Detecting network activity from sampled network metadata

What is claimed is: 1. A device comprising: processing circuitry; a memory including instructions that when executed by the processing circuitry cause the processing circuitry to perform operations, the operations comprising: performing deep packet inspection on deep network information of network traffic, including a packet transmitted via a computer network, resulting in network metadata; sampling the network metadata to include data of a subset of the packets associated with the network metadata resulting in sampled network metadata; providing the sampled network metadata to a recurrent neural network (RNN) trained (i) on labeled sampled network metadata and the deep network information and (ii) to generate a classification based on only the sampled network metadata, the classification indicating whether the network traffic associated with the sampled network metadata is malicious; generating, by an analyzer and based on the classification for the sampled network metadata, an action, the action indicating an operation to mitigate malicious traffic associated with the sampled network metadata; and performing the action. 2. The device of claim 1 , wherein the RNN is trained further based on contents of the packet and the label is an actual classification associated with the contents of the packet and associated sampled network metadata. 3. The device of claim 2 , wherein the actual classification is determined using the deep packet inspection. 4. The device of claim 2 , wherein the actual classification includes one of a user authentication, a device authentication, a database query, file transfer, data streaming, or a malicious action. 5. The device of claim 1 , wherein the RNN includes a bi-directional long short term memory (LSTM) NN. 6. The device of claim 1 , wherein the sampled network metadata is of network traffic provided over layer three of the computer network. 7. The device of claim 1 , wherein the device is a router, switch, firewall, or client device. 8. A method comprising performing, by processing circuitry, deep packet inspection on deep network information of network traffic, including a packet transmitted via a computer network, resulting in network metadata; sampling the network metadata to include data of a subset of the packets associated with the network metadata resulting in the sampled network metadata; providing, by the processing circuitry, the sampled network metadata to a recurrent neural network (RNN) trained (i) on labeled sampled network metadata and the deep network information and the deep network information and (ii) to generate a classification based on only the sampled network metadata, the classification indicating whether the network traffic associated with the sampled network metadata is malicious; generating, by an analyzer and based on the classification for the sampled network metadata, an action, the action indicating an operation to mitigate malicious traffic associated with the sampled network metadata; and performing the action. 9. The method of claim 8 , wherein the RNN is trained further based on contents of the packet and the label is an actual classification associated with the contents of the packet and associated sampled network metadata. 10. The method of claim 9 , wherein the actual classification is determined using the deep packet inspection. 11. The method of claim 9 , wherein the actual classification includes one of a user authentication, a device authentication, a database query, file transfer, data streaming, or a malicious action. 12. The method of claim 8 , wherein the RNN includes a bi-directional long short term memory (LSTM) NN. 13. The method of claim 8 , wherein the sampled network metadata is of network traffic provided over layer three of the computer network. 14. A non-transitory machine-readable medium including instructions that, when executed by a machine, cause the machine to perform operations comprising: performing deep packet inspection on deep network information of network traffic, including a packet transmitted via a computer network, resulting in network metadata; sampling the network metadata to include data of a subset of the packets associated with the network metadata resulting in the sampled network metadata; providing the sampled network metadata to a recurrent neural network (RNN) trained (i) on labeled sampled network metadata and (ii) to generate a classification based on only the sampled network metadata, the classification indicating whether the network traffic associated with the sampled network metadata is malicious; generating, by an analyzer and based on the classification for the sampled network metadata, an action, the action indicating an operation to mitigate malicious traffic associated with the sampled network metadata; and performing the action. 15. The non-transitory machine-readable medium of claim 14 , wherein the RNN is trained further based on contents of the packet and the label is an actual classification associated with the contents of the packet and associated sampled network metadata. 16. The non-transitory machine-readable medium of claim 15 , wherein the actual classification is determined using the deep packet inspection. 17. The non-transitory machine-readable medium of claim 14 , wherein the RNN includes a bi-directional long short term memory (LSTM) NN.