Abstract: Attack modeling plays an important role in network security analysis and assessment. A Generalized Stochastic Colored Petri Net (GSCPN) model for attack composition is proposed. To each attack, a GSCPN model is constructed to describe the relation of components graphically. Operators to construct attack composition from known ones as blocks are defined formally. The algorithm to construct a composite attack is delivered, and the structural complexity of combination?model is measured also. On this basis, the time cost of vulnerabilities is assessed. The network example validates further the effectiveness of the proposed composition model and calculation method.