Memory Dump Analysis Anthology, Volume 7 by Dmitry Vostokov

Abnormal Value

While preparing a presentation on malware narratives[59] we found that one essential pattern is missing from the current log analysis pattern catalog. Most of the time we see some abnormal or unexpected value in a software trace or log, such as a network address outside the expected range, and this triggers further investigation. The message structure may be the same, having the same Message Invariant (Volume 6, page 251), but the variable part may contain such values, as depicted graphically:

[Figure: messages sharing one Message Invariant, with an abnormal value in the variable part of one message]

Please note that we also have the Significant Event (Volume 5, page 281) pattern, which is more general and also covers messages without a variable part ...
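As an added illustration (not from the book), the Abnormal Value pattern expressed as detection logic in Python: lines sharing one Message Invariant are matched, and only their variable part (the source address) is checked against an expected range. The log lines, the invariant and the expected network are constructed assumptions for this example.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample trace. Lines 1-4 and 6 share the same Message Invariant
# ("connection accepted from <addr>:<port>"); only the variable part differs.
# Line 5 has a different invariant and is therefore outside this pattern.
SAMPLE_LOG = """\
2023-01-01T10:00:01Z svc: connection accepted from 10.0.1.15:51234
2023-01-01T10:00:02Z svc: connection accepted from 10.0.1.16:51240
2023-01-01T10:00:03Z svc: connection accepted from 203.0.113.77:4444
2023-01-01T10:00:04Z svc: connection accepted from 10.0.2.9:51301
2023-01-01T10:00:05Z svc: listener bound to 0.0.0.0:8080
2023-01-01T10:00:06Z svc: connection accepted from 10.0.300.1:80
"""

# The Message Invariant is the fixed text; the variable part is captured.
INVARIANT = re.compile(r"connection accepted from (?P<addr>[0-9.]+):(?P<port>\d+)$")

# Expected range for the variable part (assumption for this example).
EXPECTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]


@dataclass
class AbnormalValue:
    line_no: int
    value: str
    message: str


def find_abnormal_values(log_text, expected_nets=EXPECTED_NETS):
    """Return messages whose invariant matches but whose variable part
    (the source address) is malformed or outside every expected network."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), start=1):
        m = INVARIANT.search(line)
        if m is None:
            continue  # different invariant: not an instance of this pattern
        try:
            addr = ipaddress.ip_address(m.group("addr"))
        except ValueError:
            # Matches the invariant but is not a valid address: abnormal as well
            hits.append(AbnormalValue(n, m.group("addr"), line))
            continue
        if not any(addr in net for net in expected_nets):
            hits.append(AbnormalValue(n, str(addr), line))
    return hits


if __name__ == "__main__":
    for hit in find_abnormal_values(SAMPLE_LOG):
        print(f"line {hit.line_no}: abnormal value {hit.value!r} in: {hit.message}")
```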
