Can we build an Immune System for the Product Body?

April 14, 2015
 |  No Comments

Back Ground

Could a model or adaptation of the human immune system be used to build a better security system for the product body? There are already lots of analogies in cyber security that are made with the health of the human body. For example, use of the terms: virus, antivirus, infection, symptoms, diagnosis, etc.

If we look at the definition of immune system we see it comes from the Latin word immunis, meaning “free” or “untouched”. The immune system protects the body like a guardian from harmful influences from the environment and is essential for survival. The immune system is made up of different organs, cells, and proteins and aside from the nervous system is the most complex system the human body has.  I see it as a framework of interrelated elements that form a defensive ecosystem for the body. As long as the body’s system of defense is running smoothly, we do not notice the immune system. I certainly see the cyber security similarity in this area.

Without an immune system, a human being would be vulnerable to the harmful influences of pathogens or other substances from the outside environment as well as to harmful changes happening inside the body. When something dies, its immune system (along with everything else) shuts down. In a matter of hours, the body is invaded by all sorts of bacteria, microbes, parasites and in about two weeks these invaders will completely dismantle your body and only a skeleton will remain. None of these things are able to get in when your immune system is working, but the moment your immune system stops the door is wide open. The main tasks of the immune system are:

  • Recognizing and neutralizing harmful substances from the environment
  • Fighting against the body’s own cells that have changed due to an illness, for example cancer
  • Neutralizing pathogens like bacteria, viruses, parasites or fungi that have entered the body, and removing them from the body

It is pretty easy to see the similarities of the above with cyber security in general. Just like the immune system is the framework for the body, I think the concept of a cyber-security immune system could be used to develop a better frame work for the protection of our products.  The human immune system is engineered by nature, evolution and if you believe in a higher being, the hand of God to help protect the body from disease. This could be a great model to follow when trying to develop the frame work we use to secure our products. Similar to the immune system of the body, the protections put in place by the ideal cyber security system should be mostly ignored until they are put to work to protect the product when it is being attacked. What if we took the analogy further and started using other lessons learned from the human immune system to secure our products.

Differentiation Between “Self” and “Non-Self” Substances

For the immune system to be effective it must be able to differentiate between “self” and “non-self” cells, organisms and substances. In addition, the body should not work against its own healthy cells. If we think about antivirus applications, their main purpose is probably to help the product differentiate in a similar way between good code and malicious code, antivirus applications try to protect our products from infection. Other elements we have already developed like entry point protection between trust boundaries, banning of known vulnerable Application Programing Interfaces (APIs), use of things like encryption to protect important assets either at rest or in transit, provide similar protection from infection  However, have we really tried to solidify the differentiation between “self” and “non-self”?   I think there is room for improvement in this area.

The average company infected by an Advanced Persistent Threat (APT) exploit, typically has been infected for a period of two years before they found out they were infected. Then, it may only know because the FBI calls them and starts asking about the large of amounts of data the FBI see leaving the business and country and landing in counties where there are known APT perpetrators.  These APT threats are hard to identify and may also be self-destructive when found. It would be better to prevent them from entering the system or product in the first place. Perhaps the key is in this area of differentiating between the “self” and “non-self”.

Are there ways to better identify the “self” and differentiate from the “non-self”?  We already use signing mechanisms and hashing for integrity protection and they could be employed more broadly and perhaps at a more granular level in modules of code. It is always a question of balance and the checking required to implement this type of protection might be prohibitive for all application because of the potential performance impacts, but maybe doing the checks at the hardware level could alleviate the impact. Hashing could also be performed across an entire code base or binary composed of component hashed modules and if a hash is not correct it could trigger a review, which could be used to trace down to the hash of the component module with the incorrect hash.

Cryptographic signing typically is used to both authenticate the source of code to be inserted into product as well as to check the integrity of that code. Should we do more signing not only at external trust boundaries but within the subsystems of a product against both data and code when it is transferred?

What to do with the identified “Non-Self” Substances?

The immune system can be activated by many “non-self” substances. The human health term for these “non-self” substances is antigens. For example, proteins found on the surfaces of bacteria, fungi and viruses are all antigens. Antigens are the identity tags that identify molecules.  When antigens bind to special receptors on defense cells, a specific series of cell processes is started. The immune system begins to recall stored “memories” from pathogens the immune system has seen in the past in order to more quickly be ready to defend the body.

The body’s own cells have surface proteins, too. However, the immune system does not defend against them, because it has already learned at an earlier stage that these cell proteins are “self.” If the immune system identifies the cells of its own body as “non-self,” it is called an autoimmune reaction.

In the previous section I describe an ability using signing or hashing, which we might be able use to decide on which substances are “self” and which are “non-self” in a product but how can computers handle “self” items, which come back identified as “non-self” and what defenses can the SDL employ for an autoimmune reaction? This area certainly has some intriguing questions, which could foster a whole new area of research.

Innate immune system

There are two main parts of the immune system: the innate and the adaptive immune system.

The evolutionary older innate immune system provides a general defense against pathogens, so it is also called the nonspecific immune system. It works mostly at the level of immune cells like “scavenger cells” or “killer cells.” These cells mostly fight against bacterial infections. Some of these defensive cells are called macrophages and they constantly patrol your body, destroying germs as soon as they enter. Tumor Necrosis Factor (TNF) is also produced by macrophages. It is able to kill tumor cells, and it also promotes the creation of new blood vessels so it is important to healing. This is your ‘natural’ or inborn immunity. But if an infection begins to take hold, your body fights back with an even more powerful defenses of T- and B-cells. They give you acquired immunity, so that the same germ can never make you as ill again. We will talk about this more in the next section when we address the adaptive immune system.

How can we create processes or threads which take on capabilities similar to “scavenger” or “killer” cells? Can we develop intelligent modules that seek out “non-self” modules and destroy them?  How would we go about destroying these “non-self” modules, especially if they may only be an infected part of some otherwise productive and necessary module? This again could be another place of research interest that might produce some very beneficial results.

Adaptive immune system

In the adaptive immune system, particular agents like the so-called antibodies target very specific pathogens that the body has already had contact with. That is why this is also called a learned defense or a specific immune response. By constantly adapting and learning the body can also fight against bacteria or viruses that change over time.

In the parallel of the adaptive immune system in the cyber world we would need to first know the basic differences between “self” and “non-self” and then we must continually learn and adapt to changes in the characteristics we use to determine these differences. Does that mean the “scavenger” or “killer” module must also be artificially intelligent? Would this help us defeat polymorphism of malware?

The innate and adaptive immune systems do not work independently of each other. They complement each other in any reaction to a pathogen or harmful substance, and are closely connected with each other.  How is this done and could the same mechanism be modeled and applied to cyber security modules?

Layers of Defense

There many similar parallels with cyber security in other parts of the immune system. The most obvious part of the human immune system is what you can see. For example, skin is an important part of the immune system. It acts as a primary boundary between germs and your body. This is the first layer of defense. In the cyber world this skin and things like your eyes ears, nose and mouth would be represented as the trust boundary with anything external to the system. Are there more human immune system layers of defense which if modeled and adapted to cyber security could provide additional layers of defense for our products. I firmly believe that the answer is yes.