The embodiment of the invention discloses an attack detection method and device. The method comprises the following steps: collecting flow data passing through a firewall in a network; performing attack detection on the flow data passing through the firewall to obtain flow data with aggressivity; and updating original aggressivity features corresponding to the firewall according to the flow data with aggressivity to obtain updated aggressivity features, applying the updated aggressivity features to the firewall, and performing the attack detection on the passing flow data. As the flow data with aggressivity passing through the firewall are not detected by the firewall previously, the original aggressivity features of the firewall are updated according to the flow data with aggressivity, so that the firewall generates defense ability to the attack behaviors that are not detected previously in time, the firewall can perform the attack detection on the passing flow data by using the updated aggressivity features, and thus the network security is improved.