CN114500115B - Auditing device, system and method for flow data packet - Google Patents
Auditing device, system and method for flow data packet Download PDFInfo
- Publication number
- CN114500115B CN114500115B CN202210388763.2A CN202210388763A CN114500115B CN 114500115 B CN114500115 B CN 114500115B CN 202210388763 A CN202210388763 A CN 202210388763A CN 114500115 B CN114500115 B CN 114500115B
- Authority
- CN
- China
- Prior art keywords
- data packet
- host
- information
- flow
- host process
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1425—Traffic logging, e.g. anomaly detection
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L43/00—Arrangements for monitoring or testing data switching networks
- H04L43/12—Network monitoring probes
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L61/00—Network arrangements, protocols or services for addressing or naming
- H04L61/09—Mapping addresses
- H04L61/25—Mapping addresses of the same type
- H04L61/2503—Translation of Internet protocol [IP] addresses
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L2463/00—Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00
- H04L2463/146—Tracing the source of attacks
Landscapes
- Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The application provides an audit device of flow data package for monitoring platform, the device includes: the first receiving module is used for receiving the characteristic information of the flow data packet; the host positioning module is used for determining a host corresponding to the flow data packet according to the address information; the first sending module is used for sending a first instruction to the corresponding host, and triggering the host to acquire the relevant information of the host process and the executable file using the flow data packet and the relevant information of the dynamic link library according to the port information; the second receiving module is used for receiving the relevant information of the host process and the executable file which are sent by the host and use the flow data packet, and the relevant information of the dynamic link library; the storage module is used for constructing a flow data packet auditing model by utilizing the corresponding relation between the flow data packet and the host process, the executable file and the dynamic link library respectively; and the auditing module is used for comparing and analyzing the newly constructed flow data packet auditing model with the flow data packet auditing model prestored in the storage module and outputting an analysis result.
Description
Technical Field
The invention relates to the technical field of computers, in particular to an auditing device, system and method for a flow data packet.
Background
In the field of traditional flow analysis, a flow analysis system mainly acquires a network communication data packet in a mode of serial connection or bypass mirroring, and then analyzes the communication data packet to complete the processes of data packet analysis, communication protocol analysis, communication flow recombination and application protocol analysis. And according to the communication analysis result, finding out possible abnormal communication behaviors (such as port scanning), and judging possible application layer attack behaviors according to the communication data and the attack characteristic library of the application layer. And partial products can further judge the communication behavior based on the flow characteristic baseline.
However, in the conventional network traffic analysis method, the analysis granularity of both communication parties is only the host, and it is impossible to analyze which program is specific, whether the program is possibly an illegal program or not, and whether the program is changed recently. This results in an inability to determine whether the communication anomaly actually originated from the host when the anomaly is discovered. When an abnormal situation is found, it is impossible to determine which program the communication is specifically caused by. In addition, the traffic analysis method in the prior art is difficult to track the communication characteristic change of the host process after version upgrading or other changes.
Disclosure of Invention
Aiming at the defects, the invention provides an auditing device, a system and a method of a flow data packet, which are used for solving the problem that the communication characteristic change of a host process after version upgrading or other changes is difficult to track in the flow analysis method in the prior art.
The application provides an audit device of flow data package for monitoring platform, the device includes:
a first receiving module, configured to receive feature information used for characterizing a traffic data packet and sent by a network side node, where the feature information includes address information, port information, and a packet identifier, the address information includes a source address and/or a destination address, and the port information includes a source port number and/or a destination port number;
the host positioning module is used for determining a host corresponding to the flow data packet according to the address information;
a first sending module, configured to send a first instruction to the host, where the first instruction is used to trigger the host to obtain, according to port information in the first instruction, a host process using the traffic data packet, relevant information of all executable files related to the host process, and relevant information of a dynamic link library used by the host process, where the host process is determined by an agent installed in the host according to the port information, and the relevant information of the executable files and the relevant information of the dynamic link library are determined by the agent according to the host process;
A second receiving module, configured to receive relevant information of a host process that uses the traffic data packet and all executable files related to the host process and that is sent by the host, and relevant information of a dynamic link library used by the host process;
and the storage module is used for respectively establishing a flow data packet auditing model by the data packet identification of the flow data packet and the corresponding relation of the host process, the executable file and the dynamic link library.
Further, the apparatus further comprises:
the flow matching module is used for judging whether a source device corresponding to the source address of the flow data packet is an NAT device and/or judging whether a target device corresponding to the target address of the flow data packet is an NAT device according to the address information and the network configuration information;
the second sending module is configured to send a second instruction to the NAT device when the traffic matching module determines that the source device corresponding to the source address of the traffic data packet is the NAT device and/or determines that the target device corresponding to the target address of the traffic data packet is the NAT device, where the second instruction is used to trigger the NAT device to query the address information correspondence relationship before and after translation of the traffic data packet;
And the third receiving module is used for determining the characteristic information of the traffic data packet before translation according to the corresponding relationship of the address information before and after translation of the received traffic data packet from the NAT equipment, and triggering the host positioning module to determine the host corresponding to the traffic data packet.
Further, the apparatus comprises:
the fourth receiving module is used for acquiring a network flow log and/or a system application log sent by a host, and triggering the storage module to construct a communication baseline based on the network flow log and/or the system application log, wherein the communication baseline is used for judging whether a flow data packet is abnormal or not;
the auditing module is used for judging whether the running time of the host process and/or the executable file is larger than a preset threshold value or not based on the network flow log and/or the system application log of the host,
if the running time is longer than the preset threshold value, judging that a flow data packet used by the host process and/or the executable file is a fixed characteristic flow, and auditing the fixed characteristic flow based on the communication baseline;
if the running time is less than the preset threshold, judging that the flow data packet used by the host process and/or the executable file is sporadic flow, analyzing the sporadic flow, and judging whether the sporadic flow is abnormal.
Further, the storage module is further configured to construct and store a first host device list, where the agent is installed in a host in the first host device list;
when the second receiving module fails to acquire the host process of the host in the first host equipment list, or the related information of the executable file, or the related information of the dynamic link library, the auditing module judges that the host corresponding to the flow data packet is abnormal in communication, and performs communication control on the host corresponding to the flow data packet.
