
Network Profiling In Cybersecurity: Facts To Note


In order to detect serious security incidents, it is important to understand, characterize, and analyze information about normal network functioning. Networks, servers, and hosts all exhibit typical behaviour for a given point in time.
Care must be taken when capturing baseline data so that all normal network operations are included in the baseline. In addition, it is important that the baseline is current. It should not include network performance data that is no longer part of normal functioning.
For example, rises in network utilization during periodic server backup operations are part of normal network functioning and should be part of the baseline data. However, measurement of traffic that corresponds to outside access to an internal server that has been moved to the cloud would not be.
A means of capturing just the right period for baseline measurement is known as sliding window anomaly detection. It defines a window that is most representative of network operation and deletes data that is out of date.
This process continues with repeated baseline measurements to ensure that baseline measurement statistics depict network operation with maximum accuracy.
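
The sliding-window baseline described above can be sketched as follows. This is an added example, not code from the original article; the class name, the per-hour slots, the 7-day window, the 3-sigma threshold, the 10% deviation floor and the traffic figures are all assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from statistics import mean, stdev


class SlidingBaseline:
    """Per-hour-of-day baseline of WAN volume over a sliding window of days."""

    def __init__(self, window_days=7, k=3.0, min_samples=4, floor=0.10):
        # deque(maxlen=...) discards the oldest day as a new one is added, so
        # out-of-date measurements leave the baseline automatically.
        self.slots = defaultdict(lambda: deque(maxlen=window_days))
        self.k, self.min_samples, self.floor = k, min_samples, floor

    def observe(self, hour, mbytes):
        """Return True if mbytes deviates from the baseline for this hour."""
        hist = self.slots[hour]
        anomalous = False
        if len(hist) >= self.min_samples:
            mu = mean(hist)
            # Floor sigma so a very steady baseline does not alarm on jitter.
            sigma = max(stdev(hist), self.floor * mu)
            anomalous = abs(mbytes - mu) > self.k * sigma
        if not anomalous:
            hist.append(mbytes)  # only normal samples join the baseline
        return anomalous


# Constructed sample data: MB sent over the WAN link in one hour, days 1-7.
BACKUP_02H = [880, 910, 905, 890, 915, 900, 895]  # nightly server backup
OFFICE_14H = [118, 125, 122, 119, 130, 121, 124]  # ordinary afternoon traffic


def run_demo():
    base = SlidingBaseline()
    for night, day in zip(BACKUP_02H, OFFICE_14H):
        base.observe(2, night)
        base.observe(14, day)
    return {
        "backup_at_02h": base.observe(2, 920),        # in profile for that hour
        "same_volume_at_14h": base.observe(14, 900),  # unusual time: alarm
        "window_len_02h": len(base.slots[2]),         # still 7 days
        "oldest_02h": base.slots[2][0],               # day 1 has been dropped
    }


if __name__ == "__main__":
    print(run_demo())
```

Because the backup hour has its own window, the nightly rise is part of the baseline, while the same volume in the afternoon is flagged.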


Increased utilization of WAN links at unusual times can indicate a network breach and exfiltration of data. Hosts that begin to access obscure internet servers, resolve domains that are obtained through dynamic DNS, or use protocols or services that are not needed by the system user can also indicate compromise. Deviations in network behavior are difficult to detect if normal behavior is not known.


Tools like NetFlow and Wireshark can be used to characterize normal network traffic. Because organizations can make different demands on their networks depending on the time of day or day of the year, network baselining should be carried out over an extended period. The figure displays some questions to ask when establishing a network baseline.


Figure: a cloud connected to four textboxes, each posing one baseline question.

  • Session Duration: What is the average time between the establishment of a data flow and its termination?
  • Total Throughput: What is the average amount of data passing from a given source to a given destination in a given period of time?
  • Port used: What is the list of acceptable TCP or UDP processes that are available to accept data?
  • Critical asset address space: What is the IP address space of critical assets owned by the organization?


Elements of a Network Profile

The table lists important elements of the network profile.

| Network Profile Element | Description |
| --- | --- |
| Session duration | This is the time between the establishment of a data flow and its termination. |
| Total throughput | This is the amount of data passing from a given source to a given destination in a given period of time. |
| Ports used | This is a list of TCP or UDP processes that are available to accept data. |
| Critical asset address space | These are the IP addresses or the logical location of essential systems or data. |

In addition, a profile of the types of traffic that typically enter and leave the network is an important tool in understanding network behavior. Malware can use unusual ports that may not be typically seen during normal network operation.
Host-to-host traffic is another important metric. Most network clients communicate directly with servers, so an increase of traffic between clients can indicate that malware is spreading laterally through the network.
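
The following added example (not part of the original article) checks flow records against two profile elements discussed above: the ports used and the amount of client-to-client traffic. The address ranges, the port list, the fan-out limit and the flow records are assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Assumed profile values, constructed for this example.
CLIENT_NET = ipaddress.ip_network("10.20.0.0/16")    # client address space
CRITICAL_NET = ipaddress.ip_network("10.10.5.0/24")  # critical asset address space
PROFILE_PORTS = {("tcp", 443), ("tcp", 445), ("udp", 53)}  # ports seen in the baseline
MAX_CLIENT_PEERS = 2  # most other clients one client contacts in the baseline

# Constructed flow records: (source, destination, protocol, destination port).
FLOWS = [
    ("10.20.1.15", "10.10.5.20", "tcp", 443),
    ("10.20.1.15", "10.10.5.10", "udp", 53),
    ("10.20.1.22", "10.20.1.30", "tcp", 445),   # occasional client-to-client share
    ("10.20.3.7", "10.20.1.15", "tcp", 445),
    ("10.20.3.7", "10.20.1.22", "tcp", 445),
    ("10.20.3.7", "10.20.1.30", "tcp", 445),
    ("10.20.3.7", "10.20.4.9", "tcp", 445),
    ("10.20.1.30", "10.10.5.20", "tcp", 8081),  # port absent from the profile
]


def profile_findings(flows):
    """Return deviations from the profile as tuples, in a stable order."""
    peers = defaultdict(set)  # client source -> other clients it contacted
    findings = []
    for src, dst, proto, dport in flows:
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if (proto, dport) not in PROFILE_PORTS:
            target = "critical-asset" if d in CRITICAL_NET else "other"
            findings.append(("unprofiled-port", src, dst, f"{proto}/{dport}", target))
        if s in CLIENT_NET and d in CLIENT_NET:
            peers[src].add(dst)
    # A client talking to many other clients departs from the usual
    # client-to-server pattern and is worth an analyst's attention.
    for src, dsts in sorted(peers.items()):
        if len(dsts) > MAX_CLIENT_PEERS:
            findings.append(("client-fan-out", src, len(dsts)))
    return findings


if __name__ == "__main__":
    for finding in profile_findings(FLOWS):
        print(finding)
```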


Finally, changes in user behavior, as revealed by AAA, server logs, or a user profiling system like Cisco Identity Services Engine (ISE), are another valuable indicator. Knowing how individual users typically use the network leads to detection of potential compromise of user accounts.
A user who suddenly begins logging in to the network at strange times from a remote location should raise alarms if this behavior is a deviation from a known norm.

Server Profiling

Server profiling is used to establish the accepted operating state of servers. A server profile is a security baseline for a given server. It establishes the network, user, and application parameters that are accepted for a specific server.


In order to establish a server profile, it is important to understand the function that a server is intended to perform in a network. From there, various operating and usage parameters can be defined and documented.
The table lists elements of a server profile.

| Server Profile Element | Description |
| --- | --- |
| Listening ports | These are the TCP and UDP daemons and ports that are normally allowed to be open on the server. |
| Logged in users and accounts | These are the parameters defining user access and behaviour. |
| Service accounts | These are the definitions of the type of service that an application is allowed to run. |
| Software environment | These are the tasks, processes, and applications that are permitted to run on the server. |

Network Anomaly Detection

Network behaviour is described by a large amount of diverse data such as the features of a packet flow, features of the packets themselves, and telemetry from multiple sources. One approach to the detection of network attacks is the analysis of this diverse, unstructured data using Big Data analytics techniques. This is known as network behaviour analysis (NBA).


This entails the use of sophisticated statistical and machine learning techniques to compare normal performance baselines with network performance at a given time. Significant deviations can be indicators of compromise. In addition, network behaviour can be analyzed for known network behaviours that indicate compromise.


Anomaly detection can recognize network traffic caused by worm activity that exhibits scanning behaviour. Anomaly detection also can identify infected hosts on the network that are scanning for other vulnerable hosts.
The figure illustrates a simplified version of an algorithm designed to detect an unusual condition at the border routers of an enterprise.

For example, the cybersecurity analyst could provide the following values:

  • X = 5
  • Y = 100
  • Z = 30
  • N = 500

Now, the algorithm can be interpreted as: Every 5th minute, get a sampling of 1/100th of the flows during second 30. If the number of flows is greater than 500, generate an alarm. If the number of flows is less than 500, do nothing. This is a simple example of using a traffic profile to identify the potential for data loss.
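
The interpretation above can be carried through in code. This is an added example, not taken from the original article or its figure; it assumes that N is compared with the sampled flow count, that sampling keeps every Y-th flow, and that flow start times are given in whole seconds since the capture began. The capture data is constructed.

```python
from collections import Counter


def border_router_alarms(flow_starts, x=5, y=100, z=30, n=500):
    """Return the minutes at which the sampled flow count exceeds n.

    flow_starts: flow start times in whole seconds since the capture began.
    """
    in_window = Counter()  # flows seen during second z of each x-th minute
    sampled = Counter()    # flows kept by the 1-in-y sampler
    for t in flow_starts:
        minute, second = divmod(t, 60)
        if minute % x != 0 or second != z:
            continue  # outside the sampling instant: never inspected
        in_window[minute] += 1
        if in_window[minute] % y == 0:  # keep every y-th flow
            sampled[minute] += 1
    return sorted(m for m, count in sampled.items() if count > n)


def constructed_capture():
    """Constructed flow start times for a 15-minute capture."""
    flows = [5 * 60 + 30] * 20_000    # minute 5: 200 sampled flows, below N
    flows += [7 * 60 + 30] * 90_000   # minute 7: large burst, not a sampled minute
    flows += [10 * 60 + 30] * 60_000  # minute 10: 600 sampled flows, above N
    flows += [10 * 60 + 31] * 90_000  # minute 10, second 31: outside second Z
    return flows


if __name__ == "__main__":
    print(border_router_alarms(constructed_capture()))
```

Only minute 10 raises an alarm; the larger bursts at minute 7 and at second 31 fall outside the sampling instant, which is the cost of sampling this sparsely.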


In addition to statistical and behavioural approaches to anomaly detection, there is rule-based anomaly detection. Rule-based detection analyzes decoded packets for attacks based on pre-defined patterns.

Network Vulnerability Testing

Most organizations connect to public networks in some way due to the need to access the internet. These organizations must also provide internet-facing services of various types to the public. Because of the vast number of potential vulnerabilities, and the fact that new vulnerabilities can be created within an organization's network and its internet-facing services, periodic security testing is essential.


The table lists various types of tests that can be performed.
Term Description
Risk Analysis
  • This is a discipline in which analysts evaluate the risk posed by vulnerabilities to a specific organization.
  • Risk analysis includes an assessment of the likelihood of attacks, identifies types of likely threat actors, and evaluates the impact of successful exploits on the organization.
Vulnerability Assessment
  • This test employs software to scan internet-facing servers and internal networks for various types of vulnerabilities.
  • These vulnerabilities include unknown infections, weaknesses in web-facing database services, missing software patches, unnecessary listening ports, etc.
  • Tools for vulnerability assessment include the open-source OpenVAS platform, Microsoft Baseline Security Analyzer, Nessus, Qualys, and FireEye Mandiant services.
  • Vulnerability assessment includes, but goes beyond, port scanning.
Penetration Testing
  • This type of test uses authorized simulated attacks to test the strength of network security.
  • Internal personnel with hacker experience, or professional ethical hackers, identify assets that could be targeted by threat actors.
  • A series of exploits are used to test the security of those assets.
  • Simulated exploit software tools are frequently used.
  • Penetration testing does not only verify that vulnerabilities exist; it actually exploits those vulnerabilities to determine the potential impact of a successful exploit.
  • An individual penetration test is often known as a pen test.
  • Metasploit is a tool used in penetration testing.
  • CORE Impact offers penetration testing software and services.
The table lists examples of activities and tools that are used in vulnerability testing.

| Activity | Description | Tools |
| --- | --- | --- |
| Risk analysis | Individuals conduct a comprehensive analysis of the impacts of attacks on core company assets and functioning | Internal or external consultants, risk management frameworks |
| Vulnerability Assessment | Patch management, host scans, port scanning, other vulnerability scans and services | OpenVAS, Microsoft Baseline Analyzer, Nessus, Qualys, Nmap |
| Penetration Testing | Use of hacking techniques and tools to penetrate network defences and identify the depth of potential penetration | Metasploit, CORE Impact, ethical hackers |