Dutch research institute TNO, in collaboration with various partners, has developed self-healing security software.
This software is modelled on the functioning of the human immune system, on the premise that mimicking the human regeneration process in IT systems allows cyber attacks to be averted much more quickly.
Cyber security is high on the agenda at almost all Dutch organisations. It is difficult to completely protect a company’s systems: cyber criminals need only one weak spot, while defenders can’t afford a single slip. This means that criminals are, by definition, one up.
Bart Gijsen is a consultant at TNO and involved in the self-healing project team in the Partnership for Cyber Security Innovation (PCSI). “Every time the attacker comes up with something new, the victim has to find a defence mechanism, and once new protection is found, the attacker comes up with a way to crack that again,” he said of the cyber security rat race.
To break through this, TNO and various Dutch banks and insurance companies had already been working on possible new approaches to cyber security for some time. “At PCSI partner Achmea, one person who started working there as an enterprise architect was Rogier Reemer, and he originally graduated as an immunologist,” said Gijsen.
Reemer saw all kinds of parallels with the human immune system in the field of cyber security and then held a presentation about it in his organisation. “At the same time, at another partner in the PCSI programme, they had come to the conclusion that the current way of looking at cyber defence would never be able to overcome the deficit in the fight against cyber criminals,” he said. “They wanted to look at security in a fundamentally different way.”
The strength of the cooperation in the PCSI lies in bringing different parties together to inspire and learn from each other. “We sat down together and asked TNO experts in the field of ICT and microbiology to contribute ideas.”
IBM first presented the idea of autonomic computing in 2003, with the aim of letting systems manage ICT networks as autonomously as possible.
“It is a wonderful idea, but the flexibility of IT is actually quite low,” said Gijsen. “Self-healing mechanisms in nature are evolutionary. With IT, it is designed and built. That means the adaptive content for self-healing in classic IT technology is not there by itself.”
Nevertheless, for about five years now, the world has been seeing IT products that are becoming more and more adaptive. He gave the example of a web server:
“In the past, starting up and shutting down a web server required human intervention and took at least a few minutes, but it could also easily take half an hour. Nowadays, it is possible to fully automate the startup and shutdown of web servers and it is only a matter of seconds.”
This development makes regeneration possible. A fundamental difference between ICT systems and the human body is “disposability”. This means the human body replaces its own biological cells every so often.
Our immune system also uses this principle; when it expects cells to be infected with a virus, the renewal process is accelerated.
Another important difference is that the human body works in a decentralised way. On an IT network, central security software runs and, as soon as an attacker hacks a workstation, that workstation is cut off from the network so that the rest of the environment remains secure. In the human body, each cell runs its own scans. If a cell is infected, it shuts itself down and alerts all the other cells, with no control from above.
“We have now built this system of decentralised disposability for IT as well,” said Gijsen. “TNO did this by building a system that is decentralised, repairs itself and also recognises the moment to do so.”
He said existing container technology, like Kubernetes and Docker, lies at the heart of this technological regeneration. “This technology already contains the option of restarting and renewing, but we have added functionality to our software that allows containers to renew themselves at pre-set intervals,” said Gijsen.
This renewal ensures that there are several moments at which cyber attacks can be intercepted. In addition, the software contains anomaly detection, so that containers that detect abnormal behaviour can terminate themselves immediately, without having to pass through a central system first. “This allows for very quick intervention if something is wrong,” he said.
Disposability offers two major advantages for cyber security: it provides protection against undetected infection attacks and it offers the possibility to automatically intensify that protection in case of a suspected infection.
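The behaviour described above (renewal at pre-set intervals, self-termination on a locally detected anomaly, and faster renewal when an infection is suspected) can be modelled as a small simulation. This is an added illustration, not TNO's software; the class, the tick unit, the 0.8 threshold and the rule that a peer alert halves the interval are all assumptions.

```python
"""Toy model of decentralised disposability (constructed; not TNO's code)."""
from dataclasses import dataclass, field

THRESHOLD = 0.8  # assumed anomaly-score cut-off


@dataclass
class Container:
    name: str
    renew_every: int                 # pre-set renewal interval, in ticks
    age: int = 0
    generation: int = 0
    suspicious: bool = False         # set by a peer's alert
    peers: list = field(default_factory=list, repr=False, compare=False)

    def interval(self):
        # A suspected infection nearby halves the time until the next renewal.
        return max(1, self.renew_every // 2) if self.suspicious else self.renew_every

    def renew(self, now, reason, log):
        # Dispose of the running instance and restart from the clean image.
        self.age, self.suspicious = 0, False
        self.generation += 1
        log.append((now, self.name, reason))

    def tick(self, now, score, log):
        self.age += 1
        if score >= THRESHOLD:
            # Local decision: warn peers directly, then self-terminate.
            for peer in self.peers:
                peer.suspicious = True
            self.renew(now, "anomaly", log)
        elif self.age >= self.interval():
            self.renew(now, "accelerated" if self.suspicious else "interval", log)


def simulate(names, renew_every, ticks, scores):
    """scores maps (tick, name) -> anomaly score; missing entries mean normal."""
    fleet = [Container(n, renew_every) for n in names]
    for c in fleet:
        c.peers = [p for p in fleet if p is not c]
    log = []
    for now in range(1, ticks + 1):
        for c in fleet:
            c.tick(now, scores.get((now, c.name), 0.0), log)
    return log, fleet


if __name__ == "__main__":
    # Constructed input: container "b" sees abnormal behaviour at tick 2.
    events, _ = simulate(["a", "b", "c"], 6, 9, {(2, "b"): 0.95})
    for e in events:
        print(e)
```

In this run "b" disposes of itself at tick 2 without consulting any central component, and its peers renew at tick 3 instead of waiting for tick 6, which bounds how long an undetected foothold on them could survive.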
“This development is part of the automated security trend,” said Gijsen. “It ensures that a faster response is possible in the event of an attack. Moreover, it offers cyber security specialists the opportunity to focus on the cause instead of constantly putting out fires.”
He said the system is not a replacement for current security measures. “It is complementary to existing security mechanisms, with the added value that it can respond at ‘machine speed’.”
Close the front door
Gijsen does not expect the self-healing software to be the holy grail in the rat race between cyber attackers and defenders.
“The rat race will not suddenly disappear, but it will be shifted with this technology,” he said. “Where the attackers have been using automated tooling for years, we are now starting to develop effective automated technology for defence as well. It is a new weapon in the defenders’ arsenal.”
Hackers mainly target software that is widely used. As TNO’s self-healing software is not yet used on a large scale, attackers will not target it for the time being, said Gijsen.
“But of course we will have to wait until cyber criminals try to attack this technology as well. Still, that is no reason not to use the self-healing software.
“We do see that organisations that do not apply this type of technology are an easier target for attackers. While nothing can keep you 100% safe, this software does mean that an attacker has to work harder to get inside your networks.” In other words, criminals are more likely to ignore a closed house than one with its front door wide open.
As a research organisation, TNO is not the party bringing the software to the market commercially. The organisation has made the self-healing software available under an open source licence and hopes that organisations, like IT service providers, will use the possibilities of the software in their own security products.
“We try to inspire and hope that the market will then pick this up,” said Gijsen.
Companies from outside the Netherlands are also invited to use the self-healing security software of TNO.