The invention discloses a serial dispersed hidden threat intrusion attack detection method and system, and the method comprises the steps: detecting the unknown abnormal flow in the network flow through the research on an extensible application recognition technology and a hidden threat analysis detection technology. According to the extensible application identification technology, on the basis of a deep packet detection technology, the category of application layer identification is extended, different applications are evaluated from various dimensions, more information in network traffic ismined, and the deep application layer identification capability is provided. The distributed hidden intrusion threat analysis system is deployed in a network in a gateway mode, a series mode or a bypass mode, collects and analyzes the current network flow, timely finds an activity trace of a malicious file at the boundary of the network, and provides real-time security alarm, threat positioning and execution actions.