The embodiment of the invention discloses a terminal security protection system for industrial hosts. The system integrates core functions including behavior monitoring, virus scanning and removal, remote investigation and evidence collection, coordinated (linkage) defense, and risk situation display. It adopts advanced technologies such as behavior recognition, multi-engine sample identification, neural networks, trapping, and immunization to detect and dispose of known and unknown threats in real time, and it effectively addresses threats that traditional security products cannot defend against effectively, such as ransomware, cryptomining, antivirus evasion, and fileless attacks. A lightweight terminal Agent program collects behavior data at full kernel-level granularity in real time to continuously monitor the terminal system, and the events that help the customer trace threats are screened out of that data and stored. This enables rapid analysis of and response to threat events (including determining the patient-zero compromised terminal, the attack range, and the like), obtains maximum protection with minimum resource overhead, and comprehensively improves the customer's terminal security management capability.