Using data-independence in the analysis of intrusion detection systems

In this paper we demonstrate the modelling and analysis of intrusion detection systems and their environment using the process algebra Communicating Sequential Processes and its model checker FDR. We show that this analysis can be used to discover attack strategies that can be used to blind an intrusion detection system, even a hypothetically perfect one that knows all the weaknesses of its protected host. We give an exhaustive analysis of all such attack possibilities. We discuss how to strengthen the intrusion detection systems to prevent these attacks, and finally we show how we can use data independence techniques to verify the corrected versions.