The invention provides a method for discovering potential or ongoing network threat events on a network, in particular to a threat detection method based on deep protocol analysis. The device is characterized by comprising the following steps: a data packet capture module collects a data packet from the Ethernet; or obtains all the data packets flowing through the network outlet through the port mirror image of the switch; and transmits the obtained original data packet to a protocol identification module, performs IP recombination on the original data packet by the protocol identification module, starts TCP session recombination when it is found that the original data packet has a TCP session identifier, and transmits the recombined network layer data and application layer data to a deepprotocol analysis module. Meanwhile, compared with similar existing methods, the method can analyze most common network protocols, can go deep into the protocols, directly analyzes the loads of the protocols, and is good in adaptability and detection effect.