Audit scheme for intranet behavior based on improved regular expression rule grouping
YU Yihan, FU Yu, WU Xiaoping
Journal of Computer Applications    2016, 36 (8): 2241-2245.   DOI: 10.11772/j.issn.1001-9081.2016.08.2241
Abstract
To address the insufficient capability of application layer protocol auditing, an intranet behavior audit scheme based on improved Regular Expression (RE) rule grouping was proposed. First, the protocols to be audited were described by regular expressions, and the relevant parameters were set so that the states of high-frequency protocols and of protocols relatively important to the audit in the intranet had high priority in the RE set. Then, provided that the interaction value of the regular expressions remained small, the high-priority protocol state expressions were placed in the same automaton group as far as possible to generate the audit engine. Finally, the relevant parameters were changed according to the audit requirements to achieve security audit of intranet behavior. Experimental results showed that, compared with the classic Nondeterministic Finite Automaton (NFA) construction algorithm named Thompson, the number of states produced by the proposed automata construction algorithm was reduced to 10% to 20%, and the detection throughput was 8 to 12 times that of the traditional automata grouping engine. The proposed audit scheme can meet the demands of application layer protocol security audit with high accuracy and efficiency.