In　order　to　ensure　the　security　of　information　systems,　it＇s　essential　to　make　sure　that　system　behaviors　are　trusted.　By　analyzing　threats　that　exist　in　executing　procedures,　a　trust　model　based　on　structured　protection　is　proposed.　We　consider　that　functional　components,　system　actions　and　message　flows　between　components　are　three　key　factors　of　information　systems.　Structured　protection　requirements　on　components,　connections　and　action　parameters　are　also　provided.　Four　trusted　properties　of　the　model　are　deducted　through　formal　analysis,　and　trusted　system　behavior　is　defined　based　on　these　properties.　Furthermore,　decision　theorem　of　trusted　system　behavior　is　proved.　The　developed　prototype　system　indicates　the　model　is　practical.　It　is　a　general　theory　model　built　on　logic　deduction　and　independent　on　specific　environment　and　the　behaviors　of　the　system　designed　and　implemented　following　the　model　are　trusted.