The invention relates to network safety and aims at providing an attack chain behavior analysis based Trojan horse detection method and system. The attack chain behavior analysis based Trojan horse detection system comprises a DNS domain name anomaly detection module, a Trojan horse incubation behavior anomaly detection module and a Trojan horse communication behavior anomaly detection module andcan perform anomaly detection on three behavior processes, including, a Trojan horse connection process, a Trojan horse incubation process and a Trojan horse communication process, in a Trojan horse permeation attacking process; when the anomaly detection condition of the Trojan horse connection process, the Trojan horse incubation process and the Trojan horse communication process is met, a factthat a Trojan horse is detected is confirmed and the Trojan horse detection is realized. By performing sequential associated analysis on the three Trojan horse behavior processes, including, the Trojan horse connection process, the Trojan horse incubation process and the Trojan horse communication process, the comprehensive and efficient Trojan horse detection method and system are provided respectively based on the behavior features of the three Trojan horse processes, the accuracy of Trojan horse detection is enabled to be higher, and the missing report rate is enabled to be lower.