Christina Warrender, Stephanie Forrest, Barak Pearlmutter
This paper explores the use of system call sequences as an observable for intrusion detection. The authors compare four data modeling methods—simple enumeration, frequency-based methods, data mining approaches, and Hidden Markov Models (HMMs)—to identify normal behavior and detect intrusions. They use a variety of data sets, including synthetic and real-world traces from different programs, to evaluate the performance of each method. The results show that while HMMs are the most powerful method, they are also the most computationally expensive. Other methods, such as sequence time-delay embedding (stide) and t-stide, are more efficient but may be less accurate. The study concludes that for this specific problem, weaker methods than HMMs are likely sufficient, and the choice of method depends on the specific requirements of the application.
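As an added illustration (not code from the paper), the following implements the simple-enumeration method, stide, its frequency-pruned variant t-stide, and the locality-frame-count scan on constructed syscall traces; the window length k=4, the locality frame of 8 windows and the pruning threshold are assumptions chosen for the example, not the paper's parameters.

```python
from collections import Counter

# Constructed sample traces of syscall names; not data from the paper.
NORMAL_TRACES = [
    ["open", "read", "write", "close"] * 5,
    ["open", "read", "read", "write", "close"] * 5,
]
# Constructed test trace: the normal loop with one unexpected call inserted.
ANOMALOUS_TRACE = (["open", "read", "write", "close"] * 2
                   + ["open", "execve", "read", "write", "close"]
                   + ["open", "read", "write", "close"] * 2)


def windows(trace, k):
    """Yield every length-k contiguous window of a trace as a tuple."""
    return (tuple(trace[i:i + k]) for i in range(len(trace) - k + 1))


def train_stide(traces, k=4):
    """stide: the normal profile is the set of length-k windows seen in training.
    Counts are kept so that t-stide can prune rare windows afterwards."""
    db = Counter()
    for trace in traces:
        db.update(windows(trace, k))
    return db


def prune_tstide(db, min_count):
    """t-stide: drop windows seen fewer than min_count times in training, so rare
    but legitimate sequences also count as anomalous (fewer misses, more alarms)."""
    return Counter({w: n for w, n in db.items() if n >= min_count})


def scan_stide(db, trace, k=4, locality=8):
    """Flag each window absent from the profile as a mismatch. Return the total
    mismatch count and the peak locality frame count (LFC): the most mismatches
    within any `locality` consecutive windows, which separates a burst of
    anomalous behaviour from isolated noise."""
    flags = [0 if w in db else 1 for w in windows(trace, k)]
    peak_lfc = max((sum(flags[max(0, i - locality + 1):i + 1])
                    for i in range(len(flags))), default=0)
    return sum(flags), peak_lfc


if __name__ == "__main__":
    profile = train_stide(NORMAL_TRACES)
    print("normal trace:", scan_stide(profile, NORMAL_TRACES[0]))     # (0, 0)
    print("anomalous trace:", scan_stide(profile, ANOMALOUS_TRACE))   # (4, 4)
    # Pruning rare windows turns part of a legitimate trace into mismatches.
    print("t-stide on normal:", scan_stide(prune_tstide(profile, 5), NORMAL_TRACES[0]))  # (4, 2)
```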