In order to analyze intrusion evidences automatically, a layered method for reconstructing intrusion scenario is proposed. It includes 3 main phrases. First, the intruder’s abstract steps and the relationships between them are reconstructed by the alert correlation. Secondly, detailed behaviors of each step are reconstructed based on attack signatures and the OS-Level dependency tracking. Finally, the results are mapped and refined, and a behavior graph is generated. This graph can describe the completed intrusion process. The experiments on DARPA 2000 prove that the results are not only easy to understand, but are also full and accurate. Hence, it is fit to be presented in the court. Compared with current methods, this method shows more advantages. For example, it can process more complex scenarios.