CN109413071A - A kind of anomalous traffic detection method and device - Google Patents
A kind of anomalous traffic detection method and device Download PDFInfo
- Publication number
- CN109413071A CN109413071A CN201811291061.2A CN201811291061A CN109413071A CN 109413071 A CN109413071 A CN 109413071A CN 201811291061 A CN201811291061 A CN 201811291061A CN 109413071 A CN109413071 A CN 109413071A
- Authority
- CN
- China
- Prior art keywords
- traffic
- characteristic
- dimension
- under
- actual flow
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1425—Traffic logging, e.g. anomaly detection
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1416—Event detection, e.g. attack signature detection
Abstract
The embodiment of the present application provides a kind of anomalous traffic detection method and device, method includes: to extract the history feature variable of historical traffic data each historical juncture under multiple characteristic dimensions, the traffic characteristic vector under each characteristic dimension is obtained, the history feature variable in traffic characteristic vector is according to time-sequencing;Future time instance corresponding future values of historical traffic data under each characteristic dimension are predicted using regression algorithm according to the traffic characteristic vector under each characteristic dimension;Obtain the weight of each characteristic dimension;According to the future values under the weight of each characteristic dimension and each characteristic dimension, the corresponding future traffic value of future time instance historical traffic data is determined;The actual flow data in future time instance are obtained, according to the actual flow value of future traffic value and actual flow data, determine whether actual flow data are abnormal.Using technical solution provided by the embodiments of the present application, the flexibility of abnormal traffic detection is improved, reduces the False Rate of abnormal traffic detection.
Description
Technical field
This application involves technical field of network security, more particularly to a kind of anomalous traffic detection method and device.
Background technique
With the fast development and extensive use of computer and Internet technology, the system of computer network is counted safely
Various threats such as calculation machine virus and hacker attack are increasing, often will lead to Network Abnormal.For the safety for improving network
Property, how to detect the abnormal flow in network, is increasingly becoming the key of research.
Currently, network management personnel rule of thumb sets flow threshold when abnormal traffic detection.If actual flow is greater than stream
Measure threshold value, it is determined that Traffic Anomaly.If actual flow is not more than flow threshold, it is determined that flow is normal.The flow threshold of the setting
Value is fixed value, does not take into account that temporal regularity and business characteristic, flexibility is smaller, and False Rate is higher.
Summary of the invention
The embodiment of the present application is designed to provide a kind of anomalous traffic detection method and device, to improve abnormal flow inspection
The flexibility of survey reduces the False Rate of abnormal traffic detection.Specific technical solution is as follows:
In a first aspect, the embodiment of the present application provides a kind of anomalous traffic detection method, which comprises
Obtain historical traffic data;
The history feature variable for each historical juncture of the historical traffic data being extracted under multiple characteristic dimensions, obtains each
Traffic characteristic vector under characteristic dimension, the history feature variable in the traffic characteristic vector is according to time-sequencing;
Predict future time instance in each characteristic dimension using regression algorithm according to the traffic characteristic vector under each characteristic dimension
Under the corresponding future values of the historical traffic data;
Obtain the weight of each characteristic dimension;
According to the future values under the weight of each characteristic dimension and each characteristic dimension, determines and gone through described in the future time instance
The corresponding future traffic value of history data on flows;
The actual flow data in the future time instance are obtained, the actual flow data and the historical traffic quantity have
There is identical message information, according to the actual flow value of the future traffic value and the actual flow data, determines the reality
Whether border data on flows is abnormal.
In second aspect, the embodiment of the present application provides a kind of abnormal traffic detection device, and described device includes:
First acquisition unit, for obtaining historical traffic data;
Extraction unit, the history for each historical juncture of extracting the historical traffic data under multiple characteristic dimensions are special
Levy variable, obtain the traffic characteristic vector under each characteristic dimension, the history feature variable in the traffic characteristic vector according to when
Between sort;
Predicting unit, for predicting future time instance using regression algorithm according to the traffic characteristic vector under each characteristic dimension
The corresponding future values of the historical traffic data under each characteristic dimension;
Second acquisition unit, for obtaining the weight of each characteristic dimension;
First determination unit is determined for the future values under the weight and each characteristic dimension according to each characteristic dimension
The corresponding future traffic value of historical traffic data described in the future time instance;
Second determination unit, for obtaining the actual flow data in the future time instance, the actual flow data with
The historical traffic quantity message information having the same, according to the reality of the future traffic value and the actual flow data
Flow value determines whether the actual flow data are abnormal.
