CN111262881B - Method for hiding DNS domain name of server accessed by mobile phone APP - Google Patents


Info

Publication number: CN111262881B
Application number: CN202010120910.9A
Authority: CN (China)
Prior art keywords: dns, server, app, domain name, address
Legal status: Active (Google states that the listed status is an assumption, not a legal conclusion)
Other languages: Chinese (zh)
Other versions: CN111262881A (en)
Inventor: 李宗宇
Current assignee: Hangzhou Cloudaemon Technology Co ltd (Google notes that listed assignees may be inaccurate)
Original assignee: Hangzhou Cloudaemon Technology Co ltd
Priority date and filing date: 2020-02-26 (per the application record below; Google states that the priority date is an assumption, not a legal conclusion)

2020-02-26: Application CN202010120910.9A filed by Hangzhou Cloudaemon Technology Co ltd; priority to CN202010120910.9A
2020-06-09: Publication of CN111262881A
2021-07-02: Application granted; publication of CN111262881B
Current legal status: Active
Anticipated expiration: not listed

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L61/00 Network arrangements, protocols or services for addressing or naming > H04L61/45 Network directories; Name-to-address mapping > H04L61/4505 using standardised directories; using standardised directory access protocols > H04L61/4511 using domain name system [DNS]
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L61/00 Network arrangements, protocols or services for addressing or naming > H04L61/09 Mapping addresses > H04L61/10 Mapping addresses of different types
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L61/00 Network arrangements, protocols or services for addressing or naming > H04L61/09 Mapping addresses > H04L61/25 Mapping addresses of the same type > H04L61/2503 Translation of Internet protocol [IP] addresses > H04L61/2592 using tunnelling or encapsulation
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L63/00 Network architectures or network communication protocols for network security > H04L63/14 for detecting or protecting against malicious traffic > H04L63/1441 Countermeasures against malicious traffic > H04L63/1458 Denial of Service
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L63/00 Network architectures or network communication protocols for network security > H04L63/14 for detecting or protecting against malicious traffic > H04L63/1441 Countermeasures against malicious traffic > H04L63/1466 Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L63/00 Network architectures or network communication protocols for network security > H04L63/18 using different networks or channels, e.g. using out of band channels

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The method hides the DNS domain name of the server that a mobile phone APP accesses by using several DNS servers reached through encrypted tunnels. It comprises the following steps: establishing a DNS server list containing at least two DNS servers; the APP establishing an encrypted tunnel to each DNS server in the list; the APP sending an encrypted DNS request to the DNS server in each encrypted tunnel; each DNS server returning an encrypted DNS response to the APP; screening the DNS responses returned by the DNS servers and selecting the response with the highest repetition rate as the IP address of the enterprise server; and the APP sending an HTTP request to that IP address.

Description

Method for hiding DNS domain name of server accessed by mobile phone APP
Technical Field
The invention relates to the field of computers, in particular to a method for hiding the DNS (Domain Name System) domain name of a server accessed by a mobile phone APP (application).
Background
In general, a server that provides network services on the Internet has a public domain name. When a client APP accesses such a server, it first resolves the server's domain name to the server's IP address and then accesses that IP address, completing the access. Referring to fig. 1, the specific steps are as follows:
(1) The APP calls an Android/iOS operating system API (gethostbyname or getaddrinfo) to obtain the IP address of the server behind the domain name www.xxx.com.
(2) The DNS module of the Android/iOS operating system assembles a DNS message and sends a DNS request to a public DNS server on the Internet to obtain the IP address corresponding to www.xxx.com (every Android/iOS phone that can reach the Internet has a default DNS server configured).
(3) The public DNS server returns a DNS response, informing the iOS/Android DNS module that the IP address corresponding to www.xxx.com is 74.86.12.172.
(4) The iOS/Android DNS module returns, through the API, the IP address 74.86.12.172 for the domain name www.xxx.com to the APP.
(5) The client APP sends an HTTP request to the enterprise server 74.86.12.172.
(6) The enterprise server 74.86.12.172 returns an HTTP response.
At this point, a complete HTTP request and response has finished.
The existing scheme has the following defects: (1) the server's domain name is exposed on the Internet whenever the mobile phone APP accesses it; (2) if an attacker launches a DNS DDoS attack against the server's domain name (e.g., www.xxx.com), the DNS service provider will black-hole the attacked domain name, after which the domain name can no longer be resolved or accessed; (3) if an attacker hijacks or pollutes the server's domain name, the APP is directed to a wrong IP address, so that information leaks or the access fails.
Interpretation of terms:
IP address: the uniform address format provided by the IP protocol; it assigns a logical address to every network and every host on the Internet, masking differences between physical addresses.
Domain name (English: Domain Name): also called a network domain, the name of a computer or group of computers on the Internet, made up of a string of labels separated by dots, used to locate and identify the computer (and sometimes its geographical location) during data transmission. Because IP addresses are hard to remember and do not show the name or nature of the organization behind an address, domain names were designed and are mapped to IP addresses by the Domain Name System (DNS), so that people can use the Internet without remembering the machine-readable numeric IP addresses.
DNS: the Domain Name System is an Internet service. It acts as a distributed database that maps domain names and IP addresses to each other, so that people can use the Internet more conveniently.
DDoS: a Distributed Denial of Service attack is one in which multiple attackers in different locations attack one or more targets at the same time, or in which one attacker controls many machines in different locations and uses them to attack a victim simultaneously. Because the attack is launched from points distributed in different places, it is called a distributed denial-of-service attack, and it may involve multiple attackers.
APP: short for application software; usually refers to mobile phone application software for iOS and Android.
API (Application Programming Interface): a set of predefined functions or conventions for connecting different components of a software system. Its purpose is to give applications and developers access to a set of routines provided by a piece of software or hardware without having to read its source code or understand its internal workings.
HTTP (Hypertext Transfer Protocol): an application-layer protocol for transferring hypermedia documents. It was designed for communication between a web browser and a web server but can be used for other purposes as well. HTTP follows the classic client-server model: a client opens a connection, sends a request, and waits for the server's response. HTTP is stateless, meaning that the server retains no data (state) between two requests.
TLS: Transport Layer Security (TLS) and its predecessor Secure Sockets Layer (SSL) are security protocols that provide confidentiality and data integrity for Internet communications.
DoT: DNS over TLS (DoT) is a security protocol that encrypts and encapsulates Domain Name System (DNS) traffic inside Transport Layer Security (TLS). It is intended to prevent man-in-the-middle attacks on and manipulation of DNS data, and to protect user privacy.
Domain name hijacking: a type of Internet attack in which the target website's domain name is resolved to an incorrect address by attacking or forging the domain name resolution server (DNS), so that users cannot access the target website.
Domain name pollution: domain name server cache pollution (DNS cache pollution), also known as DNS cache poisoning, is the deliberate or inadvertent creation of DNS packets that direct domain names to incorrect IP addresses. There are reliable domain name servers on the Internet, but to reduce network load an ordinary domain name server temporarily caches the resolution records it obtains from upstream servers and serves them immediately when another machine next asks for the same name. Once the cache of a local domain name server is contaminated, computers in that domain are directed to the wrong server or web address.
Disclosure of Invention
The invention aims to provide a method for hiding the DNS (Domain Name System) domain name of a server accessed by a mobile phone APP (application), implemented by arranging several DNS servers reached through encrypted tunnels.
To achieve this, the main technical solution of the present invention provides a method for hiding the DNS domain name of a server accessed by a mobile APP, comprising the following steps:
s1, establishing a DNS server list, wherein the DNS server list comprises at least two DNS servers;
s2, establishing an encrypted tunnel by the APP and each DNS server in the DNS server list;
s3, the APP sends an encrypted DNS request to the DNS server in each encrypted tunnel;
s4, each DNS server returns encrypted DNS response information to the APP;
s5, screening the DNS responses returned by each DNS server, and selecting the response with the highest repetition rate as the IP address of the enterprise server;
s6, the APP sends the HTTP request to the IP address of the enterprise server.
And S7, the enterprise server returns an HTTP response.
Further, each of the DNS servers supports the DoT protocol.
Further, the APP establishes a TLS encrypted tunnel to each DNS server in the DNS server list.
The invention has the beneficial effects that:
(1) Hijacking of the server's domain name can be prevented: because the APP sends DNS requests to several DNS servers on the Internet at the same time, the scheme does not trust the single result returned by one DNS server but trusts the result returned by the majority of them, and the probability that the record has been tampered with in most of the DNS servers at once is very low.
(2) Pollution of the enterprise server's domain name can be prevented: domain name pollution is generally caused by a man-in-the-middle attack, and the protocol used in this scheme runs over TLS, which resists man-in-the-middle attacks provided the APP validates the certificate of each DNS server it tunnels to.
(3) The domain name of the server accessed by the APP is hidden, and the domain name is protected from DDoS attack: because the DNS resolution process is entirely inside TLS, an attacker cannot learn it by capturing packets on the network or on the phone, so the scheme effectively hides the server's domain name and avoids the domain name becoming unreachable because of a DDoS attack against it.
Drawings
Fig. 1 is a schematic flow diagram of an APP accessing an enterprise server in the prior art.
Fig. 2 is a schematic flowchart of an APP accessing an enterprise server according to an embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the drawings of those embodiments; the described embodiments are only some, and not all, of the embodiments of the invention. All other embodiments that a person of ordinary skill in the art can derive from the embodiments given here fall within the scope of the present invention.
Those skilled in the art will understand that in this disclosure the terms "longitudinal", "lateral", "upper", "lower", "front", "rear", "left", "right", "vertical", "horizontal", "top", "bottom", "inner", "outer" and the like refer to orientations or positional relationships as shown in the drawings, are used only for ease and simplicity of description, and do not indicate or imply that the referenced devices or components must be constructed or operated in a particular orientation; they are therefore not to be taken as limiting.
It is understood that the terms "a" and "an" mean "at least one": the number of an element may be one in one embodiment and more than one in another, and these terms are not to be interpreted as limiting the number.
Referring to fig. 2, a method for hiding a DNS domain name of a server accessed by a mobile APP includes the following steps:
s1, establishing a DNS server list, wherein the DNS server list comprises at least two DNS servers;
s2, establishing TLS encrypted tunnel by the APP and each DNS server in the DNS server list;
s3, the APP sends an encrypted DNS request to the DNS server in each encrypted tunnel;
s4, each DNS server returns encrypted DNS response information to the APP;
s5, screening the DNS responses returned by each DNS server, and selecting the response with the highest repetition rate as the IP address of the enterprise server;
s6, the APP sends the HTTP request to the IP address of the enterprise server.
And S7, the enterprise server returns an HTTP response.
A standard HTTP access request and response using the DoT protocol proceeds as follows:
(1) Collect and generate a DNS server list: collect publicly known DNS servers on the Internet that support the DoT protocol; several such servers form the DNS server list. The APP therefore no longer sends DNS requests to the system default DNS server.
(2) The APP establishes an encrypted tunnel with each DNS server: the APP sends a TLS request to each server in the DNS server list collected in step (1) and establishes a TLS encrypted tunnel with it.
(3) The DNS server responds that the encrypted tunnel has been established: each DNS server returns a tunnel-establishment success.
(4) The APP sends an encrypted DNS request in the encrypted tunnel: the APP assembles the DNS request itself instead of calling the operating system API; the assembled request queries the IP address corresponding to www.xxx.com and is sent to each DNS server with which an encrypted tunnel has been established.
(5) The DNS server returns an encrypted DNS response: each DNS server returns the IP address corresponding to www.xxx.com inside its encrypted tunnel.
(6) Select the IP address of the enterprise server: from the IP addresses returned by the several DNS servers, select the IP address returned by the majority of them as the IP address of the enterprise server.
(7) The client APP sends an HTTP request to the enterprise server.
(8) The enterprise server returns an HTTP response.
At this point, a complete HTTP request and response has finished.
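Steps (1) to (8) above, carried through in code as an added example (this is not code from the patent or its assignee). It assembles the A query in the APP itself instead of calling the OS resolver API, frames the query for DNS over TLS (RFC 7858: TLS on port 853, each message prefixed by a two-byte length), validates each resolver's certificate, and then applies step (6) as a strict majority vote over all resolvers that were queried, so that a single poisoned reply, or a single lone successful reply, can never be selected. The resolver list, the use of www.xxx.com as the queried name, and the `make_a_response` helper (which builds a constructed reply for offline testing) are assumptions made for this example.

```python
"""DoT multi-resolver lookup with majority vote (added example, not the patent's code)."""
import secrets
import socket
import ssl
import struct
from collections import Counter
from typing import Dict, List, Optional

# Assumed list of public DoT resolvers: (address, name expected in its certificate).
DOT_RESOLVERS = [
    ("1.1.1.1", "cloudflare-dns.com"),
    ("8.8.8.8", "dns.google"),
    ("9.9.9.9", "dns.quad9.net"),
]


def build_query(name: str, qid: int) -> bytes:
    """Step (4): assemble an A query in DNS wire format (RFC 1035) inside the APP."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a name, handling compression pointers."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # 2-byte pointer terminates the name
            return off + 2
        off += 1 + length


def parse_a_records(msg: bytes, expected_qid: int) -> List[str]:
    """Step (5): extract IPv4 answers; reject ID mismatches, non-responses, error RCODEs."""
    qid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if qid != expected_qid or not flags & 0x8000 or flags & 0x000F:
        return []
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    ips = []
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            ips.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return ips


def make_a_response(query: bytes, ips: List[str], ttl: int = 300) -> bytes:
    """Constructed reply to `query`, used only for offline testing of the parser."""
    qid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", qid, 0x8180, 1, len(ips), 0, 0)
    answers = b"".join(
        b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + socket.inet_aton(ip)
        for ip in ips
    )
    return header + query[12:] + answers


def select_answer(results: Dict[str, List[str]]) -> Optional[List[str]]:
    """Step (6): keep the answer set a strict majority of the *queried* resolvers
    agree on. Failed resolvers count against the quorum, so one poisoned reply
    (or one lone successful reply) is never selected; ties yield None."""
    votes = Counter(tuple(sorted(ips)) for ips in results.values() if ips)
    if not votes:
        return None
    best, count = votes.most_common(1)[0]
    return list(best) if count * 2 > len(results) else None


def dot_query(addr: str, server_name: str, query: bytes, timeout: float = 3.0) -> bytes:
    """Steps (2)-(5): one query over DNS over TLS (RFC 7858). create_default_context()
    checks the resolver certificate against server_name; without that check the
    'encrypted tunnel' gives no protection against a man-in-the-middle."""
    ctx = ssl.create_default_context()
    with socket.create_connection((addr, 853), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=server_name) as tls:
            tls.sendall(struct.pack("!H", len(query)) + query)
            stream = tls.makefile("rb")
            (length,) = struct.unpack("!H", stream.read(2))
            return stream.read(length)


def resolve(name: str, resolvers=DOT_RESOLVERS) -> Optional[List[str]]:
    """Steps (1)-(6): query every resolver in the list, then vote."""
    results: Dict[str, List[str]] = {}
    for addr, server_name in resolvers:
        qid = secrets.randbelow(0x10000)  # unpredictable ID, fresh per resolver
        try:
            reply = dot_query(addr, server_name, build_query(name, qid))
            results[addr] = parse_a_records(reply, qid)
        except (OSError, struct.error, IndexError):
            results[addr] = []  # unreachable or malformed: counts against the quorum
    return select_answer(results)


if __name__ == "__main__":
    print(resolve("www.xxx.com"))  # step (7) would send the HTTP request to this address
```

The vote is taken over answer sets rather than single addresses, so resolvers that return the same addresses in a different order still agree, while a resolver that returns an extra or different address does not. The strict-majority rule is the check the "highest repetition rate" wording in step (6) leaves open: with three resolvers configured, one reachable resolver returning one address would otherwise win by default.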
In this method, because the APP sends DNS requests to several DNS servers on the Internet at the same time, it does not trust the single result returned by one DNS server but trusts the result returned by the majority of them; the probability that the record has been tampered with in most of the DNS servers at once is very low, so the method prevents hijacking of the server's domain name.
The protocol used by the method runs over TLS. With the APP validating each DNS server's certificate, TLS resists man-in-the-middle attacks, so domain name pollution of the resolution step cannot occur.
Because the DNS resolution process is entirely inside TLS, an attacker cannot learn it by capturing packets on the network or on the phone; the method therefore hides the server's domain name during resolution and avoids the domain name becoming unreachable because of a DDoS attack against it. Note that this hiding covers the resolution step only: the HTTP request of step (7) still carries the name in its Host header (and in the TLS SNI if HTTPS is used), so the name remains visible to an observer of the HTTP traffic itself.
The present invention is not limited to the preferred embodiments described above; any product in any form that a person can obtain in the light of the present invention, whatever changes in shape or structure it carries, falls within the protection scope of the present invention as long as its technical solution is the same as or similar to that of this application.

Claims (3)

1. A method for hiding the DNS domain name of a server accessed by a mobile phone APP, characterized by comprising the following steps:
s1, establishing a DNS server list, wherein the DNS server list comprises at least two DNS servers;
s2, establishing an encrypted tunnel by the APP and each DNS server in the DNS server list;
s3, the APP sends an encrypted DNS request to the DNS server in each encrypted tunnel;
s4, each DNS server returns encrypted DNS response information to the APP;
s5, screening the DNS responses returned by each DNS server, and selecting the IP address returned by most DNS servers as the IP address of the enterprise server;
s6, the APP sends an HTTP request to the IP address of the enterprise server;
and S7, the enterprise server returns an HTTP response.
2. The method for hiding the DNS domain name of a server accessed by a mobile phone APP according to claim 1, characterized in that each of the DNS servers supports the DoT protocol.
3. The method for hiding the DNS domain name of a server accessed by a mobile phone APP according to claim 1 or 2, characterized in that the APP establishes a TLS encrypted tunnel to each DNS server in the DNS server list.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010120910.9A CN111262881B (en) 2020-02-26 2020-02-26 Method for hiding DNS domain name of server accessed by mobile phone APP

Publications (2)

Publication Number Publication Date
CN111262881A CN111262881A (en) 2020-06-09
CN111262881B true CN111262881B (en) 2021-07-02

Family

ID=70949553

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010120910.9A Active CN111262881B (en) 2020-02-26 2020-02-26 Method for hiding DNS domain name of server accessed by mobile phone APP

Country Status (1)

Country Link
CN (1) CN111262881B (en)

Families Citing this family (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111901218A (en) * 2020-06-23 2020-11-06 北京天融信网络安全技术有限公司 Message transmission method, SSLVPN proxy server, electronic device and storage medium
CN114286335A (en) * 2020-09-17 2022-04-05 华为技术有限公司 Server selection method and device
CN112667309A (en) * 2020-12-22 2021-04-16 互联网域名系统北京市工程研究中心有限公司 DoT supporting method and system on DNS authoritative server
CN113014561B (en) * 2021-02-18 2022-09-06 支付宝(杭州)信息技术有限公司 Privacy protection method and device for DNS request message
CN113301592B (en) * 2021-05-28 2023-04-07 深圳市吉祥腾达科技有限公司 Network detection method for optimizing internet experience of apple mobile phone by router

Citations (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101262477A (en) * 2007-03-09 2008-09-10 国际商业机器公司 System and method for detecting multiple IP address
CN103685584A (en) * 2012-09-07 2014-03-26 中国科学院计算机网络信息中心 Method and system of resisting domain name hijacking based on tunnelling
CN103957283A (en) * 2011-09-29 2014-07-30 北京奇虎科技有限公司 Optimal-application-server selection method and device for domain name system
CN105210330A (en) * 2014-04-22 2015-12-30 柏思科技有限公司 Methods and systems for processing a dns request
CN106716951A (en) * 2014-06-26 2017-05-24 吉来特卫星网络有限公司 Methods and apparatus for optimizing tunneled traffic
CN106888268A (en) * 2017-03-24 2017-06-23 杭州迪普科技股份有限公司 A kind of analysis method and device of domain name
CN107547488A (en) * 2016-06-29 2018-01-05 华为技术有限公司 A kind of DNS tunnel detection methods and DNS tunnel detectors
CN108848201A (en) * 2018-06-14 2018-11-20 深信服科技股份有限公司 Detection utilizes the method, system and device of DNS tunnel transmission secret data
CN110602048A (en) * 2019-08-14 2019-12-20 中国平安财产保险股份有限公司 Method and device for preventing domain name hijacking and computer equipment

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9699135B2 (en) * 2012-06-20 2017-07-04 Openvpn Technologies, Inc. Private tunnel network
CN110166581B (en) * 2019-04-30 2022-03-29 大唐软件技术股份有限公司 Domain name resolution server access frequency ratio obtaining method and device


Also Published As

Publication number Publication date
CN111262881A (en) 2020-06-09

Similar Documents

Publication Publication Date Title
CN111262881B (en) Method for hiding DNS domain name of server accessed by mobile phone APP
US11709945B2 (en) System and method for identifying network security threats and assessing network security
US10574698B1 (en) Configuration and deployment of decoy content over a network
US10834082B2 (en) Client/server security by executing instructions and rendering client application instructions
US8756697B2 (en) Systems and methods for determining vulnerability to session stealing
US8539224B2 (en) Obscuring form data through obfuscation
US20010034847A1 (en) Internet/network security method and system for checking security of a client from a remote facility
US7752662B2 (en) Method and apparatus for high-speed detection and blocking of zero day worm attacks
US7685631B1 (en) Authentication of a server by a client to prevent fraudulent user interfaces
US9712532B2 (en) Optimizing security seals on web pages
CN107251528B (en) Method and apparatus for providing data originating within a service provider network
US8336087B2 (en) Robust digest authentication method
US20100235917A1 (en) System and method for detecting server vulnerability
CN111866124B (en) Method, device, server and machine-readable storage medium for accessing webpage
CN105187430A (en) Reverse proxy server, reverse proxy system and reverse proxy method
CN109617917A (en) Address virtual Web application security firewall methods, devices and systems
EP3334115A1 (en) User authentication based on token
CN111371811B (en) Resource calling method, resource calling device, client and service server
CN113301028A (en) Gateway protection method and data labeling method
Anderson et al. Assessing and Exploiting Domain Name Misinformation
KR20190036662A (en) Network Securing Device and Securing method Using The Same
US20230060323A1 (en) How to confuse adversarial environment mapping tools
Sy Enhanced Performance and Privacy for Core Internet Protocols
CN116938492A (en) Network security protection method, device and storage medium
UA148416U (en) METHOD OF IDENTIFICATION OF ONLINE USER IN MOBILE NETWORK ON TARGET WEBSITES

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant