The invention discloses a Trojan horse communication feature fast extraction method based on network data stream clustering. The method comprises the steps that firstly, a captured network data packet is sorted according to a network conversation, wherein an IP address and a port of a monitoring object serve as a source IP address and a source port, and the data packet is subjected to conversation division according to equivalent tetrads; secondly, data streams are clustered into data stream clusters through a data stream clustering algorithm based on timestamps; lastly, Trojan horse communication features are extracted, wherein the Trojan horse communication features are extracted at the Trojan horse interactive operation stage. According to the Trojan horse communication feature fast extraction method, on the basis of network data stream clustering, the network data streams are processed with clusters as units, the difference between a Trojan horse communication behavior and a normal network communication behavior is analyzed, the difference between the two behaviors is dug deeply and the network communication features are extracted in combination with traditional statistic analysis, correlation analysis and other technologies, the false alarm rate is lowered while the detection rate is guaranteed, and the Trojan horse communication feature fast extraction method can be used for detecting a secret stealing behavior in a network.