False positive rate is the main shortcoming for anomaly-based network intrusion detection systems. Many approaches have been proposed with dominating machine learning and artificial intelligence techniques or its combination. High false positive rate is due to being more general while designing detection model. Rule-based network intrusion detection systems lack high false positive rate if any, because rules are tighter to individually known type of attack. Although anomaly-based network intrusion detection systems do not need prior knowledge of attack, it is still possible to imitate some rule-based specificity at certain level while designing detection model in order to reduce the false positive rate. The specificity being handled in this paper is the design of network intrusion detection system for TCP/IP network traffic. Then we propose a method to prepare quality clusters to build a network intrusion detection model. It has been surveyed that some research did not bring contribution to network based intrusion detection systems due to improperly preprocessed data especially during feature selection. In this paper, we propose an attribute selection method with basic TCP network features only. By doing so, the experiment confirms the false positive rate (0.2%) and maintains overall system accuracy (99.6 %).