Portable computers are used to store and access sensitive information. They are frequently used in insecure locations with little or no physical protection, and are therefore susceptible to theft and unauthorized access. We propose an implicit user re-authentication system for portable computers that requires no application changes or hardware modifications. The proposed technique observes user-specific patterns in filesystem activity and network access to build models of normal behavior. These are used to distinguish between normal use and anomalous use. We describe these automated model generation and user detection techniques, and explain how to efficiently implement them in a wireless distributed system composed of servers and battery-powered portable devices. The proposed system is able to distinguish between normal use and attack with an accuracy of approximately 90% every 5 minutes and consumes less than 12% of a typical laptop battery in 24 hours.