Nowadays, development of network influences and changes our life a lot. People can almost do everything through the network, and this is what we should be aware of. The availability and anonymity of network are convenient to normal users, but also benefit attackers/hackers too. Our research focus on the time and space distribution method that the malicious flows do to avoid detection. Most of the current research focus on single flow/IP, but actually the relationship between flow/IP in time and space dimension are significant. Using suspicious list, blacklist, and malicious traffic behavior with time traceback and space distributed method, we can effectively and efficiently figure out potential inner malicious device.