Information systems (ISs) of large organisations are constantly becoming more complex. As a result, it is becoming extremely difficult to secure against internal threats and safeguard sensitive data in such a multi-system environment. There is a need for a common centralised data protection platform. One way to defend against internal threats using intelligent algorithms is Anomaly Activity Detection (AAD). To gain benefits of AAD systems and avoid their typical problems, we have developed our own AAD framework, which is embedded into the IS at the application level of the OSI model. To solve the problems associated with the growth of the number of information systems, an extension of common user behaviour profile to a distributed one has been developed within the framework of the research. One user has a common profile for all ISs of a corporate information network; as a result, the costs of implementing, maintaining and using the abnormal behaviour detection system are significantly reduced. At the same time, there is a cumulative effect when the amount of data about the user behaviour increases due to their receipt from all target ISs, which gives improvement in the efficiency of such a global profile. The paper proposes three approaches to building distributed profiles of user behaviour.