (preview).

What is claimed is:

1. A method implemented in a network, wherein the network contains network devices, wherein traffic flows transmit through a number of network devices of the network, the method comprising: dividing traffic flows of the network into a plurality of traffic aggregates, wherein each traffic aggregate contains one or more traffic flows, and wherein each traffic aggregate is an entry of a first set for monitoring; selecting one or more traffic flows within a traffic aggregate to be one entry of the first set for monitoring, wherein the one or more traffic flows are randomly selected from the traffic aggregate; and for each entry of the first set for monitoring, collecting a second set of one or more network devices from the network devices of the network to monitor the entry, wherein the network devices of the network serve as software-defined networking (SDN) switches, wherein the second set of one or more network devices processes traffic flows contained within the entry, and wherein the processing includes forwarding packets in the traffic flows according to rules in flow tables programmed by a SDN controller of the network; and selecting one network device from the second set of one or more network devices to monitor the entry for a traffic anomaly, wherein the selecting one network device from the second set of one or more network devices is at least partially based on a monitor count of the network device, and wherein the monitor count of the network device is a count of a number of entries of the first set for monitoring that the network device is assigned to monitor.

2. The method of claim 1, wherein the selecting one network device from the second set of one or more network devices is further based on a monitor limitation of the network device.

3. The method of claim 1, wherein the operations within are performed when there is an update of traffic flows within the network.

4. The method of claim 1, wherein the operations within are performed upon a request, wherein the request includes at least one of: a granularity parameter for the dividing the traffic flows; and a selected traffic flows to be divided.

5. The method of claim 1, wherein the selected network device to monitor an entry of the first set for monitoring performs anomaly detection, and wherein a traffic anomaly is detected by: sampling traffic flows within the entry of the first set for monitoring at a first sampling rate; determining that a traffic anomaly exists in the selected network device; in response to the determination that a traffic anomaly exists, increasing the first sampling rate to a second sampling rate; dividing the entry of the first set for monitoring into a first number of smaller groups; selecting a first subset of the first number of smaller groups for monitoring while assigning one or more other subsets in the first number of smaller groups to one or more other network devices; sampling the first subset of the first number of smaller group at the second sampling rate; and determining that a percentage of traffic within the first subset of the first number of smaller groups is not over a traffic percentage threshold; in response to the determination, increasing the second sampling rate to a third sampling rate; dividing the first subset of the first number of smaller group into a second number of smaller groups, and selecting a second subset of the second number of smaller groups for monitoring while assigning one or more other subsets in the second number of smaller groups to one or more other network devices; sampling the second subset of the second number of smaller group at the third sampling rate; determining that a percentage of traffic within the second subset of the second number of smaller groups is over the traffic percentage threshold; and reporting that the second subset of the second number of smaller groups for monitoring being abnormal traffic flows in response to the determination that the percentage of traffic within the second subset of the second number of smaller groups is over the traffic percentage threshold.

6. The method of claim 1, wherein the network complies with a standard for software-defined networking (SDN).

7. The method of claim 6, wherein the operations within are performed by the SDN controller of the network.

8. A method implemented in a software-defined networking (SDN) controller to detect traffic anomalies in a SDN network, wherein the SDN network contains network devices, wherein traffic flows transmit through the network devices, the method comprising: sampling traffic flows within an entry of a first set for monitoring at a first sampling rate, wherein the entry of the first set is monitored by a network device serving as a SDN switch that forwards packets in the traffic flows according to rules in flow tables programmed by the SDN controller; determining, by the SDN controller, that a traffic anomaly exists in the network device based on the sampling; in response to the determination that a traffic anomaly exists, increasing the first sampling rate to a second sampling rate; dividing the entry of the first set for monitoring into a first number of smaller groups; selecting a first subset of the first number of smaller groups for monitoring while assigning one or more other subsets in the first number of smaller groups to one or more other network devices; sampling the first subset of the first number of smaller groups at the second sampling rate; and determining that a percentage of traffic within the first subset of the first number of smaller groups is not over a traffic percentage threshold; in response to the determination, increasing the second sampling rate to a third sampling rate; dividing the first subset of the first number of smaller group into a second number of smaller groups, and selecting a second subset of the second number of smaller groups for monitoring while assigning one or more other subsets in the second number of smaller groups to one or more other network devices; sampling the second subset of the second number of smaller group at the third sampling rate; determining that a percentage of traffic within the second subset of the second number of smaller groups is over the traffic percentage threshold; and reporting that the second subset of the second number of smaller groups for monitoring being abnormal traffic flows in response to the determination that the percentage of traffic within the second subset of the second number of smaller groups is over the traffic percentage threshold, wherein the percentage of traffic and the traffic percentage threshold are based on an average and a deviation of traffic within the traffic flows.

9. The method of claim 8, further comprising: sampling traffic flows at the first sampling rate within the entry of a first set for monitoring in response to the determination that a traffic anomaly does not exist.

10. The method of claim 8, wherein the determination of the traffic anomaly is based on determining that a first deviation of traffic amount within the sampled traffic flows is over a first deviation threshold, wherein the first deviation deviates from a mean of the sampled traffic flows over a period of time.

11. The method of claim 8, in response to the determination that the traffic anomaly exists, prior to performing increasing the sampling rate, further performing: determining that the entry of the first set for monitoring is a subset of a second entry of the first set for monitoring; and removing the entry of the first set for monitoring from the first set for monitoring in response to a determination that a second devia
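The drill-down recited in claims 5 and 8 (aggregate check, finer sampling on a smaller subset, hand-off of the sibling subsets, report once the subset's share is over the threshold), as an added illustration that is not the patent's own code. It assumes, beyond what the page states, that a flow is a list of packet sizes, that 1-in-n sampling takes every n-th packet, that the aggregate total comes from exact flow-table counters, that "increasing the sampling rate" halves n, and that the percentage threshold is the per-flow baseline expectation plus k deviations (an interpretation of the "average and deviation" clause of claim 8); the flows, baseline and history are constructed.

```python
# Added illustration of the drill-down recited in claims 5 and 8, not the patent's
# own code. Assumed, not from the page: a flow is a list of packet sizes; 1-in-n
# sampling is modelled as taking every n-th packet; the aggregate total comes from
# exact flow-table counters; "increasing the sampling rate" halves n; the percentage
# threshold is the baseline expectation (len*mu) plus k deviations (sqrt(len)*sigma).
from statistics import mean, pstdev

def sample_volume(packets, n):
    """Estimate a flow's bytes from 1-in-n systematic packet sampling."""
    return sum(packets[::n]) * n

def aggregate_anomalous(total, history, k=3.0):
    """Claim-10 style check: total exceeds the historical mean by over k deviations."""
    return total > mean(history) + k * pstdev(history)

def drill_down(flows, total, n, mu, sigma, k=3.0, split=2):
    """Narrow an anomalous aggregate to the subset carrying the excess.

    Each level samples finer (n halves), splits the current set, keeps the
    subset that looks heaviest and hands the rest to other switches; it
    reports when that subset's share of the aggregate is over its threshold.
    Returns (culprit_ids, final_n, handed_off).
    """
    current, handed_off = list(flows), []
    while len(current) > 1:
        n = max(1, n // 2)
        size = -(-len(current) // split)
        groups = [current[i:i + size] for i in range(0, len(current), size)]
        groups.sort(key=lambda g: -sum(sample_volume(flows[f], n) for f in g))
        current, others = groups[0], groups[1:]
        handed_off.append(others)
        share = sum(sample_volume(flows[f], n) for f in current) / total
        threshold = (len(current) * mu + k * len(current) ** 0.5 * sigma) / total
        if share > threshold:
            return current, n, handed_off
    return None, n, handed_off

# Constructed sample: 16 flows; flow5 carries two short bursts of 1500-byte
# packets that 1-in-4 sampling misses entirely but 1-in-2 sampling catches.
NORMAL = [64] * 16                                           # 1024 bytes
BURSTY = [64] + [1500] * 3 + [64] + [1500] * 3 + [64] * 32  # 11176 bytes
FLOWS = {f"flow{i}": list(NORMAL) for i in range(16)}
FLOWS["flow5"] = list(BURSTY)
HISTORY = [15300, 15400, 15360, 15450, 15290]               # past totals

def locate():
    total = sum(map(sum, FLOWS.values()))                    # exact counter value
    if not aggregate_anomalous(total, HISTORY):
        return None
    return drill_down(FLOWS, total, n=8, mu=1024, sigma=200)
```

On this sample the first level (1-in-4 sampling, eight flows) is not over its threshold because the bursts fall between sampled packets, and the second level (1-in-2 sampling, four flows) is, reproducing the two-step trace the claims recite.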

Assignees

Ericsson Telefon Ab L M (publ)

Classifications

  • Traffic logging, e.g. anomaly detection · CPC title

  • using flow identification · CPC title

  • Network monitoring probes · CPC title

  • by adaptive sampling · CPC title

  • Cross-Sectional Technologies · mapped topic

Frequently asked questions

Answers are generated from the same data shown on this page.

Who is the assignee on this patent?
Ericsson Telefon Ab L M, ERICSSON TELEFON AB L M (publ)
What technology area does this patent fall under?
Primary CPC classification H04L63/1425. Mapped technology areas include Electricity.
When was this patent published?
Publication date Jun 27, 2017 (B2). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 8 related publications on this page (citations in our corpus or others sharing the same primary CPC).