Multiple Exceptions (user mode) - Modeling Example
Multiple Exceptions (kernel mode)
Multiple Exceptions (managed space)- Multiple Exceptions (stowed)
Dynamic Memory Corruption (process heap)
Dynamic Memory Corruption (kernel pool)- Dynamic Memory Corruption (managed heap)
False Positive Dump
Lateral Damage (general)- Lateral Damage (CPU mode)
Optimized Code (function parameter reuse)
Invalid Pointer (general)- Invalid Pointer (objects)
NULL Pointer (code)
NULL Pointer (data)
Inconsistent Dump
Hidden Exception (user space)- Hidden Exception (kernel space)
- Hidden Exception (managed space)
Deadlock (critical sections)
Deadlock (executive resources)
Deadlock (mixed objects, user space)
Deadlock (LPC)
Deadlock (mixed objects, kernel space)
Deadlock (self)- Deadlock (managed space)
- Deadlock (.NET Finalizer)
Changed Environment
Incorrect Stack Trace
OMAP Code Optimization
No Component Symbols
Insufficient Memory (committed memory)
Insufficient Memory (handle leak)
Insufficient Memory (kernel pool)
Insufficient Memory (PTE)
Insufficient Memory (module fragmentation)
Insufficient Memory (physical memory)
Insufficient Memory (control blocks)- Insufficient Memory (reserved virtual memory)
- Insufficient Memory (session pool)
- Insufficient Memory (stack trace database)
- Insufficient Memory (region)
- Insufficient Memory (stack)
Spiking Thread
Module Variety
Stack Overflow (kernel mode)
Stack Overflow (user mode)
Stack Overflow (software implementation)- Stack Overflow (insufficient memory)
- Stack Overflow (managed space)
Managed Code Exception- Managed Code Exception (Scala)
- Managed Code Exception (Python)
Truncated Dump
Waiting Thread Time (kernel dumps)
Waiting Thread Time (user dumps)
Memory Leak (process heap) - Modeling Example
Memory Leak (.NET heap)- Memory Leak (page tables)
- Memory Leak (I/O completion packets)
- Memory Leak (regions)
Missing Thread (user space)- Missing Thread (kernel space)
Unknown Component
Double Free (process heap)
Double Free (kernel pool)
Coincidental Symbolic Information
Stack Trace- Stack Trace (I/O request)
- Stack Trace (file system filters)
- Stack Trace (database)
- Stack Trace (I/O devices)
Virtualized Process (WOW64)- Virtualized Process (ARM64EC and CHPE)
Stack Trace Collection (unmanaged space)- Stack Trace Collection (managed space)
- Stack Trace Collection (predicate)
- Stack Trace Collection (I/O requests)
- Stack Trace Collection (CPUs)
Coupled Processes (strong)
Coupled Processes (weak)
Coupled Processes (semantics)
High Contention (executive resources)
High Contention (critical sections)
High Contention (processors)- High Contention (.NET CLR monitors)
- High Contention (.NET heap)
- High Contention (sockets)
Accidental Lock
Passive Thread (user space)
Passive System Thread (kernel space)
Main Thread
Busy System
Historical Information
Object Distribution Anomaly (IRP)- Object Distribution Anomaly (.NET heap)
Local Buffer Overflow (user space)- Local Buffer Overflow (kernel space)
Early Crash Dump
Hooked Functions (user space)
Hooked Functions (kernel space)- Hooked Modules
Custom Exception Handler (user space)
Custom Exception Handler (kernel space)
Special Stack Trace
Manual Dump (kernel)
Manual Dump (process)
Wait Chain (general)
Wait Chain (critical sections)
Wait Chain (executive resources)
Wait Chain (thread objects)
Wait Chain (LPC/ALPC)
Wait Chain (process objects)
Wait Chain (RPC)
Wait Chain (window messaging)
Wait Chain (named pipes)- Wait Chain (mutex objects)
- Wait Chain (pushlocks)
- Wait Chain (CLR monitors)
- Wait Chain (RTL_RESOURCE)
- Wait Chain (modules)
- Wait Chain (nonstandard synchronization)
- Wait Chain (C++11, condition variable)
- Wait Chain (SRW lock)
Corrupt Dump
Dispatch Level Spin
No Process Dumps
No System Dumps
Suspended Thread
Special Process
Frame Pointer Omission
False Function Parameters
Message Box
Self-Dump
Blocked Thread (software)
Blocked Thread (hardware)- Blocked Thread (timeout)
Zombie Processes
Wild Pointer
Wild Code
Hardware Error
Handle Limit (GDI, kernel space)- Handle Limit (GDI, user space)
Missing Component (general)
Missing Component (static linking, user mode)
Execution Residue (unmanaged space, user)- Execution Residue (unmanaged space, kernel)
