The invention belongs to the field of cyberspace security and discloses a method and system for anomaly detection based on business flows. The business flow is monitored and analyzed from three perspectives. From the perspective of business protocol, elements such as source IP address, destination IP address, source port, destination port, protocol type, and time are examined for anomalies. From the perspective of business performance, the time interval between current business events and the execution frequency of certain parts of the business activity are examined for anomalies. From the perspective of business logic, a business logic matrix is constructed from the logical structure of the normal business process, and the sequence of current business events is checked against it for anomalies. The invention makes up for the deficiencies of traditional security protection measures, detects security problems that traditional technical means cannot find, strengthens internal control of security protection, prevents violations by internal personnel, and forms a strong supplement to and improvement of the existing security protection system.
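The business-logic and business-performance checks described above, as an added example that is not the patent's own implementation. The event names, the 0/1 transition layout of the matrix, and the `min_gap` and `max_repeat` thresholds are assumptions; the protocol-level check is not shown.

```python
# Added illustration: event names, matrix layout and thresholds are assumptions,
# not taken from the patent text.
from collections import Counter

# Constructed traces of the normal business process.
NORMAL_FLOWS = [
    ["login", "query", "approve", "export", "logout"],
    ["login", "query", "query", "logout"],
]

def build_logic_matrix(flows):
    """Return (index, matrix); matrix[i][j] == 1 if event i may be followed by event j."""
    events = sorted({e for f in flows for e in f})
    idx = {e: i for i, e in enumerate(events)}
    matrix = [[0] * len(events) for _ in events]
    for flow in flows:
        for a, b in zip(flow, flow[1:]):
            matrix[idx[a]][idx[b]] = 1
    return idx, matrix

def check_session(events, idx, matrix, min_gap=0.5, max_repeat=3):
    """events: list of (timestamp_seconds, name). Returns (kind, detail) findings."""
    findings = []
    for name, n in Counter(name for _, name in events).items():
        if name not in idx:
            findings.append(("logic", f"unknown event {name}"))
        elif n > max_repeat:  # execution frequency of one step is too high
            findings.append(("performance", f"{name} executed {n} times"))
    for (t0, a), (t1, b) in zip(events, events[1:]):
        # Logic view: is this transition present in the normal process structure?
        if a in idx and b in idx and not matrix[idx[a]][idx[b]]:
            findings.append(("logic", f"{a} -> {b} not in normal flow"))
        # Performance view: is the interval between events implausibly short?
        if t1 - t0 < min_gap:
            findings.append(("performance", f"{a} -> {b} after {t1 - t0:.2f}s"))
    return findings

IDX, MATRIX = build_logic_matrix(NORMAL_FLOWS)

# Constructed sessions: SUSPECT exports without approval, 0.1 s after the query.
SUSPECT = [(0.0, "login"), (2.0, "query"), (2.1, "export"), (5.0, "logout")]
NORMAL = [(0.0, "login"), (3.0, "query"), (8.0, "approve"),
          (12.0, "export"), (15.0, "logout")]

if __name__ == "__main__":
    for kind, detail in check_session(SUSPECT, IDX, MATRIX):
        print(kind, detail)
```
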