Possible Co-stimulators

What we are really looking for are state attributes of a system or a process that will contain meaningful data when an attack is in progress or just succeeded. Some examples:

Open network connections to the target process or system (with endpoint information) at the time the anomaly is detected
File access history (access profiling)
Value of the user-mode instruction pointer at the time the anomaly is detected
Memory segment map (for evaluating what the instruction pointer is referencing)
Process exec history
Current user context of the process and the expected context
unhandled segmentation fault counter per binary (spanning all process instances)

Curious: how many of you know why the last one is interesting?