The invention provides a detecting party and a device of a sequence attack, wherein the method comprises the following steps of: acquiring data in an industrial control system in real time; Whether the observed quantity is abnormal or not is judged according to the observed quantity change information of the operation interval for the observed quantity obtained after the first operation instruction is obtained. For an operation instruction obtained after the first operation instruction is obtained, obtaining a history operation instruction sequence of a certain length, calculating a jump probability of jumping from the history operation instruction sequence to the current operation instruction according to the detection model, judging whether the operation instruction is abnormal accordingto the jump probability, and detecting whether the observation quantity change information when the operation instruction is executed is abnormal. The embodiment of the invention effectively solves the problems that the operation sequence cannot be detected and the detection failure is caused by the false control flow data, improves the accuracy of the sequence attack detection, and realizes theintrusion detection of the whole operation flow.