在现有的单层马尔科夫链异常检测模型基础上,提出一种崭新的两层模型.将性质上有较大差异的两个过程,不同的请求和同一请求内的系统调用序列,分为两层,分别用不同的马尔可夫链来处理.两层结构可以更准确地刻画被保护服务进程的动态行为,因而能较大地提高异常的识别率,降低误警报率.-In the existing single-layer Markov chain model for anomaly detection based on a new two-tier model. Will have a larger difference in the nature of the two processes, different requests and requests within the same system call sequence, sub- for a two-tier, respectively, in different Markov chain to deal with it. a two-tier structure can be more accurately portray the process of protection services by the dynamic behavior, which can greatly improve the identification of abnormal rate and reduce false alarm rate.