The paper introduces PAYL, a payload-based anomaly detector designed for intrusion detection. PAYL models the normal application payload of network traffic in an automatic, unsupervised, and efficient manner. During the training phase, it computes a byte frequency distribution and standard deviation of the application payload for a single host and port. In the detection phase, Mahalanobis distance is used to compare new data against the pre-computed profile, generating alerts when the distance exceeds a threshold. The method demonstrates high accuracy and low false positive rates on both the 1999 DARPA IDS dataset and a live dataset from the Columbia CS department network. The authors aim to detect the initial occurrences of worms or other malicious payloads, preventing their propagation before they cause significant damage. The approach is site-specific and can be integrated with standard firewall technology to enhance security.
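
The training and detection phases described above, as an added example (not code from the paper or its authors). It assumes a simplified Mahalanobis distance that treats byte values as independent; the smoothing factor `ALPHA`, the `calibrate` margin rule, and all sample payloads are constructed for illustration.

```python
from collections import Counter
from math import sqrt

ALPHA = 0.001  # smoothing factor (assumed value) so a zero deviation never divides by zero

def byte_freq(payload: bytes) -> list:
    """Relative frequency of each of the 256 byte values in one payload."""
    counts, n = Counter(payload), max(len(payload), 1)
    return [counts[b] / n for b in range(256)]

def train(payloads):
    """Profile for one host/port: per-byte mean and standard deviation."""
    freqs = [byte_freq(p) for p in payloads]
    n = len(freqs)
    mean = [sum(f[b] for f in freqs) / n for b in range(256)]
    std = [sqrt(sum((f[b] - mean[b]) ** 2 for f in freqs) / n) for b in range(256)]
    return mean, std

def distance(payload, profile):
    """Simplified Mahalanobis distance: bytes treated as independent (assumption)."""
    mean, std = profile
    x = byte_freq(payload)
    return sum(abs(x[b] - mean[b]) / (std[b] + ALPHA) for b in range(256))

def calibrate(normal_payloads, profile, margin=1.5):
    """Assumed rule: threshold = margin x largest distance on held-out normal traffic."""
    return margin * max(distance(p, profile) for p in normal_payloads)

def is_anomalous(payload, profile, threshold):
    return distance(payload, profile) > threshold

# Constructed sample traffic for one host and port (a web server on port 80).
def http_get(path):
    return (f"GET {path} HTTP/1.1\r\nHost: www.example.edu\r\n"
            "User-Agent: Mozilla/5.0\r\nAccept: */*\r\n\r\n").encode()

TRAINING = [http_get(p) for p in ("/", "/index.html", "/about.html", "/courses/list.html",
            "/people/faculty.html", "/research/labs.html", "/news/2004.html", "/img/logo.gif")]
HELD_OUT = [http_get(p) for p in ("/contact.html", "/courses/schedule.html",
                                  "/people/students.html")]
BINARY = bytes(range(128, 256)) * 2  # constructed non-text payload, unlike the training data

PROFILE = train(TRAINING)
THRESHOLD = calibrate(HELD_OUT, PROFILE)

if __name__ == "__main__":
    for name, p in [("held-out GET", HELD_OUT[0]), ("binary blob", BINARY)]:
        print(f"{name}: d={distance(p, PROFILE):.1f} alert={is_anomalous(p, PROFILE, THRESHOLD)}")
```

Byte values never seen in training have zero mean and zero deviation, so each one in a new payload is divided by `ALPHA` alone; this is why the binary payload scores far above the text requests.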