How　to　distinguish　abnormal　access　from　normal　ones　is　the　key　problem　in　Distribution　Denial　of　service(DDoS)　attack　detection.　This　research　aims　at　finding　out　the　major　difference　between　the　abnormal　access　and　the　normal　ones　in　application　layer.　To　this　end　,　the　paper　conducts　modeling　on　Web　users＇　access　behaviors　based　on　hidden　Markov　model(HMM)　with　multiple　chains　and　puts　forward　a　method　to　identify　abnormal　access.　Tests　on　simulation　data　indicate　that　this　model　can　undo　Web　users　access　to　a　certain　degree　and　discern　the　abnormal　access　well.　©　2010　IEEE.