CN101820357A - Network security incident visualization system - Google Patents
Abstract
The invention discloses a network security incident visualization system in the technical field of network security incident visualization. It addresses the problem that existing network security incident visualization techniques do not scale to large network systems. In the invention, a data acquisition module actively measures the physical connectivity of the network to obtain topology data, anomaly data and whois location library information, and forms a network topology graph; a topology data clustering module clusters the topology data and assigns a unique identifier to the centre of each cluster; an anomaly data coordinate mapping module maps the coordinates of the anomaly data onto the network topology graph and marks the points corresponding to anomalous events; a network topology graph optimization module partitions and optimizes the topology graph with anomalous events marked so that the clusters are of comparable size; a stress layout control module places the network topology graph according to the principle of stress balance; and a visualization module renders the laid-out topology graph.
Description
Technical field
The present invention relates to the technical field of network security incident visualization.
Background technology
As the scale and content of the Internet keep expanding and deepening, its role in people's work and daily life keeps growing; but because the Internet is an open system, its latent security problems have a strong impact on computer network applications. Existing intrusion detection systems simply submit alert messages to the administrator in the form of records, and the administrator finds it hard to derive the current distribution of anomalies in the network from a dull listing of records. Especially for the distributed attacks on today's large-scale networks, grasping the spatial distribution of security incidents at the macroscopic level gives the network administrator a strong basis for formulating an effective emergency response strategy.
For this purpose, a defense system based on active measurement and anomaly detection is proposed. The system uses active measurement to obtain the physical connectivity of the network, performs secondary analysis of the alert messages submitted by the anomaly detection probes according to this information, and finally presents the anomaly distribution to the administrator intuitively in the form of a graph.
In such a system, in order to display the whole topology graph, the subgraphs obtained by partitioning it must be organized effectively: there are few connections between subgraphs, and those that exist are relatively tight, so only a rational organization and placement of the subgraphs can display the whole topology graph well. Moreover, the analysis of network data is inseparable from its visualization, and the visualization of security incidents is an important part of macroscopic early warning for large-scale network security.
Summary of the invention
The present invention provides a network security incident visualization system applicable to large-scale network structures, in order to solve the problem that existing network security incident visualization techniques are not suited to large-scale network systems.
The network security incident visualization system is composed of a data acquisition module, a topology data clustering module, an anomaly data coordinate mapping module, a network topology graph optimization module, a stress layout control module and a visualization module, wherein:
the data acquisition module actively measures the physical connectivity of the live network to obtain the connection relations of the underlying router topology, and at the same time obtains anomaly data and whois location library information, forming the network topology graph;
the topology data clustering module clusters the obtained topology data and assigns a unique identifier to the centre of each cluster;
the anomaly data coordinate mapping module maps the coordinates of the obtained anomaly data onto the network topology graph produced by the topology data clustering module, marks the points corresponding to anomalous events, and obtains a network topology graph with anomalous events marked;
the network topology graph optimization module partitions and optimizes the network topology graph with anomalous events marked so that the clusters are of comparable size;
the stress layout control module places the network topology graph processed by the network topology graph optimization module 4 according to the principle of stress balance, obtaining the laid-out topology graph;
the visualization module visualizes the laid-out topology graph.
The visualization module is composed of a plane visualization submodule, a cellular logical topology graph visualization submodule, a network security event macroscopic distribution map visualization submodule and a control point distribution map visualization submodule, wherein:
the plane visualization submodule applies the plane visualization algorithm for large-scale undirected graphs to the network topology graph processed by the stress layout control module and obtains a vector file;
the cellular logical topology graph visualization submodule uses the vectorized display technique for large-scale undirected graphs to display the vector file obtained by the plane visualization submodule as a vector drawing, with roaming and stepless zooming;
the network security event macroscopic distribution map visualization submodule takes the plane visualization topology information as a backdrop, reads security incidents from the local database and displays them on the background map;
the control point distribution map visualization submodule takes the plane visualization topology information as a backdrop, reads control information from the local database, and displays the topology information on the background map according to the control information.
According to the structural features of large-scale network topology, the present invention proposes a processing method for the spatial visualization of the macroscopic distribution and local details of large-scale network security events. It has been applied effectively to the macroscopic display of the security data of an education network, and experimental results show that it gives the network administrator an intuitive display and a strong basis for understanding the overall state of network security incidents and for formulating effective control strategies from an overall perspective.
Description of drawings
Fig. 1 is a block diagram of the modules of the system. Fig. 2 is a schematic diagram of the operating principle of the virtual layer for worm events. Fig. 3 is a schematic diagram of the topology graph data structure. Fig. 4 is a schematic diagram of anomaly data acquisition. Fig. 5 is the anomaly data processing flowchart. Fig. 6 to Fig. 8 show the three states a line between two points in an existing topology graph may take: in Fig. 6 the two points are joined by a straight line with points on the connecting line; in Fig. 7 the two points are joined by an arc with points on the connecting line; in Fig. 8 the two points are joined by an arc with no points on the connecting line. Fig. 9 to Fig. 11 show the three connection patterns that exist between points in an existing live network topology graph: Fig. 9 is a linear connection, Fig. 10 a ring connection and Fig. 11 a star connection. Fig. 12 is the layout obtained by placing five subgraphs at random, and Fig. 13 is the layout obtained by placing them according to the degree of association between the subgraphs. Fig. 14 is the layout of a 3x3 matrix. Fig. 15 is a network topology graph whose partitioning and layout were completed with the network security incident visualization system of the present invention; Fig. 16 is a partial enlargement of the topology graph in Fig. 15 showing the distribution of anomalous events, where coloured points mark the positions at which anomalous events occurred; Fig. 17 shows the same region as Fig. 16 with the distribution of control routes, where the coloured regions mark the positions of the control routes contained in the anomaly data.
Embodiment
The network security incident visualization system of this embodiment comprises a data acquisition module 1, a topology data clustering module 2, an anomaly data coordinate mapping module 3, a network topology graph optimization module 4, a stress layout control module 5 and a visualization module 6, wherein:
the topology data clustering module 2 clusters the obtained topology data and assigns a unique identifier to the centre of each cluster;
the anomaly data coordinate mapping module 3 maps the coordinates of the obtained anomaly data onto the network topology graph produced by the topology data clustering module 2, marks the points corresponding to anomalous events, and obtains a network topology graph with anomalous events marked;
the network topology graph optimization module 4 partitions and optimizes the network topology graph with anomalous events marked so that the clusters are of comparable size;
the stress layout control module 5 places the network topology graph processed by the network topology graph optimization module 4 according to the principle of stress balance, obtaining the laid-out topology graph.
The visualization module 6 of this embodiment can also be implemented with the following technical scheme:
the visualization module 6 comprises a plane visualization submodule (Plane Visualizing Sub-module), a cellular logical topology graph visualization submodule (Topology Visualizing Sub-module), a network security event macroscopic distribution map visualization submodule (Distribution Visualizing Sub-module) and a control point distribution map visualization submodule, wherein:
the plane visualization submodule applies the plane visualization algorithm for large-scale undirected graphs to the network topology graph processed by the stress layout control module 5 and obtains a vector file;
the cellular logical topology graph visualization submodule uses the vectorized display technique for large-scale undirected graphs to display the vector file obtained by the plane visualization submodule as a vector drawing, with roaming and stepless zooming;
the network security event macroscopic distribution map visualization submodule takes the plane visualization topology information as a backdrop, reads security incidents from the local database and displays them on the background map;
the control point distribution map visualization submodule takes the plane visualization topology information as a backdrop, reads control information from the local database, and displays the topology information on the background map according to the control information.
Because the only thing the virtual layer needs to know is the identifier of an event, the event identifier can be used as an array index. Using the event identifier as the array index makes it easy and efficient to find the handler function corresponding to an event.
Using the virtual layer technique in this embodiment wastes some space, because not every analysis engine handles every event; but since the number of event kinds is small, this loss is worth accepting for the sake of efficiency.
In the data acquisition module 1, the processing of topology information is as follows:
first, the data in the topology file is converted into graph information, and the graph module forms a core router file and a non-core router file;
then, the network simulation module (Netsim) is used to call the network topology graph formed by the graph module, and to call the set of routing nodes to be controlled in the analysis and control module;
the analysis and control module (Analyze_contr) reads the set of routing nodes to be controlled from the database and performs the analysis of the network information.
The topology graph data structure of this embodiment is shown in Fig. 3; the topology graph data comprises: data size (size), node list (nodelis), IP list (Iplist), graph information (Graph) and host list (Hostlist).
Information is read from the database as the external interface; the table structure is as follows:

| Column description | Column name | Type | Remarks |
|---|---|---|---|
| Sequence number | ID | Autoincrement | KEY |
| Event type | TYPE | NUMBER(10) | NOT NULL |
| Router identifier | ROUTER_ID | NUMBER(10) | NOT NULL |
| Worm port | PORT | NUMBER(10) | NOT NULL |
| Infected host IP | IP | NUMBER(10) | NOT NULL |
| Traffic (packet count) | PKTNUM | NUMBER(10) | NOT NULL |
| Traffic (byte count) | BYTENUM | NUMBER(10) | NOT NULL |
| Alert time | ALERT_TIME | DATA | NOT NULL |
The data acquisition module 1 obtains anomaly data as follows:
message records are read from the database periodically; when an anomalous event is found, its information is passed to the virtual layer, which calls the preprocessing function of the anomalous event to collect the messages; after message collection is complete, the virtual layer calls the corresponding anomalous event handler function to process the event, and the result is written to the database.
Processing the anomalous event through the handler function called by the virtual layer means finding the anomalous routers, clustering the anomalous routers, computing the extent of damage, finding the control routers, computing the control strategy, and so on.
Taking the worm event as an example of an anomalous event, the method by which the above data module obtains anomaly data is:
after the program has registered the event, message records are read from the database periodically; if a worm event has occurred within this period, the discovered message (containing the worm port, the infected host IP and the traffic information) is passed to the virtual layer, which calls the preprocessing function of the worm event to collect messages; after collection is complete, the virtual layer calls the worm handler function to process the message, where the processing comprises finding the anomalous routers, clustering them, computing the extent of damage, finding the control routers and computing the control strategy, and so on, and the result is written to the database.
A schematic of anomaly data acquisition is shown in Fig. 4.
The above anomaly data processing can be implemented with the following flow, shown in Fig. 5:
Y1, read the current time into startime, wait 60 s, then read the current time into endtime;
Y2, judge whether the alert time of a worm event lies between startime and endtime; if so, go to step Y3; otherwise return to step Y1;
Y3, read and record the information related to the worm event, comprising the event type, router identifier, worm port, infected host IP and traffic information (packet count);
Y4, judge whether the information has been read completely; if so, go to step Y6; otherwise go to step Y4;
Y5, preprocess the data read and add the anomalous host IP to the hash table; return to step Y3;
Y6, perform the worm event processing, then return to step Y1 and wait for the next anomalous event alert.
The worm event processing of step Y6 is:
Y61, build the route hash table from the anomalous host IP hash table;
Y62, build the inter-route hop-count table from the route hash table;
Y63, compute the route cluster distribution;
Y64, compute the extent of damage of the route clusters obtained;
Y65, compute the control strategy;
Y66, store the computed control strategy result in the database;
Y67, clean up the temporary variables of the computation.
The topology data clustering module 2 of this embodiment clusters the obtained topology data and assigns a unique identifier to the centre of each cluster; the detailed process is:
from the point set of the topology data, select the points whose degree is greater than or equal to 25 as cluster centre points, obtaining several cluster centre points, and then add each of the other points to the cluster of one of the centre points; in detail:
select from the point set the points whose degree is greater than 25 as cluster centre points, obtaining j cluster centre points in total;
for each point i in the point set not selected as a cluster centre, find the cluster centre point j at minimum distance from it, and add point i to the cluster of centre point j;
set the number of clusters to retain, and merge the clusters not set as retained clusters into the retained clusters; the merging method is: for a cluster n not set as a retained cluster, find the retained cluster m that is joined to it by edges and with which it shares the largest number of edges, and add all the points of cluster n to cluster m;
then merge the scattered small clusters into larger clusters, reducing the number of clusters.
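The clustering procedure above (degree-threshold centre selection, nearest-centre assignment, then merging non-retained clusters into the retained cluster they share the most edges with), as an added example that is not the patent's own code. It assumes the topology is an undirected graph held as an adjacency dict and that "distance" to a centre is the shortest-path hop count; the function names and the sample topology are constructed for illustration.

```python
"""Degree-threshold clustering of a router topology (added example, not from the patent)."""
from collections import deque

DEGREE_THRESHOLD = 25   # degree at or above which a point becomes a cluster centre (from the page)


def bfs_hops(adj, src):
    """Hop distance from src to every reachable node (assumed distance measure)."""
    dist = {src: 0}
    q = deque([src])
    while q:
        u = q.popleft()
        for v in adj[u]:
            if v not in dist:
                dist[v] = dist[u] + 1
                q.append(v)
    return dist


def assign_to_centres(adj, threshold=DEGREE_THRESHOLD):
    """Pick centres by degree and attach every other node to its nearest centre.
    Returns {centre: set(nodes)}; nodes unreachable from every centre stay unassigned."""
    centres = [n for n in adj if len(adj[n]) >= threshold]
    hops = {c: bfs_hops(adj, c) for c in centres}
    clusters = {c: {c} for c in centres}
    for n in adj:
        if n in clusters:
            continue
        reachable = [(hops[c][n], c) for c in centres if n in hops[c]]
        if reachable:
            _, best = min(reachable)      # nearest centre; ties broken by centre id
            clusters[best].add(n)
    return clusters


def edges_between(adj, nodes_a, nodes_b):
    """Number of edges with one end in nodes_a and the other in nodes_b."""
    return sum(1 for u in nodes_a for v in adj[u] if v in nodes_b)


def merge_into_retained(adj, clusters, keep):
    """Retain the `keep` largest clusters and fold each other cluster into the retained
    cluster it shares the most edges with; a cluster with no edge to any retained
    cluster is left as it is (the page does not say what happens to it)."""
    order = sorted(clusters, key=lambda c: (-len(clusters[c]), c))
    retained = order[:keep]
    merged = {c: set(clusters[c]) for c in retained}
    leftover = {}
    for c in order[keep:]:
        scored = [(edges_between(adj, clusters[c], merged[m]), m) for m in retained]
        score, target = max(scored, key=lambda t: (t[0], -retained.index(t[1])))
        if score > 0:
            merged[target] |= clusters[c]
        else:
            leftover[c] = set(clusters[c])
    merged.update(leftover)
    return merged


def build_sample_topology():
    """Constructed sample: two hub routers of degree 25 and a small hub of degree 5."""
    adj = {}

    def add(u, v):
        adj.setdefault(u, set()).add(v)
        adj.setdefault(v, set()).add(u)

    for k in range(25):                 # hubs A and B each have 25 leaf routers
        add("A", f"a{k}")
        add("B", f"b{k}")
    for k in range(5):                  # small hub C with 5 leaves
        add("C", f"c{k}")
    add("c0", "a0")                     # C's side is tied to A by two edges ...
    add("c1", "a1")
    add("c2", "b0")                     # ... and to B by one edge
    return adj
```

Running `assign_to_centres(build_sample_topology())` yields centres A and B; with `keep=1` the B cluster is folded into A because the two share the c2 edge.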
The process by which the anomaly data coordinate mapping module 3 marks the points corresponding to anomalous events is:
obtain the anomaly data from the database and mark the points related to each anomaly datum one by one according to the time in the anomaly data; the marking process is: each cluster contained in the anomaly data is given a display colour, and the coordinates of the control routes contained in the anomaly data are set to red.
The anomaly data coordinate mapping module 3 maps the coordinates of the anomaly data onto the network topology graph dynamically, in the chronological order in which the network anomalous events occurred, and thereby displays network anomalous events dynamically. Because the anomalous points on the chosen network topology graph are displayed in the form of clusters, the same cluster contained in the anomaly data is set to the same colour and different clusters to different colours so that they can be distinguished; at the same time, the control router of each cluster related to the anomaly data is set to red, so that during display of the topology graph the position and state of the anomaly data can be seen at a glance.
In this embodiment, because the coordinates of the anomaly data are mapped in the chronological order of the network anomalous events, the anomalous events are also displayed one by one according to their time of occurrence, so the diffusion process of a given anomalous event can be depicted faithfully.
The display module of this embodiment displays the network anomalous event data by event and by time period, in both static and dynamic forms; specifically, it is divided into a single-point growth view and a multi-point random view.
The IP address of each anomalous event is mapped to a point in the figure, and each point corresponds one to one with the coordinates of a city on the map;
when the IP addresses of several anomalous events lie in the same city, the single-point growth view can be used, which represents the growth in the number of anomalous IPs in a city simply by increasing the radius of the point on the map; or the multi-point random view can be used, which each time generates a new random coordinate from the coordinates of the city, checks whether the new coordinate lies within the city's area and whether a point already exists at that coordinate, draws a point there if the coordinate lies within the city's area and no point is already at it, and otherwise keeps generating new random coordinates until the generated coordinate satisfies the above condition.
In the above display technique, the single-point growth view represents the extent of damage suffered by a city by the area of the circle, whereas the multi-point random view represents it by the density of the points.
The dynamic display of network anomalous events follows the chronological order of the events strictly, so the diffusion process of a given event can be depicted faithfully. The anomaly detection result is displayed, with anomalous points and anomalous areas shown on the chosen network topology graph; anomalous points are displayed in the form of clusters, anomalous points of the same cluster in the same colour and different clusters in different colours. At the same time, the control router of each anomalous point is also displayed in the figure, in red. The anomaly information is stored in the database, and the worm event detection function reads it from the database, that is, it reads the information of each database table into the corresponding data structure and then displays it in the client area.
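The two city views described above, as an added example that is not the patent's own code: the single-point growth view scales the circle's area (not its radius) with the number of anomalous IPs, and the multi-point random view places one dot per IP by rejection sampling with the page's two conditions (inside the city's area, not already occupied). It assumes a city's area is a circle of integer-pixel radius around its map coordinate and that the whois lookup is an injected function; all names and the sample events are constructed.

```python
"""Single-point growth view and multi-point random view for anomalous IPs of one city
(added example, not from the patent)."""
import math
import random

BASE_RADIUS = 2.0   # marker radius for a city with one anomalous IP (assumed)


def single_point_growth_radius(ip_count, base=BASE_RADIUS):
    """Single-point growth view: the circle's *area* represents the damage,
    so the radius grows with the square root of the number of anomalous IPs."""
    return base * math.sqrt(ip_count)


def multipoint_random_view(city_xy, city_radius, ip_count, rng, max_tries=10_000):
    """Multi-point random view: one dot per anomalous IP at a random integer coordinate
    inside the city's area, rejecting coordinates outside the area or already occupied.
    Raises RuntimeError when the area cannot hold another distinct dot."""
    cx, cy = city_xy
    occupied = set()
    for _ in range(ip_count):
        for _attempt in range(max_tries):
            x = cx + rng.randint(-city_radius, city_radius)
            y = cy + rng.randint(-city_radius, city_radius)
            inside = math.hypot(x - cx, y - cy) <= city_radius
            if inside and (x, y) not in occupied:
                occupied.add((x, y))
                break
        else:
            raise RuntimeError("city area is full; cannot place another dot")
    return occupied


def try_place(city_xy, city_radius, ip_count, seed=0):
    """Return the dots, or None when the city area cannot hold ip_count distinct dots."""
    try:
        return multipoint_random_view(city_xy, city_radius, ip_count,
                                      random.Random(seed), max_tries=200)
    except RuntimeError:
        return None


def group_ips_by_city(events, geolocate):
    """Count anomalous IPs per city using the (assumed) whois location lookup;
    the per-city count is the input to either view."""
    counts = {}
    for ev in events:
        city = geolocate(ev["ip"])
        counts[city] = counts.get(city, 0) + 1
    return counts


def demo(seed=1):
    """Constructed sample: 10 anomalous IPs that all geolocate to one city at (100, 100)
    with an area of radius 3; returns (growth-view radius, random-view dots)."""
    events = [{"ip": f"10.0.0.{k}"} for k in range(10)]       # constructed events
    counts = group_ips_by_city(events, lambda ip: "city-1")  # constructed lookup
    n = counts["city-1"]
    return single_point_growth_radius(n), multipoint_random_view((100, 100), 3, n,
                                                                 random.Random(seed))
```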
The stress layout control module 5 of this embodiment places the network topology graph processed by the network topology graph optimization module 4 according to the principle of stress balance; the process of obtaining the new topology graph is: first, according to the mass of each subgraph, arrange all subgraphs in the layout space in descending order of mass, laying out the subgraphs of larger mass first and those of smaller mass later; when laying out the i-th subgraph, compute the force exerted on it by the first i-1 subgraphs, traverse every position of the matrix to find the position at which the i-th subgraph is subject to the least force, fix the i-th subgraph there, and then lay out the (i+1)-th subgraph.
The principle of stress balance can use the existing network topology graph placement algorithm based on the repulsion-tension model, described in the article "A network topology graph placement algorithm based on the repulsion-tension model" by Cheng Yuan, Yan Wei and Li Xiaoming, published in Computer Engineering, issue 3, February 2004.
Because d ∝ |F|/m, where d is the distance the subgraph is displaced, m is the mass of the subgraph and F is the force on the subgraph, it follows that the larger the mass of a subgraph, the smaller its displacement. At the same time, the larger the degree of a subgraph, the greater its influence on the layout of the whole topology graph; therefore the subgraphs are laid out in order of mass, larger first and smaller later, and once a subgraph has been laid out its position no longer changes, i.e. it is fixed there; when laying out the next subgraph, only the forces exerted by the already fixed subgraphs need to be considered. A traversal algorithm is used here: every position of the matrix is traversed to find the position of least force, which is the position closest to equilibrium and the desired position.
The effect the above subgraph layout method aims for is: subgraphs are evenly spaced, as few edges as possible cross, and subgraphs that are closely related (with more edges between them) are placed together as far as possible.
The method can be implemented by the following process:
the layout space is represented by a matrix, with the rows as the x axis and the columns as the y axis; coordinate (x, y) denotes the position at row i, column j of the matrix;
for any two subgraphs $G_a$, $G_b$, define their degree of association $\kappa(a,b)$ as
$$\kappa(a,b) = \sum_{u \in G_a \wedge v \in G_b} e(u,v),$$
where $e(u,v)$ denotes a partition edge, i.e. the number of connecting edges between point $u$ and point $v$.
When $\kappa(a,b) = 0$, subgraphs $G_a$ and $G_b$ are least associated: no edge joins them.
When $\kappa(a,b) > \kappa(c,b)$, the association of $G_a$ with $G_b$ is stronger than that of $G_c$ with $G_b$.
Because the κ values between subgraphs differ, the subgraphs must not be placed at random: their relative positions are tied to their κ values, and placing subgraphs with a large κ value together helps reduce edge crossings. Fig. 12 and Fig. 13 show 5 subgraphs: Fig. 12 is the result of placing the 5 subgraphs at random, and Fig. 13 places them according to the degree of association between subgraphs, i.e. closely related subgraphs are placed together, which reduces edge crossings and at the same time shows the connection relations between subgraphs clearly.
The placement algorithm aims for the following effect: subgraphs are evenly spaced, as few edges as possible cross, and subgraphs with relatively high κ values are placed together as far as possible.
Given a connected undirected graph $G(V,E)$ consisting of $m$ subgraphs $\{G_m, G_{m-1}, \dots, G_1\}$ and the edges between subgraphs, define an $m \times m$ matrix $L_{m \times m}$ to represent the layout space of $G$. For example, the figure below gives the layout matrix of a graph composed of 3 subgraphs. Let $i, j \in \{0, \dots, m-1\}$; $L[i,j] = k$ ($k > 1$) means that subgraph $G_k$ occupies this region, and $L[i,j] = 0$ means that the region is not occupied by any subgraph. $X[i]$ denotes the starting abscissa of the region in row $i$ and $Y[j]$ the starting ordinate of the region in column $j$; the abscissa range of region $L[i,j]$ is $(X[i],\ X[i] + G_i.\mathrm{length})$ and its ordinate range is $(Y[j],\ Y[j] + G_i.\mathrm{width})$.
The layout of the subgraphs is thus converted into a layout in the matrix. Fig. 14 shows a 3*3 layout; as can be seen, the three subgraphs are placed in a triangle, and the subgraph numbers indicate the position of each subgraph on the whole figure.
A physical-analogy algorithm finds a physical world equivalent to the original mathematical problem, observes the vivid motion of matter in that world, and draws inspiration from it in the hope of obtaining the solution technique.
The layout matrix can be regarded as a box, each subgraph to be laid out as a bead with mass inside the box, and each edge joining subgraphs as a rubber band whose elastic coefficient depends on the κ value; the band has a natural length (its length when no external force acts on it) and exerts tension when stretched, and any two beads repel each other. With such a physical system, the process of laying out the subgraphs in the matrix becomes the process of the beads moving in the box under the laws of mechanics until equilibrium is reached, and the position of each bead in the box at equilibrium is the position the corresponding subgraph takes in the layout matrix.
For an arbitrary topology graph, each subgraph is regarded as a particle with its own mass; each edge is regarded as a rubber band with a natural length (its length under no external force) that exerts tension when stretched; and any two vertices repel each other. Once the tension and repulsion formulas of such a physical system have been defined, each particle (vertex) in the graph is given a random position and allowed to move according to physical law: at each step the resultant force on each vertex is computed and the vertex is displaced a certain distance in the direction of the resultant, until equilibrium is finally reached. By its physical meaning, the result of the algorithm satisfies: subgraphs joined by edges are placed together by the pulling force, nearby subgraphs are evenly distributed, and edges cross as little as possible (the effect of repulsion).
Choice of the physical equations:
1) Tension formula:
The above formula expresses the magnitude of the tension between point $v_i$ and point $v_j$: the larger $k$ is and the smaller Length is, the tighter the layout. Here the variable $k$ denotes the degree of the subgraph, $e_i$ the edge of node $i$, $e_k$ the edge of node $k$, $\mathrm{Length}(e_i)$ the length of edge $e_i$, $\mathrm{Distance}(v_i, v_j)$ the distance between points $v_i$ and $v_j$, and $\mathrm{Tension}(v_i, v_j, e_k)$ the attractive force produced between points $v_i$ and $v_j$ when the edge joining them is $e_k$.
2) Repulsion formula:
The above formula expresses the magnitude of the repulsion between point $v_i$ and point $v_j$; $f$ in the formula denotes the force between $v_i$ and $v_j$ when $\mathrm{Distance}(v_i, v_j)$ is 0, $\mathrm{Mass}(v_i)$ the mass of point $v_i$ and $\mathrm{Mass}(v_j)$ the mass of point $v_j$.
The mass can be taken to be proportional to the degree of the subgraph. This matches the hub-and-spoke (star) structure common in network topologies: the larger the degree of the central point, the larger its mass, the larger its repulsion, and the more space the surrounding vertices have in which to spread out.
Because the layout in a matrix cannot be as exact as the physical world, a greedy algorithm with an ordered layout is adopted. It avoids the exact computation of the real physical world while still giving a good result.
The stressed layout control module 5 can realize the above function with the following program. Its input is the network topology graph information already processed by the optimization module 4, i.e. the subgraph information after partitioning and the adjacency matrix between the subgraphs:

    for each subgraph vi in V
        assign vi a random coordinate (xi, yi) in the canvas;
        Force(vi) = 0;
    end for
    while there are subgraphs not yet laid out
        from the set of subgraphs not yet laid out, select the subgraph vi of largest mass;
        for each edge (vi, vj) adjacent to vi
            if vj is already laid out
                Force(vi) += Tension(vi, vj);      // compute the pulling force
            end if
        end for
        for each vertex vj in V
            if vj is already laid out
                Force(vi) += Repulsion(vi, vj);    // compute the repulsion
            end if
        end for
        ForceMin = Force(vi);
        // traverse the layout to find the position of minimum force
        for each position (xj, yj) in the layout
            if this position is unoccupied
                compute the net force Force(vi) that vi would receive at this position;
                if Force(vi) < ForceMin
                    ForceMin = Force(vi);
                    xi = xj;                       // record the position of minimum force
                    yi = yj;
                end if
            end if
        end for
        mark vi as laid out;                       // the original listing omits this step; without it the loop never terminates
    end while
After this procedure, the output is the position coordinate (xi, yi) of each subgraph of the topology graph; each subgraph is then placed according to its coordinate, giving the whole topology graph after layout.
In order to display the whole topology graph, this layout method first organizes the subgraphs obtained by partitioning the whole graph so that there are as few connections between subgraphs as possible while the connections that do exist are relatively tight, and then places the subgraphs with a reasonable layout so that the whole topology graph is displayed better.
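The greedy ordered placement above, written out as runnable code. This is an added example and not the patent's own program. The patent does not reproduce its tension and repulsion formulas, so the forms used here are assumptions: `tension` grows with the stretch of an edge beyond an assumed natural length, and `repulsion` equals f times the product of the two masses at distance 0 and decays with the square of the distance. Mass is taken as the degree of the subgraph, as the text suggests, and the canvas is a small grid of cells; the six subgraphs and their adjacency are constructed sample input.

```python
"""Greedy, ordered force-balance placement of subgraphs in a layout matrix.

Added example (not the patent's own code).  Force formulas are assumptions,
since the patent text does not reproduce them; mass = degree, as the text says.
"""
import math
from itertools import product

# Constructed sample: six subgraphs (cluster centres) and the edges between them.
SUBGRAPHS = ["A", "B", "C", "D", "E", "F"]
EDGES = [("A", "B"), ("A", "C"), ("A", "D"), ("B", "E"), ("C", "F"), ("D", "F")]


def degrees(nodes, edges):
    """Degree of each subgraph; used as its mass."""
    deg = {n: 0 for n in nodes}
    for u, v in edges:
        deg[u] += 1
        deg[v] += 1
    return deg


def tension(dist, natural_length=2.0, k=1.0):
    """Assumed Hooke-like tension: proportional to the stretch from the natural length."""
    return k * abs(dist - natural_length)


def repulsion(dist, mass_i, mass_j, f=1.0):
    """Assumed repulsion: f*mass_i*mass_j at distance 0, decaying with distance squared."""
    return f * mass_i * mass_j / (1.0 + dist * dist)


def net_force(node, pos, placed, edges, mass):
    """Scalar force on `node` at grid cell `pos` from the subgraphs already placed:
    tension from placed neighbours plus repulsion from every placed subgraph."""
    neighbours = {v if u == node else u for u, v in edges if node in (u, v)}
    total = 0.0
    for other, (ox, oy) in placed.items():
        d = math.hypot(pos[0] - ox, pos[1] - oy)
        if other in neighbours:
            total += tension(d)
        total += repulsion(d, mass[node], mass[other])
    return total


def greedy_layout(nodes, edges, width=6, height=6):
    """Place the subgraphs one at a time, heaviest first, each at the free cell
    of minimum net force with respect to those already fixed (ties broken by cell)."""
    mass = degrees(nodes, edges)
    order = sorted(nodes, key=lambda n: (-mass[n], n))
    cells = list(product(range(width), range(height)))
    placed = {}
    for node in order:
        if not placed:
            # Nothing exerts a force yet: put the heaviest subgraph at the canvas centre.
            placed[node] = (width // 2, height // 2)
            continue
        free = [c for c in cells if c not in placed.values()]
        placed[node] = min(free, key=lambda c: (net_force(node, c, placed, edges, mass), c))
    return placed


if __name__ == "__main__":
    for name, cell in greedy_layout(SUBGRAPHS, EDGES).items():
        print(name, cell)
```

With the assumed constants the hub A (degree 3) is fixed at the centre first and B, its heaviest neighbour, settles exactly one natural length away; every later subgraph is placed where the scan finds the smallest combined tension and repulsion, which is the "ordered greedy" substitute for a full physical simulation that the text describes.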
The plane visualization submodule uses a plane visualization algorithm for large-scale undirected graphs to planarize the network topology graph processed by the stressed layout control module 5, and obtains a vector file as follows:
The connections between each subgraph and the other subgraphs in the network topology graph are cut. An isolated subgraph is then an undirected connected graph and can be regarded as a network topology graph of scale smaller than N. Each subgraph is displayed as a plane graph one by one, after which the connecting lines between all subgraphs are drawn. Finally, the coordinates of all points in each subgraph, the connecting lines between those points, and the connecting-line information between subgraphs together form the vector file of the network topology graph.
The plane visualization process for each subgraph in the plane visualization submodule is:
Layout of points:
Starting from the point of maximum degree in the subgraph, traverse the subgraph breadth-first and generate a tree;
Then assign coordinates starting from the tree root: the child nodes are arranged in order, clockwise, on a circle or semicircle centred on their parent node;
When the child nodes fill a full circle, the radius is increased and the remaining child nodes are arranged on a further circle, until all child nodes have been arranged and the coordinate of every node is determined. Below, each node whose coordinate has been determined is called a vertex.
The arrangement principle for the child nodes is: child nodes of small degree are placed near the centre of the circle and child nodes of large degree far from it;
Placing the child nodes of large degree far from the centre in this point layout gives them more space in which to distribute their own child nodes.
In the plane visualization submodule of this embodiment, three structures found in real network topologies are considered: linear, ring and star, as shown in Fig. 9 to Fig. 11. Of the three, the linear and ring structures can be regarded as special cases of the star structure; at the same time the star (hub-and-spoke) structure is the most common structure in network topologies and extends well, for example a further star structure can be expanded around any point on the circumference. For these reasons, the point layout of this embodiment distributes the points of a subgraph in a star structure.
Layout of edges:
For two mutually connected vertices, check whether any other point lies on the straight line joining them; if not, connect the two vertices with a straight line. If so, connect the two vertices with an arc and check whether any other point lies on that arc; if so, change the radius of the arc and redraw it, then check again, until no other point lies on the arc drawn.
In this edge layout, every connecting line is checked for nodes lying on it when it is drawn, and it is redrawn whenever a node lies on it until none does. This guarantees that no point overlaps a line in the drawn topology graph and completely avoids the degraded visual effect that such overlaps cause. Overlaps are also misleading: for example, as shown in the figure, a straight line between points a and b that passes through point c could be mistaken for a connected to c and c connected to b, which is a logical error.
The edge layout above can be implemented with the following program:

    #define NUM 12
    vi = FindMaxDegree(G);             // find the point vi of maximum degree
    BFS(vi);                           // breadth-first traversal rooted at vi, building the tree structure
    AllocCenterPt(vi);                 // assign vi its coordinate first
    if (degree(vi) < NUM)
        AllocLessNum(vi, R);           // if the degree of vi is less than NUM, only one circle is assigned
    end if
    else
    begin
        Sort(vi);                      // sort the neighbours of vi by degree
        for j <- 1 to degree(vi)       // assign coordinates to the points adjacent to vi
            vj.x = vi.x + R * cos(angle * PI / 180)
            vj.y = vi.y - R * sin(angle * PI / 180)
            angle = angle + 360 / NUM; // advance to the next position on the circle (omitted in the original listing)
            if (j % NUM == 0)          // the circle is full: change the radius and arrange the next circle
                R = R + step;
        end for
    end
    for k <- 1 to BranchNum(vi)        // assign coordinates to the other layers
        AllocOtherBranch(k);
    end for
    for every e(vi, vj) in E           // edge layout
        if (!conflict(vi, vj))
            DrawLine(vi, vj);          // no other point on the line between them: draw a straight line
        else                           // otherwise draw an arc
            repeat
                Radius = Radius + iStep;   // change the radius of the arc
            until (!conflict(vi, vj))      // until the arc passes through no point other than its endpoints
            DrawArc(vi, vj, Radius);       // draw the arc
    end for
Fig. 6 to Fig. 8 show the process of connecting two points a and b with this technique. First the straight connecting line between points a and b is checked for any point lying on it; as Fig. 6 shows, point c lies on that straight line. The connecting line is then changed to an arc, on which, as Fig. 7 shows, point d lies. The connecting line is redrawn once more with a larger arc radius; as Fig. 8 shows, no point now lies on the line drawn, and the connecting line between point a and point b is complete.
After the plane visualization of each subgraph has been completed in the plane visualization submodule, the coordinates of all points in each subgraph and the connecting lines between those points are obtained; the connecting lines between adjacent subgraphs are then drawn by the same process used for the edge layout within a subgraph.
The plane visualization submodule of this embodiment first planarizes any subgraph G_i = (V_i, E_i): the points and edges of the subgraph are laid out in the plane so that the graph is planar and can finally be displayed as a plane graph. During plane display the following properties are guaranteed:
Distinctness of points: any two points are assigned different coordinates; otherwise some points would be covered in the plane.
Adjacency of points: if two points are adjacent, they are placed together as far as possible, so that their neighbour relation is better reflected.
Planarity of edges: an edge passes through no vertex other than its own two endpoints, so that the connection relations of the points are better reflected and misreading is avoided.
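The point layout and edge layout described above, combined into one runnable example that also checks the three properties just listed (distinct coordinates, adjacency, no edge through a third vertex). This is an added example and not the patent's own program. It keeps NUM = 12 positions per ring, the page's coordinate formulas, and the rule that low-degree children come first; the angular step of 360/NUM degrees, the radius step when a ring is full, the factor by which the radius shrinks at each tree level, and the choice of the minor arc on a fixed side of the chord are assumptions. The sample graph, a hub with seven spokes plus one cross edge that runs straight through the hub, is constructed input.

```python
"""Star (hub-and-spoke) point layout by BFS rings, plus edge routing that never
draws a straight line or an arc through a third vertex.

Added example (not the patent's own code).  NUM and the coordinate formulas
follow the pseudocode on the page; the other constants are assumptions.
"""
import math
from collections import deque

NUM = 12                   # positions per ring, as in the pseudocode
RING_STEP = 360.0 / NUM    # assumed angular step between neighbouring positions
CHILD_RATIO = 0.4          # assumed shrink of the ring radius per tree level
EPS = 1e-6


def build_adjacency(edges):
    adj = {}
    for u, v in edges:
        adj.setdefault(u, set()).add(v)
        adj.setdefault(v, set()).add(u)
    return adj


def bfs_tree(adj, root):
    """Breadth-first traversal from root; returns parent -> ordered list of children."""
    children = {v: [] for v in adj}
    seen, queue = {root}, deque([root])
    while queue:
        u = queue.popleft()
        # low-degree children first (inner positions), high-degree ones later
        for v in sorted(adj[u] - seen, key=lambda x: (len(adj[x]), x)):
            seen.add(v)
            children[u].append(v)
            queue.append(v)
    return children


def layout_points(edges, radius=4.0):
    """Root at the max-degree point; each node's children on rings around it."""
    adj = build_adjacency(edges)
    root = max(adj, key=lambda v: (len(adj[v]), v))         # FindMaxDegree
    children = bfs_tree(adj, root)
    coords = {root: (0.0, 0.0)}
    queue = deque([(root, radius)])
    while queue:
        parent, r = queue.popleft()
        px, py = coords[parent]
        ring_r, angle = r, 0.0
        for j, child in enumerate(children[parent], start=1):
            coords[child] = (px + ring_r * math.cos(math.radians(angle)),
                             py - ring_r * math.sin(math.radians(angle)))
            angle += RING_STEP
            if j % NUM == 0:                  # ring full: larger radius, next ring
                ring_r += r
            queue.append((child, r * CHILD_RATIO))
    return coords


def _dist(p, q):
    return math.hypot(p[0] - q[0], p[1] - q[1])


def on_segment(v, p, q, eps=EPS):
    """True if v lies strictly inside the straight segment p-q."""
    if _dist(v, p) < eps or _dist(v, q) < eps:
        return False
    return abs(_dist(p, v) + _dist(v, q) - _dist(p, q)) < eps


def on_arc(v, p, q, radius, eps=EPS):
    """True if v lies on the minor arc of the given radius from p to q
    (centre placed on the +normal side of the chord, arc on the other side)."""
    if _dist(v, p) < eps or _dist(v, q) < eps:
        return False
    chord = _dist(p, q)
    radius = max(radius, chord / 2)
    mid = ((p[0] + q[0]) / 2, (p[1] + q[1]) / 2)
    nx, ny = -(q[1] - p[1]) / chord, (q[0] - p[0]) / chord     # unit normal to the chord
    h = math.sqrt(max(radius * radius - (chord / 2) ** 2, 0.0))
    centre = (mid[0] + nx * h, mid[1] + ny * h)
    on_circle = abs(_dist(v, centre) - radius) < eps
    minor_side = (v[0] - mid[0]) * nx + (v[1] - mid[1]) * ny <= eps
    return on_circle and minor_side


def route_edge(p, q, coords, endpoints, step=1.0, max_tries=50):
    """Straight line if no third vertex lies on it, else the first conflict-free arc."""
    others = [c for name, c in coords.items() if name not in endpoints]
    if not any(on_segment(v, p, q) for v in others):
        return ("line", None)
    radius = _dist(p, q) / 2
    for _ in range(max_tries):
        if not any(on_arc(v, p, q, radius) for v in others):
            return ("arc", radius)
        radius += step                                        # Radius = Radius + iStep
    raise RuntimeError("no conflict-free arc found")


def route_edges(edges, coords):
    return {(u, v): route_edge(coords[u], coords[v], coords, {u, v}) for u, v in edges}


# Constructed sample: hub h with spokes a, c, d, e, f, g, z; the cross edge a-z
# lands exactly on a line through h, so it must be drawn as an arc.
SAMPLE_EDGES = ([("h", s) for s in "acdefgz"] + [("a", "z")] +
                [(s, s + "1") for s in "cdefg"])

if __name__ == "__main__":
    pts = layout_points(SAMPLE_EDGES)
    for edge, route in route_edges(SAMPLE_EDGES, pts).items():
        print(edge, route)
```

In the sample, `a` takes the first ring position (0 degrees) and `z` the seventh (180 degrees), so the straight segment between them passes through the hub and `route_edge` escalates to an arc; every tree edge is drawn as a straight line. The same `route_edge` is what the text applies afterwards to the connecting lines between adjacent subgraphs.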
Claims (10)
1. A network security incident visualization system, characterised in that it consists of a data acquisition module (1), a clustering module (2) for topological data, a coordinate mapping module (3) for abnormal data, an optimization module (4) for the network topology graph, a stressed layout control module (5) and a visualization module (6), wherein:
the data acquisition module (1) is used to actively measure the physical connection state of the real network so as to obtain the topological connection data of the underlying network routers, and at the same time to obtain the abnormal data and the whois location library information, forming the network topology graph;
the clustering module (2) for topological data is used to cluster the obtained topological data and to assign a unique identifier to the centre of each cluster;
the coordinate mapping module (3) for abnormal data is used to map the coordinates of the obtained abnormal data onto the network topology graph clustered by the clustering module (2) and to mark the points corresponding to abnormal events, obtaining a network topology graph with the abnormal events marked;
the optimization module (4) for the network topology graph is used to partition and optimize the network topology graph with the abnormal events marked so that the clusters are even;
the stressed layout control module (5) is used to place the network topology graph processed by the optimization module (4) according to the principle of force balance, obtaining the topology graph after layout;
the visualization module (6) is used to visualize the topology graph after layout.
2. The network security incident visualization system according to claim 1, characterised in that the visualization module (6) consists of a plane visualization submodule, a unit logical topology graph visualization submodule, a network security event macroscopic distribution map visualization submodule and a control point distribution map visualization submodule, wherein:
the plane visualization submodule is used to planarize the network topology graph processed by the stressed layout control module (5) with a plane visualization algorithm for large-scale undirected graphs, and to obtain a vector file;
the unit logical topology graph visualization submodule is used to display the vector file obtained by the plane visualization submodule as a vector graph, using a vectorized display technique for large-scale undirected graphs, with roaming and stepless zooming;
the network security event macroscopic distribution map visualization submodule, supported by the topology information from the plane visualization, reads security events from the local database and displays them on the background map;
the control point distribution map visualization submodule, supported by the topology information from the plane visualization, reads control information from the local database and displays the topology information on the background map according to that control information.
3. The network security incident visualization system according to claim 1, characterised in that the data acquisition module (1) adopts a virtual layer technique, the concrete structure being defined in each event processing module, with the event flag used as the array index.
4. The network security incident visualization system according to claim 1, characterised in that the processing of topology information by the data acquisition module (1) is:
first, the data in the topology file are converted into graphical information by the graphical module, and a core router file and a non-core router file are formed;
then the network simulation module is used to call the network topology graph formed by the graphical module, and the set of routing nodes to be controlled in the analysis and control module is called;
the analysis and control module reads the set of routing nodes to be controlled from the database and performs the network information analysis.
5. The network security incident visualization system according to claim 1, characterised in that the method by which the data acquisition module (1) obtains abnormal data is: message records are read from the database periodically; when an abnormal event is found, the information of the abnormal event is passed to the virtual layer, which calls the abnormal-event preprocessing function to collect the messages; after message collection is complete, the virtual layer calls the corresponding abnormal-event processing function to process the abnormal event, and the processing result is written to the database.
6. The network security incident visualization system according to claim 1, characterised in that the clustering module (2) for topological data clusters the obtained topological data and assigns a unique identifier to the centre of each cluster by the following method:
from the point set of the topological data, the points of degree greater than or equal to 25 are selected as cluster centres, giving a number of cluster centres, and each of the other points is then added to the cluster of one of those centres; specifically:
from the point set, the points of degree greater than 25 are selected as cluster centres, giving j cluster centres in total;
for each point i of the point set not selected as a cluster centre, the cluster centre j at minimum distance from it is found, and point i is added to the cluster of centre j;
the number of retained clusters is set, and the clusters not set as retained are merged into the clusters set as retained; the merging method is: for a cluster n not set as retained, find the retained cluster m to which it is joined by edges and with which it shares the most edges, and add all points of cluster n to cluster m.
7. The network security incident visualization system according to claim 1, characterised in that the coordinate mapping module (3) for abnormal data marks the points corresponding to abnormal events as follows:
the abnormal data are obtained from the database, and the point related to each item of abnormal data is marked one by one according to the time in the abnormal data; the marking process is: each cluster contained in the abnormal data is given a display colour, and the coordinates of the control routes contained in the abnormal data are set to red.
8. The network security incident visualization system according to claim 1, characterised in that the stressed layout control module (5) places the network topology graph processed by the optimization module (4) according to the principle of force balance, obtaining the new topology graph as follows: first, according to the mass of each subgraph, all subgraphs are arranged in the arrangement space in order of decreasing mass, the subgraph of larger mass being laid out first and the subgraph of smaller mass later; when laying out the i-th subgraph, the force exerted on it by the preceding i-1 subgraphs is computed, a traversal algorithm visits every position of the matrix to find the position where the force on the i-th subgraph is minimal, the i-th subgraph is fixed there, and the (i+1)-th subgraph is then laid out.
9. The network security incident visualization system according to claim 1, characterised in that the plane visualization submodule planarizes the network topology graph processed by the stressed layout control module (5) with a plane visualization algorithm for large-scale undirected graphs, and obtains a vector file as follows:
the connections between each subgraph and the other subgraphs in the network topology graph are cut, so that an isolated subgraph is an undirected connected graph regarded as a network topology graph of scale smaller than N; each subgraph is then displayed as a plane graph one by one, after which the connecting lines between all subgraphs are drawn; finally, the coordinates of all points in each subgraph, the connecting lines between those points, and the connecting-line information between subgraphs together form the vector file of the network topology graph.
10. The network security incident visualization system according to claim 9, characterised in that the plane visualization process for each subgraph in the plane visualization submodule is:
Layout of points:
starting from the point of maximum degree in the subgraph, traverse the subgraph breadth-first and generate a tree;
then assign coordinates starting from the tree root: the child nodes are arranged in order, clockwise, on a circle or semicircle centred on their parent node;
when the child nodes fill a full circle, the radius is increased and the remaining child nodes are arranged on a further circle, until all child nodes have been arranged and the coordinate of every node is determined; below, each node whose coordinate has been determined is called a vertex;
the arrangement principle for the child nodes is: child nodes of small degree are placed near the centre of the circle and child nodes of large degree far from it;
Layout of edges:
for two mutually connected vertices, check whether any other point lies on the straight line joining them; if not, connect the two vertices with a straight line; if so, connect the two vertices with an arc and check whether any other point lies on that arc; if so, change the radius of the arc and redraw it, then check again, until no other point lies on the arc drawn.
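The clustering method of claim 6 (high-degree points become cluster centres, every other point joins its nearest centre, and clusters that are not retained are merged into the retained cluster they share the most edges with), written out as an added example that is not the patent's own code. Three things the claim leaves open are assumptions here: "distance" to a centre is the hop count in the topology graph, the clusters retained are those whose centres have the highest degree, and ties are broken by name. The three hub routers with their attached routers, cross links and stub nodes are constructed sample input; the degree threshold of 25 is the claim's.

```python
"""Cluster centre selection, nearest-centre assignment and cluster merging
as in claim 6.  Added example, not the patent's code.  Assumptions: hop-count
distance, retain the highest-degree centres, ties broken by name.
"""
import math
from collections import deque


def build_adjacency(edges):
    adj = {}
    for u, v in edges:
        adj.setdefault(u, set()).add(v)
        adj.setdefault(v, set()).add(u)
    return adj


def hop_distances(adj, source):
    """BFS hop count from source to every reachable node."""
    dist = {source: 0}
    queue = deque([source])
    while queue:
        u = queue.popleft()
        for w in adj[u]:
            if w not in dist:
                dist[w] = dist[u] + 1
                queue.append(w)
    return dist


def cluster_topology(edges, degree_threshold=25, keep=None):
    """Return {point: cluster centre}.  Points of degree >= degree_threshold become
    centres; every other point joins its nearest centre; if keep is given, clusters
    not retained are merged into the retained cluster they share most edges with."""
    adj = build_adjacency(edges)
    centres = sorted(v for v in adj if len(adj[v]) >= degree_threshold)
    if not centres:
        raise ValueError("no point reaches the degree threshold")
    dist = {c: hop_distances(adj, c) for c in centres}
    cluster_of = {c: c for c in centres}
    for v in adj:
        if v not in cluster_of:
            # nearest centre by hop count; unreachable centres count as infinitely far
            cluster_of[v] = min(centres, key=lambda c: (dist[c].get(v, math.inf), c))
    if keep is None or keep >= len(centres):
        return cluster_of
    retained = sorted(centres, key=lambda c: (-len(adj[c]), c))[:keep]
    for n in centres:
        if n in retained:
            continue
        members = [v for v, c in cluster_of.items() if c == n]
        links = {m: 0 for m in retained}          # edges from cluster n into each retained cluster
        for u in members:
            for w in adj[u]:
                if cluster_of[w] in links:
                    links[cluster_of[w]] += 1
        target = max(retained, key=lambda m: (links[m], m))
        if links[target] == 0:
            continue  # the claim merges only clusters joined by an edge; an unconnected one is left alone
        for u in members:
            cluster_of[u] = target
    return cluster_of


def star(hub, n):
    """Constructed helper: a hub router with n directly attached routers."""
    return [(hub, f"{hub}_{i}") for i in range(n)]


# Constructed sample: three hubs above the degree threshold, a few cross links
# between their attached routers, and two stub nodes hanging off the edge.
SAMPLE_EDGES = (star("r1", 30) + star("r2", 28) + star("r3", 26) + [
    ("r1_0", "r2_0"), ("r3_0", "r1_1"), ("r3_1", "r1_2"), ("r3_2", "r1_3"),
    ("r3_3", "r2_1"), ("x", "r1_4"), ("y", "r2_2"), ("y", "y2")])

if __name__ == "__main__":
    for point, centre in sorted(cluster_topology(SAMPLE_EDGES, keep=2).items()):
        print(point, "->", centre)
```

With no retention limit the sample yields three clusters centred on r1, r2 and r3. With `keep=2` the r3 cluster has three edges into r1's cluster and one into r2's, so all of its points are moved to r1, leaving exactly the two retained clusters.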
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201010109333A CN101820357B (en) | 2010-02-11 | 2010-02-11 | Network security incident visualization system |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201010109333A CN101820357B (en) | 2010-02-11 | 2010-02-11 | Network security incident visualization system |
Publications (2)
Publication Number | Publication Date |
---|---|
CN101820357A true CN101820357A (en) | 2010-09-01 |
CN101820357B CN101820357B (en) | 2012-10-10 |
Family
ID=42655311
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201010109333A Active CN101820357B (en) | 2010-02-11 | 2010-02-11 | Network security incident visualization system |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN101820357B (en) |
Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2007002380A2 (en) * | 2005-06-24 | 2007-01-04 | Tom Sawyer Software | System for arranging a plurality of relational nodes into graphical layout form |
CN101557324A (en) * | 2008-12-17 | 2009-10-14 | 天津大学 | Real-time visual detection method for DDoS attack |
Cited By (25)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN103036905A (en) * | 2012-12-27 | 2013-04-10 | 北京神州绿盟信息安全科技股份有限公司 | Method and device of enterprise network safety analysis |
CN104125084A (en) * | 2013-04-25 | 2014-10-29 | 江苏华维电力科技有限公司 | Intelligent network security incident visualization system for substation |
CN103297984A (en) * | 2013-05-29 | 2013-09-11 | 烽火通信科技股份有限公司 | System and method for WDM (wavelength division multiplexing) network topological structure vectorization |
CN103297984B (en) * | 2013-05-29 | 2016-04-13 | 烽火通信科技股份有限公司 | A kind of system and method for WDM network topology structure vector quantization |
CN103324477B (en) * | 2013-06-04 | 2016-07-13 | 北京大学 | Element arrangement method based on stressing conditions |
CN103324477A (en) * | 2013-06-04 | 2013-09-25 | 北京大学 | Element distributing method based on stress condition |
WO2015131620A1 (en) * | 2014-10-15 | 2015-09-11 | 中兴通讯股份有限公司 | Flow visualization method and device thereof |
CN105653214B (en) * | 2014-12-01 | 2019-06-28 | 株式会社理光 | Information processing apparatus, information processing method, and computer program |
CN105653214A (en) * | 2014-12-01 | 2016-06-08 | 株式会社理光 | Information processing apparatus, information processing method, and computer program |
CN106503021A (en) * | 2015-09-08 | 2017-03-15 | 阿里巴巴集团控股有限公司 | A kind of data visualization method and equipment |
CN106570104A (en) * | 2016-11-01 | 2017-04-19 | 南京理工大学 | Multi-partition clustering preprocessing method of stream data |
CN108306748A (en) * | 2017-01-12 | 2018-07-20 | 阿里巴巴集团控股有限公司 | Network failure locating method, device and interactive device |
CN110347544A (en) * | 2018-04-08 | 2019-10-18 | 微软技术许可有限责任公司 | Abnormal intellectual monitoring processing technique |
CN112514327A (en) * | 2018-08-01 | 2021-03-16 | 华为技术有限公司 | Interactive system for visualization and maintenance of large network |
WO2020024760A1 (en) * | 2018-08-01 | 2020-02-06 | Huawei Technologies Co., Ltd. | Interactive system for visualizing and maintaining large networks |
CN112514327B (en) * | 2018-08-01 | 2022-09-23 | 华为云计算技术有限公司 | Interactive system for visualization and maintenance of large network |
CN109062653A (en) * | 2018-08-20 | 2018-12-21 | 珠海市筑巢科技有限公司 | Long graph text information display methods, computer installation and computer readable storage medium |
CN110933101A (en) * | 2019-12-10 | 2020-03-27 | 腾讯科技(深圳)有限公司 | Security event log processing method, device and storage medium |
CN113722576A (en) * | 2021-05-07 | 2021-11-30 | 北京达佳互联信息技术有限公司 | Network security information processing method, query method and related device |
CN114070744A (en) * | 2021-11-25 | 2022-02-18 | 杭州安恒信息技术股份有限公司 | Method, device, equipment and medium for generating node coordinates of network topology |
CN114070744B (en) * | 2021-11-25 | 2024-04-19 | 杭州安恒信息技术股份有限公司 | Node coordinate generation method, device, equipment and medium of network topology |
CN114039862A (en) * | 2022-01-10 | 2022-02-11 | 南京赛宁信息技术有限公司 | CTF problem solution detection node construction method and system based on dynamic topology analysis |
CN115622796A (en) * | 2022-11-16 | 2023-01-17 | 南京南瑞信息通信科技有限公司 | Network security linkage response combat map generation method, system, device and medium |
CN116976057A (en) * | 2023-08-17 | 2023-10-31 | 北京交航科技有限公司 | Automatic arrangement method for device layout |
CN116976057B (en) * | 2023-08-17 | 2024-03-19 | 北京交航科技有限公司 | Automatic arrangement method for device layout |
Also Published As
Publication number | Publication date |
---|---|
CN101820357B (en) | 2012-10-10 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| C06 | Publication | |
| PB01 | Publication | |
| C10 | Entry into substantive examination | |
| SE01 | Entry into force of request for substantive examination | |
| C14 | Grant of patent or utility model | |
| GR01 | Patent grant | |