Abstract: Traditional intrusion monitoring system can not keep up with the speed of malicious code upgrade，monitoring effect is poor． Therefore，an automatic security monitoring system for malicious code intrusion in local area network is designed． In the hardware part of the system，the malicious code packets with intrusion and attack behaviors are stored and matched by the database module，and the restored information is stored． The features of the packets with intrusion are extracted by the intrusion monitoring module，and the intrusion behaviors are judged． Through the database restore module to the network transmission packet interception，and restore the data processing and storage; Through the log audit module，the information of intrusion into the system is transmitted to the database． On this basis，a clustering algorithm is used to effectively monitor the malicious code invading the system． The experimental results show that the monitoring system has the advantages of high coverage monitoring rate，less monitoring time and low error rate．

Key words: local area network ( LAN) , malicious code, intrusion monitoring, clustering algorithm