In the third aspect, the embodiment of the present application provides a kind of network equipment, including processor and machine readable storage are situated between
Matter, the machine readable storage medium are stored with the machine-executable instruction that can be executed by the processor, the processor
Promoted by the machine-executable instruction: realizing any method and step that first aspect provides.
In fourth aspect, the embodiment of the present application provides a kind of machine readable storage medium, is stored with the executable finger of machine
It enables, when being called and being executed by processor, the machine-executable instruction promotes the processor: realizing what first aspect provided
Any method and step.
In anomalous traffic detection method and device provided by the embodiments of the present application, future traffic value is according to each characteristic dimension
Under traffic characteristic vector determine, the feature in traffic characteristic vector is according to time-sequencing.Due to determining future traffic value
When, it is contemplated that the factors such as the temporal regularity of data on flows and business characteristic, it is thus determined that future traffic value can with the time and
The variation of business and change, without being fixed and invariable.In turn, determining whether actual flow data are different according to future traffic value
Chang Shi can be improved the flexibility of abnormal traffic detection, and reduce the False Rate of abnormal traffic detection.Certainly, implement the application
Any product or method must be not necessarily required to reach all the above advantage simultaneously.
Detailed description of the invention
In order to illustrate the technical solutions in the embodiments of the present application or in the prior art more clearly, to embodiment or will show below
There is attached drawing needed in technical description to be briefly described, it should be apparent that, the accompanying drawings in the following description is only this
Some embodiments of application for those of ordinary skill in the art without creative efforts, can be with
It obtains other drawings based on these drawings.
Fig. 1 is the first flow diagram of anomalous traffic detection method provided by the embodiments of the present application;
Fig. 2 is second of flow diagram of anomalous traffic detection method provided by the embodiments of the present application;
Fig. 3 is the third flow diagram of anomalous traffic detection method provided by the embodiments of the present application;
Fig. 4 is a kind of structural schematic diagram of abnormal traffic detection device provided by the embodiments of the present application;
Fig. 5 is a kind of structural schematic diagram of the network equipment provided by the embodiments of the present application.
Specific embodiment
Below in conjunction with the attached drawing in the embodiment of the present application, technical solutions in the embodiments of the present application carries out clear, complete
Site preparation description, it is clear that described embodiments are only a part of embodiments of the present application, instead of all the embodiments.It is based on
Embodiment in the application, it is obtained by those of ordinary skill in the art without making creative efforts every other
Embodiment shall fall in the protection scope of this application.
Currently, network management personnel rule of thumb sets flow threshold when abnormal traffic detection.If actual flow is greater than stream
Measure threshold value, it is determined that Traffic Anomaly.If actual flow is not more than flow threshold, it is determined that flow is normal.The flow threshold of the setting
Value is fixed value.To improve internet security, network management personnel can be by the lower of flow threshold setting, this will lead to a large amount of nothings
Wrong report information.Occur a large amount of useless wrong report information in order to prevent, network management personnel flow threshold can be arranged compared with
Height, this, which will will cause, can not find abnormal flow caused by malicious attack.As it can be seen that when existing abnormal traffic detection, flow threshold
It is set according to demand by network management personnel, does not consider temporal regularity and business characteristic, flexibility is smaller, and False Rate is higher.
For the flexibility for improving abnormal traffic detection, the False Rate of abnormal traffic detection is reduced, the embodiment of the present application provides
A kind of anomalous traffic detection method.This method can be applied in any network equipment.The network equipment includes but is not limited to road
By equipment such as device, interchangers.
