Anomaly Detection of the Program Behaviors for IDS Based on Hidden Markov Models
Abstract:
A new method for anomaly detection of the program behaviors based on hidden Markov models is presented. The method uses system calls to represent the behavior profiles of programs based on hidden Markov models. The behavior patterns of programs are classified according to their frequency distributions, and the states of the hidden Markov models are associated with the classes of the behavior patterns. Because the collections of observations corresponding to different states are mutually disjoint, the models can be trained with a sequence matching algorithm which requires lower computational complexity and less computation time than the classical Baum-Welch algorithm. A decision rule based on the probabilities of short state sequences is adopted while the particularity of the model states is taken into account. The performance of the method is tested by computer simulation. The results show it maintains higher detection accuracy and efficiency than other alternative approaches.
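The following sketch is an added illustration of the idea in the abstract, not the authors' code: short system-call patterns are grouped into frequency classes that serve as states, and because every pattern belongs to exactly one state, training is done by matching and counting rather than by Baum-Welch. The window length, number of classes, equal-sized frequency bands, thresholds, function names and sample traces are all assumptions made for the example.

```python
from collections import Counter

def windows(seq, n):
    """All length-n sliding windows of seq, as tuples."""
    return [tuple(seq[i:i + n]) for i in range(len(seq) - n + 1)]

def train(trace, w=3, n_classes=2, k=2):
    """Learn a pattern->state map and short-state-sequence probabilities."""
    freq = Counter(windows(trace, w))
    ranked = [p for p, _ in freq.most_common()]
    # Assumption: classes are equal-sized bands of the frequency ranking.
    band = -(-len(ranked) // n_classes)  # ceiling division
    state_of = {p: i // band for i, p in enumerate(ranked)}
    # Observation sets of the states are disjoint, so the state sequence is
    # read off by matching; no iterative re-estimation is needed.
    states = [state_of[p] for p in windows(trace, w)]
    grams = Counter(windows(states, k))
    total = sum(grams.values())
    return {"w": w, "k": k, "state_of": state_of, "unknown": n_classes,
            "probs": {g: c / total for g, c in grams.items()}}

def score(model, trace):
    """Probability of each short state sequence in trace (0.0 if never seen)."""
    # Patterns absent from training map to an extra 'unknown' state.
    states = [model["state_of"].get(p, model["unknown"])
              for p in windows(trace, model["w"])]
    return [model["probs"].get(g, 0.0) for g in windows(states, model["k"])]

def is_anomalous(model, trace, p_min=0.05, max_low_fraction=0.2):
    """Flag the trace when too many short state sequences are improbable."""
    s = score(model, trace)
    low = sum(1 for p in s if p < p_min)
    return bool(s) and low / len(s) > max_low_fraction

# Constructed sample traces (not taken from the paper's data).
NORMAL = ["open", "read", "mmap", "read", "close"] * 20
ODD = ["open", "read", "mmap", "execve", "socket", "connect", "write", "close"]

if __name__ == "__main__":
    model = train(NORMAL)
    print("normal flagged:", is_anomalous(model, NORMAL[:25]))
    print("odd flagged:   ", is_anomalous(model, ODD))
```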
SUN Hongwei, TIAN Xinguang, ZOU Tao, ZHANG Eryang. Anomaly Detection of the Program Behaviors for IDS Based on Hidden Markov Models[J]. Journal of National University of Defense Technology, 2003, 25(5): 63-67.