Further, the apparatus further comprises:
the storage module is further configured to build and store a second host device list, where the agent is not installed in a host in the second host device list;
a feature labeling module, configured to perform feature labeling on the traffic data packet when it is determined that the host of the traffic data packet is in the second host device list, where the feature labeling is used to indicate that the traffic data packet is communication traffic used by a specific device, so as to monitor and analyze one or more of the following information of the traffic data packet: quantity, frequency, data payload.
The present application further provides an auditing apparatus for traffic data packets, which is used for a network side node, the apparatus includes:
The first receiving module is used for receiving the flow data packets sent by each host;
a first parsing module, configured to obtain feature information used to characterize the traffic data packet from the traffic data packet, where the feature information includes address information, port information, and a data packet identifier, the address information includes a source address and/or a destination address, and the port information includes a source port number and/or a destination port number;
a first sending module, configured to send feature information of the flow data packet to a monitoring platform, where the feature information is used to trigger the monitoring platform to determine, according to the address information, a host corresponding to the flow data packet and send a first instruction to the host, where the first instruction is used to trigger the host to obtain, according to port information in the first instruction, related information of a host process that uses the flow data packet and all executable files related to the host process, and related information of a dynamic link library used by the host process, so that the monitoring platform constructs a flow data packet audit model by using correspondence between packet identifiers of the flow data packet and the host process, the executable files, and the dynamic link library, respectively;
And the host process determines the agent program installed on the host according to the port information, and the related information of the executable file and the related information of the dynamic link library are determined by the agent program according to the host process.
The application also provides an auditing device of flow data package for the host computer, the device includes:
the system comprises a first sending module, a second sending module and a third sending module, wherein the first sending module is used for sending traffic data packets to a network side node, each traffic data packet comprises characteristic information used for representing the traffic data packet, the characteristic information comprises address information, port information and a data packet identifier, the address information comprises a source address and/or a target address, and the port information comprises a source port number and/or a target port number;
the first receiving module is used for receiving a first instruction sent by the monitoring platform;
an information extraction module, configured to obtain, according to port information in the first instruction, a host process that uses a traffic data packet, relevant information of all executable files related to the host process, and relevant information of a dynamic link library used by the host process, where the host process determines, according to the port information, an agent installed for the host, and the relevant information of the executable files and the relevant information of the dynamic link library determine, according to the host process, the agent;
And the second sending module is used for sending the host process using the flow data packet, the related information of all executable files related to the host process, the related information of the dynamic link library used by the host process to the monitoring platform, and triggering the monitoring platform to respectively construct a flow data packet auditing model by using the corresponding relation between the data packet identifier of the flow data packet and the host process, the executable files and the dynamic link library.
The application also provides an auditing system of the flow data packet, which comprises a network side node, a host connected with the network side node and a monitoring platform connected with the network side node;
the monitoring platform comprises the auditing device for the traffic data packet, the network side node comprises the auditing device for the traffic data packet, and the host comprises the auditing device for the traffic data packet.
The application also provides an auditing method of the flow data packet, which is used for a monitoring platform and comprises the following steps:
receiving characteristic information which is sent by a network side node and used for representing a flow data packet, wherein the characteristic information comprises address information, port information and a data packet identifier, the address information comprises a source address and/or a target address, and the port information comprises a source port number and/or a target port number;
Determining a host corresponding to the flow data packet according to the address information;
sending a first instruction to the host, where the first instruction is used to trigger the host to obtain, according to port information, a host process using the traffic data packet, relevant information of all executable files related to the host process, and relevant information of a dynamic link library used by the host process, where the host process is determined by an agent installed in the host according to the port information, and the relevant information of the executable files and the relevant information of the dynamic link library are determined by the agent according to the host process;
receiving the host process using the flow data packet, the related information of all executable files related to the host process and the related information of a dynamic link library used by the host process, which are sent by the host;
and constructing a flow data packet auditing model by utilizing the corresponding relation between the data packet identification of the flow data packet and a host process, an executable file and a dynamic link library respectively.
Further, for monitoring the platform, the method further comprises the steps of:
according to the address information and the network configuration information, judging whether a source device corresponding to a source address of the traffic data packet is an NAT device and/or judging whether a target device corresponding to a target address of the traffic data packet is an NAT device;
Determining the corresponding relation of the address information of the traffic data packets before and after translation by the NAT equipment;
and determining the characteristic information contained in the traffic data packet before the translation of the NAT equipment, thereby determining the host corresponding to the traffic data packet before the translation of the NAT equipment.
According to the method and the device for identifying the flow data packet, the problem that the communication characteristic change of the host process after version upgrading or other changes is difficult to track in the flow analysis method in the prior art is solved by accurately associating the flow data packet with the host process and/or the executable file of the sending and receiving flow.
Drawings
Fig. 1 is a flowchart of an auditing method for traffic packets according to an embodiment of the present application;
fig. 2 is a flowchart of an auditing method for traffic packets according to yet another embodiment of the present application;
fig. 3 is a structural framework diagram of an auditing apparatus for traffic packets according to an embodiment of the present application;
fig. 4 is a structural framework diagram of an auditing apparatus for traffic packets according to still another embodiment of the present application;
fig. 5 is a structural framework diagram of an auditing apparatus for traffic packets according to an embodiment of the present application;
fig. 6 is a structural framework diagram of an auditing apparatus for traffic packets according to an embodiment of the present application;
Fig. 7 is a structural framework diagram of an auditing system for traffic packets according to an embodiment of the present application.
Detailed Description
The present invention will be described in detail with reference to the specific embodiments shown in the drawings, which are not intended to limit the present invention, and structural, methodological, or functional changes made by those skilled in the art according to the specific embodiments are included in the scope of the present invention.
