The invention relates to an attack path restoration method and apparatus. According to the method, through comprehensive analysis on a security event alarm, and a connection relationship of each device in a network topology, a connection relationship between each of respective lists of an attacker, an internal network weak point, an attack source and the attacker and each set of device is obtained, thereby finishing restoration of an attack process. Compared with the existing path restoration method, the method provided by the embodiment of the invention can go deep into an internal network todiscover a security weak point in internal network protection, so that an attack path is traced to the source and thus the method is more effective to improve the enterprise security and improves theanalysis efficiency; and meanwhile, a noise of an uncritical connection in massive security events can further be shielded and only an attack path coming into effect is traced to the source; moreover, all attacks can be restored, so the restoration capacity is improved; and in addition, according to the method provided by the invention, while the attack path is restored, an operating service is not affect and thus the normal operation of the service can be kept.