Due to using a single point in time for the processing unit, current network alerts information fusion methods cannot adapt to the network attacks with high concealment and long duration. Aiming at this problem, a network alerts depth information fusion method based on time confrontation was proposed. In view of multi-source heterogeneous alerts data flow, firstly, the alerts were collected and saved in a long time window. Then the alerts were clustered using a clustering algorithm based on sliding window. Finally, the alerts were fused by introducing window attenuation factor. The experimental results on real data set show that, compared with Basic-DS and EWDS (Exponential Weight DS), the proposed method has higher True Positive Rate (TPR) and False Positive Rate (FPR) as well as lower Data to Information Rate (DIR) because of longer time window. Actual test and theoretical analysis show that the proposed method is more effective on detecting network attacks, and can satisfy real-time processing with less time delay.

By analyzing and comparing the existing network security situation evaluation methods, it is found that they can not accurately reflect the features of large-scale, coordination, multi-stage gradually shown by network attack behaviors. Therefore, a network security situation evaluation method based on attack pattern recognition was proposed. Firstly, the causal analysis of alarm data in the network was made, and the attack intention and the current attack phase were recognized. Secondly, the situation evaluation based on the attack phase was realized. Lastly the State Transition Diagram (STG) of attack phase was created to realize the forecast of network security situation by combining with vulnerability and configuration information of host. A simulation experiment for the proposed network security situation evaluation model was performed by network examples. With the deepening of the attack phase, the value of network security situation would increase. The experimental results show that the proposed method is more accurate in reflecting the truth of attack, and the method does not need training on the historical sequence, so the method is more effective in situation forecasting.