A method and device for intrusion detection are provided. The method comprises: allocating one or more detection units for each type of network attack event to detect and configuring the type of object to detect of this type of network attack event, a detection operator and a detection knowledge base; in intrusion detection, acquiring network data packets in real time and acquiring the objects to detect included therein; then corresponding detection units performing intrusion detection according to the detection operators and detection knowledge bases configured, so as to generate network attack alarm events. The intrusion detection device comprises sequentially connected data pre-processing unit, data distribution unit and detection grid including one or more detection units, and a configuration management unit connected with them. The present invention supports accurate detection of various complex network attack events and considers the execution efficiency of the entire intrusion detection device.