CN114710392B - Event information acquisition method and device - Google Patents


Info

Publication number: CN114710392B
Application number: CN202210295157.6A
Authority: CN (China)
Prior art keywords: information, entity, event, alarm, access behavior
Legal status: Active (the legal status is an assumption and not a legal conclusion; Google has not performed a legal analysis)
Other languages: Chinese (zh)
Other versions: CN114710392A (en)
Inventor: 王翎霁
Current assignee: Alibaba Cloud Computing Ltd (listed assignees may be inaccurate; Google has not performed a legal analysis)
Original assignee: Alibaba Cloud Computing Ltd
Application filed by Alibaba Cloud Computing Ltd; priority to CN202210295157.6A; published as CN114710392A (application) and CN114710392B (granted patent).

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/06 Management of faults, events, alarms or notifications
    • H04L41/0631 Management of faults, events, alarms or notifications using root cause analysis; using analysis of correlation between notifications, alarms or events based on decision criteria, e.g. hierarchy, tree or time analysis
    • H04L41/0636 Management of faults, events, alarms or notifications using root cause analysis based on a decision tree analysis
    • H04L41/064 Management of faults, events, alarms or notifications using root cause analysis involving time analysis

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Vision & Pattern Recognition (AREA)
  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

One or more embodiments of the present disclosure provide a method and an apparatus for acquiring event information. The method includes: acquiring the entity identifier of the target entity on which an alarm event occurred and the occurrence time of that alarm event; and, based on the entity identifier and the event occurrence time, retrieving the associated information of the alarm event from a knowledge graph according to an information query condition. The knowledge graph comprises the entity identifiers of a plurality of entities, the access behavior information between any two entities, and the entity attributes of any entity, where the entity attributes include the alarm information present on that entity. The associated information includes the access behavior information and/or alarm information associated with the target entity within a time range determined from the event occurrence time.

Description

Event information acquisition method and device
Technical Field
One or more embodiments of the present disclosure relate to the field of network security technologies, and in particular, to a method and an apparatus for acquiring event information.
Background
With the rapid growth of cloud computing, a cloud computing system can provide computing, network, storage and other capabilities to cloud users through the hardware and software resources of a cloud platform, reducing users' computing costs and improving data reliability. Alongside this convenience, security is equally important: network security in a cloud computing environment is protected by various security products that monitor for network attacks and potential security risks.
In the related art, when a security product detects an alarm event (for example a malicious network attack or a malicious command execution), security operators usually search through various log files and manually trace the alarm event back through them to find its cause. This kind of backtracking is inefficient.
Disclosure of Invention
In view of this, one or more embodiments of the present disclosure provide a method and apparatus for acquiring event information.
In order to achieve the above object, one or more embodiments of the present disclosure provide the following technical solutions:
according to a first aspect of one or more embodiments of the present disclosure, there is provided a method for acquiring event information, the method including:
acquiring the entity identifier of the target entity on which an alarm event occurred and the event occurrence time of the alarm event;
based on the entity identifier and the event occurrence time, acquiring the associated information of the alarm event from a knowledge graph according to an information query condition; the knowledge graph comprises the entity identifiers of a plurality of entities, the access behavior information between any two entities and the entity attributes of any entity, where the entity attributes include the alarm information present on the entity; the associated information includes the access behavior information and/or alarm information associated with the target entity within a time range determined from the event occurrence time.
According to a second aspect of one or more embodiments of the present specification, there is provided an acquisition apparatus of event information, the apparatus including:
an information acquisition module, used to acquire the entity identifier of the target entity on which an alarm event occurred and the event occurrence time of the alarm event;
a search processing module, used to acquire the associated information of the alarm event from a knowledge graph according to an information query condition, based on the entity identifier and the event occurrence time; the knowledge graph comprises the entity identifiers of a plurality of entities, the access behavior information between any two entities and the entity attributes of any entity, where the entity attributes include the alarm information present on the entity; the associated information includes the access behavior information and/or alarm information associated with the target entity within a time range determined from the event occurrence time.
According to a third aspect of one or more embodiments of the present specification, there is provided an electronic device comprising:
a processor;
a memory for storing processor-executable instructions;
wherein the processor implements the methods of any of the embodiments of the present specification by executing the executable instructions.
According to a fourth aspect of one or more embodiments of the present specification, there is provided a computer readable storage medium having stored thereon computer instructions which, when executed by a processor, implement the method of any of the embodiments of the present specification.
With the method and apparatus for acquiring event information described above, the associated information of an alarm event is obtained by searching the data in the knowledge graph. From that associated information it can be determined that an external entity triggered the alarm event through a weakness of the target entity, which makes backtracking investigation of the alarm event more efficient. In addition, because the method classifies the knowledge-graph data into three kinds of storage (entity / relationship / attribute), the access behavior information or alarm information of an entity can be retrieved more conveniently and quickly.
Drawings
In order to more clearly illustrate the technical solutions of one or more embodiments of the present disclosure or related technologies, the following description will briefly describe the drawings that are required to be used in the embodiments or related technology descriptions, and it is apparent that the drawings in the following description are only some embodiments described in one or more embodiments of the present disclosure, and other drawings may be obtained according to these drawings without inventive effort to those of ordinary skill in the art.
Fig. 1 is a flowchart of a method for acquiring event information according to an exemplary embodiment.
FIG. 2 is a schematic diagram of a data categorization process provided by an exemplary embodiment.
Fig. 3 is a flowchart of a method for acquiring event information according to an exemplary embodiment.
Fig. 4 is a schematic diagram of an event occurrence link provided by an exemplary embodiment.
Fig. 5 is a flowchart of a method for acquiring event information according to an exemplary embodiment.
Fig. 6 is a schematic diagram of an event occurrence link provided by an exemplary embodiment.
Fig. 7 is a schematic structural diagram of an apparatus for acquiring event information according to an exemplary embodiment.
Fig. 8 is a block diagram of an apparatus for acquiring event information according to an exemplary embodiment.
Detailed Description
Reference will now be made in detail to exemplary embodiments, examples of which are illustrated in the accompanying drawings. When the following description refers to the accompanying drawings, the same numbers in different drawings refer to the same or similar elements, unless otherwise indicated. The implementations described in the following exemplary embodiments do not represent all implementations consistent with one or more embodiments of the present specification. Rather, they are merely examples of apparatus and methods consistent with aspects of one or more embodiments of the present description as detailed in the accompanying claims.
It should be noted that: in other embodiments, the steps of the corresponding method are not necessarily performed in the order shown and described in this specification. In some other embodiments, the method may include more or fewer steps than described in this specification. Furthermore, individual steps described in this specification, in other embodiments, may be described as being split into multiple steps; while various steps described in this specification may be combined into a single step in other embodiments.
The method for acquiring event information provided by the embodiments of this specification is used to trace back and investigate an alarm event in order to find the cause of its occurrence. For example, the alarm event may include, but is not limited to, the following: the firewall detects that a malicious command was executed on the server at IP-1; or an HTTP attack is detected on the host at IP-2; and so on. With the method of the embodiments of this specification, it can be traced back why such an alarm event was triggered.
First, the method for acquiring the event information may be based on a knowledge graph, and thus, generation of the knowledge graph involved in the method is described first as follows.
The knowledge graph in the embodiments of the present disclosure is a graph-based data structure, and when the data in the knowledge graph is displayed in the form of a graph, nodes and edges may be included in the graph. Where each node may represent an "entity" and each edge may represent an "entity-to-entity relationship". In popular terms, a knowledge graph is a network of relationships that is obtained by linking together a plurality of different kinds of information. The present embodiment may store the data in the knowledge-graph in the form of an entity/relationship/attribute triplet table.
(1) Entity table: the entity table stores entity identifiers.
For example, the entity identifier may be an IP address, or a cloud account, or a combination of a cloud account and a key, etc.
(2) Relationship table: the relationship table may store access behavior information between entities.
The access behavior information may include the connection protocol of the access behavior, also referred to as the connection mode: for example a five-tuple connection, SSH (Secure Shell) login, RDP (Remote Desktop Protocol) login, HTTP access, remote database access, cloud account login, SMB (Server Message Block) connection, and the like.
The access behavior information of the present embodiment is associated with an entity. For example, the access behavior of one SSH login will involve two entities, entity S1 and entity S2, for example. Wherein the entity identification of the entity S1 is the IP address "IP-1", and the entity identification of the entity S2 is the IP address "IP-2". The two entity identities "IP-1" and "IP-2" may be stored in an entity table, and the access behavior information stored in the relationship table may include "SSH login, and IP-1 accesses IP-2, and access time t1", and this information is associated with the entity identities "IP-1" and "IP-2" in the entity table.
Of course, the above example is given by taking the IP address as the entity identifier as an example, and the access behavior information in the relationship table may be associated with the account information in the entity table. For example, the access behavior of a cloud account login may be associated with a cloud account in an entity table.
(3) Attribute table: the information stored in the attribute table may include alert information for the entity.
In this embodiment, the alarm information may include information corresponding to an alarm event that has occurred in the entity.
For example, assuming that an alarm event of malicious command execution occurs on a server, information of the current alarm event may be recorded, including "malicious command execution, event occurrence time t2", and the alarm information is associated with the entity identifier IP-3 of the server in the entity table, that is, the alarm event occurs on the entity of the IP-3.
The alarm information may include at least one of the following types: malicious processes, malicious files, malicious scripts, malicious command execution, risk connections, risk account login, vulnerability information, or weak password information. Malicious files may be, for example, virus files, backdoor files, malicious binaries, and the like. Risk connections can be various network attack behaviors such as mining (cryptojacking) communication, web attacks, botnet command-and-control connections, access to malicious domain names, and the like. A risk account login can be an abnormal login of a cloud account, and vulnerability information can include middleware vulnerabilities, application framework vulnerabilities, host vulnerabilities, and so on. The alarm information in the attribute table of this embodiment is not limited to the above examples.
Fig. 1 is a data preprocessing flow in a method for acquiring event information according to an exemplary embodiment, where the flow is used to describe a process of performing data processing on a data source and storing the processed data in a knowledge graph. As shown in fig. 1, the method may include the following processes:
in step 100, a security-related data source is obtained, where the security-related data source includes at least one of the following data: entity identification, access behavior information, and alert information.
The security related data source refers to any data required for tracing back an alarm event, for example, account information, alarm logs, etc. Referring to FIG. 2 in combination, FIG. 2 illustrates categorizing data in data sources, where several types of data sources are illustrated.
As shown in fig. 2, the security related data sources acquired in this embodiment may include, but are not limited to: SSH log, RDP log, security alarm log, five-tuple log, process network link log, http log, firewall log, account information and vulnerability information. Regardless of the type of information, the present embodiment can obtain three types of data from the information: entity identification, access behavior information, or alert information.
For example:
for example, the SSH log may include: entity S1 with IP address "IP-1" logs in to entity S2 with IP address "IP-2" in SSH, and the login time is t1. From this log, the entity identities "IP-1" and "IP-2" can be obtained, and also the access behavior information "IP-1 accessed IP-2, and the access time t1" can be obtained.
For another example, a firewall log records that at time t2 a malicious command execution was detected on the server at IP-3. From this, the entity identifier "IP-3" can be obtained, together with the alarm information "malicious command execution, detection time t2".
Wherein, the alarm information can include at least one of the following types: malicious files, malicious scripts, malicious command execution, risk connection, risk account login, vulnerability information, or weak password information.
Further, examples of content included by other data sources are as follows:
Security alarm log: for example malicious binary or script files, malicious command execution, encoded (obfuscated) PowerShell execution, mining pool connections, C&C connections, and the like.
Five-tuple log: for example the transport layer protocol, source IP, source port, destination IP, and destination port.
HTTP log: the access log, used to count accesses per IP, check the number of connections from an IP in a given period, and identify HTTP attacks.
Firewall log: web attacks, remote overflow attacks, etc.
Account information: cloud account information (uid, RAM permissions, AK/SK information, organization, etc.) and cloud host accounts.
Vulnerability information: for example middleware vulnerabilities, application framework vulnerabilities, host vulnerabilities, and the like.
In step 102, an entity tag is set for the entity identifier, a relationship tag is set for the access behavior information, and an entity attribute tag is set for the alarm information.
In this step, the data in the data source in step 100 may be classified and marked.
For example, an entity tag may be set for the entity identifier therein, a relationship tag may be set for the access behavior information, and an entity attribute tag may be set for the alert information.
For example, "IP-1" in the SSH log may be given an entity tag, and the access behavior information "IP-1 accessed IP-2 over SSH at time t1" from that log may be given a relationship tag. For another example, the alarm information "malicious command execution, detected at time t2" from the firewall log may be given an entity attribute tag.
In step 104, according to the label, data with the entity label is stored in the entity table in the knowledge graph, data with the relationship label is stored in the relationship table in the knowledge graph, and data with the entity attribute label is stored in the attribute table in the knowledge graph.
In this step, three types of data may be respectively stored in the entity table, the relationship table, and the attribute table according to the data tag marked in step 102, where the entity table may store the entity identifier, the relationship table may store the access behavior information, the attribute table may store the alarm information, and the access behavior information and the alarm information are both associated with the entity identifier in the entity table.
Once the data has been classified and stored into the entity table / relationship table / attribute table, generation of the knowledge graph is complete, and subsequent tracing of alarm events can be performed on it. In addition, to keep the data in the knowledge graph as comprehensive as possible, data from the various data sources should be classified and stored into the entity / relationship / attribute tables as soon as it is generated, so that the latest and most complete data is available when an event is traced, which helps produce more accurate search results.
As described above, the data in the knowledge graph of this embodiment includes access behavior information for multiple connection modes such as SSH and five-tuple connections, as well as multiple types of alarm information such as malicious processes, malicious files, malicious scripts, malicious command execution, risk connections and vulnerability information. The data sources are therefore very rich, and the information related to an alarm event can be gathered more comprehensively and from multiple dimensions, which helps improve the accuracy of the trace-back result.
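As an added example (not code from the patent or from Alibaba Cloud), the preprocessing of steps 100 to 104 can be written as follows. The key=value log line formats, the connection-mode labels (ssh_login, rdp_login, five_tuple) and the field names are assumptions, and the sample log lines are constructed. Every relationship and attribute row carries the entity identifiers it refers to, which is what keeps the relationship and attribute tables associated with the entity table.

```python
"""Added example, not code from the patent: step 100-104 preprocessing that turns raw
security log lines into the entity / relationship / attribute tables of the knowledge
graph. Log line formats, field names and connection-mode labels are assumptions."""
from __future__ import annotations
import re
from dataclasses import dataclass, field

# Constructed sample data sources (assumed "<timestamp> k=v ..." format, not real product output).
SAMPLE_LOGS = [
    ("ssh",   "2024-01-02T13:10:00Z src=IP-1 dst=IP-2 result=success"),
    ("rdp",   "2024-01-02T14:05:00Z src=IP-2 dst=IP-3 result=success"),
    ("flow",  "2024-01-02T15:40:00Z proto=tcp src=IP-9 sport=51000 dst=IP-3 dport=443"),
    ("alarm", "2024-01-02T16:10:00Z host=IP-3 type=malicious_command_execution detail='curl x | sh'"),
    ("vuln",  "2024-01-02T13:08:00Z host=IP-3 type=vulnerability name=middleware_vuln fixed=2024-01-02T19:30:00Z"),
]

# Connection mode written to the relationship table for each access-type data source.
CONNECTION_MODE = {"ssh": "ssh_login", "rdp": "rdp_login", "flow": "five_tuple"}
ALARM_SOURCES = {"alarm", "vuln"}

KV = re.compile(r"(\w+)=('[^']*'|\S+)")

def parse_line(line: str) -> dict[str, str]:
    """Split '<timestamp> k=v k=v ...' into a dict; single-quoted values may contain spaces."""
    ts, _, rest = line.partition(" ")
    fields = {k: v.strip("'") for k, v in KV.findall(rest)}
    fields["time"] = ts
    return fields

def tag(source: str, f: dict[str, str]) -> list[tuple[str, object]]:
    """Step 102: label every datum as 'entity', 'relationship' or 'attribute'."""
    if source in CONNECTION_MODE:
        rel = {"mode": CONNECTION_MODE[source], "src": f["src"], "dst": f["dst"], "time": f["time"]}
        if "dport" in f:                       # a five-tuple record also keeps protocol and ports
            rel.update(proto=f["proto"], sport=f["sport"], dport=f["dport"])
        return [("entity", f["src"]), ("entity", f["dst"]), ("relationship", rel)]
    if source in ALARM_SOURCES:
        # 'fixed', when present, is the detection end time; None means the alarm still exists.
        attr = {"entity": f["host"], "type": f["type"], "start": f["time"], "end": f.get("fixed")}
        return [("entity", f["host"]), ("attribute", attr)]
    raise ValueError(f"unknown data source: {source}")

@dataclass
class KnowledgeGraph:
    entities: set[str] = field(default_factory=set)       # entity table
    relations: list[dict] = field(default_factory=list)   # relationship table
    attributes: list[dict] = field(default_factory=list)  # attribute table

def build_graph(logs) -> KnowledgeGraph:
    """Step 104: route each tagged datum into the table its label selects."""
    kg = KnowledgeGraph()
    for source, line in logs:
        for label, datum in tag(source, parse_line(line)):
            if label == "entity":
                kg.entities.add(datum)
            elif label == "relationship":
                kg.relations.append(datum)
            else:
                kg.attributes.append(datum)
    return kg

if __name__ == "__main__":
    kg = build_graph(SAMPLE_LOGS)
    print("entities  ", sorted(kg.entities))
    for r in kg.relations:
        print("relation  ", r)
    for a in kg.attributes:
        print("attribute ", a)
```

The vulnerability row keeps both its first detection time and its fix time, which is what later lets the engine decide whether the vulnerability still existed at the moment an alarm fired; an alarm with no end time is treated as still present.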
Fig. 3 is a flowchart of a method for acquiring event information according to an exemplary embodiment. The method may be performed by an event investigation engine that performs a retrospective investigation of alarm events. As shown in fig. 3, the method may include the following processes:
in step 300, an entity identification of a target entity that has an alarm event, and an event occurrence time of the alarm event, are obtained.
For example, a server with an IP address of "IP-3" has a malicious command execution at time t2. The malicious command is executed as an alarm event, the target entity is the server, and the entity identifier of the target entity can be the IP address "IP-3" of the server. The event occurrence time of the alarm event is t2.
In this step, the manner in which the event investigation engine executing the method of this embodiment obtains the entity identifier and the event occurrence time is not limited in this embodiment. Several ways are illustrated as follows:
for example, after an alarm event occurs, the security protection product on the server of "IP-3" sends the entity identifier and the event occurrence time related to the alarm event to the event investigation engine, and the engine further executes the acquisition of event information of the subsequent steps according to the entity identifier and the event occurrence time.
For another example, the entity identification and event occurrence time of the alarm event occurring on the server of "IP-3" may be input to the event investigation engine by the security operator.
For another example, the event investigation engine can be used as a security protection product of the server of the IP-3, and can monitor the occurrence of an alarm event executed by a malicious command on the server and acquire the entity identification and the event occurrence time.
In addition, in another example, not every alarm event needs to be traced. The user of the event investigation engine may configure which alarm events need to be traced, turning those alarm events into events to be traced. So when the event investigation engine receives the entity identifier of the target entity for an alarm event and the event occurrence time, it may also receive further alarm information about the event, such as whether malicious command execution or a malicious script was involved, so that the engine can decide from that alarm information whether to perform the trace back.
The event to be traced may be determined in, but not limited to, the following ways:
example one: and determining according to the event type of the alarm event.
For example, an alarm event for "malicious command execution" may be configured, the trace back of the event occurrence link is performed, and the cause of the occurrence of the alarm event is found. Otherwise, no trace back is done for other types of alarm events.
Example two: and determining according to the entity associated with the alarm event.
For example, it may be configured that event trace back is performed for all alarm events that occur on an entity whose IP address is "IP-3". For alarm events that occur on other entities, no trace back is done.
Example three: and determining according to the event occurrence time of the alarm event.
For example, alarm events occurring within a certain time frame may be configured to perform an event trace back survey.
In the event that it is determined that trace back is to be performed on the alarm event, step 302 may continue to be performed; otherwise, even if an alarm event occurs, the trace back of the alarm event may not be performed.
In step 302, based on the entity identifier and the event occurrence time, the associated information of the alarm event is obtained from the knowledge graph according to the information query condition.
In this step, the event investigation engine may obtain the association information of the alarm event in the knowledge graph according to the entity identifier and the event occurrence time obtained in step 300. The knowledge graph may include: entity identification of a plurality of entities, access behavior information between any two entities, and entity attributes of any entity, wherein the entity attributes comprise alarm information existing on the entity.
The searching in the knowledge graph can be based on information query conditions. The information query condition may be for defining which information is to be obtained from the knowledge-graph. For example, a time range determined based on an event occurrence time of an alarm event may be defined, and information within the time range is acquired. For another example, information types of access behavior information and/or alarm information associated with a target entity where the alarm event is located may also be defined, access behavior information or alarm information corresponding to the information types may be obtained, and so on. According to the information query condition, the associated information of the alarm event obtained from the knowledge graph may include: access behavior information and/or alert information associated with the target entity within a time frame determined based on the event occurrence time.
The following examples show how the associated information of an alarm event is obtained according to the information query condition; it is understood that the present invention is not limited to them:
1) The information query condition may restrict the result to the access behavior information of attempts to log in to the target entity within 3 hours before the event occurrence time.
For example, assume the event occurrence time of the alarm event is t2. Within the 3 hours before t2, the source addresses (src_ip) that logged in to the target entity "IP-3" over SSH are obtained; each src_ip is the entity identifier of an associated entity that has an access behavior relationship with the target entity.
For example, the src_ip values that successfully logged in to the target entity over RDP within the 3 hours before t2 can be obtained.
For another example, the src_ip values that had a five-tuple connection with the target entity within the 3 hours before t2 are obtained.
For another example, the src_ip values that launched an HTTP attack against the target entity within the 3 hours before t2 may also be obtained.
As these examples show, the access behavior information retrieved from the knowledge graph may cover access behaviors of various connection protocols, such as SSH and RDP connections, and also includes the entity identifiers of the associated entities that have an access behavior relationship with the target entity, such as the src_ip that logged in to the target entity.
2) The information query condition may restrict the result to the alarm information that existed on the target entity at the event occurrence time.
The time range determined from the event occurrence time in this embodiment may be not only a predetermined range before the event occurrence time but also the event occurrence time itself.
For example, according to the event occurrence time, the alarm information that existed on the target entity when the alarm event occurred can be obtained from the knowledge graph. This alarm information can include at least one of the following: malicious files, malicious scripts, malicious command execution, risk connections, risk account login, vulnerability information, or weak password information.
For example, a malicious process or process chain that existed on the target entity when the alarm event occurred.
For another example, a process or process chain that performed a malicious file write on the target entity when the alarm event occurred.
For another example, a process on the target entity that actively disguised itself under an alias when the alarm event occurred.
For another example, vulnerability information or weak password information that existed on the target entity when the alarm event occurred.
The entity may record the time at which alarm information such as a malicious process or a vulnerability was detected, for example its first detection time and the time detection ended. For example, an entity detects a vulnerability on itself at 13:08 on January 2 and detects at 19:30 on January 2 that the vulnerability has been fixed, i.e. it no longer exists. It can then be inferred that the vulnerability existed on the entity between 13:08 and 19:30 on January 2. So if an alarm event on that entity occurred at 16:10 on January 2, it follows that the vulnerability existed on the entity at the event occurrence time.
3) The information query condition can also limit the information type of the access behavior information and/or the alarm information associated with the target entity.
The access behavior relationship between entities has various types, such as SSH login, five-tuple connection, etc., and the types of alarm information are also numerous, such as virus files, malicious command execution, vulnerability information, etc. When information is acquired from the knowledge graph according to the information query condition, certain specific types of information can be limited to be acquired through the information query condition.
For example, when acquiring access behavior information, it can be limited to only the two modes of SSH login and RDP login. Alternatively, when acquiring alarm information, it can be defined that only the three types "process/process chain", "file" and "script" are acquired, and that the types "vulnerability information" and "weak password information" are no longer acquired. Which types of information are acquired can be determined by the user of the event investigation engine according to actual requirements, and is not limited by the embodiments of the present specification.
In combination with the data structure of the knowledge graph of the embodiment, the data in the knowledge graph is stored as a triplet table of entity table/relationship table/attribute table, and the three tables are related, for example, the access behavior relationship in the relationship table is related to the entity identifier in the entity table, and the entity attribute in the attribute table is also related to the entity identifier in the entity table.
Then, once the entity identifier of the target entity on which the alarm event occurred has been acquired, that entity identifier is one stored in the entity table. To search for access behavior information, the access behavior information associated with the entity identifier can be looked up in the relationship table, and, according to the information type of access behavior information defined in the information query condition, only access behavior information of the specified types in the relationship table is used as the search result.
For example, taking the entity identifier of the target entity as "IP-3" as an example, assume that there are multiple pieces of access behavior information associated with the target entity found in the relationship table, for example, may include SSH login, five-tuple connection and RDP login, and according to the information query condition, only the source IP address of the SSH login of the target entity may be obtained.
In addition, if the alarm information is to be searched, the alarm information associated with the entity identification in the attribute table may be searched, and the alarm information of a specific type may be used as a search result in the attribute table according to the information type of the alarm information defined in the information query condition.
For example, still taking the entity identifier of the target entity as "IP-3" as an example, assume that there are multiple pieces of alarm information associated with the target entity found in the attribute table, for example, the alarm information may include malicious processes, backdoor files, malicious domain name access, malicious scripts and weak password information, and according to the information query condition, only the malicious processes and the malicious scripts therein may be obtained as search results.
As can be seen from the above examples, the event information acquisition method of this embodiment has several advantages. The data sources of the knowledge graph against which information is queried are very rich, which helps make the search results more comprehensive and accurate. The data from these sources are classified and stored as three types (entity, relationship and attribute), so that when the associated information of an alarm event is searched, the alarm information or access behavior information associated with the target entity can be retrieved more conveniently and quickly. In addition, the information query condition can be set flexibly: by limiting the type of information to be acquired, information of a specific type in the knowledge graph can be conveniently obtained as the search result, so that user requirements are met flexibly.
4) The information inquiry condition can also limit the link hierarchy of the event occurrence link to be inquired when the event occurrence link of the alarm event is inquired.
The link hierarchy defines the number of entities spanned by the event occurrence link, i.e. how many associated entities are traced back from the target entity.
For example, assuming that the target entity is the server "IP-3", and the access behavior information found for the target entity includes that the host with IP address "IP-2" connected to the target entity via five-tuple access, it can be obtained that "IP-2 logs in to IP-3 in five-tuple mode at time t1". This can be called a single-layer event occurrence link, i.e. one directly associated entity is traced back from the target entity.
A two-layer event occurrence link can be queried by setting the information query condition. Continuing the above example, in addition to the query result "IP-2 logs in to IP-3 in five-tuple mode at time t1", the access behavior information associated with IP-2 may further be queried, obtaining "IP-1 logs in to IP-2 via RDP at time t2", so that an event occurrence link "IP-1 -> IP-2 -> IP-3" spanning three entities is obtained. This may be referred to as a two-layer link because two entities are traced back before the target entity IP-3. The specific link hierarchy of the query can be determined by the user according to actual requirements.
The entity table, relationship table and attribute table of the knowledge graph are stored as database tables, and when the event investigation engine searches the knowledge graph for the associated information of an alarm event, it can do so by means of SQL (Structured Query Language) queries.
In addition, the information query condition in this embodiment may be preconfigured in the event investigation engine, where when the event investigation engine obtains the entity identifier of the target entity that generates the alarm event and the event occurrence time of the alarm event, the event investigation engine may search, based on the entity identifier and the event occurrence time, for a plurality of pieces of associated information corresponding to the information query condition from the knowledge graph according to the preconfigured information query condition. Such associated information searched according to the preconfigured information query condition may be referred to as a secure knowledge base. The preconfigured information query conditions correspond to default query conditions.
For example, assuming that the preconfigured information query condition is "for the entity identifier of the target entity on which the alarm event occurred, obtain the access behavior information associated with that entity identifier, limited to access behavior within 5 minutes before the event occurrence time of the alarm event", then, when the event investigation engine obtains the entity identifier "IP-3" of the target entity and the event occurrence time t2, it obtains from the knowledge graph the access behavior information associated with "IP-3" that occurred within 5 minutes before t2, for example that the host "IP-2" successfully logged in to "IP-3" via SSH within that time range. The set of access behavior information associated with "IP-3" that occurred within 5 minutes before t2 may be referred to as a security knowledge base.
If the security operator considers that the associated information in the security knowledge base does not meet the requirement and wants to obtain more associated information, the operator can directly write a custom SQL query statement, i.e. customize the information query condition. The specific content of a customized information query condition may be as described in the foregoing embodiments and is not repeated here; for example, the type of alarm information to be acquired may be defined, or a time range based on the event occurrence time of the alarm event may be defined. The event investigation engine then acquires the associated information from the knowledge graph according to the user-defined information query condition.
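The three-table storage, the time-range and information-type limits, the link hierarchy and the preconfigured (default) query condition described above, brought together in one added worked example that is not code from the patent or from the applicant: an in-memory SQLite knowledge graph queried from Python. The table columns, the record tags, the entity identifiers, timestamps and alarm details are all constructed here for illustration; the decision to re-anchor the time window at each further hop of the link trace is also an assumption, not something the description specifies.

```python
import sqlite3
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M:%S"  # fixed-width timestamps, so string comparison in SQL orders correctly
EVENT_TIME = datetime(2022, 1, 2, 16, 10)  # constructed: alarm event at 16:10 on January 2

# Constructed sample data source. The "tag" on each record (entity / relationship / attribute)
# decides which of the three knowledge-graph tables it is stored in. All ids, protocols and
# alarm details are illustrative, not taken from any real system.
SAMPLE_RECORDS = [
    {"tag": "entity", "entity_id": "IP-1", "entity_type": "host"},
    {"tag": "entity", "entity_id": "IP-2", "entity_type": "host"},
    {"tag": "entity", "entity_id": "IP-3", "entity_type": "server"},
    {"tag": "entity", "entity_id": "IP-4", "entity_type": "host"},
    {"tag": "relationship", "src": "IP-1", "dst": "IP-2", "protocol": "RDP", "time": "2022-01-02 16:04:00"},
    {"tag": "relationship", "src": "IP-4", "dst": "IP-3", "protocol": "5-tuple", "time": "2022-01-02 16:06:00"},
    {"tag": "relationship", "src": "IP-2", "dst": "IP-3", "protocol": "SSH", "time": "2022-01-02 16:07:00"},
    {"tag": "relationship", "src": "IP-2", "dst": "IP-3", "protocol": "5-tuple", "time": "2022-01-02 14:00:00"},
    {"tag": "attribute", "entity_id": "IP-3", "alarm_type": "vulnerability", "detail": "vuln-example",
     "first_seen": "2022-01-02 13:08:00", "last_seen": "2022-01-02 19:30:00"},   # present at 16:10
    {"tag": "attribute", "entity_id": "IP-3", "alarm_type": "process", "detail": "p1",
     "first_seen": "2022-01-02 16:09:00", "last_seen": None},                    # still present
    {"tag": "attribute", "entity_id": "IP-3", "alarm_type": "weak_password", "detail": "root",
     "first_seen": "2022-01-01 00:00:00", "last_seen": "2022-01-02 10:00:00"},   # repaired before 16:10
]


def build_graph(records):
    """Route tagged records into the entity / relationship / attribute tables (in-memory SQLite)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE entity (entity_id TEXT PRIMARY KEY, entity_type TEXT);
        CREATE TABLE relationship (src TEXT REFERENCES entity(entity_id),
                                   dst TEXT REFERENCES entity(entity_id), protocol TEXT, time TEXT);
        CREATE TABLE attribute (entity_id TEXT REFERENCES entity(entity_id), alarm_type TEXT,
                                detail TEXT, first_seen TEXT, last_seen TEXT);
    """)
    for r in records:
        if r["tag"] == "entity":
            conn.execute("INSERT INTO entity VALUES (?, ?)", (r["entity_id"], r["entity_type"]))
        elif r["tag"] == "relationship":
            conn.execute("INSERT INTO relationship VALUES (?, ?, ?, ?)",
                         (r["src"], r["dst"], r["protocol"], r["time"]))
        elif r["tag"] == "attribute":
            conn.execute("INSERT INTO attribute VALUES (?, ?, ?, ?, ?)",
                         (r["entity_id"], r["alarm_type"], r["detail"], r["first_seen"], r["last_seen"]))
        else:
            raise ValueError("unknown tag: %r" % r["tag"])
    conn.commit()
    return conn


def _in_clause(values):
    return " IN (%s)" % ",".join("?" * len(values))


def access_behaviors(conn, entity_id, event_time, window_minutes=5, protocols=None):
    """Accesses *to* entity_id within window_minutes before event_time, optionally limited to protocols."""
    start = (event_time - timedelta(minutes=window_minutes)).strftime(FMT)
    sql = "SELECT src, dst, protocol, time FROM relationship WHERE dst = ? AND time >= ? AND time <= ?"
    params = [entity_id, start, event_time.strftime(FMT)]
    if protocols:  # information-type limit, bound as parameters rather than spliced into the SQL text
        sql += " AND protocol" + _in_clause(protocols)
        params += list(protocols)
    rows = conn.execute(sql + " ORDER BY time", params)
    return [dict(zip(("src", "dst", "protocol", "time"), row)) for row in rows]


def alarms_at(conn, entity_id, event_time, alarm_types=None):
    """Alarm information that existed on entity_id at event_time: first_seen <= t and not resolved by t."""
    t = event_time.strftime(FMT)
    sql = ("SELECT alarm_type, detail, first_seen, last_seen FROM attribute "
           "WHERE entity_id = ? AND first_seen <= ? AND (last_seen IS NULL OR last_seen >= ?)")
    params = [entity_id, t, t]
    if alarm_types:
        sql += " AND alarm_type" + _in_clause(alarm_types)
        params += list(alarm_types)
    rows = conn.execute(sql + " ORDER BY first_seen", params)
    return [dict(zip(("alarm_type", "detail", "first_seen", "last_seen"), row)) for row in rows]


def trace_link(conn, entity_id, event_time, layers=1, window_minutes=5, protocols=None):
    """Event occurrence link traced back `layers` hops from the target entity.
    Assumption: each further hop applies the same window relative to the access time of the
    previous hop, so only accesses that could have preceded that hop are followed."""
    link, frontier = [], [(entity_id, event_time)]
    for _ in range(layers):
        nxt = []
        for ent, t in frontier:
            for ab in access_behaviors(conn, ent, t, window_minutes, protocols):
                link.append(ab)
                nxt.append((ab["src"], datetime.strptime(ab["time"], FMT)))
        frontier = nxt
    return link


def default_investigation(conn, entity_id, event_time):
    """The preconfigured query condition: accesses within 5 minutes before the event plus alarms present at it."""
    return {"access_behaviors": access_behaviors(conn, entity_id, event_time, 5),
            "alarms": alarms_at(conn, entity_id, event_time)}


if __name__ == "__main__":
    g = build_graph(SAMPLE_RECORDS)
    print(default_investigation(g, "IP-3", EVENT_TIME))
    print(trace_link(g, "IP-3", EVENT_TIME, layers=2))
```

The type and time limits from the query condition are bound as SQL parameters, which matters once operators are allowed to supply their own conditions; where an operator writes a fully custom SQL statement, as the description permits, the database account the engine uses for that should be read-only and scoped to the three graph tables.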
In another example, after the event investigation engine acquires the associated information of the alarm event in the knowledge graph, the search result may be presented in the form of a graph. Thus, the user can conveniently check the search result in a visual mode, and the search result is more visual.
For example: assume that a search result includes a plurality of pieces of associated information:
association information one: at time t4, 2 minutes before the event occurrence time, host IP-2 successfully logs in to target entity IP-3 in RDP fashion. The host IP-2 may be referred to as an associated entity of the target entity.
Association information two: at time t5, 3 minutes before the event occurrence time, the host IP-4 successfully logs in to the target entity IP-3 in quintuple. The host IP-4 may be referred to as an associated entity of the target entity.
Association information three: at the event occurrence time, a malicious process p1 exists on the target entity IP-3.
From the above three pieces of association information, the event occurrence link diagram of the alarm event illustrated in fig. 4 can be obtained. As shown in fig. 4, the diagram includes three entity nodes: node A, node B and node C, where node A is the target entity, node B represents host IP-2 and node C represents host IP-4. Between node B and node A there is a directed connecting edge pointing to node A, indicating that the entity of node B logged in to the entity of node A via RDP. Similarly, between node C and node A there is a directed connecting edge pointing to node A, indicating that the entity of node C logged in to the entity of node A in five-tuple mode. In addition, fig. 4 also shows that the target entity represented by node A has a malicious process p1 at the event occurrence time.
As can be seen from the above diagram, entities in the event occurrence link diagram that have an access behavior relationship are joined by a directed connecting edge, and the direction of the edge represents the access connection direction. For example, the direction of the edge between node B and node A is "from node B to node A", indicating that the access connection direction is "node B logs in to node A". In addition, alarm information can be displayed as an entity attribute of the entity on which it exists; for example, the alarm information "malicious process p1" can be shown as an entity attribute of node A, the entity where it was found.
Further, fig. 4 is merely an example of an event occurrence link diagram, and practical implementations are not limited to it. For example, the event occurrence link diagram may include more or fewer entity nodes. For another example, the event occurrence link diagram may present only access behavior information and no alarm information, and so on.
Fig. 5 is a flowchart of a method for acquiring event information according to an exemplary embodiment. The method illustrates an example of information acquisition performed by an event investigation engine that carries out retrospective investigation of alarm events. As shown in fig. 5, the method may include the following steps:
In step 500, an entity identification ID1 of a target entity that has an alarm event, and an event occurrence time T1 of the alarm event are acquired.
For example, the alert event may be "malicious command execution found". The target entity that has the alarm event is entity 1, and the event occurrence time of the alarm event is T1.
In step 502, based on the entity ID1 and the event occurrence time T1, acquiring association information of the alarm event in a knowledge graph according to a preconfigured information query condition; the association information includes: access behavior information associated with the target entity within a time range determined based on the event occurrence time, and alert information.
In this step, the preconfigured information query condition may include "acquire access behavior information of the access target entity within 5 minutes from the occurrence time of the event, and acquire alarm information existing on the target entity when the alarm event occurs".
According to the information query condition, the acquiring the associated information of the alarm event from the knowledge graph may include:
1) Entity 2 accessed entity 1 in five-tuple mode 2 minutes before the event occurrence time.
2) When an alarm event occurs, vulnerability information exists on the entity 1.
In step 504, an event occurrence link diagram of the alert event described above is graphically illustrated.
As illustrated in fig. 6, the associated information obtained in step 502 may be presented as an event occurrence link diagram. Through the link diagram, the user can see visually which weaknesses exist on the target entity with the alarm event and which associated entities are connected to the target entity, and thus gain a preliminary understanding of why the alarm event occurred.
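The event occurrence link diagram of fig. 4 and of step 504, as an added example that is not part of the patent: the three pieces of association information listed above (and, in the usage check, the two obtained in step 502) are turned into nodes, directed edges and node attributes, and rendered as Graphviz DOT text. The record layout (`kind`, `src`, `dst`, `protocol`, `time`, `entity_id`, `alarm_type`, `detail`) and the sample values are constructed for this example.

```python
from dataclasses import dataclass, field

# Constructed association information following the three pieces described for fig. 4:
# two access behaviours towards the target entity and one alarm present on it at event time.
SAMPLE_ASSOCIATION_INFO = [
    {"kind": "access", "src": "IP-2", "dst": "IP-3", "protocol": "RDP", "time": "t4"},
    {"kind": "access", "src": "IP-4", "dst": "IP-3", "protocol": "5-tuple", "time": "t5"},
    {"kind": "alarm", "entity_id": "IP-3", "alarm_type": "process", "detail": "p1"},
]


@dataclass
class LinkDiagram:
    target: str
    nodes: dict = field(default_factory=dict)  # entity id -> list of alarm attribute strings
    edges: list = field(default_factory=list)  # (src, dst, protocol, time); direction = access direction


def build_link_diagram(target, association_info):
    """Turn association information into an event occurrence link diagram.
    The target entity is always a node, even when no access behaviour or alarm was found for it."""
    d = LinkDiagram(target=target)
    d.nodes.setdefault(target, [])
    for info in association_info:
        if info["kind"] == "access":
            d.nodes.setdefault(info["src"], [])
            d.nodes.setdefault(info["dst"], [])
            d.edges.append((info["src"], info["dst"], info["protocol"], info["time"]))
        elif info["kind"] == "alarm":
            # alarm information becomes an entity attribute of the node where it exists
            d.nodes.setdefault(info["entity_id"], []).append(
                "%s: %s" % (info["alarm_type"], info["detail"]))
        else:
            raise ValueError("unknown association kind: %r" % info["kind"])
    return d


def to_dot(d):
    """Render as Graphviz DOT; alarm attributes go into the node label, the target gets a double border."""
    lines = ["digraph event_link {"]
    for ent in sorted(d.nodes):
        label = ent if not d.nodes[ent] else ent + "\\n" + "\\n".join(d.nodes[ent])
        shape = ", shape=doublecircle" if ent == d.target else ""
        lines.append('  "%s" [label="%s"%s];' % (ent, label, shape))
    for src, dst, proto, t in d.edges:
        lines.append('  "%s" -> "%s" [label="%s @ %s"];' % (src, dst, proto, t))
    lines.append("}")
    return "\n".join(lines)


def upstream_entities(d, entity_id):
    """Associated entities that accessed entity_id (tails of edges pointing at it)."""
    return sorted(src for src, dst, _, _ in d.edges if dst == entity_id)


if __name__ == "__main__":
    diagram = build_link_diagram("IP-3", SAMPLE_ASSOCIATION_INFO)
    print(to_dot(diagram))
    print("accessed IP-3:", upstream_entities(diagram, "IP-3"))
```

The DOT output can be fed to `dot -Tsvg` to get the picture; the two-node case from step 502 (entity 2 accessing entity 1, a vulnerability on entity 1) goes through the same function unchanged.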
According to this event information acquisition method, the associated information of an alarm event is acquired by searching the data in the knowledge graph, and from that associated information it can be determined that an external entity triggered the alarm event through a weak point of the target entity, which improves the efficiency of retrospective investigation of the alarm event. In addition, the method classifies the data of the knowledge graph into three kinds of storage, entity, relationship and attribute, so that the access behavior information or alarm information of an entity can be retrieved more conveniently and quickly, and information query modes can be set for different types of access behavior information or alarm information, making queries more flexible and fast. Furthermore, the knowledge graph of this embodiment has rich data sources, which helps trace alarm events more comprehensively and accurately and improves the effect of event tracing.
In order to implement the method for acquiring the event information in any embodiment of the present disclosure, the embodiment of the present disclosure further provides an apparatus for acquiring the event information. Fig. 7 is a schematic structural diagram of an apparatus for acquiring event information according to an exemplary embodiment, and as shown in fig. 7, the apparatus may include: an information acquisition module 71 and a search processing module 72.
The information obtaining module 71 is configured to obtain an entity identifier of a target entity that generates an alarm event, and an event occurrence time of the alarm event.
A search processing module 72, configured to obtain, based on the entity identifier and the event occurrence time, association information of the alarm event in a knowledge graph according to an information query condition; the knowledge graph comprises: entity identification of a plurality of entities, access behavior information between any two entities and entity attributes of any entity, wherein the entity attributes comprise alarm information existing on the entities; the association information includes: and in a time range determined based on the event occurrence time, access behavior information and/or alarm information associated with the target entity.
In one example, the search processing module 72, when configured to obtain the associated information of the alarm event in the knowledge graph according to the information query condition based on the entity identifier and the event occurrence time, is configured to: acquire the access behavior information of the target entity from the knowledge graph according to the information query condition, where the access behavior corresponding to the access behavior information occurred in a preset time range before the event occurrence time, and the access behavior information comprises a connection protocol corresponding to the access behavior and the entity identifier of an associated entity having an access behavior relationship with the target entity.
In one example, the search processing module 72, when configured to obtain, based on the entity identifier and the event occurrence time, the associated information of the alarm event in the knowledge graph according to the information query condition, includes: and acquiring the alarm information existing on the target entity at the occurrence time of the event in the knowledge graph according to the information query condition.
In one example, as shown in fig. 8, the apparatus may further include a data display module 73, configured to acquire the plurality of pieces of associated information obtained from the knowledge graph and, according to the access behavior information in the associated information, display an event occurrence link diagram of the alarm event, where the event occurrence link diagram includes at least two nodes and a directed connecting edge between the two nodes; the at least two nodes correspond to the entities associated with the access behavior information, and the direction of the directed connecting edge represents the access connection direction.
In one example, the information obtaining module 71 is further configured to receive the information query condition, where the information query condition includes at least one of the following: a time range based on the event occurrence time; the information type of the access behavior information and/or the alarm information associated with the target entity; and the link hierarchy of the event occurrence link of the alarm event.
In one example, as shown in fig. 8, the apparatus may further include: a data processing module 74, configured to obtain a security related data source, where the security related data source includes at least one of the following data: entity identification, access behavior information and alarm information; setting an entity tag for the entity identifier, setting a relationship tag for the access behavior information, and setting an entity attribute tag for the alarm information; according to the labels, storing the data with the entity labels into an entity table in the knowledge graph, storing the data with the relationship labels into a relationship table in the knowledge graph, and storing the data with the entity attribute labels into an attribute table in the knowledge graph.
In one example, the alert information in the security-related data source includes at least one of the following types: malicious processes, malicious files, malicious scripts, malicious command execution, risk connections, risk account login, vulnerability information, or weak password information.
The system, apparatus, module or unit set forth in the above embodiments may be implemented in particular by a computer chip or entity, or by a product having a certain function. A typical implementation device is a computer, which may be in the form of a personal computer, laptop computer, cellular telephone, camera phone, smart phone, personal digital assistant, media player, navigation device, email device, game console, tablet computer, wearable device, or a combination of any of these devices.
The present embodiment provides an electronic device, which may include: a processor; a memory for storing processor-executable instructions; the processor executes the executable instructions to implement the method for acquiring event information according to any embodiment of the present disclosure.
The present embodiment provides a computer-readable storage medium having stored thereon computer instructions that, when executed by a processor, implement the method for acquiring event information described in any of the embodiments of the present specification.
In a typical configuration, a computer includes one or more processors (CPUs), input/output interfaces, network interfaces, and memory.
The memory may include volatile memory in a computer-readable medium, random access memory (RAM) and/or non-volatile memory, such as read-only memory (ROM) or flash memory (flash RAM). Memory is an example of computer-readable media.
Computer-readable media include permanent and non-permanent, removable and non-removable media, and may implement information storage by any method or technology. The information may be computer-readable instructions, data structures, program modules, or other data. Examples of computer storage media include, but are not limited to, phase-change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random access memory (RAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), flash memory or other memory technology, compact disc read-only memory (CD-ROM), digital versatile discs (DVD) or other optical storage, magnetic cassettes, magnetic disk storage, quantum memory, graphene-based storage media or other magnetic storage devices, or any other non-transmission medium, which can be used to store information accessible by a computing device. As defined herein, computer-readable media do not include transitory media such as modulated data signals and carrier waves.
It should also be noted that the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a …" does not exclude the presence of other like elements in a process, method, article or apparatus that comprises the element.
The foregoing describes specific embodiments of the present disclosure. Other embodiments are within the scope of the following claims. In some cases, the actions or steps recited in the claims can be performed in a different order than in the embodiments and still achieve desirable results. In addition, the processes depicted in the accompanying figures do not necessarily require the particular order shown, or sequential order, to achieve desirable results. In some embodiments, multitasking and parallel processing are also possible or may be advantageous.
The terminology used in the one or more embodiments of the specification is for the purpose of describing particular embodiments only and is not intended to be limiting of the one or more embodiments of the specification. As used in this specification, one or more embodiments and the appended claims, the singular forms "a," "an," and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It should also be understood that the term "and/or" as used herein refers to and encompasses any or all possible combinations of one or more of the associated listed items.
It should be understood that although the terms first, second, third, etc. may be used in one or more embodiments of the present description to describe various information, this information should not be limited to these terms. These terms are only used to distinguish one type of information from another. For example, first information may also be referred to as second information, and similarly, second information may also be referred to as first information, without departing from the scope of one or more embodiments of the present description. The word "if" as used herein may be interpreted as "at the time of …" or "when …" or "in response to determining", depending on the context.
The foregoing description of the preferred embodiment(s) is (are) merely intended to illustrate the embodiment(s) of the present invention, and it is not intended to limit the embodiment(s) of the present invention to the particular embodiment(s) described.

Claims (12)

1. A method for acquiring event information, the method comprising:
acquiring an entity identifier of a target entity generating an alarm event and an event occurrence time of the alarm event;
based on the entity identification and the event occurrence time, acquiring the associated information of the alarm event in a knowledge graph according to an information query condition; the knowledge graph comprises: entity identification of a plurality of entities, access behavior information between any two entities and entity attributes of any entity, wherein the entity attributes comprise alarm information existing on the entities; the association information includes: and in a time range determined based on the event occurrence time, access behavior information and/or alarm information associated with the target entity.
2. The method according to claim 1, wherein the obtaining, based on the entity identifier and the event occurrence time, the association information of the alarm event in the knowledge graph according to the information query condition includes:
acquiring access behavior information of the target entity in the knowledge graph according to the information query condition, wherein the access behavior corresponding to the access behavior information occurs in a preset time range before the event occurrence time, and the access behavior information comprises: a connection protocol corresponding to the access behavior and an entity identification of an associated entity having an access behavior relation with the target entity.
3. The method according to claim 1, wherein the obtaining, based on the entity identifier and the event occurrence time, the association information of the alarm event in the knowledge graph according to the information query condition includes:
and acquiring the alarm information existing on the target entity at the occurrence time of the event in the knowledge graph according to the information query condition.
4. The method according to claim 3, wherein
the alert information includes at least one of the following types: malicious processes, malicious files, malicious scripts, malicious command execution, risk connections, risk account login, vulnerability information, or weak password information.
5. The method according to claim 1, wherein the obtaining, based on the entity identifier and the event occurrence time, the association information of the alarm event in the knowledge graph according to the information query condition includes:
in response to the alarm event being a preset event to be traced, acquiring the associated information of the alarm event from the knowledge graph according to the information query condition based on the entity identification and the event occurrence time.
6. The method according to claim 1, wherein the method further comprises:
acquiring a plurality of pieces of associated information acquired in the knowledge graph;
according to the access behavior information in the associated information, an event occurrence link diagram of the alarm event is displayed, wherein the event occurrence link diagram comprises at least two nodes and a directed connecting edge between the two nodes; the at least two nodes correspond to the entity associated with the access behavior information, and the direction of the directional connecting edge represents the access connecting direction;
and/or displaying the alarm information in the associated information as the entity attribute of the entity in which the alarm information is located in the event occurrence link diagram.
7. The method according to claim 1, wherein the method further comprises:
receiving the information query condition, wherein the information query condition comprises at least one of the following:
a time range based on the event occurrence time;
The information type of the access behavior information and/or the alarm information associated with the target entity;
and the link layer of the event occurrence link of the alarm event.
8. The method according to claim 1, wherein the method further comprises:
acquiring a safety-related data source, wherein the safety-related data source comprises at least one of the following data: entity identification, access behavior information and alarm information;
setting an entity tag for the entity identifier, setting a relationship tag for the access behavior information, and setting an entity attribute tag for the alarm information;
according to the labels, storing the data with the entity labels into an entity table in the knowledge graph, storing the data with the relationship labels into a relationship table in the knowledge graph, and storing the data with the entity attribute labels into an attribute table in the knowledge graph.
9. The method according to claim 8, wherein
the alarm information in the safety-related data source comprises at least one type of the following:
malicious processes, malicious files, malicious scripts, malicious command execution, risk connections, risk account login, vulnerability information, or weak password information.
10. An apparatus for acquiring event information, the apparatus comprising:
the information acquisition module is used for acquiring the entity identification of the target entity with the alarm event and the event occurrence time of the alarm event;
the search processing module is used for acquiring the associated information of the alarm event from the knowledge graph according to the information query condition based on the entity identification and the event occurrence time; the knowledge graph comprises: entity identification of a plurality of entities, access behavior information between any two entities and entity attributes of any entity, wherein the entity attributes comprise alarm information existing on the entities; the association information includes: and in a time range determined based on the event occurrence time, access behavior information and/or alarm information associated with the target entity.
11. An electronic device, comprising:
a processor;
a memory for storing processor-executable instructions;
wherein the processor is configured to implement the method of any of claims 1-9 by executing the executable instructions.
12. A computer readable storage medium having stored thereon computer instructions which, when executed by a processor, implement the steps of the method according to any of claims 1-9.
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210295157.6A CN114710392B (en) 2022-03-23 2022-03-23 Event information acquisition method and device

Publications (2)

Publication Number Publication Date
CN114710392A CN114710392A (en) 2022-07-05
CN114710392B true CN114710392B (en) 2024-03-12

Family

ID=82169953

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210295157.6A Active CN114710392B (en) 2022-03-23 2022-03-23 Event information acquisition method and device

Country Status (1)

Country Link
CN (1) CN114710392B (en)

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109005069A (en) * 2018-08-29 2018-12-14 中国人民解放军国防科技大学 Network security knowledge graph association analysis method based on heaven-earth integrated network
CN109922075A (en) * 2019-03-22 2019-06-21 中国南方电网有限责任公司 Network security knowledge map construction method and apparatus, computer equipment
CN109933633A (en) * 2019-04-02 2019-06-25 北京睿至大数据有限公司 A kind of O&M knowledge mapping construction method based on time and scene dimension
CN111949803A (en) * 2020-08-21 2020-11-17 深圳供电局有限公司 Method, device and equipment for detecting network abnormal user based on knowledge graph
WO2021114977A1 (en) * 2019-12-12 2021-06-17 深圳前海微众银行股份有限公司 Method and device for positioning fundamental cause of abnormal event
CN113157536A (en) * 2021-05-26 2021-07-23 中国银行股份有限公司 Alarm analysis method, device, equipment and storage medium
CN113377567A (en) * 2021-06-28 2021-09-10 东南大学 Distributed system fault root cause tracing method based on knowledge graph technology
CN114208128A (en) * 2019-09-11 2022-03-18 华为技术有限公司 Data processing method and device and computer storage medium

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Research on knowledge-graph-based DDoS attack source detection; 陈佳 (Chen Jia); 信息安全研究 (Journal of Information Security Research), Issue 01; full text *

Also Published As

Publication number Publication date
CN114710392A (en) 2022-07-05

Similar Documents

Publication Publication Date Title
US10885393B1 (en) Scalable incident-response and forensics toolkit
US11196756B2 (en) Identifying notable events based on execution of correlation searches
US20220311794A1 (en) Monitoring a software development pipeline
CN113489713B (en) Network attack detection method, device, equipment and storage medium
CN114679329B (en) System for automatically grouping malware based on artifacts
US20230075355A1 (en) Monitoring a Cloud Environment
US10097569B2 (en) System and method for tracking malware route and behavior for defending against cyberattacks
CN110210213B (en) Method and device for filtering malicious sample, storage medium and electronic device
US20220303295A1 (en) Annotating changes in software across computing environments
US10984111B2 (en) Data driven parser selection for parsing event logs to detect security threats in an enterprise system
US20230275917A1 (en) Identifying An Attack Surface Of A Cloud Deployment
US11568053B2 (en) Automated malware monitoring and data extraction
US10262133B1 (en) System and method for contextually analyzing potential cyber security threats
US11290473B2 (en) Automatic generation of detection alerts
Islam et al. An ontology-driven approach to automating the process of integrating security software systems
CN110298179B (en) Open source framework security vulnerability detection method and device
EP3232358A1 (en) Correlation-based detection of exploit activity
CN111371757A (en) Malicious communication detection method and device, computer equipment and storage medium
US10423618B2 (en) Method and system for enforcing user policy on database records
CN114710392B (en) Event information acquisition method and device
CN110224975B (en) APT information determination method and device, storage medium and electronic device
CN114363002B (en) Method and device for generating network attack relation diagram
US20210182453A1 (en) Application behavior identification
Suciu et al. Mobile devices forensic platform for malware detection
CN113806169A (en) Method and device for processing business exception

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant