The invention discloses a multi-layer anomaly detection method based on network traffic. The invention is capable of detecting the small traffic attack behavior well with high detection accuracy, andmay adapt to different data sets. The invention comprises: firstly adopting a binary representation of symbol attributes in the data preprocessing stage to eliminate the negative influence of the traditional numerical size on the classification, and raising the attribute set of the data set to a relatively high dimension, so that the subsequent data classification effect is more accurate; then using the dimension reduction method to extract features and reduce the amount of data, so that the running speed is faster and the memory consumption is lower during the subsequent steps; subsequently,using the KNN outlier detection method and genetic algorithm combination method for data selection, so that different types of data are more balanced, each type of data is separated as far as possible, and the classification result is fairer; finally, using the constructed multi-layer classifier, thereby enabling more accurate identification of large-flow attacks and small-flow attacks.