Excerpt from the paper
This paper presents an anomaly detection approach to detect intrusions into computer systems. In this approach, a hierarchical hidden Markov model (HHMM) is used to represent a temporal profile of normal behavior in a computer system. The HHMM of the norm profile is learned from historical data of the system's normal behavior. The observed behavior of the system is analyzed to infer the probability that the HHMM of the norm profile supports the observed behavior. A low probability of support indicates anomalous behavior that may result from intrusive activities. The model was implemented and tested on the UNIX system call sequences collected by the University of New Mexico group. The testing results showed that the model can clearly identify the anomalous activities and performs better than a hidden Markov model.
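The scoring step described in the abstract, as an added example that is not code from the paper: it computes the probability of support for a window of system calls with the scaled forward algorithm and flags windows that fall below a threshold. It uses a flat two-state HMM (the baseline the abstract compares against) rather than an HHMM, and every parameter, the threshold, the function names and the sample windows are constructed assumptions, not values learned from the UNM data.

```python
import math

# Constructed 2-state HMM standing in for a learned norm profile (assumed values,
# not parameters from the paper). State 0 ~ file I/O phase, state 1 ~ network phase.
START = [0.8, 0.2]
TRANS = [[0.9, 0.1], [0.2, 0.8]]
EMIT = [
    {"open": 0.25, "read": 0.35, "write": 0.25, "close": 0.13,
     "socket": 0.01, "connect": 0.005, "execve": 0.005},
    {"open": 0.01, "read": 0.15, "write": 0.15, "close": 0.08,
     "socket": 0.30, "connect": 0.30, "execve": 0.01},
]
FLOOR = 1e-6       # probability given to system calls never seen in training
THRESHOLD = -2.5   # assumed cut-off on mean log-probability per call


def log_likelihood(seq):
    """Scaled forward algorithm: log P(seq | norm-profile HMM)."""
    n = len(START)
    belief, logp = START[:], 0.0
    for t, call in enumerate(seq):
        if t:  # propagate the state belief one step through the transitions
            belief = [sum(belief[i] * TRANS[i][j] for i in range(n)) for j in range(n)]
        alpha = [belief[j] * EMIT[j].get(call, FLOOR) for j in range(n)]
        norm = sum(alpha)          # P(call | calls so far)
        logp += math.log(norm)     # summing logs avoids underflow on long traces
        belief = [a / norm for a in alpha]
    return logp


def support(seq):
    """Mean log-probability per call, so windows of different length compare."""
    if not seq:
        raise ValueError("empty system call window")
    return log_likelihood(seq) / len(seq)


def is_anomalous(seq):
    return support(seq) < THRESHOLD


# Constructed sample windows (not UNM data).
NORMAL = ["open", "read", "read", "write", "close"]
SUSPECT = ["open", "execve", "execve", "socket", "execve"]

if __name__ == "__main__":
    for name, window in (("normal", NORMAL), ("suspect", SUSPECT)):
        print(name, round(support(window), 2), is_anomalous(window))
```
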