Research articles

Anomaly traffic detection of database network based on flow statistical features

  • School of Information and Communication Engineering, Beijing University of Posts and Telecommunications, Beijing 100876, China;

Published date: 05 Mar 2010

Abstract

Traditional intrusion detection systems suffer from high false positive and false negative rates. This paper analyzes in depth the differences in statistical features between single-flow and multi-flow traffic on the database network, and presents a group of features that are easy to acquire and can be used to detect anomalies in the database network efficiently. Applying this group of features in the Fisher algorithm for anomaly detection dramatically reduces the false positive and false negative rates. At the same time, the model built with this group of features has low algorithmic complexity, good detection results and strong generalization ability. Experimental results show that constructing the anomaly detection model from both single-flow and multi-flow features yields higher accuracy than using single-flow features alone.

Cite this article

Xinliang WANG, Fang LIU, Luying CHEN, Zhenming LEI. Anomaly traffic detection of database network based on flow statistical features[J]. Frontiers of Electrical and Electronic Engineering, 2010, 5(1): 85-90. DOI: 10.1007/s11460-009-0071-5
