Research on decision optimization of network security expert system based on multi-source heterogeneous data

He Li1
1School of Cyber Science and Engineering, Southeast University, Nanjing, Jiangsu, 211189, China

Abstract

With the rapid growth of the Internet, open network environments have also become a breeding ground for attackers; in very large network systems in particular, multi-stage, large-scale, coordinated attacks are difficult for traditional defenses to handle. Motivated by the characteristics of multi-source heterogeneous network security data (huge volume, heterogeneous formats and diverse semantics), this study designs a network security expert system built on such data. The system is organized into five layers: a perception layer, an event layer, an alarm layer, an attack context and attack pattern layer, and an attack scenario layer. Petri nets are used for network security risk analysis and assessment, addressing the difficulty traditional defenses have in handling attack scenarios once they have been modeled. Incorporating D-S evidence theory, the outputs of multiple decision engines are fused for network security posture assessment, so that the network condition is analyzed from a global perspective and the classification of network attacks is further improved. In simulation experiments with simulated attacks, the monitoring information of the expert system has autocorrelation coefficients within two standard deviations (\(\pm\)0.1) after 0th-order differencing, which indicates that the system can accurately assess the potential values of network attacks such as scanning, brute-force cracking, DoS, and Web attacks.

Keywords: cyber-attacks, multi-source heterogeneous data, expert systems, Petri nets, D-S evidence theory
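The D-S fusion step the abstract describes, as an added example that is not the paper's own code: Dempster's rule of combination is folded over the mass functions of several decision engines whose outputs are constructed here, with the frame of discernment taken as the four attack classes the abstract names. The conflict factor K is reported alongside the fused masses, since a high K is the signal that the engines disagree.

```python
"""Dempster-Shafer combination of several decision engines' outputs.

Added example, not the paper's code: fuses belief masses from constructed
engine outputs over a frame of the attack classes named in the abstract.
"""
from itertools import product

FRAME = frozenset({"scan", "brute-force", "dos", "web"})  # frame of discernment

def combine(m1, m2):
    """Dempster's rule: m(A) = sum_{B & C == A} m1(B) m2(C) / (1 - K)."""
    joint, conflict = {}, 0.0
    for (b, mb), (c, mc) in product(m1.items(), m2.items()):
        a = b & c
        if a:
            joint[a] = joint.get(a, 0.0) + mb * mc
        else:
            conflict += mb * mc  # K: mass that lands on the empty set
    if conflict >= 1.0 - 1e-12:
        raise ValueError("total conflict: sources cannot be combined")
    return {a: v / (1.0 - conflict) for a, v in joint.items()}, conflict

def fuse(engines):
    """Fold Dempster's rule over every engine; returns (mass, worst conflict)."""
    mass, worst = {FRAME: 1.0}, 0.0  # start from total ignorance
    for m in engines:
        mass, k = combine(mass, m)
        worst = max(worst, k)  # a high K flags engines that disagree
    return mass, worst

def belief(mass, hyp):
    """Bel(A): mass committed to subsets of A."""
    return sum(v for a, v in mass.items() if a <= hyp)

def plausibility(mass, hyp):
    """Pl(A): mass that does not contradict A."""
    return sum(v for a, v in mass.items() if a & hyp)

# Constructed outputs of three hypothetical engines (masses over subsets of FRAME).
ENGINES = [
    {frozenset({"dos"}): 0.6, frozenset({"dos", "scan"}): 0.3, FRAME: 0.1},
    {frozenset({"dos"}): 0.5, frozenset({"web"}): 0.2, FRAME: 0.3},
    {frozenset({"dos", "scan"}): 0.7, frozenset({"brute-force"}): 0.1, FRAME: 0.2},
]

if __name__ == "__main__":
    m, k = fuse(ENGINES)
    print({tuple(sorted(a)): round(v, 4) for a, v in m.items()}, "max conflict", round(k, 4))
```

With these constructed inputs the fused mass on {dos} is about 0.84 and the worst pairwise conflict is 0.18, so the posture assessment would report DoS with a note that the second engine partly disagreed.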