Computing Applications

Active Defenders

An artist's impression of cybersecurity software.
The Lympho software treats Docker containers like human cells, mimicking the immune system's propensity for maintaining healthy cells.

The U.S. Federal Bureau of Investigation (FBI) Internet Crime Complaint Center received 791,790 cybercrime complaints in 2020, with losses exceeding US$4.1 billion, according to the FBI's 2020 Internet Crime Report. Cyberthugs have been automating cyberattacks for years using tools such as command and control (C&C) servers to puppet their botnets and malicious infections. Cybersecurity needs to automate its response to the schemes of these criminal hackers.

According to Innovation Origins, a European platform for independent journalists who write about innovation, start-ups, and "technologies that will shape the world of tomorrow," Dutch bank ABN AMRO will use self-healing cybersecurity software developed by TNO (The Netherlands Organization for Applied Science Research) to protect applications running in software containers. Containerization benefits software development with standardized application container images that accelerate secure development and deployment. The human immune system inspired the self-healing concept, which will replace containers periodically to remove unknown infections. The self-regenerating software solution will replenish containers when security monitoring and threat detection tools identify infections.

Developers from TNO created and integrated software called Lympho, which implements the Self-Healing-4-Cyber-Security (SH4CS) concept, with Kubernetes + Docker platforms to heal containers through regeneration automatically. Kubernetes is a popular open-source container orchestration platform from Google, which many organizations use to develop and deploy their software. Docker is a popular open-source application container platform that automates deployment, typically using container images.

TNO's Lympho implementation can be seen as an attractive solution, since so many potential Lympho customers use Kubernetes in tandem with Docker. Future customers such as ABN AMRO, which is testing the Lympho implementation, will use it with their existing Kubernetes + Docker installations. Lympho leverages the container regeneration abilities native to Kubernetes to renew infected and at-risk customer applications.

To enable its self-healing nature, immunologists aided the development of the Lympho software by modeling the human immune system's capacity to periodically replace the body's biological cells and regenerate cells infected with viruses. The Lympho software treats Docker containers like human cells, mimicking the immune system's propensity for maintaining healthy cells.

TNO, the independent organization responsible for the research component of the SH4CS project, is a member of the Partnership for Cyber Security Innovation (PCSI), where collaboration on the self-healing concept began. PCSI's partners, including financial institutions  ABN AMROING, de Volksbank, and Achmea, fund TNO's ongoing research into SH4CS. 

Both the PCSI and support for SH4CS are expanding. "We are discussing with several other large Dutch companies (outside the financial sector) to join the PCSI. Several companies are interested in the Lympho software, mostly non-financials. For the specific SH4CS project, ABN AMRO and Achmea are the most active partners," says Reinder Wolthuis, senior project manager/consultant for cybersecurity at TNO.

As an open source project, SH4CS has the potential for broad application across an increasing array of security tools, virtual environments, and platforms. "SH4CS is enabling the integration of a wide range of cybersecurity monitoring and detection solutions with container scheduling actions in a Docker container platform using Kubernetes as the container orchestrator platform," says Bart Gijsen, senior consultant in TNO's department of Cyber Security & Robustness (CSR).  While the current implementation of Lympho software is limited to these platforms, it is possible to extend the SH4CS concept to other combinations of container or VM runtime and orchestration platforms, adds Gijsen.

Software developers at ABN AMRO Bank already are experimenting with different use cases of the technology; they will continue to investigate them, according to Jarco de Swart, senior press officer for ABN AMRO Bank in Amsterdam.

"ABN AMRO is in continuous discussion with TNO on how to improve the software's capabilities to prevent, detect, and respond to security vulnerabilities and malicious activities. For example, we are investigating ways to identify vulnerable containers so we can shut them down and spin up secure ones," says Federico Casano, ABN Amro's project lead for the self-healing project.

Reactions from industry onlookers vary. "It's an interesting concept and still in its infancy," says Steve Tcherchian, a member of the CISO Advisory Board of the Information Systems Security Association International (ISSA). "The model to kill off containers and spawn new ones proactively is a step in the right direction. However, we know that cybersecurity is a cat and mouse game. Eventually, attackers will get wise and figure out a way around this as well," Tcherchian says.

"Other companies have already expressed interest and are considering the potential execution of tests of the Lympho software," says Casano.

According to TNO, banks including ING, Achmea, de Volksbank, and Rabobank plan to use the software.

The Lympho software is available at GitHub as open source code. Adds Gijsen, "The main programming language is Python. The code is available under the MPL-2.0 License."


David Geer is a journalist who focuses on issues related to cybersecurity. He writes from Cleveland, OH, USA.

Join the Discussion (0)

Become a Member or Sign In to Post a Comment

The Latest from CACM

Shape the Future of Computing

ACM encourages its members to take a direct hand in shaping the future of the association. There are more ways than ever to get involved.

Get Involved

Communications of the ACM (CACM) is now a fully Open Access publication.

By opening CACM to the world, we hope to increase engagement among the broader computer science community and encourage non-members to discover the rich resources ACM has to offer.

Learn More