An introduction to the process Sophos takes towards the development of a deep learning model.

When I explain to others that I am a data scientist and I build machine learning models, I tend to get blank stares. In the cybersecurity industry, the term “machine learning” is used so often, for many different reasons, that it can be hard to understand what it even means anymore. At Sophos we focus specifically on deep learning, which is an advanced form of machine learning.
The article covers a range of topics to serve as a primer on deep learning. We review the process we take towards the development of a deep learning model, including collecting large amounts of data, feature engineering of the domain, building the architecture, training the model, testing the model and evaluating the model.
Before you dig in, the first thing to understand is the concept of deep learning itself. This kind of machine learning is the most similar to the human brain because it involves many layers of neurons. This is exactly where the term ‘artificial neural network’ came from. Artificial, in this case, means that it is an imitation of a brain’s neural network.
Both a neural network in the brain and an artificial network take in an input, manipulate the input in some way and output information to other neurons. The major difference is that the human brain contains approximately 100 billion neurons, while an artificial neural network contains not even a fraction of that. Like other types of machine learning, deep learning uses mathematical models to learn without being explicitly programmed with the particularities of the specific problem. Using a large amount of data, we generate a general model that is able to accurately describe the data. In the case of Sophos, that data could be malware, malicious URLs or other security problems we’re trying to solve.
Since we are talking about general models that try to explain specific phenomena, we never know if our machine learning model has properly learned to predict. That is why any model that we develop is always coupled with a rigorous set of evaluations.