Modeling and Analysis Method for Network Attacks Based on Process Mining and Trace Clustering

    Abstract:

Objective: To address the difficulty of analyzing the large number of alert messages issued by network intrusion detection systems, a method for modeling and analyzing network attack alerts based on process mining and trace clustering was proposed, which builds and simplifies a network attack model from network security log information. Methods: The method used process mining to analyze the attacker behavior and the attack methods contained in alert messages, and presented the attack information to network administrators as a high-level visual model. Behavioral relationships among log activities were analyzed with frequent-sequence-pattern-based trace clustering: frequent sequence patterns of activities were extracted, traces were matched against those patterns, and similar traces were clustered into one class, decomposing the complex network attack alert model of a log L into simple, intuitive sub-models of multiple sub-logs. Results: Simulation experiments indicated that the proposed method yielded network attack models with good precision, fitness and F1 score. For complex attack models, trace clustering generated multiple low-complexity models, effectively reducing their complexity. Conclusion: With process mining and trace clustering, this network attack modeling method reflects the intrusion strategies of network attackers more effectively than traditional modeling and analysis methods, and effectively reduces the complexity of complex attack models.
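The frequent-sequence-pattern trace clustering described in the Methods, as an added illustration in Python (not the paper's code, data or metrics): constructed alert traces are mined for contiguous activity sub-sequences with a minimum support, each trace is assigned to the cluster of the most frequent pattern it contains, and the number of directly-follows arcs (an assumed complexity proxy) is compared between the whole log and each sub-log.

```python
from collections import Counter

# Constructed alert-log traces (sample data, not the paper's): one trace per attacker session.
TRACES = [
    ["PortScan", "SSHBrute", "SSHLogin", "PrivEsc", "Exfil"],
    ["PortScan", "SSHBrute", "SSHLogin", "Exfil"],
    ["PortScan", "SSHBrute", "SSHLogin", "PrivEsc"],
    ["WebScan", "SQLi", "WebShell", "Exfil"],
    ["WebScan", "SQLi", "WebShell", "PrivEsc", "Exfil"],
    ["WebScan", "SQLi", "WebShell"],
    ["DNSAnomaly", "Exfil"],
]

def contains(trace, pattern):
    """True if pattern occurs as a contiguous sub-sequence of trace."""
    n = len(pattern)
    return any(tuple(trace[i:i + n]) == pattern for i in range(len(trace) - n + 1))

def frequent_patterns(traces, min_support=2, max_len=3):
    """Contiguous sub-sequences (length 2..max_len) present in >= min_support traces (support counts traces, not occurrences)."""
    support = Counter()
    for trace in traces:
        support.update({tuple(trace[i:i + n]) for n in range(2, max_len + 1)
                        for i in range(len(trace) - n + 1)})
    return {p: s for p, s in support.items() if s >= min_support}

def cluster_traces(traces, patterns):
    """Greedy covering: the most frequent (then longest) pattern claims every remaining trace containing it; leftovers go to 'other'."""
    ranked = sorted(patterns, key=lambda p: (-patterns[p], -len(p), p))
    remaining, clusters = list(traces), {}
    for pat in ranked:
        members = [t for t in remaining if contains(t, pat)]
        if members:
            clusters[pat] = members
            remaining = [t for t in remaining if not contains(t, pat)]
    if remaining:
        clusters["other"] = remaining  # traces matching no frequent pattern
    return clusters

def directly_follows(traces):
    """Distinct a->b arcs; the arc count is the complexity proxy assumed here, not the paper's metric."""
    return {(t[i], t[i + 1]) for t in traces for i in range(len(t) - 1)}

def decompose(traces, min_support=2, max_len=3):
    """Sub-log per cluster together with its sub-model's arc count."""
    clusters = cluster_traces(traces, frequent_patterns(traces, min_support, max_len))
    return {key: (members, len(directly_follows(members))) for key, members in clusters.items()}
```

Calling decompose(TRACES) on this sample yields three sub-logs; the whole log has 10 directly-follows arcs while no sub-model has more than 5.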

Cite this article:
WEI Yongpeng. Modeling and Analysis Method for Network Attacks Based on Process Mining and Trace Clustering[J]. Journal of Chongqing Technology and Business University(Natural Science Edition),2025,42(6):78-85
Published online: 2025-11-19