Anomaly intrusion detection method based on HMM

Abstract
An anomaly intrusion detection method based on a hidden Markov model (HMM) is presented. The system call trace of a UNIX privileged process is passed to an HMM to obtain state transition sequences. Preliminary experiments prove that the state transition sequences can express the difference between the modes of normal action and intrusion behaviour in a more stable and simpler manner.
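The idea in the abstract, sketched as an added example that is not code from the paper: a system call trace is decoded into its most likely HMM state sequence with the Viterbi algorithm, and short windows of that state sequence are compared with those seen for normal traces. The HMM parameters, the system call alphabet, the traces and the window-matching rule with window length 3 are all constructed assumptions; the abstract does not specify them.

```python
import math

# Constructed 3-state HMM standing in for one trained on normal traces (assumption).
SYSCALLS = ["open", "read", "close", "execve"]
START = [0.6, 0.2, 0.2]
TRANS = [[0.2, 0.6, 0.2],
         [0.2, 0.2, 0.6],
         [0.6, 0.2, 0.2]]
# State i emits SYSCALLS[i] with p=0.94 and every other call with p=0.02.
EMIT = [{c: (0.94 if j == i else 0.02) for j, c in enumerate(SYSCALLS)}
        for i in range(3)]

def viterbi(trace):
    """Most likely hidden-state sequence for a system call trace (log domain)."""
    n = len(START)
    score = [math.log(START[s]) + math.log(EMIT[s][trace[0]]) for s in range(n)]
    back = []
    for call in trace[1:]:
        prev, score, ptr = score, [], []
        for s in range(n):
            best = max(range(n), key=lambda p: prev[p] + math.log(TRANS[p][s]))
            ptr.append(best)
            score.append(prev[best] + math.log(TRANS[best][s]) + math.log(EMIT[s][call]))
        back.append(ptr)
    state = max(range(n), key=lambda s: score[s])
    path = [state]
    for ptr in reversed(back):  # follow back-pointers from the last call to the first
        state = ptr[state]
        path.append(state)
    return path[::-1]

def windows(states, k=3):
    """Set of length-k windows over a decoded state sequence."""
    return {tuple(states[i:i + k]) for i in range(len(states) - k + 1)}

def mismatch_rate(trace, normal_db, k=3):
    """Fraction of state windows in the trace that never occur in normal_db."""
    states = viterbi(trace)
    wins = [tuple(states[i:i + k]) for i in range(len(states) - k + 1)]
    return sum(w not in normal_db for w in wins) / len(wins)

# Constructed traces: normal file handling vs. a trace with unexpected execve calls.
NORMAL_DB = windows(viterbi(["open", "read", "close"] * 4))
HELD_OUT = ["open", "read", "close"] * 2
SUSPECT = ["open", "read", "execve", "execve", "open", "close"]

if __name__ == "__main__":
    print(mismatch_rate(HELD_OUT, NORMAL_DB), mismatch_rate(SUSPECT, NORMAL_DB))
```

The normal database here holds only three state windows, however long the normal traces are, which is the compactness the abstract refers to; a real deployment would estimate the HMM from recorded normal traces rather than set it by hand.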