The embodiment of the invention discloses an attack detection method and system. The method comprises the following steps: establishing a plurality of detection models related to an HTTP request in advance, and detecting each record after web access logs are decomposed by utilizing each detection model respectively to obtain a parameter abnormal value of each detection model aiming at the record; calculating an optimized weighted value corresponding to the parameter abnormal value of each detection model, carrying out weighted calculation to obtain a final parameter abnormal value, and determining a final abnormal threshold; judging whether the final parameter abnormal value calculated aiming at the log record to be detected is greater than the determined final abnormal threshold; and if yes, determining the HTTP request of the log record to be detected as attack behavior. By applying the embodiment of the invention, unknown attacks can be actively discovered, so that the detection rate of the unknown attacks can be improved; and optimized weighting of multiple detection models is adopted for detecting, so that the limitation of a single detection model is avoided, false-reporting and under-reporting conditions are reduced, and the false detection rate is lowered.