The invention discloses an APT attack identification and defense method. The method comprises the following steps: 1) acquiring network and system logs and identifying APT attack behaviors; 2) mining attack subjects based on the weblog and determining the attack subjects of different targets; 3) compiling the attack timelines of the attack subjects of different targets and predicting the next attack time of each; and 4) acquiring the attack file types expected by the attack subjects of different targets, generating false files of the same type, and providing those files to the APT attacker according to the predicted next attack time of each attack subject, so as to defend against the APT attack. With this method, the APT attack can be identified, the attack subjects of the APT attack can be mined, the attack timelines can be predicted, a large number of erroneous files can be automatically generated and tampered with to confuse the attacker, the erroneous files can be automatically deleted after the attack timeline has passed, the file content information can be recovered, and the problem of the APT attack can be fundamentally solved.
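Steps 2 to 4 can be sketched as follows. This is an added example, not code from the patent, and it rests on assumptions the abstract does not state: events are already labelled as attack behavior (step 1), an attack subject is a source address paired with a target, the next attack time is the last attack plus the median interval, and the `lead` and `hold` windows are hypothetical parameters.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from statistics import median

# Constructed sample events (documentation addresses):
# (timestamp, source, target, file type requested)
EVENTS = [
    ("2024-03-01T02:00:00", "203.0.113.7", "fileserver", ".docx"),
    ("2024-03-08T02:30:00", "203.0.113.7", "fileserver", ".docx"),
    ("2024-03-15T01:30:00", "203.0.113.7", "fileserver", ".xlsx"),
    ("2024-03-22T02:00:00", "203.0.113.7", "fileserver", ".docx"),
    ("2024-03-02T10:00:00", "198.51.100.9", "mailserver", ".pst"),
    ("2024-03-05T10:00:00", "198.51.100.9", "mailserver", ".pst"),
    ("2024-03-08T10:00:00", "198.51.100.9", "mailserver", ".pst"),
]

def plan_decoys(events, lead=timedelta(hours=1), hold=timedelta(hours=6)):
    """Return one decoy plan per (source, target) attack subject."""
    timelines = defaultdict(list)   # step 3: attack timeline per subject
    wanted = defaultdict(Counter)   # step 4: file types each subject asks for
    for ts, source, target, ftype in events:
        key = (source, target)      # step 2: attack subject per target
        timelines[key].append(datetime.fromisoformat(ts))
        wanted[key][ftype] += 1

    plans = {}
    for key, times in timelines.items():
        times.sort()
        if len(times) < 2:
            continue  # a single observation gives no interval to extrapolate
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        predicted = times[-1] + timedelta(seconds=median(gaps))
        plans[key] = {
            "predicted": predicted,
            "decoy_type": wanted[key].most_common(1)[0][0],
            "deploy_at": predicted - lead,   # place false files before the window
            "remove_at": predicted + hold,   # delete them after the window
        }
    return plans

if __name__ == "__main__":
    for subject, plan in plan_decoys(EVENTS).items():
        print(subject, plan)
```

The median is used so that one irregular gap in the timeline does not shift the predicted window; subjects with a single observed attack get no plan rather than a guessed one.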