Method, apparatus and system for detecting abnormality of DNS (domain name system) query flow

The invention relates to a method, an apparatus and a system for detecting the abnormality of DNS query flow, which belong to the technical field of Internet. The detection method comprises the following steps of: respectively counting DNS query flows of regions according to the pre-divided region units; respectively determining the covariance matrixes corresponding to a plurality of time slices according to DNS query flows of regions; respectively calculating the matrix relevance variation value between the covariance matrixes corresponding to the plurality of time slices and the average covariance matrix; and outputting the instantaneous alarm information when the matrix relevance variation value between the covariance matrixes corresponding to any time slices and the average covariancematrix is greater than the first predetermined value for indicating that the DNS query flow of any time slices is abnormal. The invention is beneficial to reducing the loss of abnormality of DNS query flow.