System and method for tracking malware route and behavior for defending against cyberattacks
Abstract:
An attack tracking system includes: multiple hosts, in which first event data concerning object behavior are collected and pieces of host-based event information are created from that data; a tracking information database server that stores the pieces of host-based event information; and a tracking information analysis server that creates behavior events by defining malware behavior from the pieces of host-based event information, retrieves targets to be analyzed from the pieces of host-based event information and the behavior events based on a preset input value, creates first tracking contexts for identifying the malware behavior by analyzing the relationship between the pieces of host-based event information and the relationship between a set of the pieces of host-based event information and a set of the behavior events, and creates second tracking contexts that track malware routes and behavior events between the multiple hosts by analyzing the correlation between the first tracking contexts.