It is hard to find out multi-step attack in multi source and heterogeneous network alerting fusion, for solving this problem, put forward dig model based on of frequent altering sequence model. Used dynamic time window to divided alert data, changed the IDS, firewall alerting data into alerting sequence. According to alerting sequence similarity, establish attack sequence set, then used two attack sequence attribute information to judge correlation of attack steps in one attack environment. The test results analysis show that the model can automatically provide the minimum support degree to the users without establishing complex correlation rules and storing experience knowledge, it also can improve correctness of correlation algorithm and successfully find the multi-step attack.