A security-state-region-based (SSR-based) model called security-state-region-based evaluation model (SSREM) is proposed, which integrates the assessment based on the attack graph and the evaluation according to criteria together. In the model, the attack result is divided into the change in the attack ability and environment. The cause and effect relationship among them lays a foundation for building mathematic equations. After that, the definition of SSR is proposed, and also curve and surface fitting recurring to Matlab is used to analyze the attack trend, the result of which provides a theoretical basis for the division of SSR and the network security assessment based on SSR. Experiments in the posterior part of the paper show that, the evaluation according to SSREM can reflect how difficult it is to enter into different states through SSR and the tendency coefficient of security state region (TC_SSR), which can be used for reference by quantitative evaluation of network security.