[This article belongs to Volume - 54, Issue - 01]
Gongcheng Kexue Yu Jishu/Advanced Engineering Science
Journal ID: AES-15-06-2022-206

Title: Attacker's IP Analysis System Based on EBLOF Algorithm and Application
FAN Min, LI Changmao, CHEN Feiyu, CHEN Chaoyi

Abstract:

In order to relieve the alarm fatigue of security analysts and improve security operation efficiency, this paper proposes an attacker IP analysis system based on the Ensemble-based Local Outlier Factor (EBLOF) algorithm. Firstly, normalized network security alarm logs were extracted and merged, and features were engineered along two dimensions of the attacker IP: its attributes and its attack behaviour. Secondly, drawing on the idea of ensemble learning and the traditional LOF anomaly detection algorithm, a robust EBLOF algorithm for finding high-threat attacker IPs was constructed in the system. Thirdly, the system built an online learning architecture to address the difficulty of updating a machine learning model online: through batch real-time learning, this architecture ensures that the model can be updated online at the system architecture level rather than the algorithm level. Finally, the EBLOF algorithm was trained on the public anomaly detection data set ODD. The experimental results showed that the algorithm is more robust than the naive LOF algorithm under different data distributions. The proposed system was applied in real attack and defence scenarios, and its effectiveness and feasibility were verified by comparison with security operation analysts.
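The pipeline the abstract sketches, as an added illustration that is not the paper's code: merged alarm records are aggregated into per-source-IP features (an attribute dimension and a behaviour dimension), scaled, and scored by an ensemble of plain LOF detectors whose average ranks the IPs for triage. The paper does not state how EBLOF forms its ensemble; this example assumes that members vary the neighbourhood size k and the feature subspace and that their LOF scores are averaged, which is one common way to make LOF less sensitive to a single choice of k. The alarm records, the four features, and the IP addresses (documentation ranges) are all constructed for the example.

```python
"""Ensemble-of-LOF scoring of attacker IPs built from alarm logs.

Added example, not the paper's implementation. Assumption: the ensemble averages
LOF scores over several neighbourhood sizes k and several feature subspaces.
"""
import math
from collections import defaultdict
from itertools import combinations

# Attribute dimension (volume) and behaviour dimension (spread, severity) per source IP.
FEATURE_NAMES = ("alert_count", "distinct_ports", "distinct_targets", "high_severity_ratio")


def build_alerts():
    """Constructed, already-normalized alarm records: (src_ip, dst_host, dst_port, severity)."""
    alerts = []
    # Eight low-volume sources: a few alerts, one or two ports and hosts, mostly low severity.
    profiles = [(3, [22], 1, 0), (4, [22, 80], 2, 0), (5, [80], 1, 1), (6, [443, 80], 2, 1),
                (3, [22, 80], 2, 0), (4, [3389], 1, 1), (5, [80, 8080], 2, 1), (6, [22, 443], 1, 2)]
    for i, (n, ports, hosts, n_high) in enumerate(profiles):
        ip = f"198.51.100.{10 + i}"
        for j in range(n):
            sev = "high" if j < n_high else "low"
            alerts.append((ip, f"srv-{j % hosts}", ports[j % len(ports)], sev))
    # One noisy source: 120 alerts spread over 25 hosts and 40 ports, 90% high severity.
    for j in range(120):
        alerts.append(("203.0.113.77", f"srv-{j % 25}", 1000 + j % 40,
                       "low" if j % 10 == 0 else "high"))
    return alerts


def extract_features(alerts):
    """Merge alarms per source IP into the feature vector named in FEATURE_NAMES."""
    per_ip = defaultdict(lambda: {"n": 0, "ports": set(), "hosts": set(), "high": 0})
    for ip, host, port, sev in alerts:
        s = per_ip[ip]
        s["n"] += 1
        s["ports"].add(port)
        s["hosts"].add(host)
        s["high"] += sev == "high"
    return {ip: (s["n"], len(s["ports"]), len(s["hosts"]), s["high"] / s["n"])
            for ip, s in per_ip.items()}


def min_max_scale(rows):
    """Scale every feature to [0, 1] so that raw alert counts do not dominate the distance."""
    dims = len(next(iter(rows.values())))
    lo = [min(r[d] for r in rows.values()) for d in range(dims)]
    hi = [max(r[d] for r in rows.values()) for d in range(dims)]
    return {ip: tuple((r[d] - lo[d]) / ((hi[d] - lo[d]) or 1.0) for d in range(dims))
            for ip, r in rows.items()}


def lof(points, k, dims):
    """Plain LOF (Breunig et al.) over the feature indices in `dims`.

    Uses exactly k nearest neighbours (ties at the k-th distance are not expanded).
    """
    ids = list(points)

    def dist(a, b):
        return math.sqrt(sum((points[a][d] - points[b][d]) ** 2 for d in dims))

    nn, kdist = {}, {}
    for p in ids:
        ranked = sorted((dist(p, o), o) for o in ids if o != p)[:k]
        nn[p] = [o for _, o in ranked]
        kdist[p] = ranked[-1][0]
    lrd = {}
    for p in ids:
        reach = [max(kdist[o], dist(p, o)) for o in nn[p]]
        # Guard: a point whose k neighbours are all identical to it would have reach 0.
        lrd[p] = 1.0 / max(sum(reach) / k, 1e-12)
    return {p: sum(lrd[o] for o in nn[p]) / k / lrd[p] for p in ids}


def eblof_scores(features, ks=(3, 4, 5), min_dims=3):
    """Assumed ensemble: average LOF over several k and every subspace of >= min_dims features."""
    scaled = min_max_scale(features)
    n_dims = len(FEATURE_NAMES)
    subspaces = [c for r in range(min_dims, n_dims + 1) for c in combinations(range(n_dims), r)]
    totals, members = defaultdict(float), 0
    for k in ks:
        for dims in subspaces:
            for ip, score in lof(scaled, k, dims).items():
                totals[ip] += score
            members += 1
    return {ip: total / members for ip, total in totals.items()}


def rank_attackers(alerts=None, top_n=3):
    """Highest-scoring source IPs first: the ones an analyst should look at before the rest."""
    feats = extract_features(alerts if alerts is not None else build_alerts())
    scores = eblof_scores(feats)
    return sorted(scores.items(), key=lambda kv: kv[1], reverse=True)[:top_n]


if __name__ == "__main__":
    for ip, score in rank_attackers():
        print(f"{ip:16s} EBLOF={score:7.2f}")
```

Scores near 1 mean a source IP looks like its neighbours; the noisy scanner-like source lands far above that because its local density is much lower than that of the sources it is compared against. Averaging over several k and subspaces is what keeps a single badly chosen k from hiding or inventing an outlier, which is the robustness property the abstract claims for EBLOF over naive LOF.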