While automatic online software anomaly detection is crucial for ensuring the quality of production software, current techniques are mostly inefficient and ineffective. For online software, its inputs are usually provided by the user at runtime and the validity of the outputs cannot be automatically verified without a predefined oracle. Furthermore, some online anomalous behavior may be caused by the anomalies in the execution context, rather than by any code defect, which are even more difficult to detect. Existing approaches tackle this problem by identifying certain properties observed from the executions of the software during a training process and using them to monitor software online anomalous behavior. However, the large execution overhead required for monitoring these properties limits their applicability at runtime. We present a model that applies effective algorithms to select a close to optimal set of anomaly-revealing invariants, which enables online anomaly detection with minimal execution overhead. Our empirical results show that an average of 75% of anomalies were detected by using at most 5% of execution overhead.