Abstract:
With the wide application of information and communication technology in power industrial control systems, the risk of network attacks on these systems is increasing. Information transmission and interaction in a power industrial control system are carried by the flow data of its communication protocols, and the application-layer messages of industrial data are at risk of being stolen or tampered with in transit. Taking the IEC 60870-5-104 protocol as an example, this paper analyzes the protocol's vulnerabilities and, on that basis, proposes a method based on protocol characteristics for detecting abnormal behavior in power industrial control flows. First, the application-layer messages of the power industrial control flow are extracted and analyzed, and a normal behavior model of the flow is established from message field characteristics and typical power business characteristics. Second, according to the normal behavior model, single-field anomaly verification, multi-field coupling logic verification, frame-to-frame timing logic verification, and frame-to-frame context exception verification are performed on the flow data to identify abnormal flow behaviors. Finally, simulation results on an actual flow data set from a 220 kV substation show that the accuracy of the proposed method in detecting typical abnormal behaviors is about 99.98%; the method can effectively identify abnormal flow behavior in power industrial control systems and improve the security of the power system.
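As an added illustration (not the paper's implementation), the Python example below applies three of the verification stages named above to IEC 60870-5-104 APDUs: single-field checks, type ID / cause-of-transmission coupling, and frame-to-frame sequence checks on one station's output. Field offsets follow the standard frame layout; the `ALLOWED_COT` whitelist, the anomaly labels, the function names and the sample frames are assumptions constructed for this example.

```python
import struct

U_CODES = {0x07, 0x0B, 0x13, 0x23, 0x43, 0x83}  # STARTDT/STOPDT/TESTFR act and con
# Constructed whitelist (assumption): type ID -> causes of transmission accepted with it
ALLOWED_COT = {1: {2, 3, 5, 11, 12, 20}, 45: {6, 7, 8, 9, 10}, 100: {6, 7, 8, 9, 10}}

def check_apdu(frame):
    """Single-field and multi-field checks; returns (kind, send_seq, anomalies)."""
    if len(frame) < 6 or frame[0] != 0x68:
        return "invalid", None, ["start_byte"]
    cf1, bad = frame[2], []
    if frame[1] != len(frame) - 2 or frame[1] > 253:
        bad.append("length")
    if cf1 & 0x03 == 0x03:  # U-format: known function code, remaining octets zero
        if cf1 not in U_CODES or frame[3:] != b"\x00\x00\x00":
            bad.append("u_function")
        return "U", None, bad
    if cf1 & 0x03 == 0x01:  # S-format: APCI only, no ASDU
        return "S", None, bad + (["s_length"] if len(frame) != 6 else [])
    send_seq = struct.unpack_from("<H", frame, 2)[0] >> 1  # I-format: bit 0 clear
    if len(frame) < 12:
        return "I", send_seq, bad + ["asdu_truncated"]
    type_id, cot = frame[6], frame[8] & 0x3F  # cause is the low 6 bits of the COT octet
    if cot not in ALLOWED_COT.get(type_id, ()):
        bad.append("type_cot_coupling" if type_id in ALLOWED_COT else "type_id")
    return "I", send_seq, bad

def check_stream(frames):
    """Frame-to-frame checks: I-frames only after STARTDT con, send sequence +1."""
    started, expected, report = False, 0, []
    for i, f in enumerate(frames):
        kind, seq, bad = check_apdu(f)
        if kind == "U" and f[2] in (0x0B, 0x23):
            started = f[2] == 0x0B  # STARTDT con opens transfer, STOPDT con closes it
        elif kind == "I":
            if not started:
                bad.append("i_before_startdt")
            if seq != expected:
                bad.append("send_seq_gap")
            expected = (seq + 1) % 32768  # 15-bit sequence counter
        if bad:
            report.append((i, bad))
    return report

def i_frame(seq, type_id, cot):  # constructed sample: one object, IOA 1, value 0
    asdu = bytes([type_id, 1, cot, 0, 1, 0, 1, 0, 0, 0])
    return bytes([0x68, 14]) + struct.pack("<HH", seq << 1, 0) + asdu

SAMPLE = [bytes.fromhex("68040b000000"), i_frame(0, 1, 3), i_frame(1, 1, 6),
          i_frame(3, 45, 7), bytes.fromhex("68040f000000")]
```

Calling `check_stream(SAMPLE)` reports the monitoring type sent with an activation cause, the skipped send sequence number, and the undefined U-format function code, while the well-formed frames pass.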