Abstract: This paper presents EMPDA (extended model based on push down automaton), a control-flow-based extended model of program behavior that adds invariance constraints to the control-flow model. The model can describe some invariance properties that hold while a program is running safely, which enhances the ability of intrusion detection. By distinguishing the importance of system calls according to practical applications, the paper divides the program behavior model into a core model and a secondary model to reduce the workload of the model and improve learning efficiency. Experimental results show that the extended model performs better in many aspects, such as coverage speed, false positive rate, and the capability of intrusion detection.