Abstract:
Current network information security monitoring and protection work relies mostly on security equipment that inspects the characteristic values of access requests. This model has shortcomings: the feature library lags behind new threats and its coverage is insufficient. This paper proposes an IP-profiling and anomaly-detection algorithm based on traffic big data. It extracts and analyzes the raw data of network access traffic, covers the monitoring of every type of device in the network segment, and, through IP profiles and clustering algorithms, provides detection of unknown threats and a proactive protection strategy. The paper uses the intranet boundary traffic of a power supply company as its data set and effectively identifies abnormally accessing devices. Cross-validation of the algorithm and on-site inspection of the devices confirm agreement with the actual situation and verify the validity of the algorithm.
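The IP-profile-plus-clustering idea in the abstract, as an added illustration that is not the paper's code: per-source-IP profiles are built from constructed flow records, min-max scaled, clustered with a small k-means pass, and members of undersized clusters are reported as anomalous devices. The flow tuples, feature choice, `k` and `min_cluster` values are assumptions for the example.

```python
"""Added example (not from the paper): per-IP profiles from flow records,
then outlier detection with a tiny stdlib-only k-means."""
from collections import defaultdict
from math import sqrt

# Constructed flow records (src_ip, dst_ip, dst_port, bytes); hypothetical data.
# Three hosts behave alike; one touches many hosts/ports with tiny payloads.
FLOWS = [
    ("10.1.0.11", "10.2.0.5", 443, 1200), ("10.1.0.11", "10.2.0.5", 443, 900),
    ("10.1.0.12", "10.2.0.5", 443, 1100), ("10.1.0.12", "10.2.0.7", 80, 700),
    ("10.1.0.13", "10.2.0.5", 443, 1000), ("10.1.0.13", "10.2.0.7", 80, 800),
] + [("10.1.0.99", f"10.2.0.{h}", p, 60) for h in range(1, 21) for p in (22, 445)]

def build_profiles(flows):
    """Per-source-IP profile: (flow count, distinct dst hosts, distinct dst ports, mean bytes)."""
    acc = defaultdict(lambda: {"n": 0, "hosts": set(), "ports": set(), "bytes": 0})
    for src, dst, port, nbytes in flows:
        p = acc[src]
        p["n"] += 1; p["hosts"].add(dst); p["ports"].add(port); p["bytes"] += nbytes
    return {ip: (p["n"], len(p["hosts"]), len(p["ports"]), p["bytes"] / p["n"])
            for ip, p in acc.items()}

def _scale(vectors):
    """Min-max scale each feature so no single feature dominates the distance."""
    cols = list(zip(*vectors))
    lo, hi = [min(c) for c in cols], [max(c) for c in cols]
    return [tuple((v - l) / (h - l) if h > l else 0.0 for v, l, h in zip(vec, lo, hi))
            for vec in vectors]

def _dist(a, b):
    return sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))

def detect_anomalies(profiles, k=2, min_cluster=2, rounds=10):
    """k-means with deterministic farthest-point seeding; IPs that land in a
    cluster smaller than min_cluster are reported as anomalous devices."""
    ips = sorted(profiles)
    X = _scale([profiles[ip] for ip in ips])
    k = min(k, len(X))
    centroids = [X[0]]
    while len(centroids) < k:
        centroids.append(max(X, key=lambda x: min(_dist(x, c) for c in centroids)))
    labels = [0] * len(X)
    for _ in range(rounds):
        labels = [min(range(k), key=lambda j: _dist(x, centroids[j])) for x in X]
        for j in range(k):
            members = [x for x, l in zip(X, labels) if l == j]
            if members:
                centroids[j] = tuple(sum(col) / len(members) for col in zip(*members))
    sizes = {j: labels.count(j) for j in range(k)}
    return sorted(ip for ip, l in zip(ips, labels) if sizes[l] < min_cluster)
```

On real boundary traffic the same profile features would be computed per time window, and the cluster-size rule would be replaced or complemented by a distance-to-centroid threshold tuned on known-good devices.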