From CVE to CWE: Syscall-Based HIDS Generalisation

📰 ArXiv cs.AI

Learn how to generalize Host Intrusion Detection Systems (HIDS) from specific CVEs to broader CWEs using syscall-based anomaly detection, enabling better recognition of new exploits

advanced Published 23 Jun 2026
Action Steps
  1. Train a one-class anomaly detector on normal system-call traces of CVEs sharing a Common Weakness Enumeration (CWE) class
  2. Evaluate the detector's performance on unseen exploits of the same CWE class
  3. Configure the detector to recognize new exploits of known weakness types
  4. Test the detector's generalization capabilities using various CVE instances
  5. Apply the syscall-based HIDS to real-world systems to detect unknown exploits
Who Needs to Know This

Security engineers and researchers can benefit from this approach to improve the effectiveness of their HIDS in detecting unknown exploits, while developers can use this knowledge to enhance the security of their systems

Key Insight

💡 Syscall-based anomaly detection can be used to generalize HIDS from specific CVEs to broader CWEs, enabling better detection of unknown exploits

Share This
Generalize HIDS from CVE to CWE using syscall-based anomaly detection #cybersecurity #AI

Key Takeaways

Learn how to generalize Host Intrusion Detection Systems (HIDS) from specific CVEs to broader CWEs using syscall-based anomaly detection, enabling better recognition of new exploits

Full Article

Title: From CVE to CWE: Syscall-Based HIDS Generalisation

Abstract:
arXiv:2606.22581v1 Announce Type: cross Abstract: Host intrusion detection systems (HIDS) based on system-call traces are typically trained and evaluated against individual Common Vulnerabilities and Exposures (CVE) instances. In operational settings, however, defenders need to recognise new exploits of an already known type of weakness. We empirically examine whether a one-class anomaly detector trained on the normal behaviour of a set of CVEs that share a Common Weakness Enumeration (CWE) clas
Read full paper → ← Back to Reads

Related Videos

What is DevSecOps Explained with Examples
What is DevSecOps Explained with Examples
VLR Software Training
What is Post Quantum Cryptography Explained with Examples
What is Post Quantum Cryptography Explained with Examples
VLR Software Training
What is Biometric Authentication Explained with Examples
What is Biometric Authentication Explained with Examples
VLR Software Training
What is Passkeys Explained with Examples
What is Passkeys Explained with Examples
VLR Software Training
What is reCAPTCHA v3  Explained with Examples
What is reCAPTCHA v3 Explained with Examples
VLR Software Training
What is Multi Factor Authentication MFA Explained with Examples
What is Multi Factor Authentication MFA Explained with Examples
VLR Software Training