The invention discloses an active defense method for an industrial control operating system with self-learning characteristics, which includes the following steps: step 1, judge whether a program can be executed according to the trust policy and, if it is executable, monitor its business behavior and perform access operations on the program according to the detected subject and object; step 2, according to step 1, monitor the logs generated by business calls and realize non-deterministic security policy learning; step 3, monitor the behavior of system calls at the Linux kernel layer, collect the corresponding system call information, and judge, according to the security policy generated in steps 1 and 2, whether each system call is allowed or denied; step 4, according to steps 1 and 2, build the active defense system of the industrial control operating system on the basis of self-learning system mandatory access control, supplemented by application trust measurement. The invention remains immune to attacks even when defects and vulnerabilities are present, and has the characteristics of automatic learning, simple application, and low business impact.
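A userspace model of steps 1 to 3, added here as an illustration and not the patent's implementation: a digest check gates execution, allow rules are learned from logged accesses of trusted programs, and every other access is denied. The paths, log format, SHA-256 digest check and `min_seen` threshold are assumptions; the method described above collects this information from system calls at the Linux kernel layer.

```python
import hashlib
import hmac
from collections import Counter

# Constructed sample data: paths, image bytes and the log format are assumptions.
IMAGES = {
    "/opt/plc/ctrl": b"ctrl-binary-v1",
    "/tmp/dropper": b"unknown-binary",
}
TRUSTED = {"/opt/plc/ctrl": hashlib.sha256(b"ctrl-binary-v1").hexdigest()}
LEARNING_LOG = [  # "subject object operation", one access per line
    "/opt/plc/ctrl /dev/ttyS0 read",
    "/opt/plc/ctrl /dev/ttyS0 write",
    "/opt/plc/ctrl /dev/ttyS0 write",
    "/opt/plc/ctrl /var/log/plc.log append",
    "/tmp/dropper /etc/shadow read",
    "malformed line",
]


def is_trusted(path, image):
    """Step 1: the program may run only if its digest matches the trust policy."""
    expected = TRUSTED.get(path)
    actual = hashlib.sha256(image).hexdigest()
    return expected is not None and hmac.compare_digest(expected, actual)


def learn_policy(lines, min_seen=1):
    """Step 2: turn logged accesses of trusted programs into allow rules."""
    seen = Counter()
    for line in lines:
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed records rather than guessing fields
        subject, obj, op = parts
        if is_trusted(subject, IMAGES.get(subject, b"")):
            seen[(subject, obj, op)] += 1
    return {rule for rule, count in seen.items() if count >= min_seen}


def decide(policy, subject, image, obj, op):
    """Step 3: default-deny decision for one intercepted access."""
    if not is_trusted(subject, image):
        return "deny"
    return "allow" if (subject, obj, op) in policy else "deny"


POLICY = learn_policy(LEARNING_LOG)
```

A trusted program that is later exploited is still limited to the accesses seen during learning, which is how the default-deny decision contains an unpatched flaw.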