The paper describes the methodology of constructing models of typical user behaviour in a distributed information system, which may operate with sensitive data. The model is designed for the detection of abnormal behaviour occurring during the invasion of an intruder in the system. Also, the paper deals with the general approach to the implementation of the model infrastructure and algorithms of the main modules. Moreover, two possible methods for implementing the model in the target system are described.