Define stateful protocol analysis. Include in your answer the concept of the event horizon.
What will be an ideal response?
When an IDPS receives a packet, information about the connection between the host and remote computer is compared to entries in the state table. A state table maintains a record of connections between computers that includes the source IP address and port, destination IP address and port, and protocol. Furthermore, the IDPS needs to maintain state information for the entire length of the attack, which is called the event horizon. Maintaining this information might require an IDPS to review many packets of data; during long attacks, such as those that last from user logon to user logoff, the IDPS might not be able to maintain the state information long enough, and the attack could circumvent the system.