Program behavior control is an active detection mechanism. The research of program behavior contro mainly focuses on four aspects: audit data selection, behavior description, the establishment of normal behavior and behavior matching. This paper investigates the event sequence model and proposes the use of LSM(Linux security modules) as an alternative data source to system calls. Based on the data quality analysis and execution results from real systems, the efficiency of the LSM data source is verified from both theoretical and practical points of view Results show that, because of its more refined granularity and its better security relevance, LSM data source is more suitable for the audit events used in event sequence models.