The invention discloses an intrusion detection method based on a traceability graph and belongs to the field of computer system security. The method comprises: obtaining a traceability graph of the behavior to be detected and calculating node importance; a rapid judgment and a precise judgment are then carried out. In the rapid judgment stage, N1 nodes with high importance and the corresponding K1 neighborhood nodes are selected, and the traceability graph is converted into a first neighborhood matrix through a mapping rule, so that the main features of the traceability graph are extracted rapidly. If the difference m1 between these features and normal rule behaviors is larger than a threshold ThH, the behavior is judged to be an intrusion; if m1 is smaller than a lower threshold, the behavior is judged to be normal; if m1 lies between the two thresholds, the method enters the precise judgment stage: the scale of central nodes N2 (N2 > N1) and neighborhood nodes K2 (K2 > K1) is expanded, the traceability graph is mined in depth, and a second neighborhood matrix is constructed and its features extracted; if the difference m2 between these features and normal rule behaviors is smaller than a threshold Th, the behavior is determined to be normal, otherwise it is determined to be abnormal. According to the invention, intrusion detection can be realized efficiently and accurately.
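The two-stage decision described above, as an added Python example that is not part of the patent text. The abstract does not specify the importance measure, the mapping rule, the difference measure or any threshold values, so the degree-based importance, the type-code mapping, the cell-mismatch difference, the constructed graphs, the numeric thresholds and the names `th_low`, `th_high` and `th` are all assumptions.

```python
from collections import defaultdict

TYPE_CODE = {"process": 1, "file": 2, "socket": 3}  # assumed mapping rule; 0 = padding

# Constructed baseline of normal behavior: undirected edges plus node types.
NORMAL_EDGES = [("nginx", "conf"), ("nginx", "log"), ("nginx", "sock"),
                ("nginx", "worker"), ("worker", "log"), ("worker", "sock")]
NORMAL_TYPES = {"nginx": "process", "worker": "process", "conf": "file",
                "log": "file", "sock": "socket"}

def neighborhood_matrix(edges, types, n, k):
    """One row per top-n node: its type code, then those of its k top neighbors."""
    adj = defaultdict(set)
    for src, dst in edges:
        adj[src].add(dst)
        adj[dst].add(src)
    rank = lambda v: (-len(adj[v]), v)  # assumed importance: degree, ties by name
    rows = []
    for center in sorted(adj, key=rank)[:n]:
        picked = [center] + sorted(adj[center], key=rank)[:k]
        row = [TYPE_CODE[types[v]] for v in picked]
        rows.append(row + [0] * (k + 1 - len(row)))
    return rows + [[0] * (k + 1)] * (n - len(rows))

def difference(a, b):
    """Assumed difference measure: fraction of matrix cells that disagree."""
    cells = [(x, y) for ra, rb in zip(a, b) for x, y in zip(ra, rb)]
    return sum(x != y for x, y in cells) / len(cells)

def stage_difference(edges, types, n, k):
    """Difference between a graph and the baseline at one (n, k) scale."""
    return difference(neighborhood_matrix(edges, types, n, k),
                      neighborhood_matrix(NORMAL_EDGES, NORMAL_TYPES, n, k))

def detect(edges, types, n1=2, k1=2, n2=4, k2=3, th_low=0.1, th_high=0.6, th=0.3):
    """Return (verdict, stage). All parameter values here are illustrative."""
    m1 = stage_difference(edges, types, n1, k1)  # rapid judgment
    if m1 > th_high:
        return "intrusion", "rapid"
    if m1 < th_low:
        return "normal", "rapid"
    m2 = stage_difference(edges, types, n2, k2)  # precise judgment: N2 > N1, K2 > K1
    return ("normal" if m2 < th else "abnormal"), "precise"

# Constructed suspect graph: the baseline plus a shell spawned by the worker.
SUSPECT_EDGES = NORMAL_EDGES + [("worker", "sh"), ("sh", "c2"), ("sh", "shadow")]
SUSPECT_TYPES = {**NORMAL_TYPES, "sh": "process", "c2": "socket", "shadow": "file"}

if __name__ == "__main__":
    print(detect(NORMAL_EDGES, NORMAL_TYPES))    # the baseline itself
    print(detect(SUSPECT_EDGES, SUSPECT_TYPES))  # ambiguous in stage 1, decided in stage 2
```

In the suspect graph only one of the six cells in the first neighborhood matrix changes, so the rapid stage cannot decide; the larger second matrix picks up the shell's file and socket neighbors and pushes the difference over `th`.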