As shown in fig. 1, which shows a flowchart of an auditing method of traffic data packets provided by an embodiment of the present application, the method includes the following steps:
s101, receiving characteristic information which is sent by a network side node and used for representing a flow data packet, wherein the characteristic information comprises address information, port information and a data packet identifier, the address information comprises a source address and/or a target address, and the port information comprises a source port number and/or a target port number. The packet identifier is a unique identifier of the traffic packet, and may be used to refer to the traffic packet.
S102, determining a host corresponding to the flow data packet according to the address information;
103, sending a first instruction to the host, where the first instruction is used to trigger the host to obtain, according to port information, a host process using the traffic data packet, related information of all executable files related to the host process, and related information of a dynamic link library used by the host process, where the host process is determined by an agent installed in the host according to the port information, and the related information of the executable files and the related information of the dynamic link library are determined by the agent according to the host process;
S104, receiving the host process using the flow data packet sent by the host, the relevant information of all executable files related to the host process, and the relevant information of a dynamic link library used by the host process;
and S105, constructing a flow data packet auditing model by utilizing the corresponding relation between the data packet identification of the flow data packet and the host process, the executable file and the dynamic link library respectively.
As an optional implementation manner, acquiring a plurality of traffic data packets received by a network side node may be implemented by deploying one or more traffic analysis devices at the network side node. The traffic analysis device may abstract the characteristic information of the traffic data packet according to the traffic data packet. The characteristic information of the traffic data packet comprises one or more of the following information: the receiving time of the flow data packet, the source address, the source port number, the destination address, the destination port number, the protocol type of the flow data packet, and the data packet load of the flow data packet.
Specifically, for example, for the TCP/UDP communication stream which is most widely used in the network, the traffic analysis device may abstract the five-tuple information of the traffic packet, where the five-tuple information includes the source IP address, the source port number, the destination IP address, the destination port number, and the protocol type of the traffic packet. For three-layer communication protocols based on ethernet, such as GOOSE, the traffic analysis device can abstract the source MAC address, the destination MAC address and the protocol type of the traffic data packet.
In the feature information about the traffic packets abstracted by the traffic analysis device, the host corresponding to each traffic packet can be determined according to the source address and/or the destination address in the feature information. Specifically, for example, for a TCP/UDP communication flow, the quintuple information of the traffic packet includes a source IP address and a destination IP address, and a host using the traffic packet can be determined according to the source IP address and the destination IP address.
As an alternative implementation manner, when the host using the traffic data packet is determined by the feature information, the agent installed on the host may collect network communication information of each host process on the host, and related information of all executable files related to each host process, and related information of the dynamic link library used by the host process.
Specifically, for example, for a TCP communication flow whose source IP address is a certain host, the agent determines, according to the source port number in the feature information, the specific host process in the host that uses the traffic packet, and determines, using an interface provided by an operating system of the host, information about all executable files related to the host process and information about a dynamic link library used by the host process.
As an optional implementation manner, the related information of the executable file includes one or more of the following information: the name of the executable file, the characteristic value of the executable file obtained through a hash algorithm, the digital signature of the executable file and the version number information of the executable file. The relevant information of the dynamic link library comprises one or more of the following information: name of the dynamic link library, and saving path of the dynamic link library.
The method and the device use the data packet identification of the flow data packet to refer to the flow data packet, and use the corresponding relation between the data packet identification of the flow data packet and the host process, the executable file and the dynamic link library to construct a flow data packet audit model.
As an optional implementation manner, when a network side node receives a traffic data packet, the monitoring platform may construct a corresponding relationship between a data packet identifier of the traffic data packet and a host process, an executable file, and a dynamic link library according to the above procedure, perform comparative analysis on the corresponding relationship and the traffic data packet audit model provided in the embodiment of the present application, and output an analysis result. The flow data packet auditing model provided by the embodiment of the application is generated by performing statistical analysis on a host process, an executable file related to the host process and a dynamic link library in the historical operation process of the device provided by the application.
Specifically, for example, the following analysis results may be obtained: if the process to which the traffic packet belongs is not found on the host, the traffic packet is suspected to be forged by other hosts. The traffic data packet comes from an unknown program which has not been recorded before, and a plurality of traffic data packets from the program are found at the same time, so that the traffic data packet is suspected to be scanning attack behavior. Corresponding process and executable file information are obtained, but the characteristics (data stream size, content, communication time, communication duration and the like) of the flow data packet are completely different from the communication characteristics of the same program in the prior art, and the flow data packet is suspected to be used as a springboard. Corresponding process and executable file information is obtained, but the executable file is modified compared with a previous file with the same name in the same position, the signature is changed or is lost, and the executable file is suspected to be infected by malicious codes. The corresponding process and executable file information are obtained, but the communication characteristics (data stream size, content, communication time, communication duration and the like) of the data stream are completely different from those of the same executable files on other hosts, and the data stream is suspected to be used as a springboard. From an executable program without a signature or with a self-signature, the communication behavior is strange and is suspected of malicious code.
According to the auditing method for the flow data packet, the granularity of flow analysis is refined from the host to the program running on the host, and communication auditing is carried out based on the host process and all executable files related to the host process, so that abnormal program communication can be found in time. The method realizes the tracking of the communication characteristic change of the host process after version upgrade or other changes. The method realizes the establishment of the flow baseline based on the communication condition of the host process, and discovers the communication abnormality of the host process.
In the traditional traffic data packet analysis method, the use value of the traffic baseline is weakened because the host process/executable file cannot be distinguished from long-term operation or accidental use. As an alternative implementation, the present application refines the granularity of traffic analysis from the host to the program running on the host, and distinguishes whether the host process in the host is running for a long time or is being used by chance.
Specifically, the method for auditing the traffic data packet provided by the present application further includes:
and acquiring a network flow log and/or a system application log of the host, and constructing a communication baseline based on the network flow log and/or the system application log, wherein the communication baseline is used for judging whether a flow data packet is abnormal or not.
