Detecting Intrusions Using System Calls: Alternative Data Models

June 2, 2009 | Christina Warrender, Stephanie Forrest, Barak Pearlmutter
This paper evaluates different data modeling methods for detecting intrusions from system call sequences. The authors compare four methods: simple enumeration of sequences, frequency-based methods, rule induction (RIPPER), and Hidden Markov Models (HMMs), and analyze their effectiveness on a variety of data sets containing both normal and intrusion traces from different programs.

The study finds that HMMs outperform the other methods in terms of accuracy and efficiency; however, simpler methods may be sufficient for this particular problem. The authors also discuss the factors affecting the performance of each method, including the size and complexity of the data sets, the type of intrusion, and the choice of parameters.

The data sets used in the study include traces from various programs, including login, ps, named, xlock, inetd, and sendmail. They contain both normal and intrusion traces, with intrusions such as buffer overflows, symbolic link attacks, and denial-of-service attacks. The authors note that some data sets are more realistic than others, and that the results may vary depending on the specific data set used.

The study concludes that while HMMs are the most accurate method, simpler methods may be sufficient for many applications. The authors also note that the results are sensitive to the choice of parameters and the specific data set used, and suggest that further research is needed to determine the best method for different types of data and intrusion scenarios.
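As an added illustration that is not code from the paper, here is a minimal form of the sequence-enumeration method compared above: every length-k window of system calls observed in normal traces is stored in a database, and a test trace is scored by how many of its windows are absent from it. The locality frame count (mismatches within a short run of consecutive windows) is an assumed scoring choice, and the traces below are constructed sample data rather than the paper's data sets.

```python
from collections import deque

# Constructed sample traces (system call names in order); not from the paper's data.
NORMAL_TRACES = [
    ["open", "read", "mmap", "mmap", "open", "read", "mmap", "close", "close"],
    ["open", "read", "mmap", "open", "read", "mmap", "close", "close"],
]
# Constructed test trace with an unexpected execve in the middle of the normal pattern.
TEST_TRACE = ["open", "read", "mmap", "execve", "open", "read", "mmap", "close", "close"]


def windows(trace, k):
    """All length-k sliding windows of a trace, as tuples (empty if trace is shorter than k)."""
    return [tuple(trace[i:i + k]) for i in range(len(trace) - k + 1)]


def build_db(traces, k):
    """Enumerate every length-k window that occurs in the normal traces."""
    db = set()
    for trace in traces:
        db.update(windows(trace, k))
    return db


def score_trace(trace, db, k, frame=20):
    """Score a trace against the normal database.

    Returns (mismatches, total_windows, max_lfc): the number of windows not in the
    database, the number of windows examined, and the locality frame count, i.e. the
    peak number of mismatches seen within any `frame` consecutive windows. A burst of
    mismatches close together (high LFC) is a stronger signal than the same number
    scattered across a long trace.
    """
    misses = [w not in db for w in windows(trace, k)]
    recent = deque(maxlen=frame)  # trailing window of recent mismatch flags
    max_lfc = 0
    for miss in misses:
        recent.append(miss)
        max_lfc = max(max_lfc, sum(recent))
    return sum(misses), len(misses), max_lfc


def is_anomalous(trace, db, k, frame=20, lfc_threshold=2):
    """Flag a trace when its locality frame count reaches the (assumed) threshold."""
    _, _, max_lfc = score_trace(trace, db, k, frame)
    return max_lfc >= lfc_threshold


if __name__ == "__main__":
    db = build_db(NORMAL_TRACES, k=3)
    print(score_trace(TEST_TRACE, db, k=3), is_anomalous(TEST_TRACE, db, k=3))
```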