Known-exploit detection for the kernel

The social aspect of it is the problem.

Sure the kernel implementing features like this may succeed at detecting ham-fisted attacks, but the problem you run into is that people will naturally assume that this security feature has merit and will unfortunately actually try to depend on it.

People will write blog posts on how critically important it is to make sure you use a kernel version with this detection enabled in it and so on and so forth. It'll end up in Google's cache when people search 'make sure Linux is secure' or such things and then it'll just get increasingly stupid and self-defeating from then on.

You can see the same thing happen all over the place with various 'linux security features'.

A perfect example of this is things like 'chkrootkit'. People may end up with a hacked website and then install chkrootkit and run it thinking that somehow it will actually be effective at detecting root kits, which it is not. Or schemes that involve checking file checksums using 'rpm' utility. Or things like 'fail2ban' being used to 'secure' ssh, or port knocking, or any other number of silly and hokum things that people try to do to 'improve' their security.

Like anti-virus in Windows there is a actual limited useful application for some of this stuff, but most people are not able to know what that is.

Software security is already hard enough without creating features that add to the confusion with no real benefit.