    Pan Feng, Jiang Junjie, Wang Weinong. Measuring the Regularity of Normal Behaviors in Anomaly Detection [J]. Journal of Computer Research and Development, 2005, 42(8): 1415-1421. (Chinese-language citation)
    Citation: Pan Feng, Jiang Junjie, and Wang Weinong. An Entropy-Based Method to Measure the Regularity of Normal Behaviors in Anomaly Detection [J]. Journal of Computer Research and Development, 2005, 42(8): 1415-1421.

    Measuring the Regularity of Normal Behaviors in Anomaly Detection

    An Entropy-Based Method to Measure the Regularity of Normal Behaviors in Anomaly Detection

    • Abstract (translated from the Chinese): Anomaly detection is a basic means of defending against novel attacks, and the regularity of normal behavior is a fundamental factor determining detection capability. Using information entropy as the analysis tool, this paper proposes a method for measuring the degree of regularity of normal behavior in anomaly detection, applies the method to the analysis of two anomaly-detection case studies, and analyzes theoretically how features can be transformed to obtain more regularity information. On the basis of this theory, two new anomaly-detection algorithms are proposed for different data types.

      Abstract: Anomaly detection is an essential component of the protection mechanisms against novel attacks. In this paper, an entropy-based method to measure the regularity of normal behaviors in anomaly detection is proposed. The measure is defined as the ratio of the entropy of normal behavior to the entropy of totally random behavior. Two case studies, on Unix system-call data and on network tcpdump data, illustrate the utility of this measure. A new algorithm is proposed to detect intrusions using sequences of system calls; it can perform anomaly detection over noisy data. In addition, a new immune algorithm, the multi-level negative selection algorithm, is developed and applied to anomaly detection and compared with Forrest's negative selection algorithm; it substantially improves the efficiency of detector generation.
