Abstract:
Network security analysis must identify both the vulnerabilities in a network and the intruder's intentions. A novel network risk analysis model based on simulated attacks is proposed. First, information about the target network and the intruder is studied and described. By correlating the system's vulnerabilities with the attacker's behaviors, the attack state graph (ASG) is introduced and its generation algorithm is presented. The ASG simulates the state transitions that occur during the attack process. The ASG is then used to find all routes of the attacker's penetration and to evaluate the threatened locations and the degree of risk, which provides useful evidence and guidance for risk decisions. Finally, a virtual network environment is given to illustrate the applicability of the risk analysis model and to validate its effectiveness for network security analysis and quantitative assessment.