Instead of using the plain frequency of audit data, this paper presents several novel cross frequency weights to model user and program behaviors for anomaly detection. The frequency weights are plain Term Frequency (TF) and various term frequency-inverse document frequency (tfidf) defined as Ltfidf, Mtfidf and LOGtfidf respectively. Nearest Neighbor (NN) and K-NN methods with Euclidean and Cosine distance measures as well as Chi-square test method based on these frequency weights are used for anomaly detection. Extensive experiments are performed based on command data from Schonlau et al. and the results show that the LOGtfidf weight gives better detection performance compared with plain frequency and other types of weights, and Eculidean distance gives better detection performance compared with Cosine distance measure while the Chi-square test consistently returns the worst results. By using the LOGtfidf weight, the simple NN method achieves the better masquerade detection results than the other 7 methods in literature. The LOGtifidf weight improves the detection results with 27.9% than plain TF and improves with 30.8% than Ltfidf based on the NN method. The sendmail system call data from University of New Mexico (UNM) are used as well and the results also demonstrate the effectiveness of the LOGtfidf weight for detection of anomalous program behavior.