The invention provides an information security monitoring method and system. The method comprises the steps of obtaining traffic information and a message of a device node in a network; carrying out comparison with a network traffic model according to the traffic information and judging whether traffic is abnormal or not; carrying out comparison with a business logic model according to the messageand judging whether an instruction is abnormal or not; acquiring a log of a security device and/or a security system when a traffic abnormity and/or an instruction abnormity exists, thereby judging whether the traffic abnormity and/or instruction abnormity is associated with a security attack behavior or not; and carrying out information security alarm when the traffic abnormity and/or instruction abnormity is associated with the security attack behavior. According to the information security monitoring method and system provided by the invention, through collection, analysis and modeling ofthe traffic and message, a normal business behavior is taken as a reference, an abnormal behavior in operation is identified, moreover, the related log of the security device and/or security system can be connected, and a potential attack can be sensed.