Computer Science ›› 2010, Vol. 37 ›› Issue (4): 151-.
TAO Fen,YIN Zhi-yi,FU Jian-ming
Abstract: Modeling program behavior based on system calls has become a hot topic in intrusion detection, since system calls reflect program behavior to some degree. This paper takes three types of modeling methods (dynamic, static, and hybrid modeling) as its starting point and concludes that the development of behavior models can be divided into three stages: the initial stage, the developmental stage, and the synthetical stage. Evaluation and comparison experiments were carried out to find the inherent relations and development track of some typical models in the different stages. The analysis indicates that the future trend of behavior modeling methods is to develop a software behavior model with high detection capability, completeness, and practical feasibility by combining static techniques with dynamic techniques, control flow with data flow, and other real-time information such as environment variables and context information.
Key words: Behavior model, Intrusion detection, System call
TAO Fen, YIN Zhi-yi, FU Jian-ming. Software Behavior Model Based on System Calls[J]. Computer Science, 2010, 37(4): 151-.
URL: https://www.jsjkx.com/EN/
https://www.jsjkx.com/EN/Y2010/V37/I4/151