SYSTEM AND METHOD TO MITIGATE DISTRIBUTED DENIAL OF SERVICE (DDoS) ATTACKS
US-2024259421-A1 · Aug 1, 2024 · US
US9705914B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-9705914-B2 |
| Application number | US-201414338719-A |
| Country | US |
| Kind code | B2 |
| Filing date | Jul 23, 2014 |
| Priority date | Jul 23, 2014 |
| Publication date | Jul 11, 2017 |
| Grant date | Jul 11, 2017 |
Abstract
In one embodiment, a device in a network generates an expected traffic model based on a training set of data used to train a machine learning attack detector. The device provides the expected traffic model to one or more nodes in the network. The device receives an unexpected behavior notification from a particular node of the one or more nodes. The particular node generates the unexpected behavior notification based on a comparison between the expected traffic model and an observed traffic behavior by the node. The particular node also prevents the machine learning attack detector from analyzing the observed traffic behavior. The device updates the machine learning attack detector to account for the observed traffic behavior.
Claims
What is claimed is:

1. A method, comprising: generating, by a device in a network, an expected traffic model, wherein a training set of data used to train a machine learning attack detector is also used to generate the expected traffic model, and the expected traffic model represents an overall set of behaviors for which the machine learning attack detector has already been trained; transmitting, by the device, the expected traffic model to one or more nodes in the network, the expected traffic model used by the one or more nodes to identify an observed traffic behavior that was not present in the training set of data used to train the machine learning attack detector, wherein the expected traffic model triggers the machine learning attack detector to analyze the observed traffic behavior when the observed traffic behavior is expected, and wherein the expected traffic model triggers the one or more nodes to prevent the machine learning attack detector from analyzing the observed traffic behavior when the observed traffic behavior is unexpected; receiving, at the device, an unexpected behavior notification from a particular node of the one or more nodes, wherein the particular node generates the unexpected behavior notification based on a comparison between the expected traffic model and an observed traffic behavior at the particular node that results in the observed traffic behavior being unexpected by the expected traffic model; and updating, by the device, the machine learning attack detector to account for the observed traffic behavior.

2. The method as in claim 1, further comprising: training, by the device, the machine learning attack detector using the training set of data; and deploying, by the device, the machine learning attack detector to the one or more nodes.

3. The method as in claim 1, further comprising: providing, by the device, the observed traffic behavior to a user interface device; and receiving, at the device, a label for the observed traffic behavior from the user interface device, wherein the machine learning attack detector is updated using the received label.

4. The method as in claim 3, wherein the label indicates that the observed traffic behavior corresponds to a new attack type or corresponds to a new form of a known attack type.

5. The method as in claim 1, further comprising: updating, by the device, the expected traffic model using the observed traffic behavior.

6. The method as in claim 1, further comprising: providing, by the device, the observed traffic to a deep packet inspector; and receiving, at the device, a label for the observed traffic behavior from the deep packet inspector, wherein the machine learning attack detector is updated using the received label.

7. The method as in claim 1, further comprising: correlating, by the device, a decrease in network performance with the observed traffic behavior; generating, by the device, a new label for the observed traffic behavior; and updating, by the device, the machine learning attack detector using the new label.

8. The method as in claim 1, further comprising: deploying, by the device, the updated machine learning attack detector to the one or more nodes.

9. The method as in claim 1, further comprising: receiving, at the device and from a network node, a rejection notification for the expected traffic model, wherein the rejection notification is generated based on the expected traffic model being incompatible with an attack detector executed by the network node.

10. The method as in claim 1, wherein the expected traffic model comprises a statistical model of the training set of data.

11. A method, comprising: receiving, at a node in a network, an expected traffic model, wherein the expected traffic model represents an overall set of behaviors for which a machine learning attack detector has already been trained and a training set of data used to train the machine learning attack detector executed by the node is used to generate the expected traffic model, the expected traffic model used by the node to identify an observed traffic behavior that was not present in the training set of data used to train the machine learning attack detector, wherein the expected traffic model triggers the machine learning attack detector to analyze the observed traffic behavior when the observed traffic behavior is expected, and wherein the expected traffic model triggers the node to prevent the machine learning attack detector from analyzing the observed traffic behavior when the observed traffic behavior is unexpected; observing, by the node, a traffic behavior of traffic through the network; determining, by the node, that the observed traffic behavior is an unexpected traffic behavior by comparing the observed traffic behavior to the expected traffic model; upon determining that the observed traffic behavior is unexpected, preventing, by the node, the machine learning attack detector from analyzing the unexpected traffic behavior; and sending, by the node, an unexpected behavior notification that identifies the unexpected traffic behavior.

12. The method as in claim 11, wherein the expected traffic model is received via a message that identifies the machine learning attack detector, includes parameters of the expected traffic model, and includes an anomaly score threshold to be used by the apparatus when determining whether the observed traffic behavior is an unexpected traffic behavior.

13. The method as in claim 11, wherein the expected traffic model comprises a statistical model of the training set of data.

14. An apparatus, comprising: one or more network interfaces to communicate with a network; a processor coupled to the one or more network interfaces and configured to execute one or more processes; and a memory configured to store a process executable by the processor, the process when executed operable to: generate an expected traffic model, wherein a training set of data used to train a machine learning attack detector is also used to generate the expected traffic model, and the expected traffic model represents an overall set of behaviors for which the machine learning attack detector has already been trained, wherein the expected traffic model triggers the machine learning attack detector to analyze an observed traffic behavior when the observed traffic behavior is expected, and wherein the expected traffic model triggers the apparatus to prevent the machine learning attack detector from analyzing the observed traffic behavior when the observed traffic behavior is unexpected; transmit the expected traffic model to one or more nodes in the network, the expected traffic model used by the one or more nodes to identify the observed traffic behavior that was not present in the training set of data used to train the machine learning attack detector; receive an unexpected behavior notification from a particular node of the one or more nodes, wherein the particular node generates the unexpected behavior notification based on a comparison between the expected traffic model and an observed traffic behavior by the particular node that results in the observed traffic behavior being unexpected by the expected model; and update the machine learning attack detector to account for the observed traffic behavior.

15. The apparatus as in claim 14, wherein the process when executed is further operable to: train the machine learning attack detector using the training set of data; and deploy the machine learning attack detector to the one or more nodes, wherein the one or more nodes are configured to prevent the machine learning attack detector from analyzing a traffic behavior th
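The device/node loop that claims 1, 10, 11 and 12 describe, as an added simulation that is not the patent's or any vendor's code: the three traffic features, the per-feature z-score as the "statistical model of the training set", the threshold of 3.0 and the nearest-neighbour toy detector are all assumptions made for the example.

```python
import math

FEATURES = ("pps", "bytes_per_pkt", "syn_ratio")  # assumed feature set

# Constructed training set: benign flows plus one known SYN-flood pattern.
TRAINING = [
    {"pps": 100,  "bytes_per_pkt": 800, "syn_ratio": 0.05, "label": "benign"},
    {"pps": 120,  "bytes_per_pkt": 700, "syn_ratio": 0.06, "label": "benign"},
    {"pps": 90,   "bytes_per_pkt": 900, "syn_ratio": 0.04, "label": "benign"},
    {"pps": 5000, "bytes_per_pkt": 60,  "syn_ratio": 0.95, "label": "syn_flood"},
]

def train_detector(rows):
    """Toy stand-in for the machine learning attack detector: label of the
    nearest training row (assumed; the patent does not fix the algorithm)."""
    def detect(obs):
        best = min(rows, key=lambda r: sum((obs[f] - r[f]) ** 2 for f in FEATURES))
        return best["label"]
    return detect

def expected_traffic_model(rows, threshold, detector_id="det-1"):
    """Expected traffic model built from the SAME training set (claims 1, 10):
    per-feature mean/std plus the anomaly score threshold of claim 12."""
    n = len(rows)
    mean = {f: sum(r[f] for r in rows) / n for f in FEATURES}
    std = {f: math.sqrt(sum((r[f] - mean[f]) ** 2 for r in rows) / n) or 1.0
           for f in FEATURES}
    return {"detector": detector_id, "mean": mean, "std": std, "threshold": threshold}

def anomaly_score(model, obs):
    """Largest per-feature z-score: high when nothing in the training set
    resembles the observation, i.e. the detector was never trained on it."""
    return max(abs(obs[f] - model["mean"][f]) / model["std"][f] for f in FEATURES)

def node_handle(model, detect, obs):
    """Node side (claim 11): unexpected traffic is kept away from the detector
    and reported upstream; expected traffic is analyzed by the detector."""
    score = anomaly_score(model, obs)
    if score > model["threshold"]:
        return "unexpected", {"detector": model["detector"], "score": round(score, 2),
                              "features": {f: obs[f] for f in FEATURES}}
    return "expected", detect(obs)

def device_update(rows, notification, label, threshold=3.0):
    """Device side (claims 1, 3, 5, 8): fold the labelled behaviour into the
    training set, retrain the detector and regenerate the expected model."""
    rows = rows + [dict(notification["features"], label=label)]
    return rows, train_detector(rows), expected_traffic_model(rows, threshold)
```

A reflection-style flow with large packets and no SYNs scores far above the threshold against the initial model, so the node reports it instead of letting the detector guess; after the device relabels and retrains, the same flow is expected and classified.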
CPC classifications:
- Traffic logging, e.g. anomaly detection
- Countermeasures against malicious traffic (countermeasures against attacks on cryptographic mechanisms H04L9/002)
- Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
- Event detection, e.g. attack signature detection
- Detecting local intrusion or implementing counter-measures