This artical present a system developed to find cyber threats automatically based on web usage mining methods in application layer. This system is an off-line intrusion detection system which includes different part to detect attacks and as a result helps find different kinds of attacks with different dispersals. In this study web server access logs used as the input data and after pre-processing, scanners and all identified attacks will be detected. As the next step, vectors feature from web access logs and parameters sent by HTTP will derived by three different means and at the end by employment of two clustering algorithms based on K-Means, anomaly behaviour of data are detached. Tentative results derived from this system represent that used methods are more applicable than similar systems because this system covers different kinds of attacks and mostly increase the accuracy and decrease false alarms.