The invention provides a method and device for detecting unstructured P2P botnets based on SAW community discovery. The method comprises the following steps: step 1, converting original traffic data in pcap format into flow data in NetFlow format; step 2, converting the NetFlow-format flow data into five-tuple (quintuple) cluster flows using the Flink big data platform, and filtering the five-tuple cluster flows to obtain P2P (peer-to-peer) clusters; step 3, calculating the weights of shared neighbor nodes among the P2P clusters using the Jaccard coefficient, and constructing a shared neighbor graph; step 4, using SAW to visit each vertex in the shared neighbor graph, generating a vertex matrix between the vertices, applying principal component analysis (PCA) to reduce the dimensionality of the vertex matrix, calculating the Bray-Curtis dissimilarity, using hierarchical clustering to calculate node similarity, and performing community mining, thereby clustering P2P nodes of the same kind; and step 5, classifying the clustering results using community attributes and filtering out the botnet.
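The shared neighbor graph of step 3 can be sketched as follows. This is an added example, not code from the patent. It assumes each P2P cluster is represented by a source host together with the set of peers it contacted, and the `min_weight` cut-off, the function names and the sample flows are all constructed for illustration.

```python
from itertools import combinations

# Constructed sample flows (source host, contacted peer); not data from the page.
# Repeated pairs stand for multiple flows between the same two endpoints.
FLOWS = [
    ("10.0.0.1", "198.51.100.1"), ("10.0.0.1", "198.51.100.2"),
    ("10.0.0.1", "198.51.100.3"), ("10.0.0.1", "198.51.100.2"),
    ("10.0.0.2", "198.51.100.2"), ("10.0.0.2", "198.51.100.3"),
    ("10.0.0.2", "198.51.100.4"),
    ("10.0.0.3", "198.51.100.3"), ("10.0.0.3", "203.0.113.7"),
    ("10.0.0.3", "203.0.113.8"), ("10.0.0.3", "203.0.113.9"),
]

def contact_sets(flows):
    """Map each source host to the set of distinct peers it contacted."""
    peers = {}
    for src, dst in flows:
        peers.setdefault(src, set()).add(dst)
    return peers

def jaccard(a, b):
    """Jaccard coefficient |a & b| / |a | b|; 0.0 when both sets are empty."""
    union = a | b
    return len(a & b) / len(union) if union else 0.0

def shared_neighbor_graph(flows, min_weight=0.0):
    """Return {(host_u, host_v): weight} for host pairs whose contact sets
    overlap with a Jaccard weight strictly above min_weight (assumed cut-off)."""
    peers = contact_sets(flows)
    graph = {}
    for u, v in combinations(sorted(peers), 2):
        weight = jaccard(peers[u], peers[v])
        if weight > min_weight:
            graph[(u, v)] = weight
    return graph

if __name__ == "__main__":
    for edge, weight in shared_neighbor_graph(FLOWS, min_weight=0.2).items():
        print(edge, round(weight, 3))
```

Hosts that share many peers end up joined by heavy edges, which is the structure the community mining in step 4 then operates on.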