Article ID: 448376
Journal: Computer Communications
Published Year: 2009
Pages: 7 Pages
File Type: PDF
Abstract

The purpose of this study is to describe an efficient deterministic intrusion detection approach that detects both old and new attacks. We focused especially on detecting the user-to-root (U2R) attacks of the 1999 DARPA evaluation dataset. The main idea of our approach is to test whether an unknown behavior is close enough to a known behavior (attack or normal) that we can conclude it belongs to that behavior's class. To achieve that, we formulate the problem of intrusion detection as a linear programming system (LPS). The objective function of this LPS minimizes the distance between an unknown behavior and one of the known behaviors, subject to some constraints. The solution of such a problem is a set of bivalent variables x_ij. If x_ij = 1, then we can conclude that the unknown behavior i belongs to the class of behaviors j. Our experiments demonstrated the efficiency of our approach.
