Modeling Intrusion Detection on Biology

Software taps human immune system to minimize false positives

Sana Security Inc. bills its intrusion detection software, Primary Response 1.0, as the first security product to be modeled on the human immune system. In medicine, instead of monitoring the patient for all known pathogens, a doctor may check for a fever. Likewise, with intrusion detection, rather than looking scanning for known attacks, the software searches for evidence that enterprise applications are unwell, then looks for the cause.

The San Mateo, Calif. firm was originally founded as Company 51 by Steven Hofmeyr, a Ph.D. in computer science, now the company’s chief scientist. Hofmeyr’s interest in possible relationships between computer security, immunology, and adaptive computation led him to research genetic algorithm dynamics, and to study immunology to answer such questions as “How does the immune system function so well in an increasingly complex environment, and what can we learn from this?”

Primary Response is the first attempt at applying some of these biological lessons to intrusion detection. (The product's name refers to a body’s immune response following an initial encounter with an antigen.) The software protects enterprise applications on Windows and Solaris platforms; Sana plans future versions for Linux and AIX.

Once Primary Response gets installed, it spends a couple of days studying how the enterprise applications work. With those profiles in hand, the software continuously monitors the applications. Only when they deviate from normal behavior—say there’s a buffer overflow, or the server tries to make an external connection via an anomalous port—does Primary Response sound the alert.

The drive for alternate paradigms mirrors the ongoing security challenges businesses face. “The demand for effective information security has never been greater, as application complexity and the rate of system modifications increase exponentially in real-world environments,” says John Zicker, CEO of Sana Security.

The typical Achilles heel of intrusion detection software, of course, is the false positive, and that doesn’t scale well. Yet getting the intrusion detection software tuned just right, so that it isn’t always crying wolf, is crucial for freeing security administrators from analyzing possible attacks all day.

Any software that can reduce false positives vis-à-vis current intrusion detection software, as Sana claims Primary Response will do, means saving security administrators’ time and money.

“By applying the principles of the human immune system, we have dramatically increased the efficacy of application security and reduced false positives, allowing for more efficient use of expert resources than ever before possible,” says Zicker.


About the Author

Mathew Schwartz is a Contributing Editor for Enterprise Systems and is its Security Strategies column, as well as being a long-time contributor to the company's print publications. Mr. Schwartz is also a security and technology freelance writer.