Based on the network intrusion detection and alarm method, the IDS alarm information attributes include time stamp, source IP, destination IP, port number, attack type and detector ID, and determine the following basic elements; 1) node and service; 2) node value and service value ;3) node security degree; 4) alarm reliability; 5) alarm risk; The evaluation of the alarm information also needs to evaluate the environmental matching degree of the alarm information, so its algorithm is still multi-layered; 6-1), calculate the environmental matching degree according to the matching degree of known environmental factors; 6-2), use and The method of calculating the matching degree of the environment is the same method to calculate the credibility and danger level and the final alarm threat level; the state of the attack type credibility is divided into three types: high, medium and low, and the values are 1, 0.6, and 0.2 respectively. , the state of the correlation attack is respectively set to three states of strong correlation, weak correlation and no correlation.