- Execution Residue (managed space)
Optimized VM Layout- Invalid Handle (general)
- Invalid Handle (managed space)
- Overaged System
- Thread Starvation (realtime priority)
- Thread Starvation (normal priority)
- Duplicated Module
- Not My Version (software)
- Not My Version (hardware)
- Data Contents Locality
- Nested Exceptions (unmanaged code)
- Nested Exceptions (managed code)
- Affine Thread
- Self-Diagnosis (user mode)
- Self-Diagnosis (kernel mode)
- Self-Diagnosis (registry)
- Inline Function Optimization (unmanaged code)
- Inline Function Optimization (managed code)
- Critical Section Corruption
- Lost Opportunity
- Young System
- Last Error Collection
- Hidden Module
- Data Alignment (page boundary)
- C++ Exception
- Divide by Zero (user mode)
- Divide by Zero (kernel mode)
- Swarm of Shared Locks
- Process Factory
- Paged Out Data
- Semantic Split
- Pass Through Function
- JIT Code (.NET)
- JIT Code (Java)
- Ubiquitous Component (user space)
- Ubiquitous Component (kernel space)
- Nested Offender
- Virtualized System
- Effect Component
- Well-Tested Function
- Mixed Exception
- Random Object
- Missing Process
- Platform-Specific Debugger
- Value Deviation (stack trace)
- Value Deviation (structure field)
- Runtime Thread (CLR)
- Runtime Thread (Python, Linux)
- Coincidental Frames
- Fault Context
- Hardware Activity
- Incorrect Symbolic Information
- Message Hooks - Modeling Example
- Coupled Machines
- Abridged Dump
- Exception Stack Trace
- Distributed Spike
- Instrumentation Information
- Template Module
- Invalid Exception Information
- Shared Buffer Overwrite
- Pervasive System
- Problem Exception Handler
- Same Vendor
- Crash Signature
- Blocked Queue (LPC/ALPC)
- Fat Process Dump
- Invalid Parameter (process heap)
- Invalid Parameter (runtime function)
- String Parameter
- Well-Tested Module
- Embedded Comment
- Hooking Level
- Blocking Module
- Dual Stack Trace
- Environment Hint
- Top Module
- Livelock
- Technology-Specific Subtrace (COM interface invocation)
- Technology-Specific Subtrace (dynamic memory)
- Technology-Specific Subtrace (JIT .NET code)
- Technology-Specific Subtrace (COM client call)
- Dialog Box
- Instrumentation Side Effect
- Semantic Structure (PID.TID)
- Directing Module
- Least Common Frame
- Truncated Stack Trace
- Data Correlation (function parameters)
- Data Correlation (CPU times)
- Module Hint
- Version-Specific Extension
- Cloud Environment
- No Data Types
- Managed Stack Trace
- Managed Stack Trace (Scala)
- Managed Stack Trace (Python)
- Coupled Modules
- Thread Age
- Unsynchronized Dumps
- Pleiades
- Quiet Dump
- Blocking File
- Problem Vocabulary
- Activation Context
- Stack Trace Set
- Double IRP Completion
- Caller-n-Callee
- Annotated Disassembly (JIT .NET code)
- Annotated Disassembly (unmanaged code)
- Handled Exception (user space)
- Handled Exception (.NET CLR)
- Handled Exception (kernel space)
- Duplicate Extension
- Special Thread (.NET CLR)
- Hidden Parameter
- FPU Exception
- Module Variable
- System Object
- Value References
- Debugger Bug
- Empty Stack Trace
- Problem Module
- Disconnected Network Adapter
- Network Packet Buildup
- Unrecognizable Symbolic Information
- Translated Exception
- Regular Data
- Late Crash Dump
- Blocked DPC
- Coincidental Error Code
- Punctuated Memory Leak
- No Current Thread
- Value Adding Process
- Activity Resonance
- Stored Exception
- Spike Interval
- Stack Trace Change
- Unloaded Module
- Deviant Module
- Paratext
- Incomplete Session
- Error Reporting Fault
- First Fault Stack Trace
- Frozen Process
- Disk Packet Buildup
- Hidden Process
- Active Thread (Mac OS X)
- Active Thread (Windows)
- Critical Stack Trace
- Handle Leak
- Module Collection
- Module Collection (predicate)
- Deviant Token
- Step Dumps
- Broken Link
- Debugger Omission
- Glued Stack Trace
- Reduced Symbolic Information
- Injected Symbols
- Distributed Wait Chain
- One-Thread Process
- Module Product Process
- Crash Signature Invariant
- Small Value
- Shared Structure
- Thread Cluster
- False Effective Address
- Screwbolt Wait Chain
- Design Value
- Hidden IRP
- Tampered Dump
- Memory Fluctuation (process heap)
- Last Object
