Abstract:
An alert correlation model based on sequential pattern mining is presented for the analysis of intrusion alerts. Alerts are first filtered and merged using network information and a similarity membership function. In the alert correlation module, an incremental sequential-pattern mining algorithm based on WINEPI is employed to mine correlation rules, so that the rule database can grow without re-mining from scratch. The online correlation module matches the mined rules against incoming alerts and constructs attack scenarios. Experiments on the 2000 Defense Advanced Research Projects Agency (DARPA) intrusion detection scenario-specific datasets indicate that the proposed alert correlation model improves the performance of an intrusion detection system (IDS) efficiently.
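As an added illustration of the correlation module described in the abstract (example code, not the paper's implementation), the following Python mines frequent serial episodes from a constructed alert stream with a WINEPI sliding window, derives episode rules with a confidence threshold, and then uses those rules online to group alerts into attack scenarios. The alert type names, the window width of 10 seconds, and the support and confidence thresholds are assumptions; the preprocessing step (filtering and merging) and the incremental update of the rule database are not shown.

```python
"""WINEPI-style serial-episode mining over an IDS alert stream, followed by rule
matching that stitches alerts into attack scenarios. Added illustration, not the
paper's implementation: alert filtering/merging and the incremental update of the
rule database are omitted."""
from itertools import product

# Constructed alert stream, (time in seconds, alert type): two complete
# sadmind-style sessions, one aborted at the probe, one lacking reconnaissance.
ALERTS = [
    (0, "ICMP_SWEEP"), (3, "SADMIND_PROBE"), (6, "SADMIND_BOF"), (8, "RSH_LOGIN"),
    (20, "ICMP_SWEEP"), (23, "SADMIND_PROBE"), (26, "SADMIND_BOF"), (28, "RSH_LOGIN"),
    (40, "ICMP_SWEEP"), (44, "SADMIND_PROBE"),
    (60, "SADMIND_BOF"), (62, "RSH_LOGIN"),
]


def windows(alerts, w):
    """Type sequence inside each integer-start window [s, s+w), from the first
    window that contains the first alert to the last that contains the last."""
    ts = sorted(alerts)
    first, last = ts[0][0], ts[-1][0]
    return [[a for t, a in ts if s <= t < s + w] for s in range(first - w + 1, last + 1)]


def contains(seq, episode):
    """A serial episode occurs in a window if its events appear there in order."""
    i = 0
    for a in seq:
        if i < len(episode) and a == episode[i]:
            i += 1
    return i == len(episode)


def mine_episodes(alerts, w, min_freq, max_len=4):
    """Level-wise WINEPI. An episode's frequency is the fraction of windows that
    contain it. Returns ({episode: window_count}, number_of_windows)."""
    wins = windows(alerts, w)
    n = len(wins)

    def count(ep):
        return sum(contains(win, ep) for win in wins)

    level = {(a,): c for a in {a for _, a in alerts} if (c := count((a,))) >= min_freq * n}
    frequent = dict(level)
    while level and len(next(iter(level))) < max_len:
        # Apriori-style join: (x, y, z) is a candidate only if (x, y) and (y, z) are frequent
        cands = {e1 + (e2[-1],) for e1, e2 in product(level, level) if e1[1:] == e2[:-1]}
        level = {c: k for c in cands if (k := count(c)) >= min_freq * n}
        frequent.update(level)
    return frequent, n


def mine_rules(counts, min_conf):
    """Episode rules prefix -> episode, confidence = count(episode) / count(prefix).
    Every prefix of a frequent episode is itself frequent, so the lookup is safe."""
    rules = {}
    for ep, c in counts.items():
        for k in range(1, len(ep)):
            conf = c / counts[ep[:k]]
            if conf >= min_conf:
                rules[(ep[:k], ep)] = conf
    return rules


def build_scenarios(alerts, rules, w):
    """Online correlation: an alert joins an open scenario when some rule extends a
    suffix of that scenario's alert types by exactly this alert type, and the
    alert arrives within w seconds of the scenario's last alert; otherwise it
    opens a new scenario."""
    scenarios = []
    for t, a in sorted(alerts):
        for sc in scenarios:
            types = tuple(x for _, x in sc)
            if t - sc[-1][0] < w and any(
                types[-len(ante):] == ante and ep == ante + (a,) for ante, ep in rules
            ):
                sc.append((t, a))
                break
        else:
            scenarios.append([(t, a)])
    return scenarios


if __name__ == "__main__":
    counts, n = mine_episodes(ALERTS, w=10, min_freq=0.1)
    rules = mine_rules(counts, min_conf=0.35)
    for (ante, ep), conf in sorted(rules.items()):
        print(f"{ante} -> {ep}  conf={conf:.2f}")
    for sc in build_scenarios(ALERTS, rules, w=10):
        print("scenario:", [a for _, a in sc])
```

On the constructed stream the full four-step chain is not frequent at a 10-second window (only two windows per session hold all four alerts), but the two- and three-step rules are, and chaining them online is enough to rebuild each complete session as one scenario while the aborted probe and the session without reconnaissance stay separate. Thresholds matter: the aborted session drives the confidence of PROBE -> BOF below 0.5, which is exactly the kind of rule a practitioner would inspect before trusting it.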