CN103179039B - Method for effectively filtering normal network packets - Google Patents
Method for effectively filtering normal network packets
- Publication number
- CN103179039B (application CN201210412125.6A)
- Authority
- CN
- China
- Prior art keywords
- packet
- hash
- carry out
- address port
- chain
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Landscapes
- Data Exchanges In Wide-Area Networks (AREA)
- Computer And Data Communications (AREA)
Abstract
The invention provides a method for effectively filtering normal network packets, comprising the following steps: 1) protocol analysis, in which the captured packets are classified; 2) normal-traffic filtering, in which the captured traffic is filtered. The scheme relies on a timer to carry out detection at periodic intervals. Connections between the same pair of IP addresses and ports are inspected; if no anomaly has been found by the time the detection count reaches a preset threshold, all packets transmitted on that connection within a fixed period are assumed to be normal and are filtered out directly, so the connection need not be considered further. The method filters mainly in a whitelist fashion, and the filtering procedure differs for packets of different transport protocols.
Description
Technical field
The scheme for filtering normal network packets proposed here is an innovation built on the traffic-filtering techniques used in existing intrusion detection systems. It belongs to the field of computer security and provides a method for effectively filtering normal network packets.
Background technology
Intrusion detection, as a technique for actively monitoring intrusive behaviour, has become one of the core research topics in network security, and in devices with intrusion detection capability, filtering the packets captured from the network is a frequent operation. The stability of network operation and the filtering of network attacks have always been difficult problems for network development, so a method for effectively screening out normal traffic is needed.
Flow-based intelligent intrusion detection techniques detect attacks that affect network traffic efficiently, but current techniques have no really effective scheme for filtering the traffic itself. For example, in the intelligent intrusion detection model based on a BP neural network, the BP neural network module combines misuse detection and anomaly detection: misuse detection first matches captured packets against the rules for known intrusions, anomaly detection is applied to whatever cannot be matched, and the rule base is then updated, i.e. newly detected intrusions are added to the intrusion rule base and normal data are added to the normal-behaviour rule base. This system runs misuse detection or anomaly detection on every packet it receives, which is unsuitable for large, fast networks.
Intrusion detection based on data mining mainly comprises network packet capture, data preprocessing, protocol analysis, rule parsing, data mining and alarm output modules. The system normalises the attribute values of the captured packets and then matches them against the rules in the intrusion rule base; a match means that an intrusion corresponding to a known intrusion in the rule base has been detected, and an alarm is raised. If there is no match, data-mining techniques are used to learn from the data, extract learning rules and features, and update the intrusion rule base. This system performs rule matching on every captured packet in real time, which wastes a great deal of time and space.
The above methods, and essentially all existing methods, need to inspect every captured packet in real time, and as network speeds increase these methods are becoming infeasible. The method proposed here does not analyse every packet. It first determines which connections are transmitting normally, assumes that such a connection remains normal within a certain time interval, and then disregards that connection's packets for the interval. Normal traffic is thus filtered out directly and only anomalous traffic is processed further. Because more than 99% of the captured traffic is normal, this saves processing time and space and improves system efficiency.
Summary of the invention
The object of the present invention is to provide a method, and a corresponding device, for effectively filtering normal network packets.
To achieve this object the invention adopts the following technical solution:
A method for effectively filtering normal network packets, comprising the following steps:
1) protocol analysis: classifying the captured packets;
2) normal-traffic filtering: filtering the captured traffic;
wherein the normal-traffic filtering of step 2) comprises a UDP packet filtering step and a TCP packet filtering step;
The UDP packet filtering step comprises:
31) each packet of a newly established network connection is first classified by the value of the protocol field in its IP header. If it is UDP, the four fields source address, destination address, source port and destination port are extracted from the packet headers and hashed according to a chosen hash criterion, and a corresponding hash chain table is built. The key of the chain table is the hash value, and the chain entry for that hash value contains the address/port pair, a detection count and a flag; the detection count and the flag are initially 0;
32) the flag field is checked first. If it is 0 the packet is analysed, proceeding to step 33); if it is 1 no analysis is performed, all data on this connection within the clock period are treated as normal, and the packet is filtered out directly;
33) the packet on this address/port pair is analysed. If no anomaly is found, proceed to step 34); if an anomaly is detected, proceed to step 35);
34) the detection count in the chain entry for this address/port pair is incremented by 1; when the detection count reaches 10, the flag field in the chain entry is set to 1;
35) if an anomaly is detected, the address/port pair for this hash key is deleted from the hash chain, and if the chain linked to this hash key contained only this address/port pair, the hash key (i.e. the hash value) is also deleted from the hash table;
36) for the next packet received, it is first checked whether the source IP address and port and the destination IP address and port in its headers match an existing address/port pair; if they are identical, proceed to step 37); if not, proceed to step 38);
37) proceed according to steps 32) to 35);
38) hash the packet according to step 31); if the hash value equals one already present in the hash chain, the entry for this address/port pair is chained after the entry for the previous identical hash key, and the procedure again follows steps 32) to 35);
The TCP packet filtering step comprises:
41) each packet of a newly established network connection is first classified by the value of the protocol field in its IP header. If it is TCP, the four fields source address, destination address, source port and destination port are extracted from the packet headers and hashed according to a chosen hash criterion, and a corresponding hash chain table is built. The key of the chain table is the hash value, and the chain entry for that hash value contains the address/port pair, the sequence number of the next packet expected, a detection count and a flag; the detection count and the flag are initially 0;
42) the flag field is checked first. If it is 0 the packet is analysed, proceeding to step 43); if it is 1 no analysis is performed, indicating that all data on this connection within the clock period are normal;
43) the packet on this address/port pair is analysed. If no anomaly is found, proceed to step 44); if an anomaly is detected or the packet received is a FIN packet, proceed to step 45);
44) the detection count in the chain entry for this address/port pair is incremented by 1; when the detection count reaches 10, the flag field in the chain entry is set to 1;
45) the address/port pair for this hash key is deleted from the hash chain table, and if the chain linked to this hash key contained only this address/port pair, the hash key (i.e. the hash value) is also deleted from the hash table;
46) for the next packet received, it is first checked whether the source IP address and port and the destination IP address and port in its headers match an address/port pair present in the chain table; if they are identical, proceed to step 47); if not, proceed to step 410);
47) it is checked whether the sequence number of this packet is the one the previous packet of this address/port pair expected next. If so, proceed to step 48); if not, proceed to step 49), and once the expected packet arrives the packets held in the buffer are merged in sequence order and placed after the previous packet;
48) proceed according to steps 42) to 46);
49) the packet is stored in the buffer;
410) hash the packet according to step 41); if the hash value equals one already present in the hash chain, the entry for this address/port pair is chained after the entry for the previous identical hash key, and the procedure again follows steps 42) to 49).
The present invention has following beneficial effect:
The method of effectively filtering normal network packets described here is an improvement on existing filtering schemes. Packets of different protocol types are filtered in different ways, but all filtering is driven by the clock period. This saves system space and also improves the efficiency of the whole intrusion monitoring system, because most normal traffic is filtered out and only the anomalous part needs to be analysed.
Accompanying drawing explanation
Fig. 1 is the UDP hash table of the present invention.
Fig. 2 is the TCP hash table of the present invention.
Embodiment
This embodiment describes in detail one way of implementing the invention, but the scope of protection is not limited to this approach; every implementation that adopts the inventive concept falls within the scope of protection.
Protocol analysis
The packets captured by the capture module are link-layer frames. Fragmented IP packets must first be reassembled and erroneous packets are dropped directly; the packets are then classified by the value of the protocol field in the IP header into TCP-based packets and UDP-based packets. The two types are processed slightly differently: UDP is connectionless, whereas TCP data must be delivered to the upper layer as ordered packets.
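The protocol-analysis stage described above, as an added example in Python (not the patent's own code): a raw IPv4 packet is classified by its protocol field, and the address/port 4-tuple that the later hashing steps key on is extracted, together with the sequence number and FIN flag for TCP. Malformed and non-TCP/UDP packets are returned as `None` so the caller can drop them. Fragment reassembly, which the text performs before classification, is left out here and fragments are likewise returned as `None` (an assumption of this example). The sample packets, including the 202.113.132.35:899 to 222.197.181.2:80 pair from the embodiment, are constructed inline.

```python
"""Protocol-analysis stage: classify a raw IPv4 packet by its protocol field and
extract the fields the filtering steps key on.  Added example, not the patent's
code; the sample packets below are constructed for illustration."""
import struct
from typing import NamedTuple, Optional, Tuple


class Parsed(NamedTuple):
    proto: str                         # "udp" or "tcp"
    key: Tuple[str, int, str, int]     # (src_ip, src_port, dst_ip, dst_port)
    seq: Optional[int]                 # TCP sequence number; None for UDP
    fin: bool                          # TCP FIN flag (ends the connection in step 45)
    payload: bytes


def classify(pkt: bytes) -> Optional[Parsed]:
    """Return the parsed 4-tuple and transport details, or None for packets this
    stage drops: malformed, non-IPv4, non-TCP/UDP.  Fragments are also returned as
    None here (assumption: reassembly happens in a separate stage not shown)."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack_from("!H", pkt, 2)[0]
    if ihl < 20 or total_len < ihl or total_len > len(pkt):
        return None                                   # bad header or truncated packet
    if struct.unpack_from("!H", pkt, 6)[0] & 0x3FFF:  # MF set or fragment offset != 0
        return None
    proto = pkt[9]
    src = ".".join(map(str, pkt[12:16]))
    dst = ".".join(map(str, pkt[16:20]))
    l4 = pkt[ihl:total_len]
    if proto == 17 and len(l4) >= 8:                  # UDP: ports are the first two fields
        sport, dport = struct.unpack_from("!HH", l4, 0)
        return Parsed("udp", (src, sport, dst, dport), None, False, l4[8:])
    if proto == 6 and len(l4) >= 20:                  # TCP: ports, seq, ack, offset/flags
        sport, dport, seq, _ack, off_flags = struct.unpack_from("!HHIIH", l4, 0)
        doff = (off_flags >> 12) * 4
        if doff < 20 or doff > len(l4):
            return None
        return Parsed("tcp", (src, sport, dst, dport), seq, bool(off_flags & 0x01), l4[doff:])
    return None                                       # other protocols are not filtered here


def build_ipv4(proto: int, src: str, dst: str, l4: bytes) -> bytes:
    """Construct a minimal IPv4 packet (no options, checksum left at zero) around an
    L4 segment; used only to fabricate sample input."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                      bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return hdr + l4


def sample_packets() -> list:
    """Constructed input: the embodiment's UDP pair (202.113.132.35:899 -> 222.197.181.2:80),
    two TCP segments on an invented connection, and a truncated packet."""
    udp = struct.pack("!HHHH", 899, 80, 8 + 5, 0) + b"hello"
    tcp = struct.pack("!HHIIHHHH", 40000, 443, 1000, 0, (5 << 12) | 0x18, 65535, 0, 0) + b"data"
    fin = struct.pack("!HHIIHHHH", 40000, 443, 1004, 0, (5 << 12) | 0x11, 65535, 0, 0)
    return [build_ipv4(17, "202.113.132.35", "222.197.181.2", udp),
            build_ipv4(6, "10.0.0.5", "10.0.0.9", tcp),
            build_ipv4(6, "10.0.0.5", "10.0.0.9", fin),
            b"\x45\x00\x00"]                          # truncated: dropped as malformed


if __name__ == "__main__":
    for p in sample_packets():
        print(classify(p))
```

The header-length and total-length checks matter in practice: a whitelist keyed on a 4-tuple read from an unchecked header can be fed entries by packets whose declared lengths do not match what was captured, so the stage validates them before extracting anything.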
Normal-traffic filtering
Most trojans use UDP or TCP for data transfer, so this module processes only packets of these two protocols, and the specific handling of TCP and UDP packets differs.
(1) UDP packet filtering mechanism
UDP is a connectionless protocol, so the intrusion detection system does not need to reassemble the UDP packets it captures; each UDP packet is treated as an independent unit of data. A unique identifier, for example a hash value, is first established for the UDP transmission between hosts A and B. In the following example, host A has IP address 202.113.132.35 and port 899, and host B has IP address 222.197.181.2 and port 80. These four values are hashed and a hash chain table for UDP packets is built in system memory; each chain entry holds the address/port pair, the detection count and a clock flag. When the detection count reaches the preset threshold the flag is set to 1, and when the clock interrupt fires the flag is reset to 0.
(2) TCP packet filtering mechanism
TCP segments may arrive out of order, but the upper-layer module needs ordered packets, so a buffer must be set up to store packets and analyse them in their normal transmission order.
First, each newly established network connection is hashed, again on IP addresses and ports. The record field of the hash table stores the address/port pair, the next packet sequence number, the detection count, the flag, and a buffer chain reached through a buffer pointer.
When a received packet is not the packet with the next expected sequence number, it is buffered. When the awaited packet arrives, the contiguous packets in the buffer are combined with it into a new packet, placed after the previous packet, and put into the shared memory pool.
If a FIN packet is encountered, this hash mapping is deleted from the hash table.
The packets captured from the network first undergo protocol analysis and are divided into TCP-based and UDP-based packets; processing then splits into two cases according to the value of the protocol field:
(1) UDP packet filtering steps:
1. The received packet is first classified by the value of the protocol field in its IP header. If it is UDP, the four fields source address, destination address, source port and destination port are extracted from the packet headers and hashed according to a chosen hash criterion, and a corresponding hash chain table is built. The key of the chain table is the hash value, and the chain entry for that hash value contains the address/port pair, a detection count and a flag, both initially 0.
2. The flag field is checked first. If it is 0 the packet is analysed; if it is 1 it is not analysed, as all data on this connection within the clock period are treated as normal. The packet on this address/port pair is analysed: if no anomaly is found, the detection count in the chain entry for this address/port pair is incremented by 1; if an anomaly is detected, the address/port pair for this hash key is deleted from the hash chain, and if the chain linked to this hash key contained only this address/port pair, the hash key is deleted from the hash table too. When the detection count reaches the preset threshold, for example 10, the flag field in the chain entry is set to 1.
3. For the next packet received, it is first checked whether the source IP address and port and the destination IP address and port in its headers match an existing address/port pair; if they are identical, it is processed according to step 2. If not, it is hashed according to step 1; if the hash value equals one already present in the hash chain, the entry for this address/port pair is chained after the entry for the previous identical hash key, and processing again follows step 2.
(2) TCP packet filtering steps:
1. The received packet is first classified by the value of the protocol field in its IP header. If it is TCP, the four fields source address, destination address, source port and destination port are extracted from the packet headers and hashed according to a chosen hash criterion, and a corresponding hash chain table is built. The key of the chain table is the hash value, and the chain entry for that hash value contains the address/port pair, the sequence number of the next packet expected, a detection count and a flag; the detection count and the flag are initially 0.
2. The flag field is checked first. If it is 0 the packet is analysed; if it is 1 it is not analysed, indicating that all data on this connection within the clock period are normal. The packet on this address/port pair is analysed: if no anomaly is found, the detection count in the corresponding chain entry is incremented by 1; if an anomaly is detected or the packet received is a FIN packet, the address/port pair for this hash key is deleted from the hash chain, and if the chain linked to this hash key contained only this address/port pair, the hash key is deleted from the hash table too. When the detection count reaches the preset threshold, for example 10, the flag field in the chain entry is set to 1.
3. For the next packet received, it is first checked whether the source IP address and port and the destination IP address and port in its headers match an existing address/port pair, and then whether its sequence number is the one the previous packet of this address/port pair expected next. If so, it is processed according to step 2; if not, the packet is stored in the buffer until the expected packet arrives, at which point the buffered packets are merged in sequence order and placed after the previous packet.
4. If the address/port pair matches none in the chain table, the packet is hashed according to step 1; if the hash value equals one already present in the hash chain, the entry for this address/port pair is chained after the entry for the previous identical hash key, and processing again follows steps 2 and 3.
In the initial phase, when network traffic is especially heavy, analysing every packet can easily crash the system. A random algorithm is therefore used to select a certain number of packets for analysis and build the whitelist; once the whitelist essentially covers all normal behaviour, the random algorithm is no longer used.
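The UDP and TCP filtering procedures above (summary steps 31) to 38) and 41) to 410), the embodiment steps, and claim 1) implemented in Python as one added example; this is not the patent's code. Assumptions made here and not stated in the text: the hash criterion (FNV-1a over the 4-tuple), the anomaly test (supplied by the caller; the demo flags a payload containing `EVIL`), and that the clock interrupt resets the detection count along with the flag, so a flow must again show ten clean packets before it is trusted. The startup random sampling is not modelled. `demo()` drives the whitelist with constructed traffic, including an out-of-order TCP segment, a FIN, and a hostile UDP payload arriving while the flag is set.

```python
"""Flow whitelist following the patent's UDP (steps 31-38) and TCP (steps 41-410)
filtering procedures.  Added example, not the patent's own code.  Assumptions: the
hash function, the caller-supplied anomaly test, and resetting the count on the clock."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

FourTuple = Tuple[str, int, str, int]   # (src_ip, src_port, dst_ip, dst_port)
THRESHOLD = 10                            # clean detections before the flag is set (steps 34/44)


def flow_hash(key: FourTuple, n_buckets: int) -> int:
    """Hash the address/port pair to a bucket index (FNV-1a is an assumption;
    the patent only says 'a certain hash criterion')."""
    h = 0x811C9DC5
    for b in f"{key[0]}:{key[1]}>{key[2]}:{key[3]}".encode():
        h = ((h ^ b) * 0x01000193) & 0xFFFFFFFF
    return h % n_buckets


@dataclass
class FlowEntry:
    key: FourTuple
    count: int = 0                  # detection count
    flag: bool = False              # 1 => skip inspection for the rest of this clock period
    next_seq: Optional[int] = None  # TCP only: sequence number expected next
    pending: Dict[int, bytes] = field(default_factory=dict)  # TCP only: out-of-order buffer


class FlowWhitelist:
    def __init__(self, is_anomalous: Callable[[bytes], bool],
                 threshold: int = THRESHOLD, n_buckets: int = 1024):
        self.buckets: Dict[int, List[FlowEntry]] = {}   # hash value -> chain of entries
        self.is_anomalous, self.threshold, self.n_buckets = is_anomalous, threshold, n_buckets

    # hash chain table: lookup, chained insert (steps 38/410), delete (steps 35/45)
    def _find(self, key: FourTuple) -> Optional[FlowEntry]:
        chain = self.buckets.get(flow_hash(key, self.n_buckets), [])
        return next((e for e in chain if e.key == key), None)

    def _insert(self, key: FourTuple, seq: Optional[int] = None) -> FlowEntry:
        e = FlowEntry(key=key, next_seq=seq)
        self.buckets.setdefault(flow_hash(key, self.n_buckets), []).append(e)  # chained after same-hash entries
        return e

    def _delete(self, e: FlowEntry) -> None:
        h = flow_hash(e.key, self.n_buckets)
        self.buckets[h].remove(e)
        if not self.buckets[h]:      # it was the only pair under this key: drop the key too
            del self.buckets[h]

    def tick(self) -> None:
        """Clock interrupt: clear flags so every flow is re-examined (count reset is an assumption)."""
        for chain in self.buckets.values():
            for e in chain:
                e.flag, e.count = False, 0

    def _inspect(self, e: FlowEntry, data: bytes) -> str:
        """Steps 32-35 / 42-45 on one unit of data for a known flow."""
        if e.flag:
            return "skip"            # flag is 1: filtered out without analysis
        if self.is_anomalous(data):
            self._delete(e)          # anomaly: remove the address/port pair
            return "anomaly"
        e.count += 1
        if e.count >= self.threshold:
            e.flag = True
        return "clean"

    def udp(self, key: FourTuple, payload: bytes) -> str:
        e = self._find(key) or self._insert(key)
        return self._inspect(e, payload)

    def tcp(self, key: FourTuple, seq: int, payload: bytes, fin: bool = False) -> str:
        e = self._find(key) or self._insert(key, seq)   # first segment seen fixes next_seq
        if fin:
            self._delete(e)                              # step 45: FIN closes the connection
            return "closed"
        if seq != e.next_seq:
            e.pending[seq] = payload                     # step 49: out of order, buffer it
            return "buffered"
        data, nxt = payload, seq + len(payload)          # step 47: append buffered continuation
        while nxt in e.pending:
            chunk = e.pending.pop(nxt)
            data, nxt = data + chunk, nxt + len(chunk)
        e.next_seq = nxt
        return self._inspect(e, data)


def demo() -> tuple:
    """Run constructed traffic through the whitelist; returns the decision traces."""
    wl = FlowWhitelist(lambda d: b"EVIL" in d, n_buckets=1)   # one bucket: exercises chaining
    udp_key = ("202.113.132.35", 899, "222.197.181.2", 80)    # hosts A and B from the embodiment
    tcp_key = ("10.0.0.5", 40000, "10.0.0.9", 443)             # constructed connection
    udp_trace = [wl.udp(udp_key, b"ok") for _ in range(THRESHOLD)]  # ten clean -> flag set
    udp_trace.append(wl.udp(udp_key, b"EVIL"))    # flag is 1: hostile payload passes uninspected
    tcp_trace = [wl.tcp(tcp_key, 1000, b"AAAA"),
                 wl.tcp(tcp_key, 1008, b"CCCC"),  # arrives before 1004: buffered
                 wl.tcp(tcp_key, 1004, b"BBBB")]  # expected: BBBB+CCCC merged, inspected once
    chain_len = len(wl.buckets[0])                # both flows sit in the single chain
    tcp_trace.append(wl.tcp(tcp_key, 1012, b"", fin=True))
    wl.tick()                                     # clock interrupt clears the flag
    udp_trace.append(wl.udp(udp_key, b"EVIL"))    # inspected again: anomaly, entry removed
    return udp_trace, tcp_trace, chain_len, len(wl.buckets)


if __name__ == "__main__":
    print(demo())
```

The `skip` returned for the hostile UDP payload is the trade-off the scheme makes explicit: once a flow has passed the threshold, nothing on it is inspected until the next clock interrupt, so the clock period is the upper bound on how long an attacker who first sends ten benign packets can transmit unexamined. The TCP path compares sequence numbers by exact equality, as the steps describe; retransmissions and overlapping segments would need additional handling in a production reassembler.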
Claims (1)
1. A method for effectively filtering normal network packets, comprising the following steps:
1) protocol analysis: classifying the captured packets;
2) normal-traffic filtering: filtering the captured traffic;
wherein the normal-traffic filtering of step 2) comprises a UDP packet filtering step and a TCP packet filtering step;
The UDP packet filtering step comprises:
31) each packet of a newly established network connection is first classified by the value of the protocol field in its IP header. If it is UDP, the four fields source address, destination address, source port and destination port are extracted from the packet headers and hashed according to a chosen hash criterion, and a corresponding hash chain table is built. The key of the chain table is the hash value, and the chain entry for that hash value contains the address/port pair, a detection count and a flag; the detection count and the flag are initially 0;
32) the flag field is checked first. If it is 0 the packet is analysed, proceeding to step 33); if it is 1 no analysis is performed, all data on this connection within the clock period are treated as normal, and the packet is filtered out directly;
33) the packet on this address/port pair is analysed. If no anomaly is found, proceed to step 34); if an anomaly is detected, proceed to step 35);
34) the detection count in the chain entry for this address/port pair is incremented by 1; when the detection count reaches 10, the flag field in the chain entry is set to 1;
35) if an anomaly is detected, the address/port pair for this hash key is deleted from the hash chain, and if the chain linked to this hash key contained only this address/port pair, the hash key (i.e. the hash value) is also deleted from the hash table;
36) for the next packet received, it is first checked whether the source IP address and port and the destination IP address and port in its headers match an existing address/port pair; if they are identical, proceed to step 37); if not, proceed to step 38);
37) proceed according to steps 32) to 35);
38) hash the packet according to step 31); if the hash value equals one already present in the hash chain, the entry for this address/port pair is chained after the entry for the previous identical hash key, and the procedure again follows steps 32) to 35);
The TCP packet filtering step comprises:
41) each packet of a newly established network connection is first classified by the value of the protocol field in its IP header. If it is TCP, the four fields source address, destination address, source port and destination port are extracted from the packet headers and hashed according to a chosen hash criterion, and a corresponding hash chain table is built. The key of the chain table is the hash value, and the chain entry for that hash value contains the address/port pair, the sequence number of the next packet expected, a detection count and a flag; the detection count and the flag are initially 0;
42) the flag field is checked first. If it is 0 the packet is analysed, proceeding to step 43); if it is 1 no analysis is performed, indicating that all data on this connection within the clock period are normal;
43) the packet on this address/port pair is analysed. If no anomaly is found, proceed to step 44); if an anomaly is detected or the packet received is a FIN packet, proceed to step 45);
44) the detection count in the chain entry for this address/port pair is incremented by 1; when the detection count reaches 10, the flag field in the chain entry is set to 1;
45) the address/port pair for this hash key is deleted from the hash chain table, and if the chain linked to this hash key contained only this address/port pair, the hash key (i.e. the hash value) is also deleted from the hash table;
46) for the next packet received, it is first checked whether the source IP address and port and the destination IP address and port in its headers match an address/port pair present in the chain table; if they are identical, proceed to step 47); if not, proceed to step 410);
47) it is checked whether the sequence number of this packet is the one the previous packet of this address/port pair expected next. If so, proceed to step 48); if not, proceed to step 49), and once the expected packet arrives the packets held in the buffer are merged in sequence order and placed after the previous packet;
48) proceed according to steps 42) to 46);
49) the packet is stored in the buffer;
410) hash the packet according to step 41); if the hash value equals one already present in the hash chain, the entry for this address/port pair is chained after the entry for the previous identical hash key, and the procedure again follows steps 42) to 49).
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201210412125.6A CN103179039B (en) | 2012-10-25 | 2012-10-25 | A kind of method of effective filtration proper network packet |
Publications (2)
Publication Number | Publication Date |
---|---|
CN103179039A CN103179039A (en) | 2013-06-26 |
CN103179039B true CN103179039B (en) | 2015-09-16 |
Family
ID=48638670
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201210412125.6A Active CN103179039B (en) | 2012-10-25 | 2012-10-25 | A kind of method of effective filtration proper network packet |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN103179039B (en) |
Families Citing this family (10)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN103581007A (en) * | 2013-10-28 | 2014-02-12 | 汉柏科技有限公司 | Message classifying and looking-up method |
CN105187436B (en) * | 2015-09-25 | 2019-03-08 | 中国航天科工集团第二研究院七〇六所 | A kind of packet filtering mainframe network control method based on hash table |
CN108183832B (en) * | 2017-11-28 | 2020-09-15 | 北京空间技术研制试验中心 | Network data acquisition method |
CN108712462A (en) * | 2018-04-09 | 2018-10-26 | 阿里巴巴集团控股有限公司 | A kind of connection method for building up, device and equipment |
CN110474789A (en) * | 2018-05-11 | 2019-11-19 | 阿里巴巴集团控股有限公司 | Network state information processing method, device and system |
CN109586845B (en) * | 2018-11-08 | 2021-11-16 | 中国船舶重工集团公司第七一九研究所 | Method and system for ocean vessel to shore based communication |
CN109861881B (en) * | 2019-01-24 | 2021-11-19 | 大连理工大学 | Elephant flow detection method based on three-layer Sketch framework |
CN111988239B (en) * | 2020-08-21 | 2022-07-15 | 哈尔滨工业大学 | Method for acquiring pure software flow for Android application |
CN112491871B (en) * | 2020-11-25 | 2023-07-28 | 北京宝兰德软件股份有限公司 | TCP reorganization method, TCP reorganization device, electronic equipment and storage medium |
CN112887300B (en) * | 2021-01-22 | 2022-02-01 | 北京交通大学 | Data packet classification method |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101119321A (en) * | 2007-09-29 | 2008-02-06 | 杭州华三通信技术有限公司 | Network flux classification processing method and apparatus |
CN101399749A (en) * | 2007-09-27 | 2009-04-01 | 华为技术有限公司 | Method, system and device for packet filtering |
CN101510873A (en) * | 2009-03-20 | 2009-08-19 | 扬州永信计算机有限公司 | Method for detection of mixed point-to-point flux based on vector machine support |
CN101640666A (en) * | 2008-08-01 | 2010-02-03 | 北京启明星辰信息技术股份有限公司 | Device and method for controlling flow quantity facing to target network |
- 2012-10-25: application CN201210412125.6A filed (CN); granted as CN103179039B, status Active
Also Published As
Publication number | Publication date |
---|---|
CN103179039A (en) | 2013-06-26 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN103179039B (en) | A kind of method of effective filtration proper network packet | |
CN103179105B (en) | The intelligent trojan horse detection devices and methods therefor of behavioural characteristic in a kind of flow Network Based | |
CN105491017B (en) | The more equipment multi-protocol analysis method and system of RS485 buses | |
CN1330131C (en) | System and method for detecting network worm in interactive mode | |
CN103034807B (en) | Malware detection methods and device | |
CN109271793B (en) | Internet of things cloud platform equipment category identification method and system | |
CN110401624A (en) | The detection method and system of source net G system mutual message exception | |
CN103777613B (en) | Principal and subordinate's information realtime interactive method and system | |
CN104796464A (en) | Multi-protocol conversion warning condition information remote transmission system and method based on MODBUS | |
CN104702460A (en) | Method for detecting anomaly of Modbus TCP (transmission control protocol) communication on basis of SVM (support vector machine) | |
CN103618720A (en) | Method and system for Trojan network communication detecting and evidence obtaining | |
CN103078760A (en) | Online diagnosis method for abnormal network flow | |
CN116781347A (en) | Industrial Internet of things intrusion detection method and device based on deep learning | |
CN113259367B (en) | Industrial control network flow multistage anomaly detection method and device | |
CN102946400B (en) | The magnanimity short message content safety filtering method and system that a kind of Behavior-based control is analyzed | |
EP3101843A2 (en) | Capturing network data to provide to a data analyser | |
CN104993977B (en) | Online data monitoring method and system based on IEC61968 standard | |
CN104113871B (en) | A kind of invalid number detecting system and method based on various dimensions | |
CN112866189A (en) | Attack modeling analysis method based on power terminal attack behavior characteristics | |
CN206863567U (en) | The starting trouble-shooter of elevator | |
CN107658976A (en) | A kind of new bus warning monitoring system | |
CN201830395U (en) | Oil well monitoring system | |
CN102780691A (en) | Method for detecting and avoiding network attack for mobile terminal | |
CN105653207B (en) | A kind of real time parsing method and system of flash interface information | |
CN204465598U (en) | A kind of multiprotocol conversion alert Information Remote Transmission System based on MODBUS |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
C14 | Grant of patent or utility model | ||
GR01 | Patent grant |