Using NetFlow/IPFIX for Anomaly Detection with opFlow


NetFlow data can be used to identify attacks on your network such as denial of service (DoS), viruses, and worms. Changes in network behavior are represented clearly in NetFlow data, and these deviations from normal behavior can help identify harmful anomalies. An anomaly is an event or condition in the network that deviates from previously typical traffic patterns.

opFlow can detect anomalies by determining an average network usage baseline and comparing it with the traffic of a suspected anomaly event. Using a threshold system, you could create a rule that notifies you of network behavior whose current value exceeds the mean by two or three times the standard deviation.
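The baseline-and-threshold rule described above, as an added Python example (not opFlow's own code or configuration). The flow tuple layout, function names, per-destination grouping, and the one-minute interval are assumptions made for illustration, and the flow records are constructed sample data.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample flows: (epoch_seconds, dst_ip, bytes). Not real traffic.
BASELINE = [(i * 60 + 5, "192.0.2.10", b) for i, b in enumerate(
    [1000, 1100, 900, 1050, 950, 1000, 1100, 900, 1050, 950])]
CURRENT = [
    (600, "192.0.2.10", 600), (630, "192.0.2.10", 550),    # slightly busy minute
    (665, "192.0.2.10", 3000), (690, "192.0.2.10", 2000),  # large burst
    (670, "192.0.2.20", 800),                              # host with no baseline
]

def bucket_bytes(flows, interval=60):
    """Sum flow bytes per (destination, interval start)."""
    totals = defaultdict(int)
    for ts, dst, nbytes in flows:
        totals[(dst, ts - ts % interval)] += nbytes
    return totals

def find_anomalies(baseline_flows, current_flows, k=3.0, interval=60,
                   min_samples=5):
    """Return (dst, bucket_start, observed, threshold) for every current
    interval whose byte count exceeds mean + k * stddev of the baseline."""
    # Intervals with no flows are absent from the baseline, so the mean is
    # over active intervals only (a simplification of this example).
    history = defaultdict(list)
    for (dst, _), total in bucket_bytes(baseline_flows, interval).items():
        history[dst].append(total)

    alerts = []
    for (dst, start), observed in sorted(
            bucket_bytes(current_flows, interval).items()):
        samples = history.get(dst, [])
        if len(samples) < min_samples:
            continue  # too little history to form a meaningful baseline
        threshold = mean(samples) + k * pstdev(samples)
        if observed > threshold:
            alerts.append((dst, start, observed, threshold))
    return alerts

if __name__ == "__main__":
    for k in (2.0, 3.0):
        for dst, start, seen, limit in find_anomalies(BASELINE, CURRENT, k=k):
            print(f"k={k}: {dst} t={start} bytes={seen} limit={limit:.0f}")
```

With this sample data the two-sigma rule flags both current minutes for 192.0.2.10, while the three-sigma rule flags only the burst, which shows how the multiplier trades sensitivity against noise.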
