Invention application
- Patent title: Method of analyzing network attack situation
- Patent title (Chinese): Method of analyzing a network attack situation
- Application number: US10938113; Filing date: 2004-09-10
- Publication number: US20050138425A1; Publication date: 2005-06-23
- Inventors: Jin Kim, Soo Lee, Dongyoung Kim, Beom Chang, Jung Na, Sung Sohn, Chee Park
- Applicants: Jin Kim, Soo Lee, Dongyoung Kim, Beom Chang, Jung Na, Sung Sohn, Chee Park
- Priority: KR2003-93100 20031218
- Main classification: H04L12/24
- IPC classification: H04L12/24; H04L9/00; H04L29/06
Abstract:
Provided is a method for analyzing a network attack situation. The method categorizes network intrusion detection alerts into network attack situations, counts the frequency of same-featured intrusion detection alert occurrence for each network attack situation using a counting algorithm based on time slots, and analyzes the network attack situation based on the frequency of same-featured intrusion detection alert occurrence, the rate of same-featured intrusion detection alert occurrence, or an AND/OR combination of them. The network attack situation can be correctly detected in real time while remaining relatively unaffected by the size of the network or the number of intrusion detection alerts that occur.