Real-Time Intrusion Detection System Framework Based on Conditional Random Fields

Affiliation:

(1. Department of Ordnance Science and Technology, Naval Aeronautical and Astronautical University, Yantai, Shandong 264001, China; 2. Department of Command, Naval Aeronautical and Astronautical University, Yantai, Shandong 264001, China; 3. Department of Foreign Training, Naval Aeronautical and Astronautical University, Yantai, Shandong 264001, China)

CLC number: TP393.081

    Abstract:

    Intrusion detection systems (IDS) are now an essential component of all kinds of networks, including wireless ad hoc networks. With the rapid advancement of network technologies, intrusion detection has shifted from simple signature matching to anomaly-based and hybrid approaches that make full use of contextual information. To correctly and effectively identify intrusions hidden in large volumes of low-level system logs, a layered, anomaly-based intrusion detection framework using conditional random fields (CRFs) is proposed. The framework trains a separate CRF model for each of four classes of attack and then processes the data layer by layer to detect intrusions. This improves the adaptability and portability of the system, reduces its false alarm rate and false detection rate, and allows a wide variety of attacks to be identified with high accuracy. Experiments show that the framework can detect attacks effectively in real time and initiate the response mechanism to handle them.

Cite this article

GU Jiao-jiao, JIANG Wen-zhi, LI Fei, HU Wen-xuan. Real-Time Intrusion Detection System Framework Based on Conditional Random Fields[J]. JOURNAL OF NAVAL AVIATION UNIVERSITY, 2011, 26(5): 543-548

History
  • Published online: 2018-07-05