Abstract: To improve the detection rate，ability of real-time detecting and intelligence of the intrusion prevention system on the Windows operating system，this paper introduces the embedded assembly language to simplify the monitoring of Windows Native API，and divides the data set into a table of independent variable-length patterns，and applies rough set theory to reduce the size of each pattern.With this method，a prevention model is built on short core API sequence and used to detect call sequence of sendmail program.A series of experiments show that this model’s detection rate reaches to 96.08%，and false alarm rate falls to 1.93%.Compared with other detection models，the result demonstrates that this model has better performance on detection efficiency，ability of real-time detecting and intelligence.

Key words: intrusion prevention, Native API sequence, rough set, variable-length sequence

摘要： 为了提高基于Windows操作系统的入侵防御系统的检测效率、实时性和智能性，引入嵌入式汇编语言来简化对Windows Native API的监控，将数据集划分为一组基本相对独立的变长序列模式，利用粗糙集理论对每种长度的序列集进行简约，建立了较小规模的Native API短序列的防御模型，并应用于sendmail调用序列检测。实验结果表明，模型的检测率达到96.08%，误报率降低到1.93%。与其他检测模型的比较结果表明，模型在检测率、实时性和智能性方面有更优的性能。

关键词: 入侵防御, Native API序列, 粗糙集, 变长序列