In one embodiment, a device in a network analyzes local network data regarding a portion of the network that is local to the device using a first anomaly detection model. The device analyzes the local network data using a second anomaly detection model that was trained in part using remote network data regarding a portion of the network that is remote to the device. The device compares outputs of the first and second anomaly detection models. The device identifies the local network data as peculiar, in response to the first anomaly detection model determining the local network data to be normal and the second anomaly detection model determining the local network data to be anomalous.