July 2003

Computer Immunity

Better anti-hacking tools attack invaders.

By Wade Roush

For years computer scientists have dreamed of building computer security software as effective and versatile as the human immune system, which can swiftly overwhelm even intruders it has never seen before. Such a software tool would free programmers from having to anticipate and respond to the changing array of attacks hackers use; instead, it would simply allow a computer to understand its own normal behavior and shut down deviant processes.

Now such systems are finally going commercial. An intrusion prevention system from Sana Security of San Mateo, CA, is protecting private customer data for companies like Smith and Hawken, a catalogue and Internet retailer in Marin County, CA. Smith and Hawken officials say none of the many attempts to infiltrate their computers have succeeded since they began a trial run of Sana's software in mid-2002, and that hands-on monitoring has been reduced by dozens of hours a week. "I've heard the immune system analogy before in the security business, and usually my eyes roll up in my head," says Eric Ogren, a senior analyst and computer security specialist at Boston technology consultancy the Yankee Group. "What makes Sana unique is the way their software is able to automatically learn."

In the body, immune cells learn to recognize invaders by assuming that unfamiliar patterns on the surfaces of cells are foreign. Sana's software, launched commercially in March, uses a similar trick. It learns a computer's typical pattern of "system calls," or requests that a program issues to the operating system in order to carry out actions such as reading or writing on a disk. "When someone is using a flaw in a program to gain access to a system, they are typically forcing the system to do something unusual," says Sana founder and chief scientist Steven Hofmeyr. "Our self' is really the sequence of normal system calls, and nonself' is those that are caused when the system is attacked."

There's a big incentive to upgrade security: a California law going into effect this summer will require companies to notify-and possibly pay damages to-customers whose private information is exposed through computer breaches. Sana has a handful of competitors, including Hewlett-Packard and IBM, that are also using lessons from human physiology to automate computer security. But considering it took millions of years for immune systems to evolve, it may be a while before the market selects a winner.