Sana Security information defense is based on human immune system

June 1, 2004
The human immune system, arguably the best and most complex security system known, is the model for a technology solution called Sana Profile from Sana Security in San Mateo, Calif.

By John McHale

SAN MATEO, Calif. — The human immune system, arguably the best and most complex security system known, is the model for a technology solution called Sana Profile from Sana Security in San Mateo, Calif. The tool aims at blocking and neutralizing information attacks from worms such as the recent Sasser, hackers, and other threats.

While stopping attacks it also enables legitimate system behavior for every application on every server in a network. The technology cuts down on the need for human involvement by being able to adapt autonomously to changes in system behavior, company officials claim.

The technology is based on research by Sana's chief scientist, Steven Hofmeyr, into how the human immune system repels invaders. Hofmeyr founded the company in 2002 after completing his research at the University of New Mexico in Santa Fe, N.M., and the Massachusetts Institute of Technology in Cambridge, Mass.

Sana Profile immediately identifies anomalous code paths as being outside of normal application behavior, and stops them by blocking system call executions.

Click here to enlarge image

Much like the human immune system identifies and responds to attack, Sana Profile learns normal application behavior by observing code paths in running programs, Hofmeyr says. Vulnerabilities such as software bugs, misconfigurations, injected code, and other attacks, force applications to travel down unexpected code paths. Sana Profile immediately identifies these anomalous code paths as being outside of normal application behavior, and stops them by blocking system call executions, he explains.

It typically takes one to two days to set up an application profile, Hofmeyr says. If the normal behavior should change for a system such as a server backup, a human operator who monitors the system could click a button and add the backup to the software agent's definition of normal, he explains. The technology is continually learning, which enables it to identify legitimate changes within applications, producing minimal false positives, company officials claim

The Sana solution will allow organizations to stop relying on patches; hackers are so sophisticated today that by the time a patch is distributed the hacker has obtained its binary code and has developed another line of attack, Hofmeyr says. Solutions that are geared to stopping known attacks are usually a step behind, he adds.

Another way is for a human to set up a rules-based application. That way a deviation from the rules triggers an attack warning and deploys countermeasures, Hofmeyr says. This can be effective but becomes much less so when problems become much more complex, Hofmeyr says.

The tool also has relatively simple management controls, enabling minimal network security skills and training. Sana Profile is host-based and capable of protecting computers from internal and external threats, even with encrypted data, Sana officials say.

Primary Response, the first product release built on Sana Profile technology, has been selected by officials at the U.S. Air Force Materiel Command at Wright-Patterson Air Force Base, Ohio, to protect more than 2,000 servers at 16 different Air Force bases, with a potential of as many as 140,000, Hofmeyr says.

The Air Force had spent many months working on a rules-based solution from a major competitor, "but after only two months looking at our technology, picked us because we could scale easily to large numbers of servers," he claims.

Hofmeyr sys he believes that his product would also be attractive to small operations that have the expertise to design rules-based solutions.

Primary Response monitors and protects applications at the operating system kernel level, building a profile of the application's normal behavior based on the code paths of a running program, then continually monitoring those code paths for deviations from the norm.

Primary Response was designed without signatures or custom scripting, so information resource requirements are minimal. The tool is easy to deploy on new applications, without requiring previous knowledge of each application and its configuration because it automatically accommodates system updates and reconfigurations by simply "relearning" normal system behavior, Sana officials say.

Customers can also either have the software solution respond immediately to threats or wait for human approval, Hofmeyr says.

The Sana product has support for as many as 7,000 agents per management server, agent management groups, role-based user management, and third party management systems integration. Primary Response is compatible with Windows, Solaris, and will also soon be with Linux, Hofmeyr says.

For more information on Sana Security contact the company online at www.sanasecurity.com.

Voice your opinion!

To join the conversation, and become an exclusive member of Military Aerospace, create an account today!