On the basis of the current single layer Markov chain anomaly detection model, this paper proposes a new two-layer model. Two distinctly different processes, the different requests and the system call sequence in the same request section, are classified as two layers and dealt with by different Markov chains respectively. The two-layer frame can depict the dynamic activity of the protected process more exactly than the single layer frame, so that the two-layer detection model can promote the detection rate and degrade the false alarm rate. Furthermore, the detected anomaly will be limited in the corresponding request sections where anomaly happens. The new detection model is suitable for privileged processes, especially for those based on request-response.