Dutch researchers build security software to mimic human immune system

by Emma

Dutch research institute TNO, in collaboration with various partners, has developed self-healing security software. The software is modeled on the functioning of the human immune system, on the premise that cyberattacks can be averted much more quickly by mimicking the human regeneration process in IT systems.

Cyber security is high on the agenda at almost all Dutch organizations. It is difficult to completely protect a company’s systems: cybercriminals need only one weak spot, while defenders cannot afford a single slip. This means that criminals are, by definition, one up.

 

Bart Gijsen is a consultant at TNO and involved in the self-healing project team in the Partnership for Cyber Security Innovation (PCSI). “Every time the attacker comes up with something new, the victim has to find a defense mechanism, and once new protection is found, the attacker comes up with a way to crack that again,” he said of the cyber security rat race.  

To break through this, TNO and various Dutch banks and insurance companies had already been working on possible new approaches to cyber security for some time. “At PCSI partner Achmea, one person who started working there as an enterprise architect was Rogier Reemer, and he originally graduated as an immunologist,” said Gijsen. 

Reemer saw all kinds of parallels with the human immune system in the field of cyber security and then held a presentation about it in his organization. “At the same time, at another partner in the PCSI program, they had come to the conclusion that the current way of looking at cyber defense would never be able to overcome the deficit in the fight against cybercriminals,” he said. “They wanted to look at security in a fundamentally different way.”

The strength of the cooperation in the PCSI lies in bringing different parties together to inspire and learn from each other. “We sat down together and asked TNO experts in the field of ICT and microbiology to contribute ideas.”

Adaptive IT

IBM first presented the idea of autonomic computing in 2003; the aim was to let systems manage ICT networks as autonomously as possible.

“It is a wonderful idea, but the flexibility of IT is actually quite low,” said Gijsen. “Self-healing mechanisms in nature are evolutionary. With IT, it is designed and built. That means the adaptive content for self-healing in classic IT technology is not there by itself.”

Nevertheless, for about five years now, the world has been seeing IT products becoming more and more adaptive. He gave the example of a web server:

“In the past, starting up and shutting down a web server required human intervention and took at least a few minutes, but it could also easily take half an hour. Nowadays, it is possible to fully automate the startup and shut-down of web servers, and it is only a matter of seconds.”

Disposability

This development makes regeneration possible. A fundamental difference between ICT systems and the human body is “disposability”. This means the human body replaces its own biological cells every so often.

Our immune system also uses this principle; the renewal process is accelerated when it expects cells to be infected with a virus.

Another critical difference is that the human body works in a decentralized way. On an IT network, security software runs centrally, and as soon as an attacker hacks a workstation, it is cut off from the network so that the rest of the environment remains secure. In the human body, each cell runs its own scans. If a cell is infected, it shuts itself down and alerts all the other cells, with no control from above.

Containers

“We have now built this system of decentralized disposability for IT as well,” said Gijsen. “TNO did this by building a system that is decentralized, repairs itself, and also recognizes the moment to do so.” 

He said existing container technology, like Kubernetes and Docker, lies at the heart of this technological regeneration. “This technology already contains the option of restarting and renewing, but we have added functionality to our software that allows containers to renew themselves at pre-set intervals,” said Gijsen.

This renewal ensures that there are several moments at which cyber-attacks can be intercepted. In addition, the software contains anomaly detection so that containers that detect abnormal behavior can terminate themselves immediately without having to pass through a central system first. “This allows for rapid intervention if something is wrong,” he said.

Faster response

Disposability offers two significant advantages for cyber security: it provides protection against undetected infection attacks, and it makes it possible to automatically intensify that protection when an infection is suspected.
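The two advantages above, and the container behaviour described under "Containers", can be seen in a small constructed Python model, added here as an illustration and not TNO's software. The class, the 60-second interval, the alert factor and the event times are all assumptions, as is the premise that a renewed container starts from a clean image.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Container:
    """Constructed model of one self-renewing container (not TNO's code)."""
    name: str
    renew_every: int                      # seconds between scheduled renewals (assumed)
    born: int = 0
    compromised_at: Optional[int] = None  # ground truth; invisible to the container
    peers: list = field(default_factory=list)
    log: list = field(default_factory=list)  # (reason, attacker dwell time in s)

    def renew(self, now, reason):
        # Assumption: a fresh instance from a trusted image discards any foothold.
        if self.compromised_at is not None:
            self.log.append((reason, now - self.compromised_at))
        self.born, self.compromised_at = now, None

    def on_peer_alert(self, factor=4, floor=5):
        # Suspected infection nearby: renew more often from now on.
        self.renew_every = max(floor, self.renew_every // factor)

    def tick(self, now, anomaly_seen=False):
        if anomaly_seen:                  # local decision, no central controller
            for peer in self.peers:
                peer.on_peer_alert()
            self.renew(now, "anomaly")
        elif now - self.born >= self.renew_every:
            self.renew(now, "scheduled")

def simulate(share_alerts=True):
    a, b = Container("a", 60), Container("b", 60)
    if share_alerts:
        a.peers, b.peers = [b], [a]
    for now in range(181):
        if now == 70:
            a.compromised_at = now        # never detected on a
        if now == 100:
            b.compromised_at = now        # b's detector fires 3 s later
        a.tick(now)
        b.tick(now, anomaly_seen=(now == 103))
    return a, b

if __name__ == "__main__":
    for share in (False, True):
        a, b = simulate(share)
        print(share, a.log, b.log, a.renew_every)
```

In this model the undetected infection on container `a` is bounded by the renewal interval, and the peer alert from `b` shortens that bound further by making `a` renew earlier.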

“This development is part of the automated security trend,” said Gijsen. “It ensures that a faster response is possible in the event of an attack. Moreover, it offers cyber security specialists the opportunity to focus on the cause instead of constantly putting out fires.”

He said the system is not a replacement for current security measures. “It is complementary to existing security mechanisms, with the added value that it can respond at ‘machine speed’.”

Close the front door

Gijsen does not expect the self-healing software to be the holy grail in the rat race between cyber attackers and defenders.

“The rat race will not suddenly disappear, but it will be shifted with this technology,” he said. “Where the attackers have been using automated tooling for years, we are now starting to develop effective automated technology for defense as well. It is a new weapon in the defenders’ arsenal.”

Hackers mainly target software that is widely used. As TNO’s self-healing software is not yet used on a large scale, attackers will not target it for the time being, said Gijsen.

“But of course, we will have to wait until cybercriminals try to attack this technology as well. Still, that is no reason not to use self-healing software.

“We do see that organizations that do not apply this type of technology are an easier target for attackers. While nothing can keep you 100% safe, this software does mean that an attacker has to work harder to get inside your networks.” In other words, criminals are more likely to ignore a closed house than one with its front door wide open. 

Open-source

As a research organization, TNO is not the party bringing the software to the market commercially. The organization has made the self-healing software available under an open-source license and hopes that organizations, like IT service providers, will use the possibilities of the software in their own security products.

“We try to inspire and hope that the market will then pick this up,” said Gijsen. Companies from outside the Netherlands are also invited to use the self-healing security software of TNO. 
