LONG Men, XIA Jing-bo, ZHANG Zi-yang. Mining Model of Attacking Mode Based on Log Information[J]. Microelectronics & Computer, 2011, 28(5): 171-175.

Mining Model of Attacking Mode Based on Log Information

Abstract: This paper builds an attack-pattern mining model that analyzes log information by combining an "optimized selection" process with an "elimination" process. The "optimized selection" process applies a sparseness strategy based on the Modified Classical Gram-Schmidt (MCGS) orthogonalization algorithm to recombine the dataset, which improves the efficiency of the Least Squares Support Vector Machine (LS-SVM) classification model. The "elimination" process proposes a modified sliding-window strategy based on correlation detection, which removes false attack events and prevents duplicate attack patterns from recurring in the result set of the "optimized selection" process. Experiments show that the method can efficiently and accurately mine the complex attack patterns present in a network and monitor network security in real time.

     
