2008 Third International Conference on Availability, Reliability and Security
Defending On-Line Web Application Security with User-Behavior Surveillance
March 04-March 07
ISBN: 978-0-7695-3102-1
With the arrival of the information era, web-based services have developed rapidly and carry more and more business. These "open" and widely "web-enabled" applications are subject to ever greater levels and types of attack as hackers exploit vulnerabilities within the software, such as SQL injection and Cross-Site Scripting (XSS). In this paper, we propose a novel Embedded Markov Model (EMM) to detect different web application attacks, monitor on-line user behavior and defend against the malevolent user promptly. Compared to previous approaches to detecting web application attacks, our EMM approach can not only detect a user's invalidated input errors but also find unreasonable page transition behavior. By detecting unreasonable page transitions, we can immediately defend against malevolent or silly user behavior to avoid further web system failures and sensitive information disclosure. Furthermore, we implement an on-line user behavior surveillance system and use real web traffic to evaluate the performance of our system. The experimental results show that our proposed EMM method can discover the abnormal behavior of a malevolent user and detect invalidated input attacks such as SQL injection, XSS and string buffer overflow attacks.
Index Terms:
Web application security, Web security, Web attacks, User behavior, Markov model
Citation:
Yu-Chin Cheng, Chi-Sung Laih, Gu-Hsin Lai, Chia-Mei Chen, Tsuhan Chen, "Defending On-Line Web Application Security with User-Behavior Surveillance," ares, pp.410-415, 2008 Third International Conference on Availability, Reliability and Security, 2008