In this method, the network equipment obtains historical traffic data;It is each under multiple characteristic dimensions to extract historical traffic data
The history feature variable of a historical juncture obtains the traffic characteristic vector under each characteristic dimension, the history in traffic characteristic vector
Characteristic variable is according to time-sequencing;Future time instance is predicted using regression algorithm according to the traffic characteristic vector under each characteristic dimension
The corresponding future values of historical traffic data under each characteristic dimension;Obtain the weight of each characteristic dimension;According to each characteristic dimension
Weight and each characteristic dimension under future values, determine the corresponding future traffic value of future time instance historical traffic data;It obtains
The actual flow data in future time instance, actual flow data and historical traffic quantity message information having the same are taken, according to
The actual flow value of future traffic value and actual flow data determines whether actual flow data are abnormal.
As it can be seen that future traffic value is according to the flow under each characteristic dimension in technical solution provided by the embodiments of the present application
What feature vector determined, the feature in traffic characteristic vector is according to time-sequencing.Due to when determining future traffic value, it is contemplated that
The factors such as the temporal regularity of data on flows and business characteristic, it is thus determined that future traffic value can be with the variation of time and business
And change, without being fixed and invariable.It in turn, can when determining whether actual flow data are abnormal according to future traffic value
The flexibility of abnormal traffic detection is improved, and reduces the False Rate of abnormal traffic detection.
Below by specific embodiment, the application is described in detail.For ease of understanding, below using executing subject as net
It is illustrated for network equipment.
With reference to Fig. 1, Fig. 1 is the first flow diagram of anomalous traffic detection method provided by the embodiments of the present application.It should
Method includes the following steps.
Step 101, historical traffic data is obtained.
In the embodiment of the present application, the network equipment can count the flow at each moment by traffic statistics tool.Specifically
, the historical traffic data before network equipment acquisition current time in preset time period.In one example, the network equipment can be with base
The historical traffic data before current time in preset time period is obtained in modes such as traffic mirroring, NetStream.
In an optional embodiment, the network equipment gets a large amount of historical traffic data, according to the report of data on flows
Literary information is grouped, and obtains multiple groups historical traffic data.Every group of historical traffic data carries out abnormal traffic detection respectively.One
In example, message information can be triplet information, five-tuple information or seven tuple informations.
For example, the network equipment gets historical traffic data 1-10.The message information of historical traffic data 1-3 is message
Information 1, the message information of historical traffic data 4-7 are message information 2, and the message information of historical traffic data 8-10 is report
Literary information 3.Historical traffic data 1-3 can be divided into one group of historical traffic data by the network equipment, by historical traffic data 4-7
It is divided into one group of historical traffic data, historical traffic data 8-10 is divided into one group of historical traffic data, obtains 3 groups of history streams
Measure data.
In the embodiment of the present application, the correlation of the identical data on flows of message information is stronger, the different stream of message information
The correlation for measuring data is weaker.In an implementation, multiple groups historical traffic data that can be different to message information carries out exception respectively
Flow detection improves the accuracy of abnormal flow prediction.
Step 102, the history feature variable for extracting historical traffic data each historical juncture under multiple characteristic dimensions, obtains
Traffic characteristic vector under to each characteristic dimension.Wherein, the history feature variable in traffic characteristic vector is according to time-sequencing.
In the embodiment of the present application, characteristic dimension includes but is not limited to: total flow value, upstream magnitude, downstream magnitude, word
It is joint number, message number, source IP (Internet Protocol, network protocol) address value, purpose IP address value, connection number, concurrent
Number, newly-built connection number, disconnect number, TCP (Transmission Control Protocol, transmission control protocol) accounting,
UDP (User Datagram Protocol, User Datagram Protocol) accounting, ICMP (Internet Control Message
Protocol, network-control message protocol) message number, HTTP (Hyper Text Transport Protocol, hypertext biography
Defeated agreement) message number, DNS (Domain Name System, domain name system) message number and FTP (File Transmission
Protocol, File Transfer Protocol) message number etc..The characteristic value of historical traffic data a certain historical juncture under a characteristic dimension
I.e. are as follows: the history feature variable of historical traffic data historical juncture under this feature dimension.
