Abstract: Building on the traditional finite state automaton (FSA), system objects can be resolved from the parameters of system calls, and a software behavior model based on system objects (SBO) is presented. This model defines the software state as the states of all system objects owned by the software, and each state in the model is assigned semantic information. Using this semantic information, SBO can solve the problem of irrelevant semantics between different traces, and it can detect data semantic attacks, which directly or indirectly modify system call parameters. Finally, a prototype software anomaly intrusion detection system based on SBO (SBOIDS) is implemented. The experimental and analysis results show that SBO can effectively detect data semantic attacks and control the flow-based and mimicry attacks.
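The following is an added illustration of the idea in the abstract, not code from the paper or from SBOIDS. It assumes a simplified trace format of `(syscall, argument, return value)` and treats "last operation on the object" as the object's state; the paths, file descriptors and function names are all constructed for the example. It compares a syscall-name FSA with a per-object model on a trace whose call sequence looks normal but whose parameter refers to a different object.

```python
from collections import defaultdict

# Constructed traces: (syscall, argument, return value); paths and fds are sample values.
TRAINING = [
    ("open", "/etc/app.conf", 3), ("read", 3, 0), ("close", 3, 0),
    ("open", "/var/log/app.log", 4), ("write", 4, 0), ("close", 4, 0),
]
# Every name-level transition below was seen in training, but write() now targets the config file.
TAMPERED = [("open", "/etc/app.conf", 3), ("write", 3, 0), ("close", 3, 0)]

def resolve_objects(trace):
    """Resolve each call to (system object, operation) through an fd table."""
    fds = {}
    for name, arg, ret in trace:
        if name == "open":
            fds[ret] = arg            # open() binds the returned fd to the path
            yield arg, name
        else:
            yield fds.get(arg, "<unknown fd>"), name
            if name == "close":
                fds.pop(arg, None)

def learn_name_fsa(trace):
    """Baseline: allowed transitions between consecutive syscall names only."""
    names = ["START"] + [call[0] for call in trace]
    return set(zip(names, names[1:]))

def name_fsa_anomalies(model, trace):
    names = ["START"] + [call[0] for call in trace]
    return [t for t in zip(names, names[1:]) if t not in model]

def learn_object_model(trace):
    """Allowed (object, object state, operation) triples; state = last op on that object."""
    state, allowed = defaultdict(lambda: "START"), set()
    for obj, op in resolve_objects(trace):
        allowed.add((obj, state[obj], op))
        state[obj] = op
    return allowed

def object_anomalies(model, trace):
    state, found = defaultdict(lambda: "START"), []
    for obj, op in resolve_objects(trace):
        if (obj, state[obj], op) not in model:
            found.append((obj, state[obj], op))
        state[obj] = op
    return found

if __name__ == "__main__":
    print("name FSA:", name_fsa_anomalies(learn_name_fsa(TRAINING), TAMPERED))
    print("object model:", object_anomalies(learn_object_model(TRAINING), TAMPERED))
```

The name-level FSA accepts the tampered trace because `open`, `write`, `close` is a learned sequence, while the object-level model reports the write to an object that was only ever read.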