Judging whether the running time of the host process and/or the executable file is larger than a preset threshold value or not based on the network flow log and/or the system application log of the host,
if the running time is longer than the preset threshold value, judging that a flow data packet used by the host process and/or the executable file is a fixed characteristic flow, and auditing the fixed characteristic flow based on the communication baseline;
if the running time is less than the preset threshold, judging that the flow data packet used by the host process and/or the executable file is sporadic flow, analyzing the sporadic flow, and judging whether the sporadic flow is abnormal. The analyzing of the accidental traffic may specifically be analyzing a traffic data packet, and completing the processes of data packet analysis, communication protocol analysis, communication stream reassembly, and application protocol analysis. According to the analysis result of the flow data packet, possible abnormal communication behaviors (such as port scanning) are found, and possible application layer attack behaviors are judged according to the communication data and the attack characteristic library of the application layer.
For the same host process, if the versions are different, the communication characteristics of the host process may change. Therefore, as an optional implementation manner, the method for auditing the flow data packet provided by the application can also perform correlation analysis on communication behaviors of the same host process on different hosts. Wherein the versions of the same host process on different hosts may be the same or different.
In actual use, there may be some host devices that do not have or cannot have agents installed. These devices are usually dedicated network communication devices, dedicated industrial control devices, etc. which are in view of device security issues and are not allowed to install the agent program at will, which means that the information related to the host process, the executable file and the dynamic link library in the host cannot be further confirmed by the agent program. However, for some hosts installed with an agent program, if a communication abnormality occurs, there is a problem that the host process, the related information of the executable file and the related information of the dynamic link library in the host cannot be further confirmed through the agent program. Therefore, it is necessary to distinguish between a host on which an agent is installed and a host on which an agent is not installed.
As an optional implementation manner, the method for auditing the traffic data packet provided by the present application further includes constructing a first host device list. And the host in the first host equipment list is provided with the agent program.
And when the host in the first host equipment list cannot acquire the host process, or the related information of the executable file, or the related information of the dynamic link library through the agent program, judging that the host corresponding to the flow data packet is abnormal in communication, and performing communication control on the host corresponding to the flow data packet.
Specifically, the host using the traffic data packet may be determined according to the source address and/or the target address in the feature information of the traffic data packet, and whether the host to which the source address and/or the target address points exists in the first host device list is detected. If the host process exists, whether the host process, or the related information of the executable file, or the related information of the dynamic link library can be obtained through the agent program is further judged. If the obtaining fails, judging that the host corresponding to the flow data packet is abnormal in communication, and performing communication control on the host corresponding to the flow data packet.
As an optional implementation manner, the method for detecting a traffic data packet provided by the present application further includes constructing a second host device list, where the agent is not installed in the hosts in the second host device list.
When the host using the traffic data packet is in the second host device list, performing further feature labeling on the traffic data packet, where the feature labeling is used to indicate that the traffic data packet is communication traffic used by a specific device, for example, the specific device may be communication traffic used by a dedicated network communication device, a dedicated industrial control device, or the like. Because the information of the host process in the host cannot be acquired through the agent program, the application monitors and analyzes one or more of the following information of the traffic data packet when the host in the second host device list is subjected to traffic auditing: quantity, frequency, data load, etc.
As an alternative implementation manner, for some packets that are difficult to be associated with a specific program and provide basic support for network communication, such as an address resolution protocol ARP, a spanning tree protocol STP, etc., monitoring and analysis may be performed according to the number, frequency, content, etc. of communication packets according to a conventional traffic packet identification method.
A Network Address Translation (NAT) technology is a common means for solving the problems of insufficient IP addresses and intranet security in an IPv4(Internet Protocol version 4) scenario. Generally, the method is divided into Source address translation (Source NAT, SNAT) and Destination address translation (Destination NAT, DNAT).
In the SNAT scene, an intranet IP address accesses a network packet of the IP address on the Internet, and the source address of the intranet IP address is converted into the public network address of the NAT equipment on the NAT equipment. In the DNAT scenario, an IP address on the Internet accesses a network packet of a public network address on the NAT device, and a destination address of the IP address on the NAT device is converted into a certain IP address in an intranet. In a SNAT scenario, multiple intranet IP addresses may be translated to public network IP addresses on one or more NAT devices. In a DNAT scenario, public network IP addresses on one or more NAT devices may translate to multiple internal network IP addresses.
Because the traffic data packet received by the network side node may have IP address translation, the source address and/or the destination address abstracted from the traffic data packet by the traffic analysis device may not be able to directly find a specific host.
Therefore, as shown in fig. 2, which shows a flowchart of an auditing method of traffic data packets according to another embodiment of the present application, includes the following steps:
s201, receiving characteristic information which is sent by a network side node and used for representing a flow data packet, wherein the characteristic information comprises address information, port information and a data packet identifier, the address information comprises a source address and/or a target address, and the port information comprises a source port number and/or a target port number.
S202, according to the address information and the network configuration information, whether a source device corresponding to a source address of the traffic data packet is an NAT device or not and/or whether a target device corresponding to a target address of the traffic data packet is an NAT device or not are judged, the corresponding relation of the address information of the traffic data packet before and after translation through the NAT device is determined, feature information contained in the traffic data packet before translation through the NAT device is determined, and therefore a host corresponding to the traffic data packet before translation through the NAT device is determined.
S203, sending a first instruction to the host, where the first instruction is used to trigger the host to obtain, according to port information, a host process using the traffic data packet, related information of all executable files related to the host process, and related information of a dynamic link library used by the host process, where the host process is determined by an agent installed in the host according to the port information, and the related information of the executable files and the related information of the dynamic link library are determined by the agent according to the host process.
S204, receiving the host process using the flow data packet sent by the host, the relevant information of all executable files related to the host process, and the relevant information of the dynamic link library used by the host process.
S205, establishing a flow data packet auditing model by utilizing the corresponding relation between the data packet identification of the flow data packet and the host process, the executable file and the dynamic link library respectively.
As described in step S202, when the source address of the traffic data packet is from the NAT device and/or the destination address is to the NAT device, it is necessary to determine the correspondence between the traffic data packets before and after translation by the NAT device, that is, which intranet IP the captured post-SNAT traffic corresponds to, and which intranet IP the captured pre-DNAT traffic corresponds to.
