Anomaly detection techniques in network security face significant challenges on configuration and evaluation, as collecting data for accurate analysis is difficult or nearly impossible. One viable approach is to avoid live data collection and replace if by the agent-based simulation of the network traffic with models of user’s behavior. In this paper we propose three approaches differing by the level of detail with which user behavior is modeled. They are well suited for generating NetFlow/IPFIX data that can be used for evaluation and optimal configuration of anomaly detection techniques. First two techniques use simple statistical model that is easy to implement and does not require large amount of training data. The third leverages sophisticated model of the user’s behavior covering different aspects of the network traffic not captured by the simpler models. In experimental evaluation it is demonstrated that the complex model generates data indistinguishable for current state-ofthe-art anomaly detection methods from the real-world samples, which makes it well-suited for their evaluation and configuration.