After the network equipment gets historical traffic data, historical traffic data each history under multiple characteristic dimensions is extracted
The history feature variable at moment.For each characteristic dimension, the network equipment presses the elder generation of history feature variable corresponding historical juncture
Sequence afterwards combines the history feature variable under this feature dimension, obtains the traffic characteristic vector under each characteristic dimension.
For example, under characteristic dimension 1, the history feature variable for the historical traffic data that the network equipment extracts includes:
{ 10:00,5 }, { 10:01,9 }, { 10:02,10 }, { 10:03,4 }, { 10:04,7 }.The network equipment is according to the feature dimensions extracted
The history feature variable of each historical juncture under degree 1, obtain traffic characteristic vector characteristic dimension 1 under can be 5,9,10,4,
7}。
Step 103, predict future time instance each using regression algorithm according to the traffic characteristic vector under each characteristic dimension
The corresponding future values of historical traffic data under characteristic dimension.
For each characteristic dimension, the network equipment utilizes the traffic characteristic vector under this feature dimension, passes through GBDT
The regression algorithms training such as (Gradient Boosting Decision Tree, gradient promote decision tree), random forest returns mould
Type, based on the corresponding following number of trained obtained forecast of regression model future time instance historical traffic data under this feature dimension
Value.
For example, current time is 11:00.The network equipment uses regression algorithm, using under each characteristic dimension extracted
Traffic characteristic vector, predict 11:01 when under each characteristic dimension the corresponding future values of historical traffic data.
Step 104, the weight of each characteristic dimension is obtained.
In the embodiment of the present application, what the weight of each characteristic dimension can rule of thumb set for network management people, it can also be with
The weight of each characteristic dimension is determined using regression algorithm according to the traffic characteristic vector under each characteristic dimension.
In one embodiment, the network equipment uses linear regression algorithm, determines the weight of each characteristic dimension.
For example, the network equipment utilizes following formula (1), the weight of each characteristic dimension is determined.
Wherein, Q1For the flow value of the historical traffic data of historical juncture, n is the number of multiple characteristic dimensions, kiIt is i-th
The weight of a characteristic dimension, viFor numerical value of the historical traffic data under ith feature dimension of historical juncture.
Based on formula (1), n historical traffic data is got, that is, can determine that the weight of each characteristic dimension.
Step 105, according to the future values under the weight of each characteristic dimension and each characteristic dimension, determine that future time instance is gone through
The corresponding future traffic value of history data on flows.
The network equipment is weighted processing to the future values under each characteristic dimension, obtains according to the weight of each characteristic dimension
To the corresponding future traffic value of future time instance historical traffic data.
In an optional embodiment, the network equipment can use following formula (2), determine future time instance historical traffic number
According to corresponding future traffic value Q0。
Wherein, n is the number of multiple characteristic dimensions, kiFor the weight of ith feature dimension, wiFor under ith feature dimension
Future values.
For example, being provided with 5 characteristic dimensions, the weight of characteristic dimension 1 is 0.1, and the weight of characteristic dimension 2 is 0.2,
The weight of characteristic dimension 3 is 0.3, and the weight of characteristic dimension 4 is 0.2, and the weight of characteristic dimension 5 is 0.2.The network equipment determines special
Levying the future values under dimension 1 is 10, and the future values under characteristic dimension 2 are 5, and the future values under characteristic dimension 3 are 14, special
Levying the future values under dimension 4 is 8, and the future values under characteristic dimension 5 are 12, then can determine future time instance historical traffic data
Corresponding future traffic value is Q0=0.1*10+0.2*5+0.3*14+0.2*8+0.2*12=10.2.
In addition, the network equipment can use following formula (2) in an optional embodiment, future time instance history is determined
The corresponding future traffic value Q of data on flows0。
Wherein, n is the number of multiple characteristic dimensions, kiFor the weight of ith feature dimension, wiFor under ith feature dimension
Future values, T be preset fault-tolerant threshold value, 0≤T≤1.Presetting fault-tolerant threshold value can be system default value, or network
What administrative staff can rule of thumb set.
