Abstract: To improve the alert quality and prediction capability of traditional intrusion detection systems (IDS), advanced alert correlation algorithms are proposed, based on attack scenario modeling using colored Petri nets (CPN). The current analysis approach, information filtering, is upgraded to logical deduction over messages by reasoning under the model. The alert and the attack are converted to two different parameters for computation. By transforming the CPN model and calculating the minimal covering set, algorithms for multi-step attacks and cooperative attacks are designed. An experimental alerts correlation analysis system (ACAS) is implemented. The experimental results indicate that these algorithms can be applied to effectively improve the alert quality and prediction ability of IDS.