Abstract: This paper presents an analysis meathod based on dissimilarity abnormal behavior for network communication identification.With Netflow network management data, we designed concrete steps for implementation, then we can achieve significantly changes on real-time monitoring for realization of abnormal network attacks, emergency traffic anomaly, and phenomenon of network communication behavior rules. This meathod show significantly implement results,and increase network security support service capabilities of ISP.