The invention discloses a method, device and system for network intrusion detection. The method comprises the following steps: when a switch transmits data to an internal computer, backup data of the data is acquired from the switch, and system log information of the internal computer is acquired from the internal computer; and the system log information of the internal computer and the backup data are detected whether an intrusion event exists therein. According to the embodiment of the invention, the system log information of the internal computer and the network data are comprehensively utilized to carry out the network intrusion detection, and the accuracy and comprehensiveness of the network intrusion detection are improved. At the same time, according to the embodiment of the invention, the network intrusion detection method changes a convention method which progresses from the detection to the data transmission, and the network intrusion detection is realized while the timely transmission of the network data to the internal computer is ensure.