Intrusion detection, as the primary technical means of protecting computers, has been widely studied because it adapts well and can recognise new types of attacks; however, the difficulty of guaranteeing its recognition rate and false alarm rate remains the technology's main bottleneck. To raise the recognition rate of anomaly detection and lower its false alarm rate, this paper proposes a terminal-level intrusion detection algorithm (TL-IDA). In the data preprocessing stage, terminal logs are cut into consecutive short blocks of command sequences, standard statistical indicators are introduced to build a feature vector for each command sequence, and the TL-IDA algorithm then models each user from these feature vectors. On this basis, a sliding-window discrimination method is further proposed to judge whether the system is under attack, improving the performance of the intrusion detection algorithm. Experimental results show that TL-IDA reaches an average recognition rate of 83% and a false alarm rate of 15%, outperforming comparable anomaly-based terminal-level intrusion detection algorithms such as ADMIT and the hidden Markov model method.
As the main technical means of computer protection, intrusion detection technology has been widely studied due to its advantages of strong adaptability and the ability to identify new types of attacks. However, the recognition rate and false alarm rate are difficult to guarantee, which is the main bottleneck of this technology. To improve the recognition rate and reduce the false alarm rate of anomaly detection technology, this study proposes a terminal-level intrusion detection algorithm (TL-IDA). In the data preprocessing stage, the terminal log is cut into consecutive short blocks of command sequences, and common statistical indicators are introduced to construct a feature vector for each command sequence. TL-IDA is then applied to model users through these feature vectors. On this basis, a sliding-window discrimination method is also proposed to judge whether the system is under attack, so as to improve the performance of the intrusion detection algorithm. The experimental results show that the average recognition rate and false alarm rate of TL-IDA are 83% and 15%, respectively, which are superior to those of similar anomaly-based terminal-level intrusion detection algorithms such as ADMIT and the hidden Markov model method.
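The four-stage pipeline the abstract describes (cut the terminal log into consecutive blocks, build a statistical feature vector per block, model the user from normal blocks, then apply a sliding-window rule to decide whether the system is under attack) can be illustrated end to end with a small stand-in. The code below is an added example, not the paper's TL-IDA implementation: the abstract does not give the block size, the feature set, the user model or the window parameters, so the five features, the z-score profile, the threshold of 3.0 and the "2 anomalous blocks out of the last 3" rule are all this example's own assumptions, and the two command logs are constructed sample data.

```python
import math
from collections import Counter, deque

# Assumed parameters; the abstract gives no block size, window size or threshold.
BLOCK_SIZE = 10      # commands per block
Z_THRESHOLD = 3.0    # |z-score| above which a block is judged anomalous
WINDOW = 3           # sliding window length, in blocks
MIN_HITS = 2         # anomalous blocks within the window needed to raise an alert


def cut_into_blocks(commands, size=BLOCK_SIZE):
    """Step 1: split a command log into consecutive, non-overlapping blocks."""
    return [commands[i:i + size]
            for i in range(0, len(commands) - size + 1, size)]


def feature_vector(block):
    """Step 2: describe one block with simple statistical indicators.
    These five features are this example's choice, not the paper's."""
    n = len(block)
    counts = Counter(block)
    entropy = -sum((c / n) * math.log2(c / n) for c in counts.values())
    distinct_ratio = len(counts) / n
    lengths = [len(cmd) for cmd in block]
    mean_len = sum(lengths) / n
    var_len = sum((l - mean_len) ** 2 for l in lengths) / n
    repeat_ratio = sum(a == b for a, b in zip(block, block[1:])) / max(n - 1, 1)
    return [entropy, distinct_ratio, mean_len, var_len, repeat_ratio]


def build_profile(normal_commands):
    """Step 3: per-user profile = mean and std of each feature over normal blocks."""
    vectors = [feature_vector(b) for b in cut_into_blocks(normal_commands)]
    dims = len(vectors[0])
    means = [sum(v[d] for v in vectors) / len(vectors) for d in range(dims)]
    stds = [math.sqrt(sum((v[d] - means[d]) ** 2 for v in vectors) / len(vectors))
            for d in range(dims)]
    # Floor the std so a feature that never varied in training still has a scale;
    # any deviation on such a feature then scores as strongly anomalous.
    stds = [max(s, 1e-6) for s in stds]
    return {"means": means, "stds": stds}


def block_score(profile, block):
    """Anomaly score of one block: the largest |z-score| across its features."""
    return max(abs(f - m) / s for f, m, s in
               zip(feature_vector(block), profile["means"], profile["stds"]))


def sliding_window_alerts(verdicts, window=WINDOW, min_hits=MIN_HITS):
    """Step 4: alert at block i when at least `min_hits` of the last `window`
    block verdicts (block i included) are anomalous. Returns alerting indices."""
    recent = deque(maxlen=window)
    alerts = []
    for i, is_anomalous in enumerate(verdicts):
        recent.append(is_anomalous)
        if sum(recent) >= min_hits:
            alerts.append(i)
    return alerts


def detect(profile, commands):
    """Run steps 1, 2 and 4 on a new log against an existing user profile."""
    blocks = cut_into_blocks(commands)
    verdicts = [block_score(profile, b) > Z_THRESHOLD for b in blocks]
    return verdicts, sliding_window_alerts(verdicts)


# Constructed sample logs (not real data): a developer's normal routine of 40
# commands, followed by a scripted loop that repeats a single command.
NORMAL_LOG = [
    "ls", "cd", "ls", "cat", "vim", "git", "ls", "make", "grep", "ls",
    "cd", "vim", "make", "grep", "vim", "make", "git", "ls", "cat", "cd",
    "ls", "grep", "cat", "vim", "git", "ls", "vim", "make", "ls", "cd",
    "pwd", "ls", "cd", "cat", "grep", "vim", "git", "make", "ls", "cat",
]
ANOMALOUS_LOG = ["curl"] * 20

if __name__ == "__main__":
    profile = build_profile(NORMAL_LOG)
    verdicts, alerts = detect(profile, NORMAL_LOG + ANOMALOUS_LOG)
    print("block verdicts:", verdicts)   # four normal blocks, then two anomalous
    print("alert at block indices:", alerts)
```

Two design points are worth noting. The per-block verdict alone would fire on any single odd block, so the window rule is what keeps the false alarm rate down: one anomalous block in a window of three is tolerated, two are not. And because the profile is built per user from that user's own normal blocks, the same feature set yields different thresholds for different users, which is the sense in which the abstract speaks of modelling users from the feature vectors.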