Hello, you are using an old browser that's unsafe and no longer supported. Please consider updating your browser to a newer version, or downloading a modern browser.
Training Camp • Cybersecurity Glossary
The practice of collecting and analyzing behavioral data to build a baseline of normal activity for users, devices, or networks to detect anomalies.
Profiling Definition: The practice of collecting and analyzing behavioral data to build a baseline of normal activity for users, devices, or networks to detect anomalies.
Profiling is the practice of collecting and analyzing data about a user, device, network, or entity to build a model of its characteristics and normal behavior. In cybersecurity, profiling establishes a baseline of expected activity so that deviations can be flagged as potential threats, and it also identifies and categorizes devices for access and monitoring decisions.
Profiling works by aggregating signals over time, such as login times, locations, accessed resources, traffic volume, application usage, and device fingerprints, then applying statistical or machine-learning techniques to define a normal pattern. Network access control systems profile endpoints by inspecting DHCP, HTTP user-agent, and traffic attributes to classify a device as, say, a printer or a laptop. User and Entity Behavior Analytics (UEBA) platforms build per-user behavioral baselines and score current activity against them.
Profiling matters because attacks frequently manifest as behavioral anomalies: a compromised account suddenly accessing unusual systems, a device transferring data at odd hours, or an endpoint communicating with a known-bad host. Accurate profiles enable detection of insider threats and account takeover that signature-based tools miss. Poor profiling, however, causes false positives that desensitize analysts, and behavioral profiles can raise privacy and fairness concerns, requiring careful governance of what data is collected and how it is used.
For example, a UEBA system profiles an employee who normally logs in from one city during business hours and accesses finance applications. One night, that account authenticates from a foreign IP, escalates privileges, and begins copying large volumes from an engineering repository. Because this activity diverges sharply from the established profile, the system raises a high-risk alert, and security responders investigate, discovering credential theft before significant data is exfiltrated.
Turn knowledge into credentials with our instructor-led cybersecurity boot camps.
View All Courses →