File name: 391(1)
Description: all downloadable content is collected from the Internet; please study and use it at your own discretion
A new rule-based anomaly detection model is proposed. System calls are classified by function and by degree of danger, and the model targets only the key calls in each class (that is, system calls with danger level 1). During learning, each key call is processed dynamically, rather than by running data mining or statistics over static data, which makes incremental learning possible. In addition, predefining and refining rules effectively reduces the number of rules in the rule database and shortens the rule-matching time during detection.
(Automatically generated by the system; you can review the download contents before downloading)
Download file list
391(1).pdf