Goethe AG
Small Summary of SANA

SANA is an artificial immune system for network protection. Nowadays, nearly all computers are connected to some network, e.g. the Internet or commercial or academic networks. These networks and the computers connected to them are under constant assault from attacks, e.g. worms, viruses, and hackers. Therefore, protection systems called NIDS (Network Intrusion Detection Systems) are installed. These NIDS check the network traffic and try to identify attacks on the network. If such an attack is found, the attack is removed and the already infected nodes are disinfected.

Existing NIDS, e.g. SNORT, use a single computer to check the network traffic. This computer normally resides at an important place in the network, such as the Internet gateway or the email server. Thus, this node of the network is secured against all known attacks. Unfortunately, there are three significant problems with using such a solution for network protection:

  1. Only this network node is secured against the attacks. All other nodes are not secured, and the attack infects these nodes (only a local solution).
  2. The NIDS checks the network traffic at this node against all known attacks. This needs a lot of computational power and, consequently, these machines cost a lot of money.
  3. There exist attacks which load the network connections to the NIDS with the maximum possible amount of traffic. These attacks overstrain the NIDS, and the NIDS cannot check each packet (only about 30%-50%). Hence, the rest of the network traffic is unchecked and attacks can be carried in this traffic.

Thus, running a NIDS on a single computer does not provide enough security, and novel approaches to network security are needed.

A promising field of computer science research is to use the human body as an archetype. The human body protects itself against attacks by pathogens using the immune system. The human immune system is highly efficient, adaptive, distributed, autonomous and resistant to attacks on itself. The aim of SANA is to use the techniques of the human immune system to protect a computer network. SANA is part of the research project INTRA (Information Traffic Management and Computer Network Protection), which is currently carried out at the University of Luxembourg, and SANA is supported by the Ministère Luxembourgeois de l'éducation et de la recherche.

The main component of SANA is the agent. An agent is an artificial cell which tries to model the behaviour of the T- and B-cells of the human immune system. These agents know how to identify and remove a set of attacks. However, no agent knows all attacks; each knows only a small subset, which reduces the time an agent needs to check a packet. The agents flow through the network, stay some time at a network node and autonomously check each packet which travels over that node. If the agent identifies a packet as malicious, the agent knows how to proceed with this packet, e.g. remove the packet, disinfect the packet, or inform other components of SANA. Furthermore, there are agents which disinfect infected network nodes and agents which identify infected network nodes using the technique of ant colonies.

With these agents, SANA provides the following advantages:
  • Distributed:
    SANA works in a distributed fashion across the network. Every network node is secured against attacks by the travelling agents.
  • Shared Computational Power:
    A network node needs only some computational power, and there is no central node which needs a lot of computational power. Consequently, the computational power is shared over the network.
  • Adaptive:
    Agents learn autonomously how to detect new attacks.
  • Hard to attack:
    Because of its distributed environment, SANA is hard to attack. If a node is infected or a component of SANA breaks down, all other components keep on checking.

Thus, SANA is a novel approach to network security. It is currently being implemented in Java on top of a network simulator.
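
A toy simulation of the agent model described above, added here as an illustration and not SANA's own (Java) code: each agent knows only a few signatures and dwells on a node before moving on. The signature names, all parameters and the uniform random movement are assumptions.

```python
import random

# Constructed identifiers standing in for attack signatures.
SIGNATURES = [f"sig-{i}" for i in range(12)]

class Agent:
    """Artificial cell that recognises only a small subset of attacks."""
    def __init__(self, known):
        self.known = frozenset(known)
        self.node = None

    def check(self, packet):
        return packet["signature"] in self.known

def simulate(n_nodes=8, n_agents=16, subset=3, steps=200, dwell=5, seed=1):
    """Send one malicious packet per step to a random node and count detections."""
    rng = random.Random(seed)
    nodes = list(range(n_nodes))
    agents = [Agent(rng.sample(SIGNATURES, subset)) for _ in range(n_agents)]
    caught = missed = comparisons = 0
    for step in range(steps):
        if step % dwell == 0:  # agents stay `dwell` steps on a node, then move
            for agent in agents:
                agent.node = rng.choice(nodes)  # assumed: uniform random movement
        packet = {"node": rng.choice(nodes), "signature": rng.choice(SIGNATURES)}
        local = [a for a in agents if a.node == packet["node"]]
        comparisons += sum(len(a.known) for a in local)
        if any(a.check(packet) for a in local):
            caught += 1
        else:
            missed += 1  # no agent on this node knew the attack at this moment
    return {"caught": caught, "missed": missed,
            "signature_checks_per_packet": comparisons / steps}

if __name__ == "__main__":
    # Vary how many signatures each agent carries and compare the outcome.
    for subset in (1, 3, 6, 12):
        print(subset, simulate(subset=subset))
```

Comparing `missed` across subset sizes shows the trade-off between the per-packet checking cost on a node and the chance that no agent currently on that node knows a given attack.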

Modified: 2006-01-06 16:19:43
Exported: 2012-02-09 01:31:35