As the rapid growth of Internet applications, the number of cyber attacks increases drastically and presents challenges to network administrators. One of the challenges comes from that Internet hackers usually take multiple actions to achieve their malicious objectives; thus blurred their intention by triggering several seeming unrelated alerts during the same attack scenario. As a result, either for earning enough time to take appropriate actions or for reducing the number of alerts by correlating them, the administrators naturally want to have a quick way to recognize the multistage attacks. To address this desire, this paper presents a novel Colored Petri Net (CPN) based approach for administrators to correlate the alerts caused by intrusion detection systems to identify whether a multistage attack occurs or not. With this approach, we developed a CPN model to represent cyber attacks, and also implemented a prototype system to validate the effectiveness of our approach. We took DARPA/Lincoln Laboratory 2000 datasets as experiment inputs; the results showed that the CPN approach could recognize the multistage attacks, such as sadmind attack, from these alert datasets while has simpler modeling representation as well as friendlier user interface than alternative approaches.