
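Basic information:
- Patent title: An anomaly detection method, apparatus and system
- Patent title (English): Exception detection method, apparatus and system
- Application No.: CN200810212005.5 Filing date: 2008-09-09
- Publication No.: CN101360023A Publication date: 2009-02-04
- Inventors: Cui Wei, Gu Lingzhi, Yang Yuqi, Du Huan, Bai Haowen
- Applicant: Chengdu Huawei Symantec Technologies Co., Ltd.
- Applicant address: Qingshuihe Area, West Park, Hi-Tech Zone, Chengdu, Sichuan Province
- Patentee: Chengdu Huawei Symantec Technologies Co., Ltd.
- Current patentee: Chengdu Huawei Symantec Technologies Co., Ltd.
- Current patentee address: Qingshuihe Area, West Park, Hi-Tech Zone, Chengdu, Sichuan Province
- Agency: Beijing Jijia Intellectual Property Agency Co., Ltd.
- Agent: Lu Changming
- Main classification: H04L12/26
- IPC classification: H04L12/26; H04L29/06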
The invention discloses an abnormality detection method, device and system. One embodiment of the method is as follows: monitor the behavior of software accessing the registry; when that behavior belongs to an abnormal behavior feature model and/or does not belong to a normal behavior feature model, determine that the software is malicious software; or, when that behavior does not belong to the abnormal behavior feature model and/or belongs to the normal behavior feature model, determine that the software is normal software. The normal behavior feature model is obtained by modeling normal accesses to the registry, and the abnormal behavior feature model is obtained by modeling abnormal accesses to the registry. Because monitoring the registry occupies few resources and malicious software shares common abnormal access behaviors, new malicious programs can be identified without updating the signature library. The embodiment can therefore detect unknown attacks while occupying few system resources, achieving the aim of defending against malicious attacks.