From CVE to CWE: Syscall-Based HIDS Generalisation
📰 ArXiv cs.AI
Learn how to generalize Host Intrusion Detection Systems (HIDS) from specific CVEs to broader CWEs using syscall-based anomaly detection, enabling better recognition of new exploits
Action Steps
- Train a one-class anomaly detector on normal system-call traces of CVEs sharing a Common Weakness Enumeration (CWE) class
- Evaluate the detector's performance on unseen exploits of the same CWE class
- Configure the detector to recognize new exploits of known weakness types
- Test the detector's generalization capabilities using various CVE instances
- Apply the syscall-based HIDS to real-world systems to detect unknown exploits
Who Needs to Know This
Security engineers and researchers can benefit from this approach to improve the effectiveness of their HIDS in detecting unknown exploits, while developers can use this knowledge to enhance the security of their systems
Key Insight
💡 Syscall-based anomaly detection can be used to generalize HIDS from specific CVEs to broader CWEs, enabling better detection of unknown exploits
Share This
Generalize HIDS from CVE to CWE using syscall-based anomaly detection #cybersecurity #AI
Key Takeaways
Learn how to generalize Host Intrusion Detection Systems (HIDS) from specific CVEs to broader CWEs using syscall-based anomaly detection, enabling better recognition of new exploits
Full Article
Title: From CVE to CWE: Syscall-Based HIDS Generalisation
Abstract:
arXiv:2606.22581v1 Announce Type: cross Abstract: Host intrusion detection systems (HIDS) based on system-call traces are typically trained and evaluated against individual Common Vulnerabilities and Exposures (CVE) instances. In operational settings, however, defenders need to recognise new exploits of an already known type of weakness. We empirically examine whether a one-class anomaly detector trained on the normal behaviour of a set of CVEs that share a Common Weakness Enumeration (CWE) clas
Abstract:
arXiv:2606.22581v1 Announce Type: cross Abstract: Host intrusion detection systems (HIDS) based on system-call traces are typically trained and evaluated against individual Common Vulnerabilities and Exposures (CVE) instances. In operational settings, however, defenders need to recognise new exploits of an already known type of weakness. We empirically examine whether a one-class anomaly detector trained on the normal behaviour of a set of CVEs that share a Common Weakness Enumeration (CWE) clas
DeepCamp AI