The invention discloses a Trojan horse detection method and system, wherein the Trojan horse detection method comprises the following steps: S1, acquiring network flow data; S2, grouping the network flow data according to ip pairs; S3, respectively aggregating data packets in the same group of ip pairs into one or more clusters; S4, aggregating the clusters aggregated by the data packets in the same group of ip pairs into one or more types; S5, standardizing a time sequence corresponding to each type, wherein the time sequence is composed of the clusters in the types at intervals; S6, respectively calculating the time sequence statistic of the standardized time sequences; and S7, screening out a time sequence, the time sequence statistic of which is not in a first threshold value range, as a Trojan horse sequence, and outputting the ip of the Trojan horse. According to the invention, the disadvantage that the current Trojan horse detection is incorrect can be made up; periodic Trojan horse heartbeat behaviours possibly existing in the network flow can be effectively identified from the perspectives of multiple dimensions and multiple variables; and the Trojan horse sequence and the ip of the Trojan horse can be detected objectively and accurately.