Most　attacks　on　the　Internet　are　progressive　attacks　and　exploit　multiple　nodes.　Traditional　Intrusion　Detection　Systems　(IDS)　cannot　detect　the　original　attack　node,　making　it　difficult　to　block　the　attack　at　its　source.　This　paper　focuses　on　using　IDS＇　alerts　corresponding　to　abnormal　traffic　to　correlate　attacks　detected　by　the　IDS,　reconstruct　multi-step　attack　scenarios　and　discover　attack　chains.　Due　to　many　false　positives　in　the　information　provided　by　IDS,　accurate　reconstruction　of　the　attack　scenario　and　extraction　of　the　most　critical　attack　chain　is　challenging.　Therefore,　we　propose　a　method　to　reconstruct　multi-step　attack　scenarios　in　the　network　based　on　multiple　information　fusion　of　attack　time,　risk　assessment　and　attack　node　information.　First,　we　propose　a　Convolution　and　Agent　Decision　Tree　Network　(CTnet),　a　convolutional　neural　network　that　evaluates　the　attacks　detected　by　the　IDS　and　gives　an　alert　with　an　attack　risk　assessment.　Then,　we　reconstruct　the　weighted　attack　scenario　by　applying　Graph-based　Fusion　Module　(GM)　on　the　captured　attacks＇　risk　assessment　and　time　information.　Finally,　we　extract　the　high-risk　attack　chain　by　Depth　First　Search　with　Time　and　Weight　(TW-DFS)　algorithm.　The　experimental　results　show　that　the　proposed　method　can　accurately　reconstruct　multi-step　attack　scenarios　and　trace　them　back　to　the　original　host.　It　can　help　administrators　to　deploy　security　measures　more　effectively　to　ensure　the　overall　security　of　the　network.