A method for analyzing user's behaviors is provided. API function call patterns occurring when operations on various objects are performed on a computer system are configured with contexts. User's behaviors are recognized as associations between the contexts and systematically expressed. Information flow occurring in the user's behaviors (i.e., associations between the contexts) is tracked. The information flow chain is divided into a source and a destination. When the information flow a confidential object to a leakage point occurs, the information leakage is rapidly detected and blocked. By exactly recognizing behaviors belonging to the corresponding information flow chain, user's behaviors related to the information leakage can be detected. Furthermore, the behavior expression based on the contexts configured with the API function call patterns with respect to the system object can be achieved by naturally connecting the API function call occurring on the system as an abstract behavior.