As an optional implementation manner, for a DNAT scenario, since a source IP address and a source port number on the Internet do not change after a request of the source IP address and the source port number is translated by the NAT device, the translated target IP address and the target port number can be determined by filtering downlink traffic of the NAT device having the same source IP address and source port number, and accurate calculation of a front-back traffic association relationship can be directly achieved.
However, in the SNAT scenario, a certain public network IP address on the Internet may have multiple intranet IPs accessing it at the same time, and since the SNAT device may change the source IP and the source Port, the correspondence between the front and rear flows of the SNAT device cannot be accurately determined from the flow quintuple layer.
As another optional implementation manner, the traffic correspondence may be determined by using a method for obtaining an address translation table of the NAT device, for example, a Connection tracking table of the NAT device implemented by Linux Netfilter is obtained.
After determining the corresponding relationship between the traffic data packets before and after the translation by the NAT device, the feature information contained in the traffic data packets before the translation by the NAT device can be obtained, so that the corresponding relationship between the traffic data packets before the translation by the NAT device and the host process, the executable file and the dynamic link library is determined.
And constructing a corresponding relation between the flow data packet before NAT equipment translation and the host process, the executable file and the dynamic link library.
The traditional network flow analysis method has the problems that the source and the target of a data packet are judged only based on the source and/or target address information of a communication protocol, and the authenticity of the source and/or target address cannot be confirmed. Compared with the traditional network flow analysis method, the identification method of the flow data packet provided by the application integrates the address translation mapping condition obtained on the NAT equipment, installs the proxy program on the host, and collects the network communication condition of each host process in the host, the related information of all executable files related to the host process and the related information of the dynamic link library called by the host process through the proxy program. According to the method and the device for identifying the flow data packets, the flow data packets received by the network side node are matched and associated with each host process on the host one by one, and the granularity of flow analysis is refined from the host to a program running on the host. The method and the device realize the functions of finding the possible flow data packet of a forged communication source, assisting in positioning an attack source and more accurately judging the source of the threat flow.
As shown in fig. 3, which illustrates a structural framework diagram of an auditing apparatus for traffic data packets provided in an embodiment of the present application, where the auditing apparatus for traffic data packets may be used for a monitoring platform, the apparatus includes: the system comprises a first receiving module 301, a host positioning module 302, a first sending module 303, a second receiving module 304 and a storage module 305.
The first receiving module 301 is configured to receive feature information that is sent by a network side node and used to characterize a traffic data packet, where the feature information includes address information, port information, and a packet identifier, the address information includes a source address and/or a destination address, and the port information includes a source port number and/or a destination port number.
A host location module 302, configured to determine a host corresponding to the traffic data packet according to the address information.
A first sending module 303, configured to send a first instruction to the host, where the first instruction is used to trigger the host to obtain, according to port information in the first instruction, a host process using the traffic data packet, relevant information of all executable files related to the host process, and relevant information of a dynamic link library used by the host process, where the host process is determined by an agent installed in the host according to the port information, and the relevant information of the executable files and the relevant information of the dynamic link library are determined by the agent according to the host process.
A second receiving module 304, configured to receive information about a host process that uses the traffic data packet and about all executable files related to the host process, which are sent by the host, and information about a dynamic link library used by the host process.
The storage module 305 is configured to construct a traffic data packet audit model by using the data packet identifier of the traffic data packet and the corresponding relationship between the host process, the executable file and the dynamic link library.
Fig. 4 is a block diagram illustrating a structural framework of an auditing apparatus for traffic packets provided by another embodiment of the present application, where the auditing apparatus for traffic packets can be used for a monitoring platform. The application provides an audit device of flow data package still includes: an auditing module 306, a traffic matching module 307, a second sending module 308, and a third receiving module 309.
The traffic matching module 307 is configured to determine, according to the address information and the network configuration information, whether a source device corresponding to a source address of the traffic data packet is an NAT device and/or determine whether a target device corresponding to a target address of the traffic data packet is an NAT device.
The second sending module 308 is configured to send a second instruction to the NAT device, where the second instruction is used to trigger the NAT device to query the address information correspondence between before and after translation of the traffic data packet.
The third receiving module 309 is configured to determine, according to a correspondence between address information before and after translation of a received traffic data packet from the NAT device, feature information of the traffic data packet before translation, and trigger the host location module to determine a host corresponding to the traffic data packet.
As shown in fig. 4, the auditing apparatus for traffic data packets provided in the present application further includes: a fourth receiving module 310.
A fourth receiving module 310, configured to obtain a network traffic log and/or a system application log sent by a host, and trigger the storage module 305 to construct a communication baseline based on the network traffic log and/or the system application log, where the communication baseline is used to determine whether a traffic data packet is abnormal;
an auditing module 306, which determines whether the running time of the host process and/or executable file is longer than a preset threshold value based on the network flow log and/or system application log of the host,
if the running time is longer than the preset threshold value, judging that a flow data packet used by the host process and/or the executable file is a fixed characteristic flow, and auditing the fixed characteristic flow based on the communication baseline;
if the running time is less than the preset threshold, judging that the flow data packet used by the host process and/or the executable file is sporadic flow, analyzing the sporadic flow, and judging whether the sporadic flow is abnormal.
As shown in fig. 4, the auditing apparatus for traffic data packets provided in the present application further includes: a feature labeling module 311, configured to perform feature labeling on the traffic data packet when it is determined that the host of the traffic data packet is in the second host device list, where the feature labeling is used to indicate that the traffic data packet is communication traffic used by a specific device, so as to monitor and analyze one or more of the following information of the traffic data packet: quantity, frequency, data load.
As an optional implementation manner, the storage module 305 is further configured to build and store a first host device list, where the agent program is installed in a host in the first host device list;
when the second receiving module 304 fails to acquire the host process of the host in the first host device list, or the related information of the executable file, or the related information of the dynamic link library, the auditing module 306 determines that the host corresponding to the traffic data packet is abnormal in communication, and performs communication control on the host corresponding to the traffic data packet;
the storage module 305 is further configured to build and store a second host device list, where the agent is not installed in the host in the second host device list;
When the host location module determines that the host using the traffic data packet is in the second host device list, the feature tagging module 311 performs further feature tagging on the traffic data packet.
