The invention provides a network intrusion detection method and device. The method comprises the following steps of: according to a current intrusion feature database, performing misuse detection of network data acquired in real time; when the fact that the network data has an intrusion behavior is judged, processing feature value sequences of the network data according to a genetic algorithm, so that various current feature value sequences are obtained; and, calculating adaptation values of the various current feature value sequences, and storing the current feature value sequences, the adaptation values of which are greater than a threshold value, in the current intrusion feature database, wherein the threshold value is obtained by processing at least one training feature value sequence in the current intrusion feature database in advance. By means of the method disclosed by the invention, detection on network flow data is realized; furthermore, crossover and variation of the detected intrusion behavior can be carried out according to the genetic algorithm; furthermore, more intrusion behaviors can be obtained through comparison with the adaptation threshold value; therefore, the intrusion feature database can be continuously updated; and thus, the network intrusion detection accuracy rate can be continuously increased.