1. Prove or disprove that state-based logging and transition-based logging are equivalent if and only if the state of the system at the first transition is recorded.
2. Suppose a remote host begins the TCP three-way handshake with the local host but never sends the final ACK. This is called a half-open connection. The local host waits for some short time and then purges the information from its network tables. If a remote host makes so many half-open connections that the local host cannot accept connections from other hosts, the remote host has launched a syn flood attack (See Section 26.4 for more details.) Derive logging and auditing requirements to detect such an attack.