Abstract: The traffic behavior description is the basis of network anomaly detection.Traffic behavior pattern is defined in this paper to describe the network traffic and the flows are classified according to their behavior patterns.An algorithm is designed to provide a high efficiency and accurate classification in order to recognize and cluster the flow behavior in real time situation.This is the premise of the network traffic anomaly behav- ior diagnosis.