Abstract: Real-time anomaly detection has been a prominent topic in network security research in recent years. Based on the statistical characteristics of traffic in a large-scale network, this paper identifies stable metrics that can be used to estimate network behavior and presents a sampling measurement model. Using the central limit theorem and hypothesis testing, a real-time detection model for anomalous network traffic behavior is built. Finally, a network behavior metric based on the ratio of ICMP request packets to reply packets is defined, and ICMP scan attacks in the CERNET network are monitored in real time. The method and ideas of this model offer some guidance for other network security detection research.
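
The following sketch is an added illustration, not code from the paper: it shows one way a central-limit-theorem hypothesis test on the ICMP request/reply ratio could be implemented. The one-sided z-test, the significance level, the class name `IcmpRatioDetector` and all packet counts are assumptions constructed for this example.

```python
import math
from statistics import NormalDist, mean, stdev

def ratio(requests, replies):
    """ICMP echo request/reply ratio for one sampling interval."""
    return requests / max(replies, 1)  # guard against an interval with no replies

class IcmpRatioDetector:
    """Hypothetical detector: H0 says the mean ratio equals the baseline mean."""

    def __init__(self, baseline, alpha=0.001):
        ratios = [ratio(q, p) for q, p in baseline]
        if len(ratios) < 2:
            raise ValueError("need at least two baseline intervals")
        self.mu = mean(ratios)        # steady-state value of the metric
        self.sigma = stdev(ratios)    # its spread across baseline intervals
        if self.sigma == 0:
            raise ValueError("baseline has zero variance")
        # One-sided critical value: a scan raises requests relative to replies.
        self.z_crit = NormalDist().inv_cdf(1 - alpha)

    def z_score(self, window):
        # By the central limit theorem, the mean of n sampled ratios is
        # approximately normal with mean mu and std sigma / sqrt(n).
        n = len(window)
        xbar = mean(ratio(q, p) for q, p in window)
        return (xbar - self.mu) / (self.sigma / math.sqrt(n))

    def is_anomalous(self, window):
        return self.z_score(window) > self.z_crit

# Constructed (requests, replies) counts per sampling interval.
BASELINE = [(1020, 1000), (980, 950), (1100, 1050), (1005, 990), (950, 940),
            (1200, 1150), (1010, 1000), (990, 960), (1060, 1020), (1030, 1010)]
NORMAL_WINDOW = [(1015, 995), (1040, 1010), (970, 950), (1080, 1050)]
# Constructed scan-like window: many requests to hosts that never reply.
SCAN_WINDOW = [(3000, 1000), (4200, 1020), (3900, 980), (5100, 1010)]

if __name__ == "__main__":
    det = IcmpRatioDetector(BASELINE)
    for name, win in (("normal", NORMAL_WINDOW), ("scan", SCAN_WINDOW)):
        print(f"{name}: z={det.z_score(win):.2f} alarm={det.is_anomalous(win)}")
```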