At present, the Source-Grid-Load Friendly Coordination System is relatively weak in dealing with professional, organized, complex attacks. To address this security problem, this paper designs an anomaly monitoring framework for the Source-Grid-Load Friendly Coordination System, which includes network communication anomaly monitoring and Source-Grid-Load interactive terminal anomaly monitoring. For network communication anomaly monitoring, a rule-matching method is used to identify anomalous events in sensitive business operations, detecting business command exceptions by analyzing the business command features of the system. For Source-Grid-Load interactive terminal anomaly monitoring, a security-policy-based method is used to monitor the anomalous status of the terminal by matching malicious behavior in real time.