Abstract: Efficient short sequence models used in anomaly analysis of program behaviors arc not available in anomaly detection field. The current models are short of abstracting program behaviors. Therefore, a new highly self-explanatory pattern called GV pattern(gapped variable frequent pattern) was provided to cover three fundamental structures of program:sequence, selection and circulation. Subsequently, GV pattern mined algorithm and system-call flow chart model based on GV pattern library were presented in details. Experiments show that the anomaly detection algorithm based on new model keeps low detection overhead and false positive rate on the condition of high detection rate, which is crucial in a real-time intrusion detection system.

Key words: Anomaly detection, Short sequence model, l3chavior analysis, Pattern matching, Data mining