当前合作攻击，多步攻击日益复杂、泛滥，为了揭示网络结构、系统配置、攻击、漏洞、攻击警报之间的逻辑关系，我们建立基于动态描述逻辑（DDL）的计算机安全领域的本体知识库，采用不同的挖掘算法挖掘攻击模板和攻击关键子图，并查找序列攻击、合作攻击，再现和预测攻击过程，降低警报率。首先建立安全领域本体的DDL的知识表达模型，结合专业词典、WordNet语料库、漏洞库、警报库等分类建立本体和安全知识的映射，初步建立领域本体；其次采用自然语言（NLP）分析语料，在爬行规则的指导下，采用主题爬虫获取的攻击、漏洞知识，抽取其中的本体，通过相似查询，迭代地完善和重构基于语义的领域本体库；在此基础上，采用序列挖掘和子图挖掘的算法，建立本体之间的逻辑关系视图，挖掘漏洞、攻击、系统配置之间的关联关系，构建攻击模板库，抽攻击关键子图；结合警报和系统漏洞，利用DDL的推理规则，建立分层警报关联算法，验证算法的有效性。

Currently, cooperative attacks, Multi-step attacks have become rampant and complicated. In order to reveal the logical relationships among the network architectures, system configuration, attacks behaviours,vulnerabilities, and attacks alerts, this research constructs domain Ontology database of computer security based on dynamic description logic(DDL), adopts different mining algorithms to mining serial attacks template and key subgraph of attacks graph, finds out multi-step and cooperative attacks, reconstructs the attack scenario , predicts next attack, and reduces the false positive rate. Firstly the research constructs DDL knowledge presentation model of ontology in security domain, adopts natureal language process softerware to analysis semantics and lexical, labels out smantics and compute information content(IC); Under the guides of the domain dictionary, Wordnet database, vulnerability database and snort alert rules, this research maps the security domain acknowledges to different ontology and builds preliminary domain ontology. Secondly, under rules of crawler, smart crawlers get knowledges of attacks and vulnerabilities, transform them into structure knowledges based on XML, and parse ontologies. By search similarity ontologies, this research improves and reconstructs the security ontology database iteratively. Thirdly, the research uses the serial and subgraph mining algorithms to make the logical relationship views between the Ontologies, which can mine out the relationships among the vulnerabilities, attacks and system configurations, construct the attack sequences. Lastly, combining with attacks alerts and vulnerabilities, the research adopts the reason rules of description logic to construct the layered alert correlation algorithm of addresses to verify the algorithm's efficiency in removing false positives and re-construction attack scenarios.