Abstract: The advanced persistent threat (APT) is the foremost threat to industrial network security today, and traditional signature-based industrial intrusion detection systems are often unable to detect the latest APT attacks. Existing research holds that theft of sensitive data is one of the important goals of an APT attack. In order to accurately identify the data-stealing behaviour of an APT attack, this paper studies in depth the TCP flow characteristics of the communication between a compromised host and the command and control (C&C) server during the stealing phase, applies deep flow inspection technology, and proposes a multi-feature spatially weighted combined SVM classification detection algorithm to detect abnormal APT session flows. Experiments show that deep flow inspection technology has a good ability to detect hidden APT attacks, and that the multi-feature spatially weighted combined SVM classification detection algorithm achieves higher detection accuracy and a lower false alarm rate than traditional single-classifier detection. The research therefore also contributes to the security of industrial control systems.