A major goal of current computer network security systems is to protect the network from outside attackers; however, protecting the network from its own users remains a largely unaddressed problem. In campus area networks, the risk of internal attacks is high because of their topologies and the number of users. This work proposes a new approach to identify whether or not a network user is behaving normally, by analyzing host traffic using top-k ranking similarity measures. The result of this analysis could serve as an input to intrusion detection systems. The document presents an experiment in which the real-time traffic of different users in a campus area network is compared to a reference traffic that corresponds to one of them.
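As an added illustration (not code from the work described), the sketch below ranks each host's traffic by service and scores it against a reference host's ranking. The abstract does not name its measures, so the one used here, Spearman's footrule with location parameter k+1 (Fagin et al.), is an assumption, as are the ranked feature (bytes per service), the flow records and k=3, all of which are constructed.

```python
from collections import Counter

# Constructed sample flows: (destination service, bytes). Not data from the experiment.
REFERENCE = [("https", 9000), ("dns", 300), ("imap", 1200), ("ssh", 500), ("https", 4000)]
HOST_A = [("https", 7000), ("ssh", 900), ("imap", 800), ("dns", 100)]
HOST_B = [("smb", 5000), ("rdp", 3000), ("https", 200), ("telnet", 900)]

def top_k(flows, k):
    """Return the k services carrying the most bytes, highest first."""
    totals = Counter()
    for service, nbytes in flows:
        totals[service] += nbytes
    # Sort by bytes descending, then by name so ties are deterministic.
    ranked = sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))
    return [name for name, _ in ranked[:k]]

def footrule_similarity(a, b, k):
    """Similarity in [0, 1] between two top-k lists.

    An item absent from a list is treated as sitting at rank k+1, so
    disjoint lists reach the maximum distance k*(k+1) and score 0.
    """
    pos_a = {item: rank for rank, item in enumerate(a, start=1)}
    pos_b = {item: rank for rank, item in enumerate(b, start=1)}
    missing = k + 1
    dist = sum(abs(pos_a.get(x, missing) - pos_b.get(x, missing))
               for x in set(a) | set(b))
    return 1 - dist / (k * (k + 1))

def score_hosts(reference, hosts, k=3):
    """Score every host's top-k ranking against the reference ranking."""
    ref_rank = top_k(reference, k)
    return {name: footrule_similarity(ref_rank, top_k(flows, k), k)
            for name, flows in hosts.items()}

if __name__ == "__main__":
    for host, sim in score_hosts(REFERENCE, {"A": HOST_A, "B": HOST_B}).items():
        print(f"host {host}: similarity to reference = {sim:.3f}")
```

A low score marks a host whose dominant traffic differs from the reference profile; the cut-off that separates normal from abnormal has to be tuned on the network's own traffic.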