- Rough Stack Trace (unmanaged space)
- Rough Stack Trace (managed space)
- Past Stack Trace
- Ghost Thread
- Dry Weight
- Exception Module
- Reference Leak
- Origin Module
- Hidden Call
- Corrupt Structure
- Software Exception
- Crashed Process
- Variable Subtrace
- User Space Evidence
- Internal Stack Trace
- Distributed Exception (managed code)
- Thread Poset
- Stack Trace Surface
- Hidden Stack Trace
- Evental Dumps
- Clone Dump
- Parameter Flow
- Critical Region
- Diachronic Module
- Constant Subtrace
- Not My Thread
- Window Hint
- Place Trace
- Stack Trace Signature
- Relative Memory Leak
- Quotient Stack Trace
- Module Stack Trace
- Foreign Module Frame
- Unified Stack Trace
- Mirror Dump Set
- Memory Fibration
- Aggregated Frames
- Frame Regularity
- Stack Trace Motif
- System Call
- Stack Trace Race
- Hyperdump
- Disassembly Ambiguity
- Exception Reporting Thread
- Active Space
- Subsystem Modules
- Region Profile
- Region Clusters
- Source Stack Trace
- Hidden Stack
- Interrupt Stack
- False Memory
- Frame Trace
- Pointer Cone
- Context Pointer
- Pointer Class
- False Frame
- Procedure Call Chain
- C++ Object
- COM Exception
- Structure Sheaf
- Saved Exception Context (.NET)
- Shared Thread
- Spiking Interrupts
- Structure Field Collection
- Black Box
- Rough Stack Trace Collection (unmanaged space)
- COM Object
- Shared Page
- Exception Collection
- Dereference Nearpoint
- Address Representations
- Near Exception
- Shadow Stack Trace
- Past Process
- Foreign Stack
- Annotated Stack Trace
- Disassembly Summary
- Region Summary
- Analysis Summary
- Region Spectrum
- Normalized Region
- Function Pointer
- Interrupt Stack Collection
- DPC Stack Collection
- Dump Context
- False Local Address
- Encoded Pointer
- Latent Structure
- ISA-Specific Code
Pattern-Oriented Diagnostics and Cybersecurity: A Contest Between Patterns
Cybersecurity is often described as an arms race between attackers and defenders, but this framing obscures what is actually contested. The struggle is not primarily over tools, exploits, or even visibility. It is a contest between patterns: patterns of action, patterns of observability, and patterns of interpretation. Attacks succeed or fail not simply because signals are present or absent, but because those signals are read correctly or misread under adversarial conditions.
Every cyber incident produces a narrative. Systems execute, identities propagate, services communicate, and instrumentation captures fragments of these processes as logs, traces, metrics, memory artefacts, and signals. None of these artefacts is the attack itself. They are representations, shaped by choices of instrumentation, system architecture, and analytical assumptions. Pattern-Oriented Diagnostics (POD) begins with the recognition that cybersecurity operates within a representational space, where meaning must be reconstructed rather than directly observed.
Traditional security practice relies heavily on indicator-driven reasoning. Known signatures, rules, and thresholds are matched against observed data, and deviations are flagged as suspicious. This approach is effective when threats are stable, and behaviours are loud. Modern attacks, however, are deliberately quiet, distributed, and adaptive. They fragment activity across components, extend actions over long periods, and exploit normal operational pathways. In such environments, indicators lose discriminative power, while observability data grows richer but more ambiguous.
POD reframes this situation by focusing on recurring structural and behavioral forms rather than specific indicators. In cybersecurity terminology, problem patterns describe how compromises tend to manifest, regardless of the technology or tools used. Lateral movement manifests as extended causal chains that cross trust boundaries. Credential abuse manifests as subtle inconsistencies in authentication narratives rather than outright failures. Data exfiltration often emerges as sustained low-amplitude behaviour embedded in legitimate workflows. Command-and-control activity takes the form of periodic or asymmetrical message structures rather than obvious beaconing. These patterns persist even as infrastructures evolve.
