In this paper, an anomaly detection method is proposed based on the summary data structure—sketch. It records the network traffic information in sketch online and detects anomalies at every circle. After using EWMA forecasting model to get each circle’s forecast sketch, this paper computes the errors between the recoded sketch and forecast sketch. Then, the network traffic change reference is constructed by establishing the Mean-Standard deviation model on the error sketch. The method is effective in detecting DDOS attack, scan attack and so on. Particularly, it can track the IP address of anomaly. Evaluated by the experiment, this method can detect anomaly in the backbone network with small computing and memory resource.