Computer Science ›› 2010, Vol. 37 ›› Issue (11): 64-69.


Network Security Situation Element Extraction Method Based on DSimC and EWDS

LAI Ji-bao, WANG Hui-qiang, ZHENG Feng-bin, FENG Guang-sheng

  • Online:2018-12-01 Published:2018-12-01

Abstract: To fuse multi-source heterogeneous security information and extract security element information about the whole network, a network security situation element extraction method based on Dissimilarity Computing (DSimC) and Exponentially Weighted DS Evidence Theory (EWDS) was proposed. The method is divided into two phases: multi-source alert clustering and alert fusion. First, a multi-source alert clustering method was put forward that computes the dissimilarity of different alert characteristics to judge the dissimilarity among alerts. Then a multi-source alert fusion method based on EWDS was proposed that fuses different sources to identify intrusion attack behaviors. Experimental results indicate that the proposed method does well in True Positive Rate (TPR), False Positive Rate (FPR) and Data to Information Rate (DIR), remarkably reduces the number of alerts and enhances detection performance, and supplies data sources for network security situation evaluation and situation prediction.

Key words: Network security situation, Element extraction, Dissimilarity computing, Exponentially weighted DS evidence theory
