ABSTRAK Penelitian ini mengembangkan sistem deteksi anomali trafik jaringan internet di lingkungan UPA TIK Universitas Negeri Manado menggunakan algoritma K-Means Clustering dengan pendekatan Action Research. Sistem monitoring jaringan yang ada masih bersifat reaktif, sehingga anomali baru terdeteksi setelah laporan pengguna masuk. Data log firewall berupa Report of Connection Events periode 2-9 Februari 2026 dengan sekitar 10.000 baris koneksi valid digunakan sebagai dataset penelitian. Tahapan preprocessing mencakup pembersihan data, rekayasa fitur berbasis perilaku jaringan meliputi Source Connection Count (fsrc), Destination Port Entropy (Hport), dan Byte-to-Connection Ratio (Rbyte), serta normalisasi menggunakan Z-Score Standardization. Penentuan jumlah klaster optimal dilakukan dengan Elbow Method menghasilkan K=3, yang dikonfirmasi dengan Silhouette Score sebesar 0,6493 dan Davies-Bouldin Index sebesar 0,5379. Hasil clustering membagi trafik menjadi tiga kelompok: trafik normal (82,5%), semi-normal (16,5%), dan anomali potensial (1,0%). Visualisasi dengan Principal Component Analysis (PCA) mengkonfirmasi pemisahan klaster secara geometris. Deteksi anomali berbasis threshold persentil ke-99 (P99) berhasil mengidentifikasi empat kategori anomali utama: aktivitas BitTorrent, akses massal ke banyak negara, probing ke zona DMZ, dan penggunaan port tidak umum. Penelitian membuktikan bahwa K-Means Clustering efektif sebagai metode deteksi anomali berbasis data pada jaringan kampus tanpa memerlukan pelabelan data. ABSTRACT This study develops an internet network traffic anomaly detection system at the UPA TIK environment of Universitas Negeri Manado using the K-Means Clustering algorithm with an Action Research approach. The existing network monitoring system is still reactive, meaning anomalies are only detected after user complaints are received. Firewall log data in the form of Report of Connection Events for the period of February 2-9, 2026, consisting of approximately 10,000 valid connection records, was used as the research dataset. Preprocessing stages include data cleaning, network behavior-based feature engineering comprising Source Connection Count (fsrc), Destination Port Entropy (Hport), and Byte-to-Connection Ratio (Rbyte), as well as normalization using Z-Score Standardization. The optimal number of clusters was determined using the Elbow Method, resulting in K=3, confirmed by a Silhouette Score of 0.6493 and a Davies-Bouldin Index of 0.5379. Clustering results divided traffic into three groups: normal traffic (82.5%), semi-normal (16.5%), and potential anomalies (1.0%). Visualization using Principal Component Analysis (PCA) geometrically confirmed cluster separation. Anomaly detection based on the 99th percentile threshold (P99) successfully identified four main anomaly categories: BitTorrent activity, mass access to multiple countries, DMZ zone probing, and use of non-standard ports. The study proves that K-Means Clustering is effective as a data-driven anomaly detection method for campus networks without requiring labeled data.