As shown in fig. 5, which illustrates a structural framework diagram of an auditing apparatus of a traffic data packet provided in an embodiment of the present application, the auditing apparatus of the traffic data packet may be used in a network side node, and the apparatus includes:
a first receiving module 501, configured to receive traffic data packets sent by each host, where each traffic data packet includes feature information used to characterize the traffic data packet, where the feature information includes address information and port information, the address information includes a source address and/or a destination address, and the port information includes a source port number and/or a destination port number;
a first parsing module 502, configured to obtain feature information used to characterize the traffic data packet from the traffic data packet, where the feature information includes address information, port information, and a data packet identifier, the address information includes a source address and/or a destination address, and the port information includes a source port number and/or a destination port number;
A first sending module 503, configured to send characteristic information of the flow data packet to a monitoring platform, where the characteristic information is used to trigger the monitoring platform to determine a host corresponding to the flow data packet according to the address information and send a first instruction to the host, where the first instruction is used to trigger the host to obtain, according to port information in the first instruction, related information of a host process using the flow data packet and all executable files related to the host process, and related information of a dynamic link library used by the host process, so that the monitoring platform uses correspondence between packet identifiers of the flow data packet and the host process, the executable files, and the dynamic link library to construct a flow data packet audit model, and performs a comparative analysis on the newly constructed flow data packet audit model and a flow data packet audit model pre-stored in the monitoring platform, and outputting an analysis result;
and the host process determines the agent program installed on the host according to the port information, and the related information of the executable file and the related information of the dynamic link library are determined by the agent program according to the host process.
As shown in fig. 6, it shows a structural framework diagram of an auditing apparatus of traffic data packets provided by an embodiment of the present application, the auditing apparatus of traffic data packets is applicable to a host, and the apparatus includes:
a first sending module 601, configured to send traffic data packets to a network side node, where each traffic data packet includes feature information used to characterize the traffic data packet, where the feature information includes address information, port information, and a data packet identifier, the address information includes a source address and/or a destination address, and the port information includes a source port number and/or a destination port number;
a first receiving module 602, configured to receive a first instruction sent by a monitoring platform;
an information extraction module 603, configured to obtain, according to port information in the first instruction, relevant information of a host process that uses a traffic data packet, relevant information of all executable files related to the host process, and relevant information of a dynamic link library used by the host process, where the host process is determined by an agent installed in the host according to the port information, and the relevant information of the executable files and the relevant information of the dynamic link library are determined by the agent according to the host process;
A second sending module 604, configured to send, to the monitoring platform, relevant information of a host process that uses a flow data packet, relevant information of all executable files related to the host process, and relevant information of a dynamic link library used by the host process, and trigger the monitoring platform to construct a flow data packet audit model by using a correspondence relationship between a packet identifier of the flow data packet and the host process, the executable files, and the dynamic link library, respectively.
As shown in fig. 7, it illustrates a structural framework diagram of an auditing system for traffic data packets according to an embodiment of the present application, where the auditing system for traffic data packets includes: the network side node 701, the host 702 connected to the network side node, and the monitoring platform 703 connected to the network side node are described above.
To sum up, the auditing apparatus, system and method for traffic data packets provided by the present application integrate the address translation mapping obtained on the NAT device, install the agent on the host, and collect the network communication status of each host process in the host, the related information of all executable files related to the host process, and the related information of the dynamic link library called by the host process through the agent. According to the method and the device for identifying the flow data packets, the multiple flow data packets received by the network side node are matched and associated with each host process on the host one by one, and the granularity of flow analysis is refined from the host to a program running on the host.
While the invention has been described with reference to certain preferred embodiments, it will be understood by those skilled in the art that the following descriptions of the preferred embodiments are provided for illustration purposes only, and not for the purpose of limiting the invention as defined by the appended claims: rather, the invention is to cover all modifications, alternatives, combinations and simplifications which may be included within the spirit and scope of the invention as defined by the appended claims.
Claims (9)
1. An auditing apparatus for a traffic data packet, configured to monitor a platform, the apparatus comprising:
the first receiving module is configured to receive feature information used for characterizing a traffic data packet and sent by a network side node, where the feature information includes address information, port information, and a data packet identifier, the address information includes a source address and/or a destination address, and the port information includes a source port number and/or a destination port number;
the host positioning module is used for determining a host corresponding to the flow data packet according to the address information;
a first sending module, configured to send a first instruction to the host, where the first instruction is used to trigger the host to obtain, according to port information in the first instruction, a host process using the traffic data packet, relevant information of all executable files related to the host process, and relevant information of a dynamic link library used by the host process, where the host process is determined by an agent installed in the host according to the port information, and the relevant information of the executable files and the relevant information of the dynamic link library are determined by the agent according to the host process;
A second receiving module, configured to receive relevant information of a host process that uses the traffic data packet and all executable files related to the host process and that is sent by the host, and relevant information of a dynamic link library used by the host process;
the storage module is used for respectively establishing a flow data packet auditing model by the corresponding relation between the data packet identification of the flow data packet and a host process, an executable file and a dynamic link library;
the fourth receiving module is used for acquiring a network flow log and/or a system application log sent by a host, and triggering the storage module to construct a communication baseline based on the network flow log and/or the system application log, wherein the communication baseline is used for judging whether a flow data packet is abnormal or not;
the auditing module is used for judging whether the running time of the host process and/or the executable file is larger than a preset threshold value or not based on the network flow log and/or the system application log of the host,
if the running time is longer than the preset threshold value, judging that a flow data packet used by the host process and/or the executable file is a fixed characteristic flow, and auditing the fixed characteristic flow based on the communication baseline;
If the running time is less than the preset threshold, judging that the flow data packet used by the host process and/or the executable file is sporadic flow, analyzing the sporadic flow, and judging whether the sporadic flow is abnormal.
