Security as an immune system

Dr. Steven Hofmeyr

Long before Blaster and Slammer invaded the enterprise, Steven Hofmeyr was convinced that traditional security approaches were inadequate to fend off such attacks.

Drawing on his research in immunology, he was already at work 10 years ago crafting a security model patterned after the human immune system to better protect Web-based and networked business software applications.

"There's still an urge to lock down the operating system, but that approach has never worked," says Hofmeyr, chief scientist at Sana Security, developers of a unique intrusion detection and prevention system called Primary Response. "These [invaders] are effectively biological in nature, so you need a defense mechanism that adapts and evolves."

Hofmeyr is the principal architect of Primary Response, which learns normal application behavior and blocks abnormal behavior in the way that our immune system is constantly learning and adapting to counter foreign agents. Announced last year and now shipping, it detects exploits when they try to force applications down unexpected code paths.

"We don't rely on human expertise," says Hofmeyr, who received his Ph.D. in computer science from The University of New Mexico in 1999. "Instead we rely on the system to automatically learn behavior. You take our software agent, put it on the machine you want to protect, and in the production environment it will learn the behavior of the application you want to protect."

His behavior-based strategy is a significant departure from traditional approaches to IT security, such as knowledge-based (knowing what attacks look like before they occur) and signature-based (spotting invaders by their signatures) techniques. It also does away with the need for constant IT updates, maintenance, and patch deployment.

Dr. Hofmeyr founded Company 51 in 2000 but soon changed the name to Sana Security to make it boardroom-friendly and to reflect his unwavering interest in bridging immunology and IT security. ("Sana" is a Latin root word meaning "health.")

"Biological models help us produce better security systems," Hofmeyr says. "Our system is accurate because it learns in the local environment. One machine may be differently configured and have different usage patterns from another. That affects how you should protect it. … I can't always take an organ out of my body and just transplant it into yours, because your body may reject it."

Despite his full confidence in Primary Response, Hofmeyr is vigilant about evolving threats. "We haven't found a way to outsmart [our product] yet. But it's always an arms race, so we have to keep innovating."


Copyright © 2004 IDG Communications, Inc.