The anomaly-based intrusion detection systems examine current system activity do find deviations from normal system activity. The present paper proposes a method for normal activity description using the Hidden Markov Models (HMM), which is tuned up using the gradient based method. The obtained model is utilized as a baseline, depicting the normal system activity. The main purpose is to distinguish the normal traces of user activity from abnormal ones using the BCJR decoding algorithm. Some results from the conducted simulation experiments are introduced as well.