2. The apparatus for auditing of traffic data packets according to claim 1, further comprising:
the flow matching module is used for judging whether a source device corresponding to a source address of the flow data packet is an NAT device and/or judging whether a target device corresponding to a target address of the flow data packet is an NAT device according to the address information and the network configuration information;
the second sending module is configured to send a second instruction to the NAT device when the traffic matching module determines that the source device corresponding to the source address of the traffic data packet is the NAT device and/or determines that the target device corresponding to the target address of the traffic data packet is the NAT device, where the second instruction is used to trigger the NAT device to query the address information correspondence relationship before and after translation of the traffic data packet;
and the third receiving module is used for determining the characteristic information of the traffic data packet before translation according to the corresponding relationship of the address information before and after translation of the received traffic data packet from the NAT equipment, and triggering the host positioning module to determine the host corresponding to the traffic data packet.
3. The apparatus according to claim 2, wherein the storage module is further configured to build and store a first host device list, and the agent is installed in a host in the first host device list;
when the second receiving module fails to acquire the host process of the host in the first host equipment list, or the related information of the executable file, or the related information of the dynamic link library, the auditing module judges that the host corresponding to the flow data packet is abnormal in communication, and performs communication control on the host corresponding to the flow data packet.
4. The apparatus for auditing of traffic data packets according to claim 2, further comprising:
the storage module is further configured to build and store a second host device list, where the agent is not installed in a host in the second host device list;
a feature labeling module, configured to perform feature labeling on the traffic data packet when it is determined that the host of the traffic data packet is in the second host device list, where the feature labeling is used to indicate that the traffic data packet is communication traffic used by a specific device, so as to monitor and analyze one or more of the following information of the traffic data packet: quantity, frequency, data payload.
5. An auditing device for a traffic data packet, the auditing device being used for a network side node, the device comprising:
the first receiving module is used for receiving the flow data packets sent by each host;
a first parsing module, configured to obtain feature information used to characterize the traffic data packet from the traffic data packet, where the feature information includes address information, port information, and a data packet identifier, the address information includes a source address and/or a destination address, and the port information includes a source port number and/or a destination port number;
a first sending module, configured to send feature information of the traffic data packet to a monitoring platform, where the feature information is used to trigger the monitoring platform to determine a host corresponding to the traffic data packet according to the address information and send a first instruction to the host, where the first instruction is used to trigger the host to obtain, according to port information in the first instruction, relevant information of a host process that uses the traffic data packet and relevant information of all executable files related to the host process, and relevant information of a dynamic link library used by the host process, so that the monitoring platform constructs a traffic data packet audit model by using correspondence between packet identifiers of the traffic data packet and the host process, the executable files, and the dynamic link library, respectively;
The device forwards a network flow log and/or a system application log sent by the host to the monitoring platform, triggers the monitoring platform to construct a communication baseline based on the network flow log and/or the system application log, the communication baseline is used for judging whether a flow data packet is abnormal or not, judges whether the running time of the host process and/or the executable file is greater than a preset threshold or not based on the network flow log and/or the system application log of the host, judges that the flow data packet used by the host process and/or the executable file is a fixed characteristic flow if the running time is greater than the preset threshold, audits the fixed characteristic flow based on the communication baseline, and judges that the flow data packet used by the host process and/or the executable file is an accidental flow if the running time is less than the preset threshold, analyzing the accidental flow and judging whether the accidental flow is abnormal or not;
and determining the host process as an agent program installed on the host according to the port information, and determining the relevant information of the executable file and the relevant information of the dynamic link library as the agent program according to the host process.
6. An auditing apparatus for a traffic data packet, the apparatus for use with a host, the apparatus comprising:
the system comprises a first sending module, a second sending module and a third sending module, wherein the first sending module is used for sending traffic data packets to a network side node, each traffic data packet comprises characteristic information used for representing the traffic data packet, the characteristic information comprises address information, port information and a data packet identifier, the address information comprises a source address and/or a target address, and the port information comprises a source port number and/or a target port number;
the first receiving module is used for receiving a first instruction sent by the monitoring platform;
an information extraction module, configured to obtain, according to port information in the first instruction, a host process that uses a traffic data packet, relevant information of all executable files related to the host process, and relevant information of a dynamic link library used by the host process, where the host process determines, according to the port information, an agent installed for the host, and the relevant information of the executable files and the relevant information of the dynamic link library determine, according to the host process, the agent;
a second sending module, configured to send, to the monitoring platform, relevant information of a host process that uses a flow data packet, relevant information of all executable files related to the host process, and relevant information of a dynamic link library used by the host process, and trigger the monitoring platform to construct a flow data packet audit model using correspondence between packet identifiers of the flow data packet and the host process, the executable files, and the dynamic link library, respectively;
The monitoring platform is triggered to establish a communication baseline based on the network flow log and/or the system application log, and the communication baseline is used for judging whether a flow data packet is abnormal or not;
the monitoring platform judges whether the running time of the host process and/or the executable file is greater than a preset threshold value or not based on the network flow log and/or the system application log of the host, if the running time is greater than the preset threshold value, the monitoring platform judges that a flow data packet used by the host process and/or the executable file is fixed characteristic flow, and audits the fixed characteristic flow based on the communication baseline;
if the running time is less than the preset threshold, judging that the flow data packet used by the host process and/or the executable file is sporadic flow, analyzing the sporadic flow, and judging whether the sporadic flow is abnormal.
7. The system is characterized by comprising a network side node, a host connected with the network side node and a monitoring platform connected with the network side node;
The monitoring platform comprises an auditing device for traffic data packets according to any of claims 1 to 4, the network side node comprises an auditing device for traffic data packets according to claim 5, and the host comprises an auditing device for traffic data packets according to claim 6.
