An apparatus and method for detecting abnormal connection behavior are disclosed. The apparatus for detecting abnormal connection behavior includes a data extraction unit, a data storage unit, and a detection unit. The data extraction unit collects network data transmitted and received over a network including a plurality of hosts, and extracts data required for the detection of abnormal connection behavior from the network data. The data storage unit stores the extracted data required for the detection of abnormal connection behavior. The detection unit detects abnormal connection behavior based on characteristic factors corresponding to the stored data required for the detection of abnormal connection behavior and characteristic factors corresponding to malicious behavior.