You run a security company selling intrusion detection systems, and currently have two core technologies: M, a misuse-based (signature-based) scheme; and A, an anomaly-based scheme. Suppose that M is a network-based scheme that works by passively analyzing individual UDP and TCP packets. Suppose that A is a host-based scheme that works as a browser plugin, processing and analyzing individual URLs on the fly. Scheme M operates in a stateless fashion and scheme A maintains state regarding URLs it has previously analyzed.

As your company becomes more successful, you may get concerned that attackers will manage to evade your detectors. Which of the following is correct (ONE answer):

  1. Scheme A is vulnerable to evasion by attackers who can force their traffic to be sent using fragmented packets.
  2. Scheme M is vulnerable to evasion by attackers who can manipulate the order and timing of the packets they send.
  3. An attacker can more easily try to exhaust the memory used by scheme M than the memory used by scheme A.
  4. Neither system A nor system M could be evaded by attackers.
  5. None of the above.

2. Scheme M is vulnerable to evasion by attackers who can manipulate the order and timing of the packets they send.

Intrusion Detection System Evasion: Signature-Based vs. Anomaly-Based
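To make the answer concrete, here is an added toy model (not part of the original question) of scheme M as a stateless per-packet signature matcher beside a stateful variant that reassembles the stream first; the signature, the traffic and all function names are constructed for illustration.

```python
"""Toy model of the detectors in the question: M inspects each packet in
isolation (stateless); the stateful variant reassembles the TCP stream
before matching. All traffic below is constructed sample data."""
from typing import Dict, List, Tuple

Segment = Tuple[int, bytes]  # (sequence offset within the flow, payload)

# Constructed signature; stands in for whatever pattern scheme M matches on.
SIGNATURE = b"BAD-PATTERN"


def stateless_match(segments: List[Segment], signature: bytes) -> bool:
    """Scheme M: a hit only if the whole signature sits inside one packet."""
    return any(signature in payload for _, payload in segments)


def reassembled_match(segments: List[Segment], signature: bytes,
                      max_buffer: int = 4096) -> bool:
    """Stateful matcher: order segments by sequence offset, rebuild the
    stream, then scan it. Per-flow state costs memory, so the buffer is
    capped (the resource trade-off behind option 3 in the question)."""
    ordered = sorted(segments, key=lambda seg: seg[0])
    stream = b"".join(payload for _, payload in ordered)
    if len(stream) > max_buffer:
        raise MemoryError("per-flow reassembly buffer exceeded")
    return signature in stream


def split_out_of_order(data: bytes, cut: int) -> List[Segment]:
    """Constructed traffic: one stream delivered as two segments, with the
    second half observed before the first (reordered delivery)."""
    return [(cut, data[cut:]), (0, data[:cut])]


def demo() -> Dict[str, bool]:
    """Run both detectors over intact and split deliveries of the same bytes."""
    stream = b"hello BAD-PATTERN world"
    intact = [(0, stream)]
    split = split_out_of_order(stream, cut=12)  # cut falls inside the signature
    return {
        "M_intact": stateless_match(intact, SIGNATURE),
        "M_split": stateless_match(split, SIGNATURE),
        "stateful_intact": reassembled_match(intact, SIGNATURE),
        "stateful_split": reassembled_match(split, SIGNATURE),
    }


if __name__ == "__main__":
    for name, hit in demo().items():
        print(f"{name}: {'alert' if hit else 'no alert'}")
```

The run shows M alerting only when the signature arrives whole in one packet, while the reassembling matcher alerts in both cases; that is why a stateless per-packet scheme is the one exposed to ordering and fragmentation tricks.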

Original source: https://www.cveoy.top/t/topic/fY3r. Copyright belongs to the author. Do not repost or scrape!