The malware detection is one of the important parts in a secure Linux frame．Most existing malware detection methods are based on the signature and generally leave behind the development of the malware technology, which cannot meet the ever increaing needs of security. Behavior-based detectors require high-quality specifications of malicious behavior. This paper introduces an automatic technique to mine specifications of malicious behavior based on system calls and explores multiple execution paths for malware specifications, which helps the specifications to be more specific and more comprehensive, and improves the rate of detection of the behavior-based detectors.