Abstract: Provided are an apparatus and method for blocking a zombie behavior process. The apparatus includes a security policy storage configured to store zombie-behavior-type-specific traffic characteristics and security policies, a traffic monitor configured to monitor traffic generated on the computer and detect abnormal traffic exceeding a predetermined reference value, a process and traffic analyzer configured to find an abnormal process causing the abnormal traffic and detect a zombie behavior type associated with the abnormal process by analyzing the abnormal traffic on the basis of the zombie-behavior-type-specific traffic characteristics stored in the security policy storage, and a process handler configured to handle the process whose zombie behavior type has been detected according to a security policy defined for the detected zombie behavior type.