Degree thesis

Design and Implementation of Cross-Layer Stateful Packet Capture and Logging for Network Forensic Analysis

Cross-Layer stateful traffic logging for network forensic analysis

Advisor: 孫雅麗

Abstract


As the Internet has spread in recent years, knowledge of system vulnerabilities has become easier to obtain online than ever before, so network attacks occur one after another and keep evolving; to this day there is still no complete mechanism that improves the current network security architecture. Existing signature-based intrusion detection systems and firewalls inspect each packet in isolation; such stateless detection can no longer block network worm attacks in time. Moreover, as attack tools become ever easier to obtain, future worms will be more sophisticated and their attack steps more complex, making them even harder to detect with today's stateless methods. Polymorphic techniques are also becoming common on the network; if future worms are built with polymorphism, their packets will no longer carry an invariant signature, and the stateless string matching of traditional intrusion detection systems, which treats each packet as an independent unit, will be unable to detect such attacks.

We previously proposed Security Monitor (SecMon), a cross-layer, stateful, behavior-based detection system in which the important behaviors of a possible attack are described with finite state machines (FSMs) at the protocol layer, at the service layer, and at the level of attack symptoms. It uses stateful inspection to fully track the state and content of network packet flows and to detect suspicious, complex attack sequences, with the aim of detecting network anomalies early and effectively. Compared with signature-based intrusion detection systems, this approach is better able to detect polymorphic worm attacks as well as new, unknown attacks. Building on that approach, this thesis designs and implements a packet capture and logging architecture that efficiently captures and records all the important packet-flow evidence produced during a suspicious attack event, for use in post-mortem network forensic analysis. From the recorded data, the cross-layer stateful SecMon system can then fully reconstruct what happened during the event.

Abstract (English)


In today's world, exploit code is created more easily and faster than ever. As a result, more and more attack events happen on the Internet, and the current Internet security architecture cannot efficiently control these malicious activities. Traditional intrusion detection systems use a stateless approach in which network traffic is inspected packet by packet. Because stateless approaches do not track the behavior of a connection over time, they fail to detect a sequence of complicated attack steps. In addition, with more and more exploit programs available in the public domain, attackers are now capable of launching more sophisticated attacks such as stealthy worms, whose attack procedures will become more complicated in order to evade detection. Furthermore, some attacks, such as polymorphic worms, mutate themselves and leave no clear signature. A stateless approach with simple pattern matching is not sufficient to detect sophisticated attacks and polymorphic worms.

In previous work we proposed Security Monitor (SecMon), a cross-layer stateful intrusion detection system, to detect sophisticated attacks. In SecMon, finite state machines maintain the transitions of the protocols at different layers so that the evolution of each connection is understood. SecMon is able to detect, at an early stage, polymorphic worms and unknown attacks that a signature-based intrusion detection system cannot detect. In this thesis we propose a logging mechanism based on SecMon that records malicious activities in sufficient detail and preserves the evidence needed for post-mortem analysis. With the logged events and the cross-layer stateful SecMon intrusion detection system, the system administrator can reconstruct the attack procedure and understand what happened in the network.
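The cross-layer stateful tracking and evidence logging that both abstracts describe, as an added illustration that is neither SecMon's code nor any code from this thesis: a toy Python tracker with a transport-layer FSM (the TCP handshake), a service-layer FSM (request length for a hypothetical service on port 4000) and a symptom FSM (a server that has just received an overlong request starts opening the same port on other hosts). The hosts, port, thresholds, propagation window and the packet trace are all constructed assumptions. The same trace is also run through a stateless signature check so the two behaviours can be compared: a mutated payload defeats the signature, while the behaviour check still fires and the tracker retains every packet of the inbound and outbound flows as evidence.

```python
"""Toy cross-layer stateful tracker with evidence logging (constructed example,
not SecMon's code: hosts, ports, thresholds and packets are all assumptions)."""
from collections import defaultdict, namedtuple

# flags is a simplified TCP flag string: "S", "SA", "A", "PA", "F", "R"
Pkt = namedtuple("Pkt", "ts src dst sport dport flags payload", defaults=(b"",))

SERVICE_PORT = 4000         # assumed: port of the monitored TCP service
MAX_REQUEST = 64            # assumed: longest legitimate request for that service
PROPAGATION_WINDOW = 5.0    # assumed: seconds a freshly hit server is watched

def flow_key(p):
    """Direction-independent flow identifier built from both endpoints."""
    a, b = (p.src, p.sport), (p.dst, p.dport)
    return (a, b) if a <= b else (b, a)

def stateless_match(packets, signature):
    """Classic per-packet signature check: returns timestamps of hits."""
    return [p.ts for p in packets if signature in p.payload]

class Tracker:
    """Transport FSM -> service FSM -> attack-symptom FSM, logging every packet."""
    def __init__(self):
        self.transport = {}                 # flow -> {"state", "client"}
        self.service = {}                   # flow -> service-layer state
        self.evidence = defaultdict(list)   # flow -> all packets seen for it
        self.suspect = {}                   # server -> (ts, flow) of the overlong request
        self.incidents = []

    def feed(self, p):
        k = flow_key(p)
        self.evidence[k].append(p)          # log first, decide later
        self._transport(k, p)

    def _transport(self, k, p):
        """Transport FSM: SYN_SENT -> SYN_RCVD -> ESTABLISHED -> CLOSED, client pinned at SYN."""
        st = self.transport.get(k)
        if st is None:
            if p.flags == "S":              # only a SYN opens a tracked flow
                self.transport[k] = {"state": "SYN_SENT", "client": p.src}
                self._symptom_new_syn(k, p)
            return
        if st["state"] == "SYN_SENT" and p.flags == "SA" and p.dst == st["client"]:
            st["state"] = "SYN_RCVD"
        elif st["state"] == "SYN_RCVD" and p.flags == "A" and p.src == st["client"]:
            st["state"] = "ESTABLISHED"
            self.service[k] = "WAIT_REQUEST"
        elif st["state"] == "ESTABLISHED" and p.payload and p.src == st["client"]:
            self._service(k, p)
        if "F" in p.flags or "R" in p.flags:
            st["state"] = "CLOSED"

    def _service(self, k, p):
        """Service FSM: judge the first request by its shape, not by fixed bytes."""
        if self.service.get(k) != "WAIT_REQUEST" or p.dport != SERVICE_PORT:
            return
        if len(p.payload) > MAX_REQUEST:
            self.service[k] = "OVERLONG_REQUEST"
            self.suspect[p.dst] = (p.ts, k)     # that server may now be compromised
        else:
            self.service[k] = "REQUEST_SEEN"

    def _symptom_new_syn(self, k, p):
        """Symptom FSM: a just-hit server opening the same port elsewhere = propagation."""
        hit = self.suspect.get(p.src)
        if hit and p.dport == SERVICE_PORT and p.ts - hit[0] <= PROPAGATION_WINDOW:
            self.incidents.append({"victim": p.src, "target": p.dst,
                                   "inbound": hit[1], "outbound": k})

    def evidence_for(self, incident):
        """All logged packets of the inbound exploit flow plus the outbound scan flow."""
        return self.evidence[incident["inbound"]] + self.evidence[incident["outbound"]]

def analyze(capture):
    t = Tracker()
    for p in sorted(capture, key=lambda q: q.ts):
        t.feed(p)
    return t

NOP_SLED = b"\x90" * 4                          # byte pattern a signature would key on
ORIGINAL = NOP_SLED + b"A" * 300                # worm variant that still carries the sled
POLYMORPHIC = bytes(range(256)) + b"B" * 50     # mutated variant: overlong, but no sled

def build_capture(exploit_payload):
    """Constructed trace: benign client, exploit, then the victim scanning outward."""
    A, V, B, T1, T2 = "10.0.0.1", "10.0.0.2", "10.0.0.5", "10.0.0.3", "10.0.0.4"
    return [Pkt(0.0, B, V, 50000, SERVICE_PORT, "S"),
            Pkt(0.1, V, B, SERVICE_PORT, 50000, "SA"),
            Pkt(0.2, B, V, 50000, SERVICE_PORT, "A"),
            Pkt(0.3, B, V, 50000, SERVICE_PORT, "PA", b"GET item 42"),
            Pkt(1.0, A, V, 40000, SERVICE_PORT, "S"),
            Pkt(1.1, V, A, SERVICE_PORT, 40000, "SA"),
            Pkt(1.2, A, V, 40000, SERVICE_PORT, "A"),
            Pkt(1.3, A, V, 40000, SERVICE_PORT, "PA", exploit_payload),
            Pkt(2.0, V, T1, 40001, SERVICE_PORT, "S"),   # victim turns scanner
            Pkt(2.5, V, T2, 40002, SERVICE_PORT, "S")]
```

Running `stateless_match(build_capture(ORIGINAL), NOP_SLED)` reports the exploit packet at t=1.3, but the same call on `build_capture(POLYMORPHIC)` reports nothing, because the mutated payload no longer contains the sled. `analyze()` on either trace produces two propagation incidents for 10.0.0.2, and `evidence_for()` returns the five packets (four from the inbound exploit flow, the outbound SYN) that a post-mortem reconstruction would start from. Two design points carry over from the abstracts: nothing in the tracker keys on payload bytes, so polymorphism is irrelevant to it, and "log first, decide later" is what makes the evidence available at all, since the packets that matter arrive before the verdict. The price is per-flow state and a tuning knob: a worm that waits longer than `PROPAGATION_WINDOW` before scanning evades this particular symptom rule, so such windows must be chosen with the expected attack tempo in mind.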
