Insider threats posed by authorized users have caused significant security and privacy risks to IT systems. The behavior of authorized users in using system services must be monitored and controlled. However, the administrators of large distributed systems are overwhelmed by the number of system users and by the complexity and changing nature of user activities. This paper presents a new generation of intelligent decision support systems that effectively help system administrators gain deep insight into the system users’ dynamic behavior patterns. With these patterns, the system administrators are capable of constructing dynamic refinements to the existing security policies. We explore a method of interactively and incrementally extracting users’ behavior patterns by combining data mining techniques with domain and system knowledge, and applying such knowledge to provide recommendations throughout the whole process. A prototype tool has been developed to analyze the audit logs from distributed medical imaging systems to validate the proposed approach.