Aiming at the problems of low recognition rate and high false alarm rate of open source software user attack behavior. This paper proposes a multi-level identification model of open source software user attack behavior based on WL (Weisfeiler-Lehman, WL) and GraphSAGE. The model first extracts the fingerprint features and three-channel graph features of the open-source software user attack behavior traffic data, and then combines the fingerprint features and graph features with the traffic data ID to generate a graph model. Then, a multi-level recognition model is used to recognize user behavior. The first level calculates the graph model similarity of the current user behavior based on the WL (Weisfeiler Lehman, WL), and preliminarily identifies user attack behavior. The second level is based on the GraphSAGE model to embed the graph model of the current user behavior, combined with the training of the graph model classification and recognition model, to realize the identification of user attack behavior. Finally, through the fusion strategy of multi-level recognition model, the recognition rate of the overall framework is improved and the false alarm rate is reduced. Compared with the comparison model, the model has better performance in identifying user attack behavior.