Intrusion Detection System

[Abstract]
   In major computing systems such as UNIX, intrusion by exploiting buffer overflows is still a serious problem. To counter this problem, which results from vulnerabilities in application programs, there is research on intrusion detection systems that monitor the behavior of a program and detect anomalous behavior.
   Intrusion detection is divided into misuse detection and anomaly detection. In the former, abuse of a computer is detected based on the signature of an intrusion; in the latter, it is detected based on normal operation data (data showing that the monitored subject is operating normally). Among related work on anomaly detection systems, there is research based on the system calls that an application program emits during normal operation. Behind this research is the idea that an application program can be characterized by the history of the system calls it issues. Therefore, we study a method for performing anomaly detection efficiently based on system calls.
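
An added example, not taken from the work this abstract describes: one common way to characterize a program by its system-call history is to record every fixed-length window of consecutive calls seen during normal operation, then flag a trace in which too many windows are unseen. The window length, threshold, function names and traces below are assumptions constructed for illustration.

```python
from typing import Iterator

WINDOW = 3  # assumed window length; the abstract does not fix one


def windows(trace: list[str], n: int = WINDOW) -> Iterator[tuple[str, ...]]:
    """Yield every run of n consecutive system calls in the trace."""
    for i in range(len(trace) - n + 1):
        yield tuple(trace[i:i + n])


def build_profile(normal_traces: list[list[str]], n: int = WINDOW) -> set[tuple[str, ...]]:
    """Normal operation data: the set of windows seen in known-good runs."""
    profile: set[tuple[str, ...]] = set()
    for trace in normal_traces:
        profile.update(windows(trace, n))
    return profile


def check(trace: list[str], profile: set[tuple[str, ...]],
          n: int = WINDOW, threshold: float = 0.2):
    """Return (anomalous?, mismatch rate, unseen windows) for one trace."""
    seen = list(windows(trace, n))
    if not seen:  # trace shorter than one window: nothing to judge
        return False, 0.0, []
    unseen = [w for w in seen if w not in profile]
    rate = len(unseen) / len(seen)
    return rate > threshold, rate, unseen


# Constructed sample traces (not captured from a real program).
NORMAL = [
    ["open", "read", "read", "close", "write", "exit"],
    ["open", "read", "close", "write", "write", "exit"],
]
# Same program, but the run diverges into sequences never seen in training.
SUSPECT = ["open", "read", "read", "mprotect", "execve", "socket"]

PROFILE = build_profile(NORMAL)

if __name__ == "__main__":
    for name, trace in (("normal", NORMAL[0]), ("suspect", SUSPECT)):
        flagged, rate, unseen = check(trace, PROFILE)
        print(f"{name}: anomalous={flagged} mismatch={rate:.2f} unseen={unseen}")
```

Because the profile stores ordered windows rather than individual call names, a trace that uses only familiar calls in an unfamiliar order is also reported.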