  • Thesis

A Study on Combining Hidden Markov Model and Support Vector Machine for Anomaly Detection Systems

Combining Hidden Markov Model and Support Vector Machine for Host-based Anomaly Detection Systems

Advisor: 陳奕明

Abstract


In recent years, Trojan horses and backdoor programs have spread across the Internet, and the appearance of automated penetration tools has greatly reduced the knowledge an attack requires. In a network environment where all kinds of malicious programs run rampant, the responsibility for guarding system security ultimately falls largely on host-based intrusion detection systems. This study takes the Hidden Markov Model and the Support Vector Machine as its theoretical basis and proposes a host-based anomaly intrusion detection system for Microsoft operating systems. We use Windows Native API sequence data to build program behavior models. The most important property of this kind of data is the notion of ordering, so we use the Hidden Markov Model, a tool well suited to expressing dynamic sequential relations, to describe the probabilistic ordering relations between Windows Native APIs. The Hidden Markov Model then outputs the hidden states of the system call sequence, and finally the hidden states are converted into vector form so that a Support Vector Machine can build a model of normal program behavior and judge anomalous intrusions. This program behavior model captures the norms of normal behavior, so whenever the behavior of a monitored program is classified as anomalous by the Support Vector Machine, the user can be informed that the program is currently in an anomalous state. Based on this idea we also developed a prototype anomaly intrusion detection system, and in the final experiments we use the University of New Mexico system call dataset together with data we collected ourselves on Microsoft operating systems to demonstrate that combining the Hidden Markov Model and the Support Vector Machine in an anomaly detection system can distinguish anomalous behavior occurring during program execution.

Parallel Abstract


Various malicious programs, such as Trojan horses and backdoors, have become widespread on the Internet in recent years. More and more automated penetration testing tools have appeared, and less background knowledge about attacks is needed than before. As a result, the responsibility for computer security is transferred to host-based intrusion detection systems. Our research combines the Hidden Markov Model and the Support Vector Machine and proposes a host-based anomaly detection system for Windows platforms. We use Windows Native Application Programming Interface (API) sequences to establish the normal behavior model of a program. This kind of data has one significant characteristic: the order in which the APIs appear in the sequence. We therefore utilize the Hidden Markov Model, which is good at expressing the relations within dynamic sequences, to describe the probabilistic ordering relations between Windows Native APIs. After obtaining the hidden state sequence of a Native API sequence from the Hidden Markov Model, we feed it into a Support Vector Machine to train the normal behavior model of the program. If our prototype system classifies the state of a program as anomalous, we can inform the user about the anomalous behavior of that program. We developed a prototype system using the proposed method and ran several experiments to evaluate its performance. The experiments use the University of New Mexico dataset and a Windows Native API dataset collected by ourselves. The experimental results demonstrate the effectiveness of the combination of the Hidden Markov Model and Support Vector Machine, which can distinguish anomalous program behavior from normal program behavior.
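The pipeline the abstract describes, as an added illustration that is not the thesis's own code: a Native API call sequence is decoded by Viterbi into its most likely hidden-state path, the path is turned into a fixed-length vector (fraction of time spent in each hidden state), and the vector is compared against a profile built from normal runs. The HMM parameters, API names and traces are constructed toy values, and a centroid-plus-radius distance check stands in for the thesis's Support Vector Machine stage.

```python
import math
from collections import Counter

# Constructed toy HMM (assumed names and probabilities, not the thesis's trained model);
# hidden states stand for a file-I/O phase and a process/thread-spawning phase.
STATES = ["file", "exec"]
START = {"file": 0.7, "exec": 0.3}
TRANS = {"file": {"file": 0.8, "exec": 0.2}, "exec": {"file": 0.3, "exec": 0.7}}
EMIT = {  # P(Native API call | hidden state)
    "file": {"NtOpenFile": 0.3, "NtReadFile": 0.3, "NtWriteFile": 0.3, "NtCreateProcess": 0.05, "NtCreateThread": 0.05},
    "exec": {"NtOpenFile": 0.1, "NtReadFile": 0.05, "NtWriteFile": 0.05, "NtCreateProcess": 0.4, "NtCreateThread": 0.4},
}

def viterbi(api_seq):
    # trellis[t][s] = (best log-probability of a path ending in state s at time t, previous state)
    trellis = [{s: (math.log(START[s] * EMIT[s][api_seq[0]]), None) for s in STATES}]
    for api in api_seq[1:]:
        col = {}
        for s in STATES:
            prev = max(STATES, key=lambda p: trellis[-1][p][0] + math.log(TRANS[p][s]))
            col[s] = (trellis[-1][prev][0] + math.log(TRANS[prev][s] * EMIT[s][api]), prev)
        trellis.append(col)
    path, state = [], max(STATES, key=lambda s: trellis[-1][s][0])
    for col in reversed(trellis):  # follow back-pointers from the last column
        path.append(state)
        state = col[state][1]
    return path[::-1]

def state_vector(api_seq):
    """Hidden-state path -> fixed-length vector (fraction of calls in each state) for the classifier."""
    counts = Counter(viterbi(api_seq))
    return [counts[s] / len(api_seq) for s in STATES]

def _dist(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))

def train_normal_profile(normal_seqs):
    """Stand-in for the one-class SVM stage: centroid of normal vectors plus the largest training distance."""
    vecs = [state_vector(s) for s in normal_seqs]
    centroid = [sum(v[i] for v in vecs) / len(vecs) for i in range(len(STATES))]
    return centroid, max(_dist(v, centroid) for v in vecs)

def is_anomalous(api_seq, profile):
    centroid, radius = profile
    return _dist(state_vector(api_seq), centroid) > radius

# Constructed traces: three benign runs and one that spends most of its time spawning.
NORMAL_SEQS = [
    ["NtOpenFile", "NtReadFile", "NtReadFile", "NtWriteFile"],
    ["NtOpenFile", "NtReadFile", "NtCreateThread", "NtWriteFile", "NtWriteFile"],
    ["NtCreateProcess", "NtOpenFile", "NtReadFile", "NtWriteFile", "NtReadFile", "NtWriteFile"],
]
ANOMALOUS_SEQ = ["NtOpenFile", "NtCreateProcess", "NtCreateThread", "NtCreateThread", "NtCreateProcess", "NtWriteFile"]
```

Calling `train_normal_profile(NORMAL_SEQS)` and then `is_anomalous(ANOMALOUS_SEQ, profile)` flags the spawning-heavy trace, while all three benign traces fall inside the profile.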


Cited by


施文富 (2007). An Adaptive Anomaly Intrusion Detection Method Based on Incremental Hidden Markov Models and Windows System Calls [Master's thesis, National Central University]. Airiti Library. https://www.airitilibrary.com/Article/Detail?DocID=U0031-0207200917345047
