
1.2 Problem Statement

Snort is an intrusion detection system (IDS) that uses a signature-based approach: similar to a virus scanner, it detects events by matching traffic against specific pre-defined patterns known as signatures (Snort.org, 2010). The main limitation of signature-based IDS is the failure to identify novel attacks, and sometimes even minor variations of known patterns (Georg, 2007). Anomaly detection has an advantage here: a new attack for which no signature exists can still be detected if it falls outside the normal traffic pattern. The best example is the detection of new automated worms. When a newly infected system starts scanning for other vulnerable systems at an accelerated or abnormal rate, it floods the network with malicious traffic and thereby triggers a TCP connection-rate or bandwidth anomaly rule (Foster, 2007). The main disadvantage of anomaly detection, however, is its high false alarm rate, since legitimate traffic that departs from the learned baseline is flagged as well.

Several previous studies have built hybrid IDS by combining Snort with anomaly-based detection. Teodoro (2007) combined a Markov-model anomaly detector with the signature-based Snort, producing a hybrid detection system intended to improve overall detection throughput. In the same year, Hwang (2007) developed a weighted signature generation scheme that integrates an anomaly detection system (ADS) with Snort by extracting signatures from the anomalies detected; the resulting hybrid IDS (HIDS) adds the signatures extracted from the ADS output to the Snort signature database for fast and accurate intrusion detection. Ding (2009) combined Snort as the signature-based system with an ADS based on the frequency episode rule algorithm. Gomez (2009) presented a new statistical anomaly pre-processor that extends the functionality of Snort, making it a hybrid IDS. Aydin (2009) developed a hybrid IDS by combining packet header anomaly detection (PHAD) and network traffic anomaly detection (NETAD), both anomaly-based IDS, with the misuse-based IDS Snort.

The aim of this research is therefore to combine a signature-based and an anomaly-based algorithm in order to improve the detection of new malicious packets while reducing the excessive false alarm rate (Northcutt, 2007). Snort is used as the signature-based IDS and the K-means clustering algorithm as the anomaly-based IDS. The packets that Snort passes as normal are then analysed with K-means clustering to determine whether they are attacks or not. The effectiveness of an IDS is measured by a low false alarm rate together with a high true alarm rate (Nieves, 2009).
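The two-stage pipeline described above, as an added example written for this page and not the thesis's own code or Snort's: a Snort-style content match runs first, the packets it passes are clustered with K-means, and the members of small clusters are reported as anomalies, so a scanning worm with no signature is still caught while a benign bulk transfer shows where the anomaly stage's false alarms come from. The packet records, the three per-source features (packets per second, distinct destination ports contacted, mean payload size), the two signature patterns, the farthest-first seeding and the "small cluster is anomalous" rule are all constructed assumptions of this example, not real Snort rules or real traffic.

```python
"""Added example, not the thesis's own code: a toy hybrid IDS with a Snort-style
signature stage followed by a K-means anomaly stage over the packets that passed.
The packet records, features, signature patterns and the "small cluster is
anomalous" rule are constructed assumptions of this example, not real Snort rules."""
import math

# Constructed signature patterns (payload substring -> alert name). Not real Snort rules.
SIGNATURES = {b"/cgi-bin/phf": "WEB-CGI phf probe", b"' OR 1=1": "SQL injection attempt"}

# Constructed records: (id, truth, payload, pps, distinct_dst_ports, mean_bytes).
# `truth` is ground truth used only for scoring; the detector never reads it.
PACKETS = [
    ("p01", "normal", b"GET /index.html HTTP/1.1", 3, 1, 300),
    ("p02", "normal", b"GET /style.css HTTP/1.1", 4, 1, 450),
    ("p03", "normal", b"POST /login HTTP/1.1", 2, 2, 200),
    ("p04", "normal", b"GET /img/logo.png HTTP/1.1", 6, 2, 650),
    ("p05", "normal", b"GET /news HTTP/1.1", 5, 1, 380),
    ("p06", "normal", b"GET /api/items HTTP/1.1", 8, 3, 700),
    ("p07", "normal", b"EHLO mail.example.test", 3, 1, 250),
    ("p08", "normal", b"GET /docs HTTP/1.1", 7, 2, 520),
    ("p09", "normal", b"GET /about HTTP/1.1", 4, 2, 410),
    ("p10", "normal", b"PUT /upload HTTP/1.1", 5, 3, 600),
    ("p11", "normal", b"GET /ping HTTP/1.1", 2, 1, 150),
    ("p12", "normal", b"GET /search?q=ids HTTP/1.1", 6, 1, 480),
    # known attacks, caught by the signature stage
    ("p13", "attack", b"GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd", 4, 1, 420),
    ("p14", "attack", b"username=admin' OR 1=1--", 3, 1, 380),
    # novel worm scanning many ports at a high rate: no signature exists for it
    ("p15", "attack", b"\x90\x90\x90\x90", 500, 200, 48),
    ("p16", "attack", b"\x90\x90\x90\x90", 540, 230, 52),
    ("p17", "attack", b"\x90\x90\x90\x90", 580, 260, 56),
    # benign but unusual bulk transfer: the anomaly stage's false alarm
    ("p18", "normal", b"BACKUP chunk 0001", 50, 2, 1500),
]

def signature_match(payload):
    """Stage 1: Snort-style content match. Returns the alert name or None."""
    for pattern, name in SIGNATURES.items():
        if pattern in payload:
            return name
    return None

def normalise(rows):
    """Min-max scale each feature column to [0, 1] so no unit dominates the distance."""
    cols = list(zip(*rows))
    lo = [min(c) for c in cols]
    span = [(max(c) - min(c)) or 1.0 for c in cols]
    return [tuple((v - l) / s for v, l, s in zip(r, lo, span)) for r in rows]

def dist(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))

def kmeans(points, k, max_iter=100):
    """Lloyd's K-means with farthest-first seeding, so runs are reproducible and a
    seed tends to land on the outlying traffic. Returns (centroids, assignments)."""
    centroids = [points[0]]
    while len(centroids) < k:
        centroids.append(max(points, key=lambda p: min(dist(p, c) for c in centroids)))
    assign = None
    for _ in range(max_iter):
        new_assign = [min(range(k), key=lambda j: dist(p, centroids[j])) for p in points]
        if new_assign == assign:
            break
        assign = new_assign
        for j in range(k):
            members = [p for p, a in zip(points, assign) if a == j]
            if members:  # an emptied cluster keeps its old centroid
                centroids[j] = tuple(sum(col) / len(members) for col in zip(*members))
    return centroids, assign

def anomaly_stage(records, k=3, min_fraction=0.25):
    """Stage 2: cluster the packets Snort passed and flag every member of a cluster
    holding fewer than min_fraction of them (assumed rule). Returns flagged ids."""
    points = normalise([(pps, ports, size) for _, _, _, pps, ports, size in records])
    _, assign = kmeans(points, k)
    small = {j for j in range(k) if assign.count(j) < min_fraction * len(records)}
    return {rec[0] for rec, a in zip(records, assign) if a in small}

def run_hybrid_ids(packets):
    """Signature stage first; only the packets it passes reach the K-means stage."""
    sig_alerts = {pid for pid, _, payload, *_ in packets if signature_match(payload)}
    anom_alerts = anomaly_stage([rec for rec in packets if rec[0] not in sig_alerts])
    alerts = sig_alerts | anom_alerts
    attacks = {pid for pid, truth, *_ in packets if truth == "attack"}
    normal = {pid for pid, truth, *_ in packets if truth == "normal"}
    return {
        "signature_alerts": sig_alerts,
        "anomaly_alerts": anom_alerts,
        "true_alarm_rate": len(alerts & attacks) / len(attacks),  # attacks detected
        "false_alarm_rate": len(alerts & normal) / len(normal),   # benign flagged
    }

if __name__ == "__main__":
    for key, value in run_hybrid_ids(PACKETS).items():
        print(f"{key}: {value}")
```

On this constructed set the signature stage raises p13 and p14, the K-means stage raises p15 to p18, the true alarm rate is 1.0 and the false alarm rate is 1/13: the scanners are caught without any signature, and the backup job is exactly the kind of legitimate-but-unusual traffic that makes the anomaly stage's false alarm rate the quantity the research has to drive down. Replacing the small-cluster rule with a distance-to-centroid threshold, or tuning min_fraction, moves the trade-off between the two rates; in a real deployment the feature rows would be computed from captured flows rather than written by hand.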
