Excerpt from the paper
Anomaly detection of privileged processes is one of the most important means of safeguarding host and system security. The key problem in improving detection performance is to accurately identify the local behavior of short sequences in traces of system calls. An alternative modeling method is proposed based on typical pattern matching of short sequences; it builds upon the concept of short sequences with context dependency and a specially designed aggregation algorithm. The experimental results indicate that the modeling method that considers context dependency clearly improves the sensitive decision threshold compared with the previous modeling method.