In the continuous battle between cyber attackers and defenders, a new perspective is provided by immune-system-inspired self-healing. The defensive response mechanisms of the immune system against viruses and bacteria can be regarded as a defense-in-depth approach. The innate immune system is the first line of defense (or the second, if we count the preventive barrier of the human skin) and provides an immediate response to any invader. The innate immune system is ‘distributed’ in the sense that it consists of cells (e.g. white blood cells) that are present throughout the entire body. Its response is non-specific, effective within minutes, and focused on disabling invaders and preventing them from spreading through the body. Aside from this defensive function, the innate immune system also ‘cleans’ the body of foreign substances and of human body cells that have reached the end of their lifetime. The latter relies on programmed cell death: such cells die in a controlled way and the innate immune system clears their remains. While cleaning the body, the presence of pathogens is ‘signaled’ to the second line of defense: the adaptive immune system. The adaptive immune system consists of specialized weapons (T cells and antibody-producing B cells) that target the specific pathogens that have invaded the body; killing infected cells this way is referred to as targeted cell death. This specific weaponry is concentrated in the lymph nodes and is therefore somewhat less decentralized than the innate immune system; its activation requires several tens of hours. Yet another layer of defense is the learning and memory function of the adaptive immune system. Vaccines can be administered to activate this function, which shortens the adaptive response time on a later encounter (although vaccines themselves take many days to become effective).
This simplified description of defensive response within the human body highlights three fundamental self-healing properties:
- Disposability: the process of cell duplication and programmed cell death results in continuous regeneration of human body cells, where any small number of cells is disposable. Disposability is a prerequisite for the effectiveness of the immune system; it may kill as many cells as it deems necessary.
- Distribution: the more distributed the implementation, the faster the response. The innate immune system, the most distributed layer, acts faster than the adaptive immune system, which in turn is faster than vaccination (the most centralized, population-level measure).
- Adaptation and proportionality: the more energy-consuming adaptive immune system is only activated when the invaders overwhelm the innate immune system; the response is scaled to the threat.
Emerging containerization technology and the accompanying monitoring and deployment tools make it possible to build such self-healing properties into an IT platform. Self-Healing for Cyber Security (SH4CS) software provides periodic container regeneration, similar to how human body cells regenerate themselves: a running container is killed and replaced by a fresh instance from its original image, which discards any foothold an attacker has gained inside it. This is only safe when the container is disposable in the sense described above (stateless, replicated, or quick to recreate), and it removes the intruder rather than the vulnerability that let them in; regeneration buys time and limits spread, it does not replace patching. The SH4CS software can influence the moment at which such regeneration takes place, either time based or triggered by particular cyber security events. In a proof-of-concept implementation, the Falco runtime security tool (which monitors system calls on Kubernetes nodes against a rule set) was used to detect specific security events and trigger the regeneration of a container in case of an alert, thus making the SH4CS concept adaptive to cyber security events.
The current SH4CS software primarily consists of Python code that implements (a) a decentralized control loop, also referred to as Lymphocyte software, that executes the healing functionality for an individual application container (by running as a sidecar in the same Kubernetes Pod), (b) a proxy that interfaces between the Lymphocyte and the Docker daemon and (c) an API that interfaces between anomaly detection tools and the Lymphocyte. Because the proxy talks to the Docker daemon, it assumes nodes on which Docker is the container runtime; clusters that use another runtime (such as containerd or CRI-O) would need a different backend for the kill-and-restart action. The software code was reviewed by the partners in the PCSI consortium (see below) and can be deployed on modern container platforms based on Kubernetes and Docker.
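The following is an added example, not the SH4CS code itself, sketching what a per-pod "lymphocyte" control loop with the two triggers described above (time based and event based) and the proportionality rule from the immune analogy could look like. It assumes alerts arrive as lines of Falco's JSON output (field names `priority`, `rule`, `output_fields` with `k8s.ns.name` and `k8s.pod.name` are Falco's; the alert contents are constructed here), and it abstracts the regeneration action behind a callable so that it runs offline; the `Policy`, `Lymphocyte`, `RecordingBackend` and `FakeClock` names are this example's own. A real Kubernetes backend would delete the pod through the API and let the owning Deployment replace it.

```python
"""
Minimal per-pod 'lymphocyte' control loop (added example, hypothetical design).

Regeneration = kill the container and let its controller start a fresh one,
which is only safe if the pod is disposable. Two triggers: a maximum age
(time based) and runtime-security alerts in Falco's JSON output format
(event based). Proportionality: one alert at or above the configured
priority regenerates immediately; lower-priority alerts are only counted and
regenerate once a budget is exhausted.
"""
import json
import time
from dataclasses import dataclass, field
from typing import Callable, List, Tuple

# Falco priorities, most severe first, spelled as Falco emits them.
PRIORITY_RANK = {p: i for i, p in enumerate(
    ["Emergency", "Alert", "Critical", "Error", "Warning",
     "Notice", "Informational", "Debug"])}


@dataclass
class Policy:
    max_age_s: float        # regenerate unconditionally after this many seconds
    trigger_priority: str   # alerts at or above this priority regenerate at once
    alert_budget: int       # lower-priority alerts tolerated before regenerating


class RecordingBackend:
    """Offline stand-in for the regeneration action (hypothetical).

    A Kubernetes backend would call
    kubernetes.client.CoreV1Api().delete_namespaced_pod(pod, namespace)
    and rely on the owning Deployment/ReplicaSet to start a fresh replica.
    """
    def __init__(self) -> None:
        self.calls: List[Tuple[str, str, str]] = []

    def __call__(self, namespace: str, pod: str, reason: str) -> None:
        self.calls.append((namespace, pod, reason))


@dataclass
class Lymphocyte:
    namespace: str
    pod: str
    policy: Policy
    regenerate: Callable[[str, str, str], None]
    clock: Callable[[], float] = time.time
    born_at: float = field(init=False)
    minor_alerts: int = 0

    def __post_init__(self) -> None:
        self.born_at = self.clock()

    def handle_alert(self, raw: str) -> bool:
        """Process one Falco JSON output line; True if we regenerated."""
        alert = json.loads(raw)
        f = alert.get("output_fields", {})
        # Decentralized: each lymphocyte reacts only to alerts about its own pod.
        if f.get("k8s.ns.name") != self.namespace or f.get("k8s.pod.name") != self.pod:
            return False
        rank = PRIORITY_RANK.get(alert.get("priority"), len(PRIORITY_RANK))
        if rank <= PRIORITY_RANK[self.policy.trigger_priority]:
            self._regenerate("alert:" + alert.get("rule", "unknown rule"))
            return True
        self.minor_alerts += 1
        if self.minor_alerts >= self.policy.alert_budget:
            self._regenerate("alert budget exhausted")
            return True
        return False

    def tick(self) -> bool:
        """Time-based path, called on every iteration of the control loop."""
        if self.clock() - self.born_at >= self.policy.max_age_s:
            self._regenerate("max age reached")
            return True
        return False

    def _regenerate(self, reason: str) -> None:
        self.regenerate(self.namespace, self.pod, reason)
        self.born_at = self.clock()   # the replacement container's life starts now
        self.minor_alerts = 0


def falco_line(priority: str, rule: str, ns: str, pod: str) -> str:
    """Constructed alert line in the shape of Falco's json_output."""
    return json.dumps({
        "priority": priority, "rule": rule, "time": "2024-01-01T00:00:00.000000000Z",
        "output": f"{priority} {rule} (k8s.ns={ns} k8s.pod={pod})",
        "output_fields": {"k8s.ns.name": ns, "k8s.pod.name": pod,
                          "container.name": "app", "proc.cmdline": "bash"},
    })


class FakeClock:
    """Deterministic clock so the time-based path can be exercised offline."""
    def __init__(self, t: float = 0.0) -> None:
        self.t = t

    def __call__(self) -> float:
        return self.t


def demo() -> List[Tuple[str, str, str]]:
    """Constructed scenario; returns the regenerations the backend recorded."""
    clock, backend = FakeClock(), RecordingBackend()
    cell = Lymphocyte("prod", "web-0",
                      Policy(max_age_s=3600, trigger_priority="Warning", alert_budget=3),
                      backend, clock)
    cell.handle_alert(falco_line("Error", "Write below etc", "prod", "web-1"))  # other pod: ignored
    cell.handle_alert(falco_line("Notice", "Terminal shell in container", "prod", "web-0"))  # minor 1
    cell.handle_alert(falco_line("Notice", "Terminal shell in container", "prod", "web-0"))  # minor 2
    cell.handle_alert(falco_line("Error", "Write below etc", "prod", "web-0"))  # regenerate now
    clock.t += 1800
    cell.tick()   # replacement is 30 min old: nothing happens
    clock.t += 1800
    cell.tick()   # 60 min since regeneration: time-based regeneration
    return backend.calls


if __name__ == "__main__":
    for call in demo():
        print(call)
```

The scenario regenerates twice: once on the `Error`-level alert for its own pod (the two `Notice` alerts only consumed budget) and once when the replacement container reaches its maximum age. Alerts about other pods are ignored, which is what keeps the loop decentralized: one instance per pod, no shared state.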
This software component was developed within the Partnership for Cyber Security Innovation (PCSI), a Dutch innovation ecosystem that features leading companies across several industries.