In order to ensure the network communication security of intelligent substation and the substation can run stably. This paper presents a method of abnormal flow analysis based on machine learning K-means clustering algorithm. According to the characteristics of the process level network in the intelligent substation, combined with the message structure analysis of IEC61850 intelligent substation’s proprietary goose and SV protocol, a feature selection method based on information entropy is used to analyze and select the network communication flow in the intelligent substation during normal operation, and K-means clustering algorithm is used to complete the detection and analysis of abnormal flow. In this paper, compared with the previous methods, the characteristics of process layer network flow information of intelligent substation are selected. According to the theory of information entropy, the selection of important features and the elimination of redundant features are completed. It improves the efficiency of clustering algorithm and the accuracy of abnormal flow detection.