Network intrusion protection system

The invention relates to a network intrusion detection system that is deployed at an important network node, such as a border router, and filters network packets containing malicious intrusion or attack content. The network card of the system is provided with a microprocessor, a network packet parsing program, and a malicious intrusion packet filtering program, which pre-filters malicious network packets according to the header information of each packet. The central processor of the system then parses the content of the remaining packets and judges whether they are malicious according to intrusion behavior definition files. Malicious packets are discarded; packets that are not malicious are forwarded to a computer in the internal local area network.
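
The two-stage flow described above, as an added Python example that is not code from the patent: a header-only pre-filter standing in for the network card, then content inspection standing in for the central processor. The rule values, the signature, the addresses and all function names are constructed assumptions, as is the choice to drop packets that cannot be parsed as IPv4/TCP.

```python
import ipaddress
import struct

# Constructed stage-1 header rules and stage-2 "definition file"; all values hypothetical.
BLOCKED_SOURCES = [ipaddress.ip_network("203.0.113.0/24")]
BLOCKED_DST_PORTS = {23}
SIGNATURES = {"constructed-sig-1": b"EXAMPLE-BAD-PATTERN"}

def parse_ipv4_tcp(packet):
    """Return (src, dst_port, payload) for IPv4/TCP, or None if it cannot be parsed."""
    if len(packet) < 40 or packet[0] >> 4 != 4 or packet[9] != 6:
        return None
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    if ihl < 20 or not ihl + 20 <= total_len <= len(packet):
        return None
    tcp = packet[ihl:total_len]
    data_off = (tcp[12] >> 4) * 4
    if not 20 <= data_off <= len(tcp):
        return None
    return ipaddress.ip_address(packet[12:16]), struct.unpack("!H", tcp[2:4])[0], tcp[data_off:]

def nic_prefilter(packet):
    """Stage 1 (network card): verdict from header fields only, payload untouched."""
    parsed = parse_ipv4_tcp(packet)
    if parsed is None:
        return "drop:unparsed", None  # assumption: fail closed on malformed input
    src, dst_port, payload = parsed
    if any(src in net for net in BLOCKED_SOURCES):
        return "drop:source", None
    if dst_port in BLOCKED_DST_PORTS:
        return "drop:port", None
    return "pass", payload

def cpu_inspect(payload):
    """Stage 2 (central processor): match content against the definition file."""
    hits = [name for name, pat in SIGNATURES.items() if pat in payload]
    return "drop:" + hits[0] if hits else "forward"

def process(packet):
    verdict, payload = nic_prefilter(packet)
    return verdict if verdict != "pass" else cpu_inspect(payload)

def build_packet(src, dst_port, payload):
    """Build a constructed IPv4/TCP packet (checksums left zero) as sample input."""
    tcp = struct.pack("!HHIIBBHHH", 40000, dst_port, 0, 0, 5 << 4, 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     ipaddress.ip_address(src).packed, ipaddress.ip_address("192.0.2.10").packed)
    return ip + tcp
```

Packets rejected at stage 1 never reach `cpu_inspect`, which is the load reduction the design aims for; the trade-off is that header rules alone decide their fate.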