Friday, May 28, 2004

Security and the Immune System Metaphor

On several occasions I have seen the immune system metaphor used to describe the workings of an information security system, with unclear real-world applicability and success. You may recall the beginnings of IBM's Digital Immune System for Cyberspace that strives to "automatically detect viral activity during early spread, automatically develop a cure and distribute it across the Internet faster than the virus spreads." This initiative has been in existence for many years, and I have yet to hear about any discrete results besides a 1999 announcement that Symantec incorporated IBM's technology to create its own product suite. I am still unclear whether the system was actually modeled after a real immune system, or whether that was just a marketing gimmick.

The latest use of the immune system metaphor is in the context of Sana Security's intrusion protection system, described in a recent InfoWorld article. The article quotes Steven Hofmeyr, Sana Security's chief scientist:

Biological models help us produce better security systems... Our system is accurate because it learns in the local environment. One machine may be differently configured and have different usage patterns from another. That affects how you should protect it... I can't always take an organ out of my body and just transplant it into yours, because your body may reject it.

I tried downloading Sana Security's technical whitepaper that describes their product, but encountered a bug in their registration script that prevented me from accessing the materials. Sana Security seems to have implemented behavioral mechanisms that monitor the system to establish a baseline for normal behavior, and that alert on and block behavior that deviates from the expected profile. This concept, with various objectives and implementations, was implemented by the likes of Tiny Software, Aladdin, Finjan, and Pelican Software, which Microsoft purchased in 2003. I am glad that looking at the immune system has inspired Sana Security to develop a behavior-based intrusion prevention system, though I wonder how different their product is from those that did not use the immune system analogy.

The immune system metaphor may be a great marketing device for providing non-techie executives a high-level overview of a security product, but sticking too closely to the analogy is likely to be misleading. As Marcus Ranum wrote in 2003, computers are not biological entities. He further pointed out that computer functions differ from this analogy in several ways:

  • Computers don't heal themselves. Once they're down they stop getting better on their own. Once you unplug them they stop getting worse.
  • Computers can temporarily "opt out" of their biosphere by being turned off or unconnected from the network. During their disconnected state they can heal, with help from their friends the system administrators.
  • Computers, unlike biological organisms, can rapidly share immunity without having to actually be exposed to the pathogen in question.

    Interesting points all. Without having researched the specific methods by which Sana claims immunity may be bestowed in some organic-like manner onto digital computing devices, it is impossible to dispute their claims too arduously. Reading the article, however, has led me to think of similar examples as yours. Being familiar with marketing-speak, or gibberish, I was unable to discern any particularly new methodologies or attempts being employed by Sana.


