Dutch researchers build security software to mimic human immune system

by Joseph K. Clark

The Dutch research institute TNO has developed self-healing security software in collaboration with various partners.  This software is based on the functioning of the human immune system. It is based on the concept that cyberattacks can be averted much more quickly by mimicking the human regeneration process in IT systems.  Cybersecurity is high on the agenda at almost all Dutch organizations. While it is difficult to completely protect a company’s systems, cybercriminals only need one weak spot and can’t afford a single slip. This means that criminals are, by definition, one-up.

Bart Gijsen is a consultant at TNO and is involved in the self-healing project team in the Partnership for Cyber Security Innovation (PCSI). “Every time the attacker comes up with something new, the victim has to find a defense mechanism, and once new protection is found, the attacker comes up with a way to crack that again,” he said of the cyber security rat race.  To break through this, TNO and various Dutch banks and insurance companies had already worked on possible new cyber security approaches for some time. “At PCSI partner Achmea, one person who started working there as an enterprise architect was Rogier Reemer, and he originally graduated as an immunologist,” said Gijsen. 

Reemer saw all kinds of parallels with the human immune system in the field of cyber security and then held a presentation about it in his organization. “At the same time, at another partner in the PCSI program, they had concluded that the current way of looking at cyber defense would never be able to overcome the deficit in the fight against cybercriminals,” he said. “They wanted to look at security in a fundamentally different way.” The strength of cooperation in the PCSI lies in bringing different parties together to inspire and learn from each other. “We sat down together and asked TNO experts in ICT and microbiology to contribute ideas.”

security software

Adaptive IT

The idea of autonomic computing was first presented by IBM in 2003; they wanted to let the system manage ICT networks as autonomously as possible. “It is a wonderful idea, but the flexibility of IT is quite low,” said Gijsen. “Self-healing mechanisms in nature are evolutionary. With IT, it is designed and built. That means the adaptive content for self-healing in classic IT technology is not there by itself.”

Nevertheless, for about five years now, the world has seen IT products becoming more adaptive. He gave the example of a web server: “In the past, starting up and shutting down a web server required human intervention and took at least a few minutes, but it could also easily take half an hour. Nowadays, it is possible tto automate the startup and shut-down of web servers fully, and it is only a matter of seconds.”


A fundamental difference between ICT systems and the human body is “disposability”. This means the human body replaces its oi logical cells every so often. This development makes regeneration possible. Our immune system also uses this principle; the renewal process is accelerated when it expects cells to be infected with a virus.

Another critical difference is that the human body works in a decentralized way. On an IT network, central security software r ns, and as soon as an attacker hacks a workstation, it is cut off from the network so that the rest of the environment remains secure. In the human body, each cell runs its oca s. If a cell is infected, it shuts down itself and alerts all the other cells, with no control from above 


“We have now built this system of decentralized disposability for IT as well,” said Gijsen. “TNO did this by building a decentralized system, repairing itself, and recognizing the moment to do so.” He said existing container technology, like Kubernetes and Docker, lies at the heart of this technological regeneration. “This technology already contains the option f restarting and renewing, but we have added functionality to our software that allows containers to renew themselves at pre-set intervals,” said Gijsen.

This renewal ensures that there are several moments at which cyber-attacks can be intercepted. In addition, the software contains an anomaly de section, so containers that detect abnormal behavior can terminate themselves immediately without having to pass through a central system first. “This allows for rapid intervention if something is wrong,” he said.

Faster response

Disposability offers two significant advantages for cyber security: it protects against undetected infection attacks. It can automatically int notify that protection in case of a suspected infection.

“This development is part of the automated security trend,” said Gijsen. “It ensures that a faster response is possible during an attack. Moreover, cyber security specialists can focus on the cause instead of constantly putting out fires.”

He said the system is not a replacement for current security measures. “It is complementary to existing security mec anisms, with the added value that it can respond at ‘machine speed’.”

Close the front door.

Gijsen does not expect the self-healing software to be the holy grail in the rat race between cyber attackers and defenders.

“The rat race will not suddenly disappear, but it will be shifted with this technology,” he said. “Where the attackers have been using automated tooling for years, we are now starting to develop effective automated technology for defense as well. It is a new weapon in the defenders’ arsenal.”

Hackers mainly target software that is widely used. As TNO’s self-healing software is not yet used on a large scale, attackers will not target it for the time being, said Gijsen.

“But <span data-contrast= “auto”>of course, we will have to wait until cybercriminals try to attack this technology as well. Still, that is no reason not to use self-heal ng software.

“Organizations that do not apply this type of technology are an easier target for attackers. While nothing can keep you 100% safe, this aware means that an attacker must work harder to get inside your networks.” In other words, criminals are likelier to ignore a closed house than one with its front door wide open. 


As a research organization, TNO is not the party bringing the software to the market commercially. The organization has made the self-healing so are available under an open-source license and hopes that organizations, like IT service providers, will use the possibilities of the software in their security products.

“We try to inspire and hope that the market will pick this up,” said Gijsen. Companies from outside the Netherlands are also invited to use the self-healing security software of TNO. 

Related Posts