The invention provides a method and a device for detecting network attack. The method mainly comprises the following steps of: obtaining message from network equipment and analyzing the message; conducting host abnormal detection to the host in a host monitoring list which the message corresponds to according to the preset host statistic indicators on the basis of the analysis result; and carrying out network abnormal detection to the subnetworks which are formed by all the hosts in the host monitoring list. By organically combining the detection method based on the host statistic indicators of the host with the method based on the network statistic indicators, according to the abnormal detail conditions, the inveniton analyzes the message data which is stored in real time, and can effectively detect various attack behaviors on the conditon of limited system resources.