Abstract: To overcome the shortcomings of traditional security protection strategies based on vulnerability databases, unknown attack behavior must be recognized and flagged early. Using time window division and deep packet inspection, the content of end-to-end communication is transformed into a sequence of control actions. Based on the semantic features of the control protocol, the control behavior sequences are transformed into feature vectors of a unified dimension using a semantic vector model. The anomaly recognition model, based on a One-Class Support Vector Machine (OCSVM), is built from normal behavior samples only, which overcomes the difficulty of obtaining abnormal samples from the production environment. The average recognition accuracy of the model is more than 93% on simulation sequences containing multiple abnormal behaviors.
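The pipeline described above, as an added Python sketch that is not the paper's code: events already decoded by packet inspection are split into per-flow time windows, each window's action sequence becomes a fixed-dimension vector, and a one-class SVM is fitted on normal windows only. The action names, endpoints, sample traffic, and the `nu` and `gamma` values are constructed for illustration, and the unigram/bigram frequency encoding is an assumed stand-in for the semantic vector model, which the abstract does not specify; scikit-learn is required.

```python
from collections import Counter, defaultdict
from itertools import product

from sklearn.svm import OneClassSVM

# Hypothetical control-action vocabulary; a real deployment would take these
# from the DPI decoder for its own control protocol.
ACTIONS = ["READ", "WRITE", "START", "STOP"]
BIGRAMS = list(product(ACTIONS, repeat=2))

def window_sequences(events, width):
    """Group (time, src, dst, action) events into per-flow, per-window sequences."""
    windows = defaultdict(list)
    for ts, src, dst, action in sorted(events):
        windows[(src, dst, int(ts // width))].append(action)
    return dict(windows)

def vectorize(seq):
    """Map a sequence of any length to one fixed-dimension frequency vector."""
    uni = Counter(seq)
    bi = Counter(zip(seq, seq[1:]))
    n_uni, n_bi = max(len(seq), 1), max(len(seq) - 1, 1)
    return ([uni[a] / n_uni for a in ACTIONS] +
            [bi[b] / n_bi for b in BIGRAMS])

def train(normal_sequences):
    """Fit a one-class model on normal behaviour only (nu, gamma are illustrative)."""
    model = OneClassSVM(kernel="rbf", nu=0.05, gamma=5.0)
    return model.fit([vectorize(s) for s in normal_sequences])

# Constructed sample traffic: one controller polling a device in 10 s windows.
PATTERNS = [["READ", "READ", "WRITE", "READ"],
            ["READ", "WRITE", "READ", "READ"],
            ["READ", "READ", "READ", "WRITE"],
            ["READ", "READ", "WRITE", "READ", "READ"]]
NORMAL_EVENTS = [(10.0 * w + i, "hmi", "plc1", a)
                 for w in range(40)
                 for i, a in enumerate(PATTERNS[w % len(PATTERNS)])]
SUSPECT = ["STOP", "WRITE", "WRITE", "WRITE", "STOP"]  # constructed anomaly

def demo():
    normal = list(window_sequences(NORMAL_EVENTS, width=10.0).values())
    model = train(normal)
    scores = model.decision_function([vectorize(normal[0]), vectorize(SUSPECT)])
    label = int(model.predict([vectorize(SUSPECT)])[0])  # -1 means anomalous
    return len(normal), float(scores[0]), float(scores[1]), label

if __name__ == "__main__":
    print(demo())
```

Actions outside `ACTIONS` are not counted, so a production encoder would need an explicit slot for unknown actions to keep them visible to the model.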