The invention discloses a network intrusion detection and active defense linkage control device, comprising a packet forwarding module, a packet mirroring traffic preprocessing module, a linkage control device module, a network behavior detection and analysis module and a traffic database cluster system.The invention combines the traditional network anomaly detection PHAD model method, combines the limited depth detection and analysis to the critical segment of the packet and tries to accurately determine whether the network traffic has the characteristic with attack behavior. On this basis, implement the dynamic intervention through the forwarding rules table of the packet forwarding module to achieve the abnormal data traffic block.The main characteristic of the device is to analyze the attack behavior and reverse control the forwarding behavior. When the abnormal network attack is detected, the data flow can be effectively cut off in real time so as to achieve the active detection attack and the active defense.