Analysis of attack events based on multi-source alerts
WANG Chunying, ZHANG Xun, ZHAO Jinxiong, YUAN Hui, LI Fangjun, ZHAO Bo, ZHU Xiaoqin, YANG Fan, LYU Shichao
Journal of Computer Applications    2020, 40 (1): 123-128.   DOI: 10.11772/j.issn.1001-9081.2019071229
Abstract: To overcome the difficulty of discovering multi-stage attacks from multi-source alerts, an algorithm for mining attack sequence patterns was proposed. Multi-source alerts were first normalized into a unified format by matching them against regular expressions. Redundant alert information was then compressed, and alerts belonging to the same attack stage were clustered according to an association rule set learned from strong association rules, which removes redundant alerts efficiently and reduces the alert volume. The clustered alerts were next divided by a sliding window into a candidate attack event dataset, and the PrefixSpan pattern mining algorithm was applied to extract the attack sequence patterns of multi-stage attack events. Experimental results show that the proposed algorithm analyzes alert correlation accurately and efficiently and extracts the attack steps of attack events without expert knowledge. Compared with the traditional PrefixSpan algorithm, it improves attack pattern mining efficiency by 48.05%.
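The following Python sketch is an added illustration of the four-stage pipeline the abstract describes (regex normalization, redundancy compression, sliding-window event splitting, PrefixSpan mining); it is not the paper's code. The three sensor formats, the regexes, the sample alert lines, and the thresholds (60 s duplicate window, 600 s event gap, minimum support 2) are all constructed assumptions. The paper's association-rule clustering is not fully specified in the abstract, so it is replaced here by simple time-based duplicate suppression, and its sliding window is approximated by a time-gap split of the ordered alert stream.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample alerts from three hypothetical sensors (snort, waf, hids).
SAMPLE_ALERTS = [
    "2024-03-01T10:00:01 snort [1:2003] PORTSCAN 10.0.0.5 -> 10.0.0.20",
    "2024-03-01T10:00:02 snort [1:2003] PORTSCAN 10.0.0.5 -> 10.0.0.20",  # redundant
    "2024-03-01T10:00:40 waf src=10.0.0.5 dst=10.0.0.20 rule=SQLI",
    "2024-03-01T10:01:30 hids host=10.0.0.20 src=10.0.0.5 event=WEBSHELL",
    "2024-03-01T10:02:00 snort [1:9000] EXFIL 10.0.0.20 -> 203.0.113.7",
    "2024-03-01T11:00:00 snort [1:2003] PORTSCAN 10.0.0.9 -> 10.0.0.21",
    "2024-03-01T11:00:50 waf src=10.0.0.9 dst=10.0.0.21 rule=SQLI",
    "2024-03-01T11:02:10 hids host=10.0.0.21 src=10.0.0.9 event=WEBSHELL",
    "2024-03-01T12:00:00 snort [1:2003] PORTSCAN 10.0.0.7 -> 10.0.0.22",
    "2024-03-01T12:00:01 snort [1:2003] PORTSCAN 10.0.0.7 -> 10.0.0.22",  # redundant
    "2024-03-01T12:01:00 waf src=10.0.0.7 dst=10.0.0.22 rule=SQLI",
    "2024-03-01T12:01:45 hids host=10.0.0.22 src=10.0.0.7 event=WEBSHELL",
    "2024-03-01T12:03:00 snort [1:9000] EXFIL 10.0.0.22 -> 203.0.113.7",
    "2024-03-01T13:00:00 waf src=10.0.0.3 dst=10.0.0.20 rule=SQLI",  # isolated noise
    "not an alert line at all",
]

# One assumed regex per source maps a raw line onto the unified fields ts/src/dst/type.
SOURCE_PATTERNS = [
    re.compile(r"^(?P<ts>\S+) snort \[[\d:]+\] (?P<type>\w+) (?P<src>[\d.]+) -> (?P<dst>[\d.]+)$"),
    re.compile(r"^(?P<ts>\S+) waf src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) rule=(?P<type>\w+)$"),
    re.compile(r"^(?P<ts>\S+) hids host=(?P<dst>[\d.]+) src=(?P<src>[\d.]+) event=(?P<type>\w+)$"),
]


def normalize(lines):
    """Step 1: match each raw line against the per-source regexes; lines that
    match none are dropped. Returns alerts sorted by time (epoch seconds)."""
    alerts = []
    for line in lines:
        for pat in SOURCE_PATTERNS:
            m = pat.match(line)
            if m:
                ts = datetime.fromisoformat(m["ts"]).timestamp()
                alerts.append({"ts": ts, "src": m["src"], "dst": m["dst"], "type": m["type"]})
                break
    return sorted(alerts, key=lambda a: a["ts"])


def compress(alerts, dedup_seconds=60):
    """Step 2 (simplified assumption): suppress an alert that repeats the
    (src, dst, type) of an alert already kept within the last dedup_seconds."""
    kept, last_seen = [], {}
    for a in alerts:
        key = (a["src"], a["dst"], a["type"])
        if key in last_seen and a["ts"] - last_seen[key] < dedup_seconds:
            continue
        last_seen[key] = a["ts"]
        kept.append(a)
    return kept


def candidate_events(alerts, window_seconds=600):
    """Step 3: split the time-ordered stream into candidate attack events; a gap
    larger than window_seconds between consecutive alerts starts a new event.
    Each event is returned as its ordered sequence of alert types."""
    events, current = [], []
    for a in alerts:
        if current and a["ts"] - current[-1]["ts"] > window_seconds:
            events.append([x["type"] for x in current])
            current = []
        current.append(a)
    if current:
        events.append([x["type"] for x in current])
    return events


def prefixspan(sequences, min_support):
    """Step 4: minimal PrefixSpan over sequences of single items. Returns
    {pattern_tuple: support} for every ordered pattern (gaps allowed) that
    occurs in at least min_support sequences."""
    patterns = {}

    def mine(prefix, projected):
        counts = defaultdict(int)
        for seq in projected:
            for item in set(seq):  # count each item once per sequence
                counts[item] += 1
        for item, support in counts.items():
            if support < min_support:
                continue
            new_prefix = prefix + (item,)
            patterns[new_prefix] = support
            # Projected database: the suffix after the first occurrence of item.
            mine(new_prefix, [s[s.index(item) + 1:] for s in projected if item in s])

    mine((), [list(s) for s in sequences])
    return patterns


def mine_attack_patterns(lines, min_support=2):
    """Run the whole pipeline; returns (candidate events, frequent patterns)."""
    events = candidate_events(compress(normalize(lines)))
    return events, prefixspan(events, min_support)


def longest_patterns(patterns):
    """The maximal-length frequent patterns are the recovered multi-stage chains."""
    n = max(len(p) for p in patterns)
    return {p: s for p, s in patterns.items() if len(p) == n}


if __name__ == "__main__":
    events, patterns = mine_attack_patterns(SAMPLE_ALERTS)
    print(len(events), "candidate events")
    for p, s in sorted(patterns.items(), key=lambda kv: (-len(kv[0]), -kv[1])):
        print(s, " -> ".join(p))
```

On the constructed input the pipeline drops the unparseable line and the two repeated scans, splits the twelve remaining alerts into four candidate events, and recovers PORTSCAN -> SQLI -> WEBSHELL -> EXFIL as the only length-four frequent pattern, without any rule describing that chain in advance. The projection step is where real PrefixSpan implementations spend their time on large alert sets, which is the cost the paper's alert compression is meant to cut before mining begins.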