Based on the immune mechanism, we present a computer system security model used to detect and classify non-self, which overcomes some drawbacks of traditional computer immune system based on system call: the large number of system calls intercepted, the loss of useful information owing to paying no attention to the arguments of system calls, distinction between self and non-self just by rule matching, etc. We introduce the process of non-self detection and classification based on rule and Sandbox further distinguishing the process of unknown type, based on the definition of system call related to security and event related to security. We resolve the problem of traditional sandbox system: the unreliability and insecurity of process and the display of process behavior incompletely caused by denying the execution of a system call. Experimental results verify the effectiveness of distinguishing non-self and its class based on system call related to security, and show that our model can detect non-self in Sandbox which is unknown type by rule matching without imposing heavy performance impact upon operating system.