Abstract:
Correlation between system calls at different positions is defined based on the local theory of programming. Using this correlation, a fuzzy matching method that operates between the real system call sequence and the normal system call sequence is presented. The method can be used to judge whether a program is running normally and can therefore be used for intrusion detection. A host-based intrusion detection system using this method is presented, and its system structure, the relations among its modules, and the principle and design of the modules are given in detail. The intrusion detection system was tested on a test-bed, and the test results show the validity of the method.