Flexible Intrusion Detection Using Variable-Length Behavior Modeling in Distributed Environment: Application to CORBA Objects
Zakia Marrakchi, Ludovic Mé, Bernard Vivinis and Benjamin Morin
Supélec, Cesson-Sevigne, France
Abstract
This paper presents an approach to the intrusion detection problem applied to CORBA-type distributed environments. The approach
is based on measuring deviation from reference client behaviors towards the CORBA servant objects to be protected. We
consider a client behavior to be the sequence of requests invoked between a client-server pair during each connection
of the observed client. During a training period, we construct a client behavior model represented as a tree with
variable-length branches. This model takes into account both the series of invoked requests and their parameter values. To make
our approach more flexible, we construct, at the end of the training period, a tolerance interval for each numerical parameter.
These intervals allow the deviation between observed and learned values to be measured. This article presents our preliminary
results and introduces our future work.
This work is partly funded by the France Telecom R&D Center. We would especially like to thank Anne Lille, Eric Malville,
and Michel Milhau for many interesting discussions.
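A minimal sketch of the model the abstract describes, added here as an illustration and not taken from the paper: each training connection becomes a branch of a request tree, numeric parameters get a tolerance interval at the end of training, and a checked connection is reported when it leaves the tree or an interval. The interval rule (mean ± k standard deviations), the alert format and the request names are assumptions; the abstract does not specify them.

```python
from statistics import mean, pstdev

class Node:
    def __init__(self):
        self.children = {}   # request name -> Node for the request that followed it
        self.samples = {}    # numeric parameter name -> values seen during training
        self.intervals = {}  # numeric parameter name -> (low, high) tolerance interval

class BehaviorModel:
    def __init__(self, connections, k=3.0):
        self.root, self.k = Node(), k
        for connection in connections:   # training period
            self._learn(connection)
        self._build_intervals()          # end of the training period

    def _learn(self, connection):
        # One connection is a list of (request, params); it extends one branch,
        # so connections of different lengths give branches of different lengths.
        node = self.root
        for request, params in connection:
            node = node.children.setdefault(request, Node())
            for name, value in params.items():
                node.samples.setdefault(name, []).append(value)

    def _build_intervals(self):
        stack = [self.root]
        while stack:
            node = stack.pop()
            for name, values in node.samples.items():
                m, s = mean(values), pstdev(values)  # assumed rule: mean +/- k*std
                node.intervals[name] = (m - self.k * s, m + self.k * s)
            stack.extend(node.children.values())

    def check(self, connection):
        # Alerts are (position, request, parameter, deviation). parameter None:
        # request is on no learned branch. deviation None: parameter never learned.
        alerts, node = [], self.root
        for pos, (request, params) in enumerate(connection):
            if request not in node.children:
                alerts.append((pos, request, None, None))
                break  # no learned branch left to follow
            node = node.children[request]
            for name, value in params.items():
                iv = node.intervals.get(name)
                if iv is None or not iv[0] <= value <= iv[1]:
                    dev = None if iv is None else max(iv[0] - value, value - iv[1])
                    alerts.append((pos, request, name, dev))
        return alerts

# Constructed training connections; the request names are illustrative only.
TRAINING = [
    [("login", {}), ("getBalance", {}), ("withdraw", {"amount": 40})],
    [("login", {}), ("getBalance", {}), ("withdraw", {"amount": 50}), ("logout", {})],
    [("login", {}), ("getBalance", {}), ("withdraw", {"amount": 60})],
]
```

With this constructed data, `BehaviorModel(TRAINING).check(...)` accepts a withdrawal of 55 on the learned branch and reports a withdrawal of 5000 together with its distance from the learned interval.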