Possible Co-stimulators
What we are really looking for are state attributes of a system or process that contain meaningful data while an attack is in progress or has just succeeded. Some examples:
- Open network connections to the target process or system (with endpoint information) at the time the anomaly is detected
- File access history (access profiling)
- Value of the user-mode instruction pointer at the time the anomaly is detected
- Memory segment map (for evaluating what the instruction pointer is referencing)
- Process exec history
- Current user context of the process and the expected context
- Unhandled segmentation fault counter per binary (spanning all process instances)
Curious: how many of you know why the last one is interesting?
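The last item, as an added detection example (not code from the original post): it keys unhandled segfaults on the binary rather than the process, so a burst of crashes across many fresh process instances of one program (a service being respawned after every crash, for instance) becomes visible as a single counter that can be alerted on. It assumes the Linux kernel's `segfault at ... ip ... sp ... error N` report line as printed by dmesg; the sample lines are constructed.

```python
import re
from collections import defaultdict

# Linux kernel segfault report line as printed by dmesg (timestamp in seconds).
# "comm" is the kernel's task name, truncated to 15 characters, so very long
# binary names will collide on their prefix.
SEGFAULT_RE = re.compile(
    r"\[\s*(?P<ts>\d+\.\d+)\]\s+(?P<comm>\S+)\[(?P<pid>\d+)\]: segfault at "
    r"(?P<addr>[0-9a-f]+) ip (?P<ip>[0-9a-f]+) sp (?P<sp>[0-9a-f]+) error (?P<err>\d+)"
)

# Constructed sample: one isolated crash, and a service that keeps crashing
# and being restarted under new PIDs within a few seconds.
SAMPLE_DMESG = """\
[ 1001.10] gedit[2201]: segfault at 0 ip 000055d1c0a1f2a0 sp 00007ffc3c9e1d10 error 4 in gedit[55d1c0a00000+20000]
[ 1200.01] httpd[3101]: segfault at 7f3a12345678 ip 00007f3a1a2b3c4d sp 00007ffd11223344 error 4 in libc.so.6[7f3a1a200000+1c0000]
[ 1200.05] systemd[1]: Started Apache HTTP Server.
[ 1201.22] httpd[3107]: segfault at 7f3a12345678 ip 00007f3a1a2b3c4d sp 00007ffd11223344 error 4 in libc.so.6[7f3a1a200000+1c0000]
[ 1202.40] httpd[3112]: segfault at 7f3a12345678 ip 00007f3a1a2b3c4d sp 00007ffd11223344 error 4 in libc.so.6[7f3a1a200000+1c0000]
[ 1203.00] httpd[3118]: segfault at 7f3a12345678 ip 00007f3a1a2b3c4d sp 00007ffd11223344 error 4 in libc.so.6[7f3a1a200000+1c0000]
""".splitlines()


def parse_segfaults(lines):
    """Yield (timestamp, comm, pid, ip, error_code) for every kernel segfault line."""
    for line in lines:
        m = SEGFAULT_RE.search(line)
        if m:
            yield float(m["ts"]), m["comm"], int(m["pid"]), int(m["ip"], 16), int(m["err"])


def crash_bursts(lines, window=60.0, threshold=3):
    """Count unhandled segfaults per binary across all of its process instances.

    Returns {comm: distinct_pids} for binaries that crashed in at least
    `threshold` distinct processes within some `window`-second span.
    """
    events = defaultdict(list)  # comm -> [(ts, pid), ...]
    for ts, comm, pid, _ip, _err in parse_segfaults(lines):
        events[comm].append((ts, pid))
    flagged = {}
    for comm, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):  # sliding window over crash times
            while evs[end][0] - evs[start][0] > window:
                start += 1
            pids = {pid for _, pid in evs[start:end + 1]}
            if len(pids) >= threshold:
                flagged[comm] = max(flagged.get(comm, 0), len(pids))
    return flagged
```

The `ip` value is parsed but unused here; combined with the process's memory map (another item in the list above) it tells you whether the faulting instruction pointer was inside a mapped code segment at all.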