Network profiling

Networks are all different, carrying variable amounts of data across varying numbers and lengths of sessions. If we, as cybersecurity operators, work on the assumption that an infected host is the exception rather than the usual state of the network, the ability to detect anomalous traffic will help us detect an attack in progress. Network profiling is used to establish the normal pattern of behavior for a network.

There are a number of different metrics that should be collected during network profiling. In this section, we will identify the elements that are useful for network profiling, look at the technologies that can facilitate collection, and learn what to look for in each metric.

Network profiles should be collected periodically to stay relevant, but consideration should also be given to temporal variation, whether daily (for example, peak traffic at lunchtime compared with overnight), weekly (for example, weekends), or seasonal (for example, holiday shopping or summer vacations). A company's usage may also vary over time, with periods of growth perhaps associated with increased user and traffic volume.
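The following is an added example, not part of the original text, showing why a profile must be keyed by time period: the same traffic volume is normal at weekday lunchtime and anomalous overnight. The function names, the hourly byte totals, and the median/MAD threshold are illustrative assumptions, and the sample data is constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

def bucket(ts):
    """Profile key: (weekday or weekend, hour of day)."""
    return ("weekend" if ts.weekday() >= 5 else "weekday", ts.hour)

def build_profile(samples):
    """samples: iterable of (datetime, bytes_in_hour). Returns bucket -> (median, MAD)."""
    groups = defaultdict(list)
    for ts, volume in samples:
        groups[bucket(ts)].append(volume)
    profile = {}
    for key, vols in groups.items():
        med = median(vols)
        mad = median(abs(v - med) for v in vols)  # robust measure of spread
        profile[key] = (med, mad)
    return profile

def is_anomalous(profile, ts, volume, threshold=5.0, min_spread_frac=0.05):
    """Compare a new hourly total against the baseline for its own time bucket."""
    key = bucket(ts)
    if key not in profile:
        return True  # no baseline for this period: surface it for review
    med, mad = profile[key]
    # Floor the spread so a very flat baseline does not flag trivial noise.
    spread = max(mad, min_spread_frac * med, 1.0)
    return abs(volume - med) / spread > threshold

def constructed_samples():
    """Constructed data: four weeks of hourly totals with busy weekday
    office hours, a lunchtime peak, and quiet nights and weekends."""
    start = datetime(2024, 1, 1)  # a Monday
    out = []
    for h in range(24 * 28):
        ts = start + timedelta(hours=h)
        kind, hour = bucket(ts)
        if kind == "weekday" and 9 <= hour <= 17:
            base = 900 if hour in (12, 13) else 600  # MB per hour
        else:
            base = 40
        jitter = (h * 37) % 21 - 10  # deterministic variation of +/-10 MB
        out.append((ts, (base + jitter) * 1_000_000))
    return out

PROFILE = build_profile(constructed_samples())
```

A single network-wide average over this data would sit far from both the daytime and overnight levels, which is why the baseline is held per time bucket and rebuilt periodically.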

Cisco's 210-255 specifically identifies four features to be considered during network profiling. These are discussed separately in the following sections.
