The invention relates to an APT detection method and system based on an invasion route. The APT detection method based on the invasion route comprises the following steps: S1, carrying out knowledge base modeling on an invasion route area; S2, acquiring behavior data, i.e., acquiring host behavior data and acquiring network behavior data; S3, carrying out association analysis on the results obtained through the behavior data acquisition; S4, preserving evidence, i.e., recovering attack risk behaviors for evidence preservation; and S5, presenting the evidence. The APT detection system based on the invasion route comprises an evidence presentation module, a behavior evidence association analysis module, a knowledge base module, an evidence preservation module, and an evidence collection module. The method and system provided by the invention have the following beneficial effects: invasion by an APT attacker is intercepted at the source, so that preventive measures can be taken for the invasion route, and low-cost, highly efficient construction can be achieved; the acquisition process is concealed and totally transparent, so that network loads are avoided; and evidence presentation is easy to use and simple to operate.