Opposing these are analysis patterns, which determine how security data is produced, transformed, and interpreted. Aggregation windows, correlation logic, enrichment pipelines, sampling strategies, and cardinality reduction are not neutral technical details. They impose grammars on observable reality, defining what counts as continuity, causality, relevance, and anomaly. In adversarial contexts, attackers actively probe and exploit these grammars. They do not need to eliminate signals; they only need to ensure that the signals remain interpretable as benign.
Cybersecurity, therefore, becomes a contest between defensive diagnostic patterns and offensive pattern-shaping strategies. Here, analysis anti-patterns play a critical role in this contest. Narrative truncation prematurely closes causal histories and fragments incidents into unrelated alerts. Over-correlation forces disparate events into a single explanatory frame, obscuring genuine attacker agency. Representational drift allows evolving systems to invalidate baselines without explicit acknowledgement, enabling long-lived compromises to normalise themselves. These failures are structural weaknesses in interpretation, not merely operational mistakes.
In incident response, a pattern-oriented approach shifts attention away from linear timelines toward causal reconstruction. The central question is not just what happened and when, but which causal structures persisted, branched, or collapsed across the system. This is especially important in cloud-native and AI-augmented environments, where control planes, data planes, automation, and learning components generate overlapping but non-isomorphic narratives. POD provides a way to align these narratives without forcing them into a single, misleading story.
In proactive defence and threat hunting, POD enables analysts to search for abstract forms rather than concrete indicators. The focus moves from known bad values to anomalous structures: unexpected persistence of intent across components, asymmetries between request and response, incomplete or truncated message narratives, or unusual changes in causal density. This allows defenders to reason about novel attacks using stable diagnostic concepts.
Viewed this way, cybersecurity is not won by perfect visibility. It is won by resilient interpretation. Pattern-Oriented Diagnostics frames security as an interpretive discipline, one that recognises observability artefacts as texts written under adversarial pressure. In a contest between patterns, the decisive advantage lies not in seeing more, but in reading better, even when the text is designed to deceive.
Within cybersecurity, pattern-oriented work spans multiple layers of abstraction, from raw execution state to adversarial meaning-making. Three complementary pattern catalogs exemplify this stratification. The ADDR patterns capture recurring structural forms encountered during reverse engineering and memory-level analysis, providing a vocabulary for understanding how execution, corruption, and manipulation manifest in memory artefacts. Malware analysis patterns operate at a higher behavioural level, grounded in memory analysis patterns, and describe recurring motifs in malicious execution, persistence, and obfuscation that recur across families and platforms despite surface-level variation. Malnarratives and network trace analysis, grounded in trace and log analysis patterns, address a higher interpretive layer in which attackers deliberately shape logs, traces, and artefacts to produce misleading or ambiguous narratives for defenders. Taken together, these pattern catalogs illustrate how cybersecurity is contested across structure, behaviour, and narrative: attackers manipulate memory, actions, and meaning, while defenders rely on pattern repertoires at each level to stabilise interpretation under adversarial pressure.
POD Catalogs from DA+TA (DumpAnalysis.org + TraceAnalysis.org)
Memory Analysis Pattern and Structural Memory Patterns Catalogs include recurring structural and behavioral forms encountered during the analysis of memory dumps and execution artefacts. These patterns arise from long-term post-mortem analysis practice and capture how failures, corruption, abnormal execution, and malicious interference manifest in memory. They cover recurring situations observed in stacks, heaps, objects, pointers, threads, exceptions, and execution contexts across native, managed, and kernel environments. In cybersecurity contexts, these memory analysis patterns are especially valuable because memory often preserves evidence that higher-level telemetry does not. Even when logs are incomplete, traces are sampled, or observability data is manipulated, memory artefacts retain structural traces of execution and interference. By relying on documented memory analysis patterns rather than ad hoc interpretation, analysts can reason about compromise, exploitation side effects, and malicious persistence based on stable structural forms rather than fragile indicators.
Building on structural insights, Malware Analysis Pattern Catalog extends the pattern-oriented methodology specifically to the domain of malicious code investigation. Rather than relying solely on signatures or heuristic flags, these patterns describe common behavioural and morphological motifs observed across malware artefacts. By treating malware presence as a recurrent behavioural form in memory and trace universes, analysts can recognise functional similarity even in heavily obfuscated or polymorphic variants. This pattern-driven lens not only accelerates detection but also aligns malware analysis with broader diagnostic principles: patterns persist across contexts, and mastery of them enables detection of novel or adaptive threats that evade signature-centric defences.
