The present invention discloses a reverse DNS query attribute aggregation-based exception detection method and system. Reverse DNS query logs of devices are fused, so as to detect abnormal behaviors, such as the frequency of scanning a network segment and spam raging, of the network rapidly. Reverse DNS query record data amount is small, so that device congestion due to a large quantity of logs is avoided, and the device performance is improved. The whole monitor network is controlled globally according to reverse DNS query records of different devices. The reverse DNS query records are content of log information that cannot be controlled by an attacker, the attacker cannot hide the behavior, the recorded content of the log is more reliable, and the activity state of the whole network is reflected more accurately, so that abnormal behaviors in the network environment are better detected.