The present disclosure discloses a method, device and system for recognizing network behavior of a program. The method comprises: during the program's access to a network, acquiring application layer data in a current network behavior of the program; judging whether the application layer data includes an unknown protocol; if protocols in the application layer data are all known protocols, identifying the current network behavior of the program as a network behavior of a recognizable program; and if the application layer data includes an unknown protocol, identifying the current network behavior of the program as a network behavior of a suspicious program. As such, a accurate recognition of a network behavior of a program is realized, the network behavior of the program including an unknown protocol is identified as a network behavior of a suspicious program, risk prompt information can be sent to a user, and a final selection is performed by the user, thereby solving the problem that conventional solutions for recognizing a network behavior of a program cannot accurately recognize a network behavior of a newly-emerging or new variant program.