You can’t rely on the conventional approach.
Today the number of known malware samples is said to exceed 200 million, and it grows by about 200 thousand a day. Because the anti-virus software that end users widely rely on uses pattern matching (signatures), it is becoming more and more difficult to cope with unknown threats. Faced with this situation, an executive in the industry declared, “The anti-virus is dead.”
Many other methods have been proposed to replace pattern matching, such as heuristic analysis, network traffic analysis, sandboxing, and micro-VMs. Unfortunately, none of them provides complete, real-time protection against Advanced Persistent Threats (APTs) or zero-day attacks.
These attacks are designed not only to hide from and evade security software, but also to manipulate or destroy the computer’s execution environment. The attackers behind them have deep knowledge of the CPU and the OS.
Since conventional products are programs running on the OS, it is obvious that they are helpless against direct attacks on the CPU and the OS themselves. You can no longer rely on the conventional approach against ever-evolving cyber attacks.
We went back to the root.
So how can we protect the whole computer system, including the CPU and the OS? We went back to the root and thought it through from scratch, starting from fundamental principles.
To begin with, from the computer architecture point of view there is no difference between a normal program requested by a legitimate user and a malicious program (malware) run by an intruder. Both are simply pieces of code. The computer executes that code on request, as its specification defines.
That means it is a mistake to think you can distinguish “normal programs” from “malicious programs.” We therefore abandoned the mistaken idea, which is still common in the industry, that malicious programs can be “detected.”
So how can we prevent cyber attacks? We decided to focus on the processes actually being executed, not on programs. When an intruder runs a program with malicious intent, certain processes occur that a legitimate program never requires: invalid privilege elevations, network communications with external servers, and modifications of CPU and OS environment parameters. If you can monitor and detect these processes from outside the OS, you can protect the system.
Detecting malicious processes, not programs, with a mechanism that monitors and protects from outside the OS: we believe this is a whole new approach that brings a paradigm shift to the cyber security industry.
Our technology made the impossible possible.
Protect the OS architecture from outside the OS, and monitor all processes. Although the idea is simple, implementing it requires a deep understanding of the CPU and OS specifications and very careful engineering. In fact, many professionals are said to have tried and failed. F.TRON made it first in the world.
INTΦ (pronounced int-zero), a whole new security protection mechanism, has three major features.
First, it boots and starts working right after the computer is powered up, before the OS. It then allocates a memory region that is not visible from the OS and builds its working environment there. After that, it hands the rest of the memory to the OS and lets it proceed with its start-up sequence. Because malicious programs execute inside the OS, they can never attack INTΦ. INTΦ monitors the OS from its boot process through shutdown, protecting the whole system. In this way, INTΦ provides a protection mechanism from outside the OS.
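The page does not say how INTΦ hides its memory from the OS. One conventional way for a pre-OS component to do so is to mark its region as reserved in the BIOS E820 memory map that the OS later reads, so the OS never maps or allocates it. The following C program is an added example of that step, not F.TRON's code: the E820 entries and the hidden region's address are constructed sample values.

```c
/* Added example (not F.TRON's code): carving a hypervisor-private region out
 * of an E820 memory map before the OS sees it. The OS treats type-2 entries
 * as off limits, so the region becomes invisible to it. Map entries and the
 * reserved range below are constructed sample values, not from any machine. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define E820_USABLE   1   /* RAM the OS may use */
#define E820_RESERVED 2   /* reserved; the OS keeps out */
#define E820_MAX      32

struct e820_entry { uint64_t base, len; uint32_t type; };
struct e820_map   { int count; struct e820_entry e[E820_MAX]; };

/* Reserve [base, base+len) inside one usable entry by splitting it into up
 * to three pieces: usable head, reserved middle, usable tail. Returns 0 on
 * success, -1 if the range is not inside a single usable entry or the map
 * has no room for the extra entries. */
int e820_reserve(struct e820_map *m, uint64_t base, uint64_t len)
{
    uint64_t end = base + len;
    for (int i = 0; i < m->count; i++) {
        struct e820_entry *cur = &m->e[i];
        uint64_t cur_end = cur->base + cur->len;
        if (cur->type != E820_USABLE || base < cur->base || end > cur_end)
            continue;                                   /* not this entry */
        int extra = (base > cur->base) + (end < cur_end); /* pieces added */
        if (m->count + extra > E820_MAX)
            return -1;
        uint64_t head_base = cur->base, head_len = base - cur->base;
        uint64_t tail_len = cur_end - end;
        /* shift the following entries right to make room for the pieces */
        memmove(&m->e[i + 1 + extra], &m->e[i + 1],
                (size_t)(m->count - i - 1) * sizeof *cur);
        int j = i;
        if (head_len) {                    /* usable memory below the region */
            m->e[j].base = head_base; m->e[j].len = head_len;
            m->e[j].type = E820_USABLE; j++;
        }
        m->e[j].base = base; m->e[j].len = len;        /* the hidden region */
        m->e[j].type = E820_RESERVED; j++;
        if (tail_len) {                    /* usable memory above the region */
            m->e[j].base = end; m->e[j].len = tail_len;
            m->e[j].type = E820_USABLE;
        }
        m->count += extra;
        return 0;
    }
    return -1;
}

/* What the OS would conclude about an address from the map it receives. */
int e820_is_usable(const struct e820_map *m, uint64_t addr)
{
    for (int i = 0; i < m->count; i++)
        if (addr >= m->e[i].base && addr < m->e[i].base + m->e[i].len)
            return m->e[i].type == E820_USABLE;
    return 0;
}

uint64_t e820_usable_total(const struct e820_map *m)
{
    uint64_t total = 0;
    for (int i = 0; i < m->count; i++)
        if (m->e[i].type == E820_USABLE) total += m->e[i].len;
    return total;
}

/* Constructed sample map: 636 KiB low RAM, a reserved hole, 2 GiB above 1 MiB. */
void sample_map(struct e820_map *m)
{
    m->count = 3;
    m->e[0] = (struct e820_entry){ 0x00000000ULL, 0x0009F000ULL, E820_USABLE };
    m->e[1] = (struct e820_entry){ 0x0009F000ULL, 0x00061000ULL, E820_RESERVED };
    m->e[2] = (struct e820_entry){ 0x00100000ULL, 0x7FF00000ULL, E820_USABLE };
}

int main(void)
{
    struct e820_map m;
    sample_map(&m);
    /* hide 16 MiB at a constructed address near the top of RAM */
    if (e820_reserve(&m, 0x7E000000ULL, 0x01000000ULL) != 0) return 1;
    for (int i = 0; i < m.count; i++)
        printf("%016llx-%016llx type %u\n", (unsigned long long)m.e[i].base,
               (unsigned long long)(m.e[i].base + m.e[i].len), m.e[i].type);
    return 0;
}
```

The OS boots from the edited map and simply never sees the 16 MiB hole as RAM; that is the "memory space which is not visible from OS" the text describes. Hiding the region from the OS does not by itself stop a compromised kernel from mapping the physical address by hand, so a hypervisor built this way also has to refuse such accesses in its page tables (EPT), which is outside this example.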
Second, INTΦ catches and controls every process in the computer at the CPU instruction level. Because it is implemented with the Intel VT-x architecture, without the overhead of hardware emulation, it runs very fast. INTΦ monitors the processes of the OS and applications, the processes of the CPU itself, and reads and writes of CPU and OS parameters.
Finally, INTΦ adds intelligence to CPU instructions. By monitoring kernel instructions, processes, device I/O, and network communications, it judges whether a process was requested by a normal user or by a malicious intruder, and it stops only the malicious processes.
INTΦ’s protection policies are carefully defined to block every path an intruder could use to compromise the system. With these strict policies, it can block a process even when it belongs to an unknown malicious program.
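How INTΦ encodes its policies is not public. To make the idea of monitoring "CPU and OS parameter reads / writes" from outside the OS concrete, here is an added example, not F.TRON's code, of the kind of check a VT-x hypervisor can run when a guest write to a control register or MSR causes a VM exit. The bit positions and the MSR number are the architectural ones from Intel's documentation; the rules, the baseline values and the sample trace are constructed assumptions.

```c
/* Added example (not F.TRON's code): a fail-closed policy check for guest
 * writes to CPU control parameters, as seen by a hypervisor on VM exit
 * (MOV to CR0/CR4, WRMSR). The rules are illustrative; the baseline values
 * and the trace are constructed. CR0.WP, CR4.SMEP/SMAP and IA32_LSTAR are
 * the real architectural positions and MSR number. */
#include <stdint.h>
#include <stdio.h>

#define CR0_WP     (1ULL << 16)  /* supervisor writes honour page protection */
#define CR4_SMEP   (1ULL << 20)  /* no supervisor execution of user pages   */
#define CR4_SMAP   (1ULL << 21)  /* no supervisor access to user pages      */
#define IA32_LSTAR 0xC0000082u   /* 64-bit SYSCALL entry point              */

/* Constructed baseline, as it would be recorded once the OS has booted. */
#define BASE_CR0   0x80050033ULL
#define BASE_CR4   0x003706F0ULL
#define BASE_LSTAR 0xFFFFFFFF81C00000ULL

enum reg     { REG_CR0, REG_CR4, REG_MSR };
enum verdict { ALLOW, BLOCK };

struct write_event { enum reg reg; uint32_t msr; uint64_t value; };
struct baseline    { uint64_t cr0, cr4, lstar; };

struct baseline sample_baseline(void)
{
    return (struct baseline){ BASE_CR0, BASE_CR4, BASE_LSTAR };
}

/* Rule 1: a protection bit that is set in the baseline may never be cleared.
 * Rule 2: the SYSCALL entry point may not move once recorded.
 * Rule 3: anything the policy does not know is blocked. In a real VT-x
 * hypervisor the MSR bitmap only exits on the guarded MSRs, so rule 3 is a
 * fail-closed fallback rather than the normal path. */
enum verdict check_write(const struct baseline *b, const struct write_event *ev,
                         const char **reason)
{
    switch (ev->reg) {
    case REG_CR0:
        if ((b->cr0 & CR0_WP) && !(ev->value & CR0_WP)) {
            *reason = "CR0.WP cleared"; return BLOCK;
        }
        *reason = "CR0 write keeps WP"; return ALLOW;
    case REG_CR4: {
        uint64_t guarded = b->cr4 & (CR4_SMEP | CR4_SMAP);
        if ((ev->value & guarded) != guarded) {
            *reason = "CR4 SMEP/SMAP cleared"; return BLOCK;
        }
        *reason = "CR4 write keeps SMEP/SMAP"; return ALLOW;
    }
    case REG_MSR:
        if (ev->msr == IA32_LSTAR) {
            if (ev->value != b->lstar) { *reason = "IA32_LSTAR moved"; return BLOCK; }
            *reason = "IA32_LSTAR unchanged"; return ALLOW;
        }
        *reason = "MSR not covered by policy"; return BLOCK;
    }
    *reason = "unknown register"; return BLOCK;
}

/* Constructed trace of guest writes a hypervisor might intercept. */
static const struct write_event sample_trace[] = {
    { REG_CR0, 0, BASE_CR0 & ~CR0_WP },        /* blocked: WP cleared     */
    { REG_CR0, 0, BASE_CR0 | (1ULL << 30) },   /* allowed: only CD set    */
    { REG_CR4, 0, BASE_CR4 & ~CR4_SMEP },      /* blocked: SMEP cleared   */
    { REG_MSR, IA32_LSTAR, BASE_LSTAR },       /* allowed: same target    */
    { REG_MSR, IA32_LSTAR, BASE_LSTAR + 0x1000 }, /* blocked: moved       */
};
#define SAMPLE_TRACE_LEN (int)(sizeof sample_trace / sizeof sample_trace[0])

/* Run the trace against the baseline; return how many writes were blocked. */
int count_blocked(const struct baseline *b, const struct write_event *evs, int n)
{
    int blocked = 0;
    for (int i = 0; i < n; i++) {
        const char *why;
        enum verdict v = check_write(b, &evs[i], &why);
        printf("event %d: %s (%s)\n", i, v == BLOCK ? "BLOCK" : "ALLOW", why);
        blocked += (v == BLOCK);
    }
    return blocked;
}

int main(void)
{
    struct baseline b = sample_baseline();
    int n = count_blocked(&b, sample_trace, SAMPLE_TRACE_LEN);
    printf("%d of %d writes blocked\n", n, SAMPLE_TRACE_LEN);
    return 0;
}
```

The check never asks which program issued the write, only whether the write is one a correctly running OS needs; that is the process-not-program stance of the text. Real kernels do legitimately rewrite some of these registers (older kernels, for example, cleared CR0.WP briefly while patching their own code), so a production policy needs an allow-list for those specific sites, which is the "carefully defined" part of the policy work.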