This study provides a potential approach to detect network intrusion based on anomaly-free network traffic at the system level. Since the variables used in the model are retrievable from network audit data and the bootstrap simulation can be accomplished via common computer languages, this proposed model could be adopted by a variety of intrusion detection systems. In particular, it could be used as a threshold to filter network traffic in the mobile computing environment where training data are limited and may not include any abnormal events or such events are insufficient for other methods. The presented simple probability-based model illustrates equivalent performance in sensitivity, specificity, ROC (receiver operating characteristic) area, and classification agreements as compared with the logistic regression approach. Network traffic audit data proved unique and valuable information for network security. Although a comprehensive intrusion detection scheme contains multiple data sources and multiple measurements, the system-level traffic data provide important baseline information on anomalous traffic that could harm the network system, and such information can be learned from training data. This study focused on two goals: (1) to develop a probability model that describes the baseline normal behavior pattern for each site represented by the Internet Protocol (IP) address with anomaly-free data and (2) to validate the model and estimate the probability of being normal for each network connection. Tables, figures, and references