With the rapid development of Internet technology, network security is becoming more and more severe. Data transferred on the Internet can be divided into two categories, normal data and intrusion data. Clustering is a popular data analysis technology to classify data according to the characteristics of the data and clustering can also be used for intrusion behavior analysis on the Internet. K-means is a simple and an efficient data clustering algorithm, but it has a tendency to converge to local optima and the optimization results depend on the initial values of cluster centers. Therefore, DD-means clustering algorithm, which selects the initial center points based on the density and the maximum distance of different data points, has been proposed to improve the performance of classical K-means. The performance of DD-means clustering algorithm is significantly better than that of classical K-means clustering algorithm in silhouette coefficient. The experimental results show that the proposed algorithm is effective and efficient for analyzing the intrusion behavior on the Internet.