CN112839054A - Network attack detection method, device, equipment and medium - Google Patents


Info

Publication number
CN112839054A
Authority
CN
China
Prior art keywords
domain name
data
dns
preset
detected
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202110142372.8A
Other languages
Chinese (zh)
Inventor
刘晶
范渊
黄进
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
DBAPPSecurity Co Ltd
Hangzhou Dbappsecurity Technology Co Ltd
Original Assignee
Hangzhou Dbappsecurity Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Hangzhou Dbappsecurity Technology Co Ltd
Priority to CN202110142372.8A
Publication of CN112839054A
Legal status: Pending

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416Event detection, e.g. attack signature detection
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L61/00Network arrangements, protocols or services for addressing or naming
    • H04L61/45Network directories; Name-to-address mapping
    • H04L61/4505Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols
    • H04L61/4511Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols using domain name system [DNS]
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441Countermeasures against malicious traffic
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2463/00Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00
    • H04L2463/144Detection or countermeasures against botnets

Abstract

The application discloses a network attack detection method, device, equipment and medium. The method comprises the following steps: acquiring DNS data to be detected through a Hive data warehouse tool; determining a target attack type, where the target attack types comprise botnets based on the Fast-Flux technique, botnets based on a domain generation algorithm (DGA) and advanced persistent threat (APT) attacks; and detecting the DNS data to be detected with a preset detection rule corresponding to the target attack type, so as to determine dangerous DNS data. By reading the DNS data acquired through the Hive data warehouse tool, the method detects Fast-Flux botnets, DGA botnets and APT attacks from different angles of the DNS data according to the preset detection rules, forming a complete detection method that takes DNS data streams as its detection data and improving the detection capability for all three attack types.

Description

Network attack detection method, device, equipment and medium
Technical Field
The present invention relates to the field of computers, and in particular, to a network attack detection method, apparatus, device, and medium.
Background
Botnet attacks and Advanced Persistent Threat (APT) attacks are among the most common and complex network attacks today and are extremely harmful, so how to detect botnet and APT attacks, and thereby prevent the losses they cause, is a problem of wide current concern. Current technologies for detecting botnets mainly include Intrusion Detection Systems (IDS), honeypots and DNS traffic analysis. IDS detection rules mainly depend on the request header of the HTTP protocol: the basic principle is that when a botnet infects a host and scans for further targets it carries a characteristic request header; since the request header of each botnet differs, this detection mode is not universal, and because IDS rule grammar is simple, detection is difficult when botnet traffic involves more complex detection logic or previously unseen botnet characteristics. Honeypots attract attacks by carefully arranging targets to be attacked, and once an attacker intrudes, the attack can be traced to some degree; although the technique is effective, it requires large-scale deployment and is easily used as a stepping stone by a skilled attacker. Conventional technologies usually adopt a single detection mode for a particular type of attack, such as Fast-Flux botnet detection, DNS tunnel detection or machine-learning-based DGA detection, but such a detection mode has a narrow detection range, covers a single type and cannot meet the requirements of practical applications.
Disclosure of Invention
In view of this, the present invention provides a network attack detection method, apparatus, device and medium that improve the detection capability for botnets based on the Fast-Flux technique, botnets based on a domain generation algorithm (DGA) and advanced persistent threat (APT) attacks. The specific scheme is as follows:
In a first aspect, the present application discloses a network attack detection method, including:
acquiring DNS data to be detected through a Hive data warehouse tool;
determining a target attack type, where the target attack types comprise Fast-Flux botnets, DGA botnets and APT attacks;
and detecting the DNS data to be detected using a preset detection rule corresponding to the target attack type, so as to determine dangerous DNS data.
Optionally, obtaining the DNS data to be detected through the Hive data warehouse tool includes:
connecting to a Spark big data platform and acquiring DNS traffic data within a preset time window from the corresponding Hive data warehouse tool, where the DNS traffic data comprises domain name data and the corresponding resolved IP, source IP, time to live (TTL) and response result state;
and filtering the DNS traffic data against a white list to obtain the DNS data to be detected.
Optionally, detecting the DNS data to be detected using the preset detection rule corresponding to the target attack type to determine dangerous DNS data includes:
detecting the DNS data to be detected using a first preset detection rule corresponding to the Fast-Flux botnet, so as to determine the Fast-Flux botnet domain names and their corresponding resolved IPs;
detecting the DNS data to be detected using a second preset detection rule corresponding to the DGA botnet, so as to determine the DGA botnet domain names and their corresponding resolved IPs;
and detecting the DNS data to be detected using a third preset detection rule corresponding to the APT attack, so as to determine the DNS-tunnel-based APT attack;
where the first preset detection rule is constructed from the resolved IP, the first-level domain, the TTL, the domain name entropy, the time interval between domain name access records and the sub-domain; the second preset detection rule is constructed from a preset detection model, domain name activity and the response result state; and the third preset detection rule is constructed from the domain name entropy, the time interval between domain name access records and the sub-domain.
Optionally, detecting the DNS data to be detected using the first preset detection rule corresponding to the Fast-Flux botnet, to determine the Fast-Flux botnet domain names and their corresponding resolved IPs, includes:
calculating the number of resolved IPs of each first-level domain in the DNS data to be detected, and if the number of resolved IPs is smaller than a preset count threshold, removing the DNS data corresponding to that first-level domain, to obtain first data;
calculating the average TTL of each first-level domain in the first data, and if the average TTL is smaller than a preset time threshold, removing the DNS data corresponding to that first-level domain, to obtain second data;
calculating the change rate of the resolved IPs corresponding to each first-level domain in the second data, and if the change rate is smaller than a preset change rate threshold, removing the DNS data corresponding to that first-level domain, to obtain third data;
calculating the domain name entropy of each domain name in the third data, and if the entropy is smaller than a preset entropy threshold, removing the DNS data corresponding to that domain name, to obtain fourth data;
calculating the time interval between the access records of each domain name in the fourth data, and if the interval is not fixed and/or is greater than a preset time interval, removing the DNS data corresponding to that domain name, to obtain fifth data;
calculating the length of each sub-domain in the fifth data, and if the length is smaller than a preset length threshold, removing the DNS data corresponding to that sub-domain, to obtain sixth data;
calculating the proportion of upper-case English letters in each sub-domain in the sixth data, and if the proportion is not within a preset proportion interval, removing the DNS data corresponding to that sub-domain, to obtain seventh data;
and calculating the sub-domain similarity of each first-level domain in the seventh data, and if the similarity is higher than a preset similarity threshold, removing the DNS data corresponding to that first-level domain, to obtain the filtered first-level domains and resolved IPs, which determine the Fast-Flux botnet domain names and their corresponding resolved IPs.
Optionally, detecting the DNS data to be detected using the second preset detection rule corresponding to the DGA botnet, to determine the DGA botnet domain names and their corresponding resolved IPs, includes:
filtering the DNS data to be detected with a preset detection model, to obtain the DNS data generated by a domain generation algorithm;
calculating the activity of each first-level domain in that DGA-generated DNS data, and if the activity is higher than a preset activity threshold, removing the DNS data corresponding to that first-level domain, to obtain filtered data;
and checking the response result state corresponding to each first-level domain in the filtered data, screening out the records whose response result state matches preset state parameters, and taking their first-level domains and resolved IPs as the DGA botnet domain names and corresponding resolved IPs.
Optionally, detecting the DNS data to be detected using the third preset detection rule corresponding to the APT attack, to determine the DNS-tunnel-based APT attack, includes:
calculating the domain name entropy of each domain name in the DNS data to be detected, and if the entropy is smaller than a preset entropy threshold, removing the DNS data corresponding to that domain name, to obtain eighth data;
calculating the time interval between the access records of each domain name in the eighth data, and if the interval is not fixed and/or is greater than a preset time interval, removing the DNS data corresponding to that domain name, to obtain ninth data;
calculating the length of each sub-domain in the ninth data, and if the length is smaller than a preset length threshold, removing the DNS data corresponding to that sub-domain, to obtain tenth data;
calculating the proportion of upper-case English letters in each sub-domain in the tenth data, and if the proportion is not within a preset proportion interval, removing the DNS data corresponding to that sub-domain, to obtain eleventh data;
calculating the sub-domain similarity of each first-level domain in the eleventh data, and if the similarity is higher than a preset similarity threshold, removing the DNS data corresponding to that first-level domain, to obtain the filtered first-level domains and resolved IPs;
hashing the source IP corresponding to each filtered first-level domain with a message digest algorithm, to obtain digested source IP data;
and matching the digested source IP data against sample data, and determining the DNS-tunnel-based APT attack from the matching result.
In a second aspect, the present application discloses a network attack detection apparatus, including:
an acquisition module for acquiring DNS data to be detected through a Hive data warehouse tool;
an attack type determining module for determining the target attack type, where the target attack types comprise Fast-Flux botnets, DGA botnets and APT attacks;
and a detection module for detecting the DNS data to be detected using a preset detection rule corresponding to the target attack type, so as to determine dangerous DNS data.
Optionally, the detection module includes:
a first detection module for detecting the DNS data to be detected using a first preset detection rule corresponding to the Fast-Flux botnet, so as to determine the Fast-Flux botnet domain names and their corresponding resolved IPs;
a second detection module for detecting the DNS data to be detected using a second preset detection rule corresponding to the DGA botnet, so as to determine the DGA botnet domain names and their corresponding resolved IPs;
a third detection module for detecting the DNS data to be detected using a third preset detection rule corresponding to the APT attack, so as to determine the DNS-tunnel-based APT attack;
where the first preset detection rule is constructed from resolved IP parameters, the first-level domain, the TTL value, the change rate of the resolved IP, the domain name entropy, the time interval between domain name access records and sub-domain related parameters; the second preset detection rule is constructed from a preset detection model, domain name activity and the response result state; and the third preset detection rule is constructed from the domain name entropy, the time interval between domain name access records and sub-domain related parameters.
In a third aspect, the present application discloses an electronic device, comprising:
a memory for storing a computer program;
a processor for executing the computer program to implement the network attack detection method described above.
In a fourth aspect, the present application discloses a computer readable storage medium for storing a computer program; wherein the computer program when executed by the processor implements the network attack detection method as described above.
In the application, DNS data to be detected is obtained through a Hive data warehouse tool; a target attack type is determined, where the target attack types comprise Fast-Flux botnets, DGA botnets and APT attacks; and the DNS data to be detected is detected using a preset detection rule corresponding to the target attack type, so as to determine dangerous DNS data. The DNS data read from the Hive data warehouse tool can therefore be examined from different angles according to the preset detection rules, the Fast-Flux botnet, the DGA botnet and the APT attack are detected at the same time, a complete detection method that takes the DNS data stream as its detection data is formed, and the detection capability for all three attack types is improved.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to the provided drawings without creative efforts.
Fig. 1 is a flowchart of a network attack detection method provided in the present application;
fig. 2 is a flowchart of a specific network attack detection method provided in the present application;
fig. 3 is a schematic structural diagram of a network attack detection apparatus provided in the present application;
fig. 4 is a block diagram of an electronic device provided in the present application.
Detailed Description
In the prior art, a particular type of attack, such as a Fast-Flux botnet, a DNS tunnel or a DGA detected by machine learning, is detected by a single detection method, but such a method has a narrow detection range, covers a single type and performs poorly in practical applications. To overcome these problems, the application provides a network attack detection method based on a Spark big data platform, which improves the detection capability for Fast-Flux botnets, DGA botnets and advanced persistent threat (APT) attacks.
The embodiment of the application discloses a network attack detection method, and as shown in fig. 1, the method can comprise the following steps:
step S11: and acquiring DNS data to be detected through a Hive data warehouse tool.
In this embodiment, the DNS (Domain Name System) data to be detected is first acquired by reading a Hive data warehouse tool. Obtaining the DNS traffic to be detected through the Hive data warehouse tool may include: connecting to a Spark big data platform and acquiring the DNS traffic data within a preset time window from the corresponding Hive data warehouse tool, where the DNS traffic data includes domain name data and the corresponding resolved IP, source IP, time to live (TTL) and response result state (that is, the reply code); and filtering the DNS traffic data against a white list to obtain the DNS data to be detected. In other words, after connecting to the Spark big data platform, the DNS traffic data in the corresponding time window is extracted from Hive by its time field, the domain name white list is read, and the DNS traffic data is filtered against that white list.
Step S22: determining a target attack type, where the target attack types comprise Fast-Flux botnets, DGA botnets and APT attacks.
In this embodiment, the target attack types include, but are not limited to, Fast-Flux botnets, DGA botnets and APT attacks. A Fast-Flux botnet is one built on the Fast-Flux technique, which comes in two forms, Single-Flux and Double-Flux. In Single-Flux, the controller provides a bottom-level domain name server that returns frequently changing IP addresses for the C&C (Command and Control) server. In Double-Flux, the controller deploys several C&C domain name servers and continuously modifies, in the top-level domain name server, the IP address of the corresponding bottom-level domain name server, so that the bottom-level server that resolves the C&C domain name changes every time. The target attack types further include botnets built on a Domain Generation Algorithm (DGA) and advanced persistent threat (APT) attacks.
Step S13: detecting the DNS data to be detected using a preset detection rule corresponding to the target attack type, so as to determine dangerous DNS data.
In this embodiment, the preset detection rule corresponding to the target attack type is used to detect the DNS data to be detected and so determine the dangerous DNS data, namely the Fast-Flux botnet domain names and their corresponding resolved IPs, the DGA botnet domain names and their corresponding resolved IPs, and the DNS-tunnel-based APT attack. Detection is thus carried out for different types of attack using several combined strategies built from different characteristics of the DNS data to be detected, so that several attacks are detected from the DNS data; the detection process can be implemented by writing UDFs (User Defined Functions) on the Spark big data platform. It should also be noted that the method and device can be implemented as a multi-attack detection model built on the Spark big data platform, so that botnet and APT attacks are detected systematically through distributed processing and computation over massive DNS data; scalability is good, operation is more flexible, and the corresponding single detection units are combined flexibly according to the target attack types, so that botnet and APT attacks are detected with the DNS data stream at the centre.
As can be seen from the above, in this embodiment DNS data to be detected is acquired through a Hive data warehouse tool; a target attack type is determined, where the target attack types comprise Fast-Flux botnets, DGA botnets and APT attacks; and the DNS data to be detected is detected using a preset detection rule corresponding to the target attack type, so as to determine dangerous DNS data. The DNS data read from the Hive data warehouse tool can therefore be examined from different angles according to the preset detection rules, the Fast-Flux botnet, the DGA botnet and the APT attack are detected at the same time, a complete detection method that takes the DNS data stream as its detection data is formed, and the detection capability for all three attack types is improved.
The embodiment of the application discloses a specific network attack detection method, and as shown in fig. 2, the method may include the following steps:
step S21: and acquiring DNS data to be detected through a Hive data warehouse tool.
Step S22: determining a target attack type, where the target attack types comprise Fast-Flux botnets, DGA botnets and APT attacks.
Step S23: detecting the DNS data to be detected using a first preset detection rule corresponding to the Fast-Flux botnet, so as to determine the Fast-Flux botnet domain names and their corresponding resolved IPs; the first preset detection rule is constructed from the resolved IP, the first-level domain, the TTL, the domain name entropy, the time interval between domain name access records and the sub-domain.
Specifically, detecting the DNS data to be detected using the first preset detection rule corresponding to the Fast-Flux botnet, to determine the Fast-Flux botnet domain names and their corresponding resolved IPs, may include: calculating the number of resolved IPs of each first-level domain in the DNS data to be detected, and if that number is smaller than a preset count threshold, removing the DNS data corresponding to that first-level domain to obtain first data; the preset count threshold may be 20.
Calculating the average Time To Live (TTL) of each first-level domain in the first data, and if the average TTL is smaller than a preset time threshold, removing the DNS data corresponding to that first-level domain to obtain second data; the preset time threshold may be 3600 s.
Calculating the change rate of the resolved IPs corresponding to each first-level domain (for example, ".com") in the second data, and if the change rate is smaller than a preset change rate threshold, removing the DNS data corresponding to that first-level domain to obtain third data; the change rate threshold may be 0.3.
Calculating the domain name entropy of each domain name in the third data, and if the entropy is smaller than a preset entropy threshold, removing the DNS data corresponding to that domain name to obtain fourth data; for example, the entropy, that is, the degree of disorder, of the domain name https:// www.nature.com/articles/s 41467-020-.
Calculating the time interval between the access records of each domain name in the fourth data, and if the interval is not fixed and/or is greater than a preset time interval, removing the DNS data corresponding to that domain name to obtain fifth data; the preset time interval may be 10 s, and the time interval of a domain name's access records is the interval between all communications of a single source IP host with the server.
Calculating the length of each sub-domain in the fifth data, and if the length is smaller than a preset length threshold, removing the DNS data corresponding to that sub-domain to obtain sixth data; the preset length threshold may be 50.
Calculating the proportion of upper-case English letters in each sub-domain in the sixth data, and if the proportion is not within a preset proportion interval, removing the DNS data corresponding to that sub-domain to obtain seventh data; the preset proportion interval may be 0.1 to 0.7.
And calculating the sub-domain similarity of each first-level domain in the seventh data, and if the similarity is higher than a preset similarity threshold, removing the DNS data corresponding to that first-level domain to obtain the filtered first-level domains and resolved IPs, which determine the Fast-Flux botnet domain names and their corresponding resolved IPs; the similarity threshold may be 0.2.
It should be noted that this filtering order is a preferred scheme for botnet detection and may be adjusted according to the actual application.
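The eight-stage filter chain of step S23, carried through in working Python as an added example; this is not code from the patent or from the applicant. It uses the thresholds quoted on the page (20, 3600 s, 0.3, 10 s, 50, 0.1 to 0.7, 0.2), borrows the 4.9 entropy threshold that the page quotes only for the DNS-tunnel rule, and supplies definitions the page leaves open, all of which are assumptions: the first-level domain is taken as the last two labels, the IP change rate as distinct resolved IPs per record, the access interval is judged per (domain name, source IP) pair, and sub-domain similarity is the mean pairwise Jaccard index over character bigrams. The DNS records are constructed sample data. In the Spark deployment the page describes each function would be registered as a UDF and the per-domain aggregation done by groupBy; here it is plain Python so it runs stand-alone.

```python
import math
from collections import Counter, defaultdict
from itertools import combinations
from statistics import mean

# Thresholds quoted on the page for step S23. The page gives no entropy
# threshold for this chain, so the 4.9 it quotes for the DNS-tunnel rule is
# assumed here.
MIN_RESOLVED_IPS, MIN_AVG_TTL, MIN_IP_CHANGE_RATE = 20, 3600, 0.3
MIN_ENTROPY, MAX_INTERVAL_S, MIN_SUBDOMAIN_LEN = 4.9, 10, 50
UPPER_RATIO_RANGE, MAX_SUBDOMAIN_SIMILARITY = (0.1, 0.7), 0.2


def first_level_domain(name):
    """Last two labels, standing in for the registrable domain (assumption:
    the page does not say how the first-level domain is derived)."""
    return ".".join(name.split(".")[-2:])


def subdomain(name):
    return ".".join(name.split(".")[:-2])


def entropy(s):
    """Shannon entropy of the character distribution of s, in bits."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def upper_ratio(s):
    return sum(ch.isupper() for ch in s) / len(s) if s else 0.0


def bigram_jaccard(a, b):
    """Assumed similarity measure: Jaccard index over character bigrams."""
    ga = {a[i:i + 2] for i in range(len(a) - 1)}
    gb = {b[i:i + 2] for i in range(len(b) - 1)}
    return len(ga & gb) / len(ga | gb) if ga | gb else 0.0


def subdomain_similarity(subs):
    """Mean pairwise similarity over the distinct sub-domains (assumption)."""
    pairs = list(combinations(sorted(set(subs)), 2))
    return mean(bigram_jaccard(a, b) for a, b in pairs) if pairs else 0.0


def fixed_interval(timestamps):
    """True when every gap between consecutive accesses is identical and at
    most MAX_INTERVAL_S; a single access has no interval and is rejected."""
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    return bool(gaps) and len(set(gaps)) == 1 and gaps[0] <= MAX_INTERVAL_S


def detect_fast_flux(records):
    """Runs the eight filters of the first preset rule in the page's order.
    records: dicts with keys domain, ip (resolved), src_ip, ttl, ts (seconds).
    Returns {first-level domain: sorted resolved IPs} for the survivors."""
    by_fld = defaultdict(list)
    for r in records:
        by_fld[first_level_domain(r["domain"])].append(r)
    flagged = {}
    for fld, rs in by_fld.items():
        ips = {r["ip"] for r in rs}
        if len(ips) < MIN_RESOLVED_IPS:                    # 1: resolved-IP count
            continue
        if mean(r["ttl"] for r in rs) < MIN_AVG_TTL:       # 2: average TTL
            continue
        if len(ips) / len(rs) < MIN_IP_CHANGE_RATE:        # 3: change rate (assumed definition)
            continue
        rs = [r for r in rs if entropy(r["domain"]) >= MIN_ENTROPY]  # 4: entropy
        per_host = defaultdict(list)                       # 5: interval per (domain, source host)
        for r in rs:
            per_host[(r["domain"], r["src_ip"])].append(r["ts"])
        rs = [r for r in rs if fixed_interval(per_host[(r["domain"], r["src_ip"])])]
        rs = [r for r in rs if len(subdomain(r["domain"])) >= MIN_SUBDOMAIN_LEN]  # 6: length
        lo, hi = UPPER_RATIO_RANGE
        rs = [r for r in rs if lo <= upper_ratio(subdomain(r["domain"])) <= hi]  # 7: upper-case share
        if rs and subdomain_similarity(subdomain(r["domain"]) for r in rs) <= MAX_SUBDOMAIN_SIMILARITY:
            flagged[fld] = sorted({r["ip"] for r in rs})   # 8: sub-domain similarity
    return flagged


# Constructed sample: one Fast-Flux-like domain with a long mixed-case label, one
# CDN-like domain that is dropped at the entropy filter, and one ordinary domain
# that is dropped at the resolved-IP count filter.
LABEL = "abcdefghijklmnopqrstuvwxyz" + "ABCDEFGHIJKLMNOPQRST" + "0123456789"
SAMPLE = (
    [{"domain": LABEL + ".flux-example.test", "ip": f"10.0.0.{i + 1}",
      "src_ip": "192.0.2.10", "ttl": 7200, "ts": 5 * i} for i in range(24)]
    + [{"domain": "cdn.cdn-example.test", "ip": f"203.0.113.{i + 1}",
        "src_ip": "192.0.2.10", "ttl": 7200, "ts": 5 * i} for i in range(24)]
    + [{"domain": "www.benign.example", "ip": "198.51.100.1",
        "src_ip": "192.0.2.10", "ttl": 300, "ts": 60 * i} for i in range(3)]
)

if __name__ == "__main__":
    print(detect_fast_flux(SAMPLE))
```

Every comparison keeps the direction the page gives it (a record is removed when its feature falls below the threshold), so the chain as stated retains domains with a high average TTL and long, mixed-case sub-domains. A practitioner tuning this on real traffic should validate each threshold and comparison against labelled samples of the attack being sought, and treat the values as starting points, as the page itself says of the filtering order.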
Step S24: detecting the DNS data to be detected using a second preset detection rule corresponding to the DGA botnet, so as to determine the DGA botnet domain names and their corresponding resolved IPs; the second preset detection rule is constructed from a preset detection model, domain name activity and the response result state.
Specifically, in this embodiment, detecting the DNS data to be detected using the second preset detection rule corresponding to the DGA botnet, to determine the DGA botnet domain names and their corresponding resolved IPs, may include: filtering the DNS data to be detected with a preset detection model, to obtain the DNS data generated by a domain generation algorithm; the detection model classifies first-level domains, so that DNS data not generated by a domain generation algorithm is filtered out.
Then calculating the activity of each first-level domain in the DGA-generated DNS data, and if the activity is higher than a preset activity threshold, removing the DNS data corresponding to that first-level domain to obtain filtered data; the activity threshold may be 0.2, which filters out CDN domain names.
Checking the response result state corresponding to each first-level domain in the filtered data, screening out the records whose response result state matches preset state parameters, and taking their first-level domains and resolved IPs as the DGA botnet domain names and corresponding resolved IPs; the response result state may be 3.
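The three-stage DGA rule of step S24 in working Python, added here as an example that is not code from the patent or the applicant. The page does not specify the preset detection model or how activity is measured, so both are assumptions: the model is replaced by a simple heuristic on the leftmost label (long and vowel-poor), which a deployment would swap for a trained classifier, and activity is defined as the share of hourly buckets in a one-day window in which the first-level domain was queried, which makes always-on CDN names score near 1 and short-lived DGA names near 0. The response result state 3 is the page's value; it is the DNS RCODE for NXDOMAIN. The records are constructed sample data.

```python
from collections import defaultdict

ACTIVITY_THRESHOLD = 0.2            # from the page
TARGET_RCODE = 3                    # from the page; DNS RCODE 3 is NXDOMAIN
BUCKET_S, WINDOW_BUCKETS = 3600, 24  # assumed: hourly buckets over a one-day window


def first_level_domain(name):
    """Last two labels, standing in for the registrable domain (assumption)."""
    return ".".join(name.split(".")[-2:])


def looks_generated(fld):
    """Stand-in for the page's unspecified preset detection model (assumption):
    a first-level domain whose leftmost label is long and vowel-poor is treated
    as algorithmically generated. A deployment would use a trained classifier."""
    label = fld.split(".")[0]
    vowels = sum(ch in "aeiou" for ch in label)
    return len(label) >= 10 and vowels / len(label) < 0.25


def activity(timestamps):
    """Assumed definition of domain activity: share of time buckets in the
    window in which the domain was queried at least once."""
    return len({int(t // BUCKET_S) for t in timestamps}) / WINDOW_BUCKETS


def detect_dga(records):
    """Second preset rule: model filter, activity filter, then keep the
    first-level domains that have a response state equal to TARGET_RCODE.
    records: dicts with keys domain, ip (resolved IP or None), rcode, ts.
    Returns {first-level domain: sorted resolved IPs of the matching records}."""
    by_fld = defaultdict(list)
    for r in records:
        by_fld[first_level_domain(r["domain"])].append(r)
    flagged = {}
    for fld, rs in by_fld.items():
        if not looks_generated(fld):                         # stage 1: model
            continue
        if activity(r["ts"] for r in rs) > ACTIVITY_THRESHOLD:  # stage 2: activity
            continue
        hits = [r for r in rs if r["rcode"] == TARGET_RCODE]  # stage 3: reply code
        if hits:
            flagged[fld] = sorted({r["ip"] for r in hits if r["ip"]})
    return flagged


# Constructed sample; timestamps are seconds into a one-day window.
SAMPLE = (
    # generated-looking, queried five times within one hour, all NXDOMAIN: reported
    [{"domain": "qwzxkrtplmv.net", "ip": None, "rcode": 3, "ts": 100 + 30 * i} for i in range(5)]
    # generated-looking but seen in 20 different hours: too active, dropped at stage 2
    + [{"domain": "xkvprtlmnqz.org", "ip": None, "rcode": 3, "ts": 3600 * h} for h in range(20)]
    # generated-looking and quiet, but resolves normally (rcode 0): not reported
    + [{"domain": "mbvqtrzxkl.info", "ip": "203.0.113.7", "rcode": 0, "ts": 7200 + i} for i in range(3)]
    # ordinary name rejected by the model stand-in at stage 1
    + [{"domain": "www.wikipedia.org", "ip": "198.51.100.5", "rcode": 0, "ts": 3600 * h} for h in range(24)]
)

if __name__ == "__main__":
    print(detect_dga(SAMPLE))
```

A domain reported with an empty IP list is the expected shape for an unregistered DGA candidate: the NXDOMAIN answers carry no address, and it is the client's repeated querying of such names that the rule surfaces. The registered sibling (rcode 0) is deliberately left out by the page's stage 3, which is worth remembering when reading the results, since the live C&C domain of a DGA family is exactly the one that resolves.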
Step S25: detect the DNS data to be detected using a third preset detection rule corresponding to the advanced persistent threat attack, so as to determine the advanced persistent threat attack based on a DNS tunnel; the third preset detection rule is a detection rule constructed based on the domain name entropy value, the time interval between domain name access records and the sub-domain name.
Specifically, in this embodiment, detecting the DNS data to be detected using the third preset detection rule corresponding to the advanced persistent threat attack, so as to determine the advanced persistent threat attack based on the DNS tunnel, may include: calculating the domain name entropy value of each domain name in the DNS data to be detected, and if the entropy value is smaller than a preset entropy threshold, removing the DNS data corresponding to that domain name to obtain eighth data; the entropy threshold may be 4.9. In this embodiment the data sets are numbered only to distinguish the data obtained by the different processing steps; the numbering does not limit their order.
Calculating the time interval between the access records of each domain name in the eighth data, and if the interval is not a fixed interval and/or is greater than a preset time interval, removing the DNS data corresponding to that domain name to obtain ninth data; the preset time interval may be 10 s.
Calculating the length of each sub-domain name in the ninth data, and if the length is smaller than a preset length threshold, removing the DNS data corresponding to that sub-domain name to obtain tenth data; the preset length threshold may be 50.
Calculating the proportion of uppercase English letters in each sub-domain name in the tenth data, and if the proportion lies outside a preset proportion interval, removing the DNS data corresponding to that sub-domain name to obtain eleventh data; the preset proportion interval may be 0.1 to 0.7.
Calculating the sub-domain name similarity of each primary domain name in the eleventh data, and if the similarity is higher than a preset similarity threshold, removing the DNS data corresponding to that primary domain name, so as to obtain the filtered primary domain names and their resolved IPs; the similarity threshold may be 0.2.
Finally, the source IP corresponding to each filtered primary domain name is hashed with a message digest algorithm to obtain hashed source IP data; the hashed source IP data is matched against the sample data, and the advanced persistent threat attack based on the DNS tunnel is determined according to the matching result. Specifically, the source IP corresponding to the filtered primary domain name is hashed with the message digest algorithm MD5, and the hashed source IP data is sent to a server that stores the MD5 values of the core asset IPs (the server may be offline or online according to the security requirement); the matched source IP data is returned to the Spark big data platform, and the corresponding DNS data is output as the traffic data of the advanced persistent threat attack based on the DNS tunnel.
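The step S25 pipeline in Python, as an added example that is not part of the patent, using the thresholds given above (entropy 4.9, interval 10 s, sub-domain length 50, uppercase share 0.1 to 0.7, similarity 0.2). The record layout, the character-trigram Jaccard used as the sub-domain similarity metric, the treatment of a single access record as not regular, the sample records and the local MD5 set standing in for the server holding the core asset IP hashes are all assumptions.

```python
import hashlib
import math
import string
from collections import Counter, defaultdict
from typing import Dict, Iterable, List, Set

# Thresholds taken from the embodiment above.
ENTROPY_MIN = 4.9          # drop query names whose character entropy (bits) is lower
INTERVAL_MAX_S = 10        # access records must be evenly spaced and at most this far apart
SUBDOMAIN_MIN_LEN = 50     # drop shorter sub-domain parts
UPPER_RATIO = (0.1, 0.7)   # uppercase share of the sub-domain must lie in this interval
SIMILARITY_MAX = 0.2       # sub-domains under one primary domain must not resemble each other more


def shannon_entropy(text: str) -> float:
    """Character entropy of a string in bits."""
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def subdomain_of(qname: str, primary: str) -> str:
    """Part of the query name in front of the primary domain (assumed record layout)."""
    return qname[: -len(primary)].rstrip(".")


def trigram_similarity(a: str, b: str) -> float:
    """Jaccard similarity of character-trigram sets; stand-in for the patent's unspecified metric."""
    ta = {a[i:i + 3] for i in range(len(a) - 2)}
    tb = {b[i:i + 3] for i in range(len(b) - 2)}
    return len(ta & tb) / len(ta | tb) if ta | tb else 0.0


def regular_and_fast(timestamps: Iterable[int]) -> bool:
    """True when the access records are evenly spaced and no gap exceeds INTERVAL_MAX_S.
    A single record has no interval and is treated as not regular (assumption)."""
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    return bool(gaps) and len(set(gaps)) == 1 and gaps[0] <= INTERVAL_MAX_S


def detect_dns_tunnel(records: List[Dict], core_asset_md5: Set[str]) -> List[Dict]:
    """Apply the five filters of step S25 in order, then match MD5(source IP) against the
    hashed core-asset list. Each record: dict with ts, qname, primary, src_ip, resolved_ip."""
    # Filter 1: entropy of the query name.
    data = [r for r in records if shannon_entropy(r["qname"]) >= ENTROPY_MIN]
    # Filter 2: regular, short access intervals per primary domain.
    by_primary = defaultdict(list)
    for r in data:
        by_primary[r["primary"]].append(r["ts"])
    data = [r for r in data if regular_and_fast(by_primary[r["primary"]])]
    # Filter 3: sub-domain length.
    data = [r for r in data if len(subdomain_of(r["qname"], r["primary"])) >= SUBDOMAIN_MIN_LEN]

    # Filter 4: uppercase share of the sub-domain.
    def upper_share(r: Dict) -> float:
        sub = subdomain_of(r["qname"], r["primary"])
        return sum(ch.isupper() for ch in sub) / len(sub)

    data = [r for r in data if UPPER_RATIO[0] <= upper_share(r) <= UPPER_RATIO[1]]
    # Filter 5: mean pairwise similarity of the sub-domains under each primary domain.
    subs = defaultdict(list)
    for r in data:
        subs[r["primary"]].append(subdomain_of(r["qname"], r["primary"]))

    def mean_similarity(names: List[str]) -> float:
        pairs = [(a, b) for i, a in enumerate(names) for b in names[i + 1:]]
        return sum(trigram_similarity(a, b) for a, b in pairs) / len(pairs) if pairs else 0.0

    data = [r for r in data if mean_similarity(subs[r["primary"]]) <= SIMILARITY_MAX]
    # Final step: hash the source IP with MD5 and keep the records whose hash is in the sample set.
    return [r for r in data if hashlib.md5(r["src_ip"].encode()).hexdigest() in core_asset_md5]


# Constructed sample data (not from the patent): a 52-character alphabet, permuted so that the
# three encoded labels share no character trigram, queried every 5 s under one primary domain.
ALPHABET = string.ascii_lowercase + string.ascii_uppercase[:16] + string.digits
LABELS = [ALPHABET, ALPHABET[::-1], ALPHABET[1::2] + ALPHABET[::2]]

SAMPLE_RECORDS = (
    # Tunnel-like traffic: high entropy, 5 s beacon, long mixed-case labels, dissimilar labels.
    [{"ts": 1000 + 5 * i, "qname": f"{lab}.example.net", "primary": "example.net",
      "src_ip": "10.0.0.5", "resolved_ip": "203.0.113.9"} for i, lab in enumerate(LABELS)]
    # Ordinary traffic: low entropy, dropped by filter 1.
    + [{"ts": 1000, "qname": "www.example.com", "primary": "example.com",
        "src_ip": "10.0.0.5", "resolved_ip": "198.51.100.1"}]
    # Same high-entropy labels but irregular, slow access (gaps 60 s and 180 s): dropped by filter 2.
    + [{"ts": 1000 + 60 * i * i, "qname": f"{lab}.example.org", "primary": "example.org",
        "src_ip": "10.0.0.7", "resolved_ip": "198.51.100.2"} for i, lab in enumerate(LABELS)]
)

# Constructed stand-in for the server-side sample data: MD5 of each core-asset IP.
CORE_ASSET_MD5 = {hashlib.md5(ip.encode()).hexdigest() for ip in ("10.0.0.5", "10.0.0.6")}

if __name__ == "__main__":
    for hit in detect_dns_tunnel(SAMPLE_RECORDS, CORE_ASSET_MD5):
        print(hit["qname"], hit["resolved_ip"], hit["src_ip"])
```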
After the botnet domain names and corresponding resolved IPs based on the Fast-Flux technique, the botnet domain names and corresponding resolved IPs based on a domain name generation algorithm, and the advanced persistent threat attack based on the DNS tunnel have been determined, the detection results can be written to a Hive and/or Elasticsearch database for storage. It should be noted that steps S23, S24 and S25 may be executed simultaneously.
For the specific processes of step S21 and step S22, reference may be made to the corresponding contents disclosed in the foregoing embodiments, and details are not repeated here.
As can be seen from the above, in this embodiment the DNS data to be detected is detected using a first preset detection rule constructed based on the resolved IP, the primary domain name, the time to live, the domain name entropy value, the time interval between domain name access records and the sub-domain name, so as to determine the botnet domain names and corresponding resolved IPs based on the Fast-Flux technique; using a second preset detection rule constructed based on a preset detection model, domain name activity and response result state, so as to determine the botnet domain names and corresponding resolved IPs based on a domain name generation algorithm; and using a third preset detection rule constructed based on the domain name entropy value, the time interval between domain name access records and the sub-domain name, so as to determine the advanced persistent threat attack based on the DNS tunnel. By examining the DNS data from different angles, botnets based on the Fast-Flux technique, botnets based on a domain name generation algorithm and advanced persistent threat attacks are detected at the same time.
Correspondingly, an embodiment of the present application further discloses a network attack detection apparatus. As shown in fig. 3, the apparatus includes:
an acquisition module 11, configured to acquire the DNS data to be detected through a Hive data warehouse tool;
an attack type determining module 12, configured to determine a target attack type, where the target attack types include botnets based on the Fast-Flux technique, botnets based on a domain name generation algorithm and advanced persistent threat attacks; and
a detection module 13, configured to detect the DNS data to be detected using a preset detection rule corresponding to the target attack type, so as to determine dangerous DNS data.
As can be seen, in this embodiment, mass DNS data read from a Hive data warehouse tool can be examined from different angles according to preset detection rules, and botnets based on the Fast-Flux technique, botnets based on a domain name generation algorithm and advanced persistent threat attacks are detected simultaneously, so that a complete detection method using the DNS data stream as detection data is formed and the capability of detecting these three attack types is improved.
In some specific embodiments, the detection module 13 may specifically include:
a first detection module, configured to detect the DNS data to be detected using a first preset detection rule corresponding to the botnet based on the Fast-Flux technique, so as to determine the botnet domain name based on the Fast-Flux technique and the corresponding resolved IP;
a second detection module, configured to detect the DNS data to be detected using a second preset detection rule corresponding to the botnet based on a domain name generation algorithm, so as to determine the botnet domain name based on the domain name generation algorithm and the corresponding resolved IP; and
a third detection module, configured to detect the DNS data to be detected using a third preset detection rule corresponding to the advanced persistent threat attack, so as to determine the advanced persistent threat attack based on the DNS tunnel;
where the first preset detection rule is a detection rule constructed based on resolved IP parameters, the primary domain name, the time to live, the rate of change of the resolved IP, the domain name entropy value, the time interval between domain name access records and sub-domain name parameters; the second preset detection rule is a detection rule constructed based on a preset detection model, domain name activity and response result state; and the third preset detection rule is a detection rule constructed based on the domain name entropy value, the time interval between domain name access records and sub-domain name parameters.
Further, an embodiment of the present application also discloses an electronic device, shown in fig. 4; the content of the drawing is not to be construed as any limitation on the scope of the application.
Fig. 4 is a schematic structural diagram of an electronic device 20 according to an embodiment of the present disclosure. The electronic device 20 may specifically include: at least one processor 21, at least one memory 22, a power supply 23, a communication interface 24, an input output interface 25, and a communication bus 26. The memory 22 is used for storing a computer program, and the computer program is loaded and executed by the processor 21 to implement relevant steps in the network attack detection method disclosed in any of the foregoing embodiments.
In this embodiment, the power supply 23 is configured to provide a working voltage for each hardware device on the electronic device 20; the communication interface 24 can create a data transmission channel between the electronic device 20 and an external device, and a communication protocol followed by the communication interface is any communication protocol applicable to the technical solution of the present application, and is not specifically limited herein; the input/output interface 25 is configured to obtain external input data or output data to the outside, and a specific interface type thereof may be selected according to specific application requirements, which is not specifically limited herein.
In addition, the memory 22 is used as a carrier for storing resources, and may be a read-only memory, a random access memory, a magnetic disk, an optical disk, or the like, where the stored resources include an operating system 221, a computer program 222, data 223 including DNS data to be detected, and the storage manner may be a transient storage or a permanent storage.
The operating system 221 is used for managing and controlling each hardware device and the computer program 222 on the electronic device 20, so as to realize the operation and processing of the mass data 223 in the memory 22 by the processor 21, and may be Windows Server, Netware, Unix, Linux, and the like. The computer program 222 may further include a computer program that can be used to perform other specific tasks in addition to the computer program that can be used to perform the network attack detection method performed by the electronic device 20 disclosed in any of the foregoing embodiments.
Further, an embodiment of the present application further discloses a computer storage medium, where computer-executable instructions are stored in the computer storage medium, and when the computer-executable instructions are loaded and executed by a processor, the steps of the network attack detection method disclosed in any of the foregoing embodiments are implemented.
The embodiments are described in a progressive manner, each embodiment focuses on differences from other embodiments, and the same or similar parts among the embodiments are referred to each other. The device disclosed by the embodiment corresponds to the method disclosed by the embodiment, so that the description is simple, and the relevant points can be referred to the method part for description.
The steps of a method or algorithm described in connection with the embodiments disclosed herein may be embodied directly in hardware, in a software module executed by a processor, or in a combination of the two. A software module may reside in Random Access Memory (RAM), memory, Read Only Memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art.
Finally, it should also be noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.
The network attack detection method, apparatus, device and medium provided by the present invention have been described in detail above. Specific examples have been used herein to explain the principles and implementation of the invention, and the description of the above embodiments is only intended to help in understanding the method and its core idea. Meanwhile, a person skilled in the art may, following the idea of the present invention, make changes to the specific embodiments and the application scope; in summary, the content of this specification should not be construed as limiting the present invention.

Claims (10)

1. A network attack detection method is characterized by comprising the following steps:
acquiring DNS data to be detected through a Hive data warehouse tool;
determining a target attack type, the target attack types comprising botnets based on the Fast-Flux technique, botnets based on a domain name generation algorithm and advanced persistent threat attacks; and
and detecting the DNS data to be detected by using a preset detection rule corresponding to the target attack type so as to determine dangerous DNS data.
2. The network attack detection method according to claim 1, wherein acquiring the DNS data to be detected through the Hive data warehouse tool comprises:
connecting to a Spark big data platform, and acquiring the DNS traffic data within a preset time window from the corresponding Hive data warehouse tool, the DNS traffic data comprising domain name data, the corresponding resolved IP, the source IP, the time to live and the response result state; and
filtering the DNS traffic data according to a white list to obtain the DNS data to be detected.
3. The network attack detection method according to claim 2, wherein detecting the DNS data to be detected using the preset detection rule corresponding to the target attack type, so as to determine dangerous DNS data, comprises:
detecting the DNS data to be detected using a first preset detection rule corresponding to the botnet based on the Fast-Flux technique, so as to determine the botnet domain name based on the Fast-Flux technique and the corresponding resolved IP;
detecting the DNS data to be detected using a second preset detection rule corresponding to the botnet based on a domain name generation algorithm, so as to determine the botnet domain name based on the domain name generation algorithm and the corresponding resolved IP; and
detecting the DNS data to be detected using a third preset detection rule corresponding to the advanced persistent threat attack, so as to determine the advanced persistent threat attack based on the DNS tunnel;
wherein the first preset detection rule is a detection rule constructed based on the resolved IP, the primary domain name, the time to live, the domain name entropy value, the time interval between domain name access records and the sub-domain name; the second preset detection rule is a detection rule constructed based on a preset detection model, domain name activity and response result state; and the third preset detection rule is a detection rule constructed based on the domain name entropy value, the time interval between domain name access records and the sub-domain name.
4. The network attack detection method according to claim 3, wherein detecting the DNS data to be detected using the first preset detection rule corresponding to the botnet based on the Fast-Flux technique, so as to determine the botnet domain name based on the Fast-Flux technique and the corresponding resolved IP, comprises:
calculating the number of resolved IPs of each primary domain name in the DNS data to be detected, and if the number of resolved IPs is smaller than a preset number threshold, removing the DNS data corresponding to that primary domain name to obtain first data;
calculating the average time to live of each primary domain name in the first data, and if the average time to live is smaller than a preset time threshold, removing the DNS data corresponding to that primary domain name to obtain second data;
calculating the rate of change of the resolved IP corresponding to each primary domain name in the second data, and if the rate of change is smaller than a preset rate-of-change threshold, removing the DNS data corresponding to that primary domain name to obtain third data;
calculating the domain name entropy value of each domain name in the third data, and if the entropy value is smaller than a preset entropy threshold, removing the DNS data corresponding to that domain name to obtain fourth data;
calculating the time interval between the access records of each domain name in the fourth data, and if the interval is not a fixed interval and/or is greater than a preset time interval, removing the DNS data corresponding to that domain name to obtain fifth data;
calculating the length of each sub-domain name in the fifth data, and if the length is smaller than a preset length threshold, removing the DNS data corresponding to that sub-domain name to obtain sixth data;
calculating the proportion of uppercase English letters in each sub-domain name in the sixth data, and if the proportion lies outside a preset proportion interval, removing the DNS data corresponding to that sub-domain name to obtain seventh data; and
calculating the sub-domain name similarity of each primary domain name in the seventh data, and if the similarity is higher than a preset similarity threshold, removing the DNS data corresponding to that primary domain name to obtain the filtered primary domain names and resolved IPs, so as to determine the botnet domain name based on the Fast-Flux technique and the corresponding resolved IP.
5. The network attack detection method according to claim 3, wherein detecting the DNS data to be detected using the second preset detection rule corresponding to the botnet based on the domain name generation algorithm, so as to determine the botnet domain name based on the domain name generation algorithm and the corresponding resolved IP, comprises:
filtering the DNS data to be detected with a preset detection model to obtain the DNS data generated by the domain name generation algorithm;
calculating the activity of each primary domain name in the DNS data generated by the domain name generation algorithm, and if the activity is higher than a preset activity threshold, removing the DNS data corresponding to that primary domain name to obtain filtered data; and
checking the response result state corresponding to each primary domain name in the filtered data, screening out the primary domain names whose response result state conforms to a preset state parameter, and taking each such primary domain name and its resolved IP as the botnet domain name based on the domain name generation algorithm and the corresponding resolved IP.
6. The network attack detection method according to claim 3, wherein detecting the DNS data to be detected using the third preset detection rule corresponding to the advanced persistent threat attack, so as to determine the advanced persistent threat attack based on the DNS tunnel, comprises:
calculating the domain name entropy value of each domain name in the DNS data to be detected, and if the entropy value is smaller than a preset entropy threshold, removing the DNS data corresponding to that domain name to obtain eighth data;
calculating the time interval between the access records of each domain name in the eighth data, and if the interval is not a fixed interval and/or is greater than a preset time interval, removing the DNS data corresponding to that domain name to obtain ninth data;
calculating the length of each sub-domain name in the ninth data, and if the length is smaller than a preset length threshold, removing the DNS data corresponding to that sub-domain name to obtain tenth data;
calculating the proportion of uppercase English letters in each sub-domain name in the tenth data, and if the proportion lies outside a preset proportion interval, removing the DNS data corresponding to that sub-domain name to obtain eleventh data;
calculating the sub-domain name similarity of each primary domain name in the eleventh data, and if the similarity is higher than a preset similarity threshold, removing the DNS data corresponding to that primary domain name to obtain the filtered primary domain names and resolved IPs;
hashing the source IP corresponding to each filtered primary domain name with a message digest algorithm to obtain hashed source IP data; and
matching the hashed source IP data against the sample data, and determining the advanced persistent threat attack based on the DNS tunnel according to the matching result.
7. A network attack detection apparatus, comprising:
an acquisition module, configured to acquire DNS data to be detected through a Hive data warehouse tool;
an attack type determining module, configured to determine a target attack type, the target attack types comprising botnets based on the Fast-Flux technique, botnets based on a domain name generation algorithm and advanced persistent threat attacks; and
a detection module, configured to detect the DNS data to be detected using a preset detection rule corresponding to the target attack type, so as to determine dangerous DNS data.
8. The network attack detection apparatus according to claim 7, wherein the detection module comprises:
a first detection module, configured to detect the DNS data to be detected using a first preset detection rule corresponding to the botnet based on the Fast-Flux technique, so as to determine the botnet domain name based on the Fast-Flux technique and the corresponding resolved IP;
a second detection module, configured to detect the DNS data to be detected using a second preset detection rule corresponding to the botnet based on a domain name generation algorithm, so as to determine the botnet domain name based on the domain name generation algorithm and the corresponding resolved IP; and
a third detection module, configured to detect the DNS data to be detected using a third preset detection rule corresponding to the advanced persistent threat attack, so as to determine the advanced persistent threat attack based on the DNS tunnel;
wherein the first preset detection rule is a detection rule constructed based on resolved IP parameters, the primary domain name, the time to live, the rate of change of the resolved IP, the domain name entropy value, the time interval between domain name access records and sub-domain name parameters; the second preset detection rule is a detection rule constructed based on a preset detection model, domain name activity and response result state; and the third preset detection rule is a detection rule constructed based on the domain name entropy value, the time interval between domain name access records and sub-domain name parameters.
9. An electronic device, comprising:
a memory for storing a computer program; and
a processor for executing the computer program to implement the network attack detection method according to any one of claims 1 to 6.
10. A computer-readable storage medium storing a computer program, wherein the computer program, when executed by a processor, implements the network attack detection method according to any one of claims 1 to 6.
CN202110142372.8A 2021-02-02 2021-02-02 Network attack detection method, device, equipment and medium Pending CN112839054A (en)

Publications (1)

Publication Number Publication Date
CN112839054A true CN112839054A (en) 2021-05-25

Family

ID=75932694

Legal Events

Date Code Title Description
PB01 Publication Application publication date: 20210525
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication