Research in network security, network intrusion detection is always the threat of academic research focus. With the development of network attacks are becoming more frequent, the means increasing complexity. For large-scale network intrusion detection, this paper presents a behavior through the alert log analysis, associated content, matching, fusion, and ultimately determine the method of attack paths. First, a warning association algorithm, by improving the classical algorithm Apriori, greatly improves the efficiency. At the same time, a behavior pattern matching algorithm proposed, the information collected by the alert, and threatening behavior to match the template sequence, and through the right path value, and ultimately determines the path of the network threats. And for the overall algorithm flow, proposed complete threat detection system architecture.