Security App Modeled After Immune System

Start-up Sana Security looked to the human immune system in developing its new application security platform.

The security industry has always looked to the field of medicine for metaphors and ways of thinking about network protection. Now, Sana Security Inc., a San Mateo, Calif., start-up, is extending that relationship to another level with the introduction Monday of its Primary Response application security platform.

The software works by observing application-operating system interactions and learning the code paths that each application uses during its normal operations. The system develops a profile of each applications behavior and then blocks anything that falls outside that profile.

As a result, the system produces a remarkably low number of false positives—as few as two or three per month in some customer environments.

The concept was taken from the human immune systems ability to recognize potential infections and begin defending against them before they reach their intended targets. The software is the brainchild of Steven Hofmeyr, Sanas founder and chief scientist, who came up with the idea while doing research for his doctoral thesis.

Although the concept is somewhat similar to several other systems on the market—notably those sold by Okena Inc.—there is one key difference, Hofmeyr says: Sana does not rely on a human to define the acceptable behavior for each application.

"They assume that theres some human out there with sufficient knowledge to recognize the attacks and know what to do," Hofmeyr said. "Weve assumed the human wont understand."

Primary Response relies on a server-agent architecture and is meant mainly for servers handling Web, FTP and Domain Name System traffic. However, it can also protect custom applications.

Once an attack is detected and blocked, the system functions much like other security applications. It sends an e-mail alert to the administrator and logs the event in a central management console. The system also includes a set of analytics to help identify trends and dig deeper into each event.

Primary Response is due to ship in mid-March on the Windows and Solaris platforms; Linux and AIX versions are in the works. One server license costs $6,500 and each agent is $1,750.

  • Read more articles by Dennis Fisher
  • Read more security stories