Abstract:
Research on anomaly detection currently focuses on four aspects: selection of the data source, specification of behavior, learning of normal behavior, and behavior matching. For the first aspect, this paper presents a new data source based on Linux Security Modules (LSM). To evaluate its effectiveness, we apply two kinds of method, information-theoretic measures and a Markov chain model, and compare the results with those obtained from system call data. The experimental results indicate that this data source is useful and, under certain conditions, even better than system call data.
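The following Python script is an added illustration of the two evaluation methods named above; it is not the paper's code. It builds a first-order Markov chain over a constructed trace of LSM hook names, computes the conditional entropy of the trace (one of the information-theoretic regularity measures, where lower entropy means the next event is more predictable from the current one), and scores test traces by their average per-transition surprise. The hook names, the additive smoothing constant, the scoring rule, the anomaly threshold and the constructed system call trace used for comparison are all assumptions; the paper does not specify them.

```python
"""First-order Markov chain and conditional entropy over an event trace.

Added example, not the paper's code. Event names are constructed stand-ins
for the paper's LSM-based data source; the same functions run unchanged over
a system call trace, so the two sources can be compared side by side.
"""
from collections import Counter, defaultdict
from math import log2

# Constructed training trace (not captured data): a process opening a file,
# reading it, and closing it, twice in a row, seen through LSM hooks.
NORMAL_TRACE = [
    "file_open", "file_permission", "file_permission", "file_free",
    "file_open", "file_permission", "file_free",
]

# Constructed system call view of similar activity, for the source comparison.
SYSCALL_TRACE = ["open", "fstat", "read", "read", "close",
                 "open", "fstat", "read", "close"]


class MarkovModel:
    """First-order Markov model of event-to-event transitions (assumed model form)."""

    def __init__(self, alpha=0.01):
        self.alpha = alpha              # additive smoothing for unseen transitions
        self.trans = defaultdict(Counter)
        self.states = set()

    def fit(self, traces):
        for trace in traces:
            self.states.update(trace)
            for cur, nxt in zip(trace, trace[1:]):
                self.trans[cur][nxt] += 1
        return self

    def prob(self, cur, nxt):
        """Smoothed P(nxt | cur); an unseen state or pair keeps a small nonzero mass."""
        row = self.trans.get(cur, Counter())   # .get avoids inserting empty rows
        total = sum(row.values())
        n = len(self.states) + 1                # +1 reserves mass for never-seen events
        return (row[nxt] + self.alpha) / (total + self.alpha * n)

    def conditional_entropy(self):
        """Empirical H(X_{t+1} | X_t) in bits over the training transitions."""
        total = sum(sum(row.values()) for row in self.trans.values())
        h = 0.0
        for row in self.trans.values():
            row_total = sum(row.values())
            for count in row.values():
                h -= (count / total) * log2(count / row_total)
        return h

    def score(self, trace):
        """Average surprise (-log2 P) per transition; higher means more anomalous."""
        if len(trace) < 2:
            return 0.0
        nll = sum(-log2(self.prob(cur, nxt)) for cur, nxt in zip(trace, trace[1:]))
        return nll / (len(trace) - 1)


def is_anomalous(model, trace, threshold):
    """Assumed matching rule: flag a trace whose mean surprise exceeds the threshold."""
    return model.score(trace) > threshold


def compare_sources(traces_by_source):
    """Conditional entropy per data source; a lower value means a more regular source."""
    return {name: MarkovModel().fit([trace]).conditional_entropy()
            for name, trace in traces_by_source.items()}


if __name__ == "__main__":
    model = MarkovModel().fit([NORMAL_TRACE])
    print("regularity by source:", compare_sources(
        {"lsm": NORMAL_TRACE, "syscall": SYSCALL_TRACE}))
    for name, trace in [
        ("normal", NORMAL_TRACE),
        ("skip permission check", ["file_open", "file_free", "file_open", "file_free"]),
        ("unknown hook", ["file_open", "socket_connect", "file_open"]),
    ]:
        print(f"{name}: score={model.score(trace):.3f} "
              f"anomalous={is_anomalous(model, trace, threshold=2.0)}")
```

The threshold of 2.0 bits is a placeholder chosen for the constructed traces; in practice it is set from the score distribution of held-out normal traces. Comparing the conditional entropy of the LSM trace with that of the system call trace is the kind of information-theoretic check the abstract describes, applied here to constructed data only.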