The ADDR Pattern Catalog (Linux version) is a pattern repertoire developed for reverse engineering and low-level memory analysis, rather than a general diagnostic foundation. It catalogs recurring structural and behavioural forms encountered while reversing memory dumps, crash artefacts, disassembly contexts, and execution state across environments. In cybersecurity, the catalog plays a complementary role. It equips analysts with a shared vocabulary for reading memory as a constructed artefact, where both legitimate execution and malicious interference leave recognisable structural traces. When applied in incident response or malware investigations, these reversing-oriented patterns help distinguish normal complexity from adversarial manipulation, providing the raw structural insight upon which higher-level diagnostic and narrative reasoning can be built.
Trace and Log Analysis Pattern Catalog documents pattern-oriented approaches to analysing traces, logs, and execution histories, focusing on how behaviour unfolds over time rather than on individual events. These analysis patterns describe recurring ways in which execution narratives are structured, fragmented, repeated, or distorted as they pass through instrumentation, logging frameworks, and tracing systems. In cybersecurity, such patterns allow analysts to reason about attacker activity that is distributed, delayed, or blended into legitimate behaviour. Rather than treating logs and traces as literal records of truth, pattern-oriented trace and log analysis treats them as representations shaped by the choices of collection, aggregation, and interpretation. This enables the detection of adversarial activity by recognising recurring structural forms in execution narratives, even when specific indicators, signatures, or alerts are absent or misleading.
A particularly provocative concept emerging from pattern-oriented practice is that of malnarratives: intentionally distorted narratives crafted by threat actors to confound interpretation. In traditional diagnostics, logs, traces, and execution artefacts form a narrative of system behaviour; in malnarratives, adversaries manipulate this narrative structure itself rather than just the underlying behaviour. These engineered distortions can mimic normal patterns or introduce deceptive combinations of artefacts that mislead analysis, creating false causal chains, ambiguous sequences, or narrative gaps. Malnarratives challenge defenders to recognise not only what patterns are present but also whether the narrative they imply has been adversarially shaped. This elevates cybersecurity from anomaly detection to narrative integrity assessment, an essential step in adversarial contexts where attackers think in terms of deception as much as exploitation.
A natural extension of this pattern-oriented approach is network trace analysis, a domain that traditionally lacks a unified pattern language despite the presence of richly structured execution artefacts. By treating a network trace as a form of software trace, in which packet headers serve as trace messages coupled with transmitted data, existing software trace analysis patterns can be applied directly. Once a packet stream is rendered by a trace visualisation tool, it becomes amenable to the same diagnostic grammars used for software execution, including narratological interpretation, discourse analysis, and alternative representations. Patterns such as Discontinuity, No Activity, Truncated Trace, and Time Delta reveal gaps, absences, and temporal distortions in network behaviour, while patterns like Anchor Messages, Significant Event, and Bifurcation Point expose structural pivots and causal branching in communication flows. Layered protocols naturally give rise to Embedded Message patterns, as protocol headers encapsulate one another, and filtering by embedded headers yields representations analogous to Adjoint Threads (What is an Adjoint Thread?), where multiple logical conversations coexist within a single physical trace. This reframing positions network traces not as low-level traffic dumps, but as structured execution narratives that can be read, compared, and diagnosed using the same pattern repertoires developed for software traces.
These pattern catalogs are orthogonal pattern repertoires: they define independent ways of reading and interpreting execution artefacts, rather than stages in a pipeline or mutually exclusive data domains. They demonstrate how cybersecurity operates across different representational layers and provide documented pattern repertoires at each layer, enabling defenders to reason coherently from low-level execution states to high-level adversarial narratives without relying on invented taxonomies or tool-specific abstractions. A crucial consequence of this orthogonality is that, although memory analysis patterns, trace and log analysis patterns, and network trace analysis patterns operate at different representational layers, they are not mutually exclusive. In practice, trace and log analysis patterns can be applied directly to memory dumps, which often contain implicit execution traces, event sequences, and narrative fragments encoded in stacks, heaps, object graphs, and corrupted state. This cross-application reinforces the central point: these pattern catalogs describe different ways of reading artefacts, not different kinds of artefacts.
PDF: https://www.dumpanalysis.org/files/Pattern-Oriented-Diagnostics-Cybersec...