8. An auditing method for a traffic data packet, for use in a monitoring platform, the method comprising the steps of:
receiving characteristic information which is sent by a network side node and used for representing a flow data packet, wherein the characteristic information comprises address information, port information and a data packet identifier, the address information comprises a source address and/or a target address, and the port information comprises a source port number and/or a target port number;
determining a host corresponding to the flow data packet according to the address information;
sending a first instruction to the host, where the first instruction is used to trigger the host to obtain, according to port information, a host process using the traffic data packet, relevant information of all executable files related to the host process, and relevant information of a dynamic link library used by the host process, where the host process is determined by an agent installed in the host according to the port information, and the relevant information of the executable files and the relevant information of the dynamic link library are determined by the agent according to the host process;
Receiving the host process using the flow data packet, the related information of all executable files related to the host process and the related information of a dynamic link library used by the host process, which are sent by the host;
establishing a flow data packet auditing model by utilizing the corresponding relation between the data packet identification of the flow data packet and a host process, an executable file and a dynamic link library respectively;
acquiring a network flow log and/or a system application log sent by a host, and constructing a communication baseline based on the network flow log and/or the system application log, wherein the communication baseline is used for judging whether a flow data packet is abnormal or not;
judging whether the running time of the host process and/or the executable file is larger than a preset threshold value or not based on the network flow log and/or the system application log of the host,
if the running time is longer than the preset threshold value, judging that a flow data packet used by the host process and/or the executable file is a fixed characteristic flow, and auditing the fixed characteristic flow based on the communication baseline;
if the running time is less than the preset threshold, judging that the flow data packet used by the host process and/or the executable file is sporadic flow, analyzing the sporadic flow, and judging whether the sporadic flow is abnormal.
9. The method of auditing a traffic data packet according to claim 8 for a monitoring platform, the method further comprising the steps of:
according to the address information and the network configuration information, judging whether a source device corresponding to a source address of the traffic data packet is an NAT device and/or judging whether a target device corresponding to a target address of the traffic data packet is an NAT device;
determining the corresponding relation of the address information of the traffic data packets before and after translation by the NAT equipment;
and determining the characteristic information contained in the traffic data packet before the translation of the NAT equipment, thereby determining the host corresponding to the traffic data packet before the translation of the NAT equipment.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202210388763.2A CN114500115B (en) | 2022-04-14 | 2022-04-14 | Auditing device, system and method for flow data packet |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202210388763.2A CN114500115B (en) | 2022-04-14 | 2022-04-14 | Auditing device, system and method for flow data packet |
Publications (2)
Publication Number | Publication Date |
---|---|
CN114500115A CN114500115A (en) | 2022-05-13 |
CN114500115B true CN114500115B (en) | 2022-07-29 |
Family
ID=81488476
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202210388763.2A Active CN114500115B (en) | 2022-04-14 | 2022-04-14 | Auditing device, system and method for flow data packet |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN114500115B (en) |
Families Citing this family (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20230308470A1 (en) * | 2022-03-25 | 2023-09-28 | Cisco Technology, Inc. | Systems and Methods for Deriving Application Security Signals from Application Performance Data |
CN115361319B (en) * | 2022-10-20 | 2023-01-13 | 科来网络技术股份有限公司 | SNMP-based network equipment performance analysis method, device and equipment |
Family Cites Families (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN106033514B (en) * | 2015-03-20 | 2019-08-09 | 阿里巴巴集团控股有限公司 | A kind of detection method and device of suspicious process |
US10812497B2 (en) * | 2015-12-07 | 2020-10-20 | Prismo Systems Inc. | Systems and methods for detecting and responding to security threats using application execution and connection lineage tracing |
US11190420B2 (en) * | 2018-10-31 | 2021-11-30 | Salesforce.Com, Inc. | Generating events from host based logging for consumption by a network logging host |
CN111563024B (en) * | 2020-07-15 | 2020-10-16 | 北京升鑫网络科技有限公司 | Method and device for monitoring container process on host machine and computing equipment |
CN113114636A (en) * | 2021-03-26 | 2021-07-13 | 西安交大捷普网络科技有限公司 | Process flow auditing method and system of controlled host |
-
2022
- 2022-04-14 CN CN202210388763.2A patent/CN114500115B/en active Active
Non-Patent Citations (1)
Title |
---|
《基于安全基线的数据库安全综合监管系统》;郑瑜瑾;《CNKI优秀硕士学位论文全文库》;20190515;全文 * |
Also Published As
Publication number | Publication date |
---|---|
CN114500115A (en) | 2022-05-13 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN114500115B (en) | Auditing device, system and method for flow data packet | |
US10567405B1 (en) | System for detecting a presence of malware from behavioral analysis | |
US20080044018A1 (en) | Method and system to detect and prevent computer network intrusion | |
US20180367556A1 (en) | Automated forensics of computer systems using behavioral intelligence | |
US8015605B2 (en) | Scalable monitor of malicious network traffic | |
US11032301B2 (en) | Forensic analysis | |
US8631499B2 (en) | Platform for analyzing the security of communication protocols and channels | |
CN111800412B (en) | Advanced sustainable threat tracing method, system, computer equipment and storage medium | |
EP3297248B1 (en) | System and method for generating rules for attack detection feedback system | |
US7646728B2 (en) | Network monitoring and intellectual property protection device, system and method | |
US20060083180A1 (en) | Packet analysis system | |
US20120005743A1 (en) | Internal network management system, internal network management method, and program | |
US20110016528A1 (en) | Method and Device for Intrusion Detection | |
US20080196103A1 (en) | Method for analyzing abnormal network behaviors and isolating computer virus attacks | |
US20070016670A1 (en) | Determining data flows in a network | |
US10348751B2 (en) | Device, system and method for extraction of malicious communication pattern to detect traffic caused by malware using traffic logs | |
CN115208634A (en) | Supervision engine of network assets | |
JP6783261B2 (en) | Threat information extraction device and threat information extraction system | |
US20090122721A1 (en) | Hybrid network discovery method for detecting client applications | |
CN114124516A (en) | Situation awareness prediction method, device and system | |
CN115695031A (en) | Host computer sink-loss detection method, device and equipment | |
WO2017217247A1 (en) | Malignant event detection apparatus, malignant event detection method, and malignant event detection program | |
KR20120137326A (en) | Method and apparatus to detect malicious domain | |
US20050259657A1 (en) | Using address ranges to detect malicious activity | |
CN116723020A (en) | Network service simulation method and device, electronic equipment and storage medium |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
GR01 | Patent grant |