For example, presetting fault-tolerant threshold value T is 0.5,5 characteristic dimensions are provided with, the weight of characteristic dimension 1 is 0.1, special
The weight for levying dimension 2 is 0.2, and the weight of characteristic dimension 3 is 0.3, and the weight of characteristic dimension 4 is 0.2, the weight of characteristic dimension 5
It is 0.2.The network equipment determines that the future values under characteristic dimension 1 are 10, and the future values under characteristic dimension 2 are 5, characteristic dimension
Future values under 3 are 14, and the future values under characteristic dimension 4 are 8, and the future values under characteristic dimension 5 are 12, then can determine
The corresponding future traffic value of future time instance historical traffic data are as follows:
Q0=(1+0.5) * (0.1*10+0.2*5+0.3*14+0.2*8+0.2*12)=15.3.
Step 106, the actual flow data in future time instance are obtained, actual flow data have phase with historical traffic quantity
Same message information determines whether actual flow data are different according to the actual flow value of future traffic value and actual flow data
Often.
In the embodiment of the present application, the corresponding actual flow data of historical traffic data are the message with historical traffic data
The identical actual flow data of information.The network equipment is getting the corresponding actual flow data of future time instance historical traffic data
Afterwards, the actual flow value of more determining future traffic value and actual flow data determines actual flow number according to comparison result
According to whether abnormal.
For example, current time is 11:00.Historical traffic data corresponding future traffic when the 11:01 that the network equipment determines
Value, when getting 11:01 in the case where historical traffic data corresponding actual flow data, according to historical traffic when 11:01
The corresponding future traffic value of data and when 11:01 the corresponding actual flow data of historical traffic data actual flow value, really
Whether abnormal determine actual flow data.
In an optional embodiment, the network equipment if it is determined that future traffic value be less than actual flow data practical stream
Magnitude, it is determined that actual flow data exception.The network equipment if it is determined that future traffic value be not less than actual flow data reality
Border flow value, it is determined that actual flow data are normal.
In another optional embodiment, difference threshold, i.e. preset difference value threshold value are preset in the network equipment.Network is set
It is standby in the case where getting the corresponding actual flow data of future time instance historical traffic data, by the reality of actual flow data
Flow value subtracts determining future traffic value, obtains flow difference.The network equipment compares flow difference and preset difference value threshold value.If
Flow difference is greater than preset difference value threshold value, then the network equipment can determine actual flow data exception.If flow difference is no more than pre-
If difference threshold, then the network equipment can determine that actual flow data are normal.
For example, preset difference value threshold value is θ.Determining future traffic value is Hn, the actual flow value of actual flow data is
Ha, Ha-Hn=Δ h.If Δ h > θ, the network equipment can determine actual flow data exception.Otherwise, the network equipment can determine reality
Data on flows is normal.
Using preset difference value threshold value, determine whether actual flow data are abnormal, allow the actual flow of actual flow data
Value can fluctuate in a certain range for being greater than future traffic value.Actual flow value fluctuates in the range, it is believed that practical stream
The actual flow value for measuring data is provisional variation, and actual flow data are normal discharge data.Which increase abnormal flows
The robustness of monitoring has better adaptability.
In anomalous traffic detection method provided by the embodiments of the present application, future traffic value is according to the stream under each characteristic dimension
What measure feature vector determined, the feature in traffic characteristic vector is according to time-sequencing.Due to considering when determining future traffic value
The factors such as the temporal regularity of data on flows and business characteristic, it is thus determined that future traffic value can with the change of time and business
Change and change, without being fixed and invariable.In turn, when determining whether actual flow data are abnormal according to future traffic value, energy
The flexibility of abnormal traffic detection is enough improved, and reduces the False Rate of abnormal traffic detection.
For the detection efficiency for improving abnormal flow, in an optional embodiment, with reference to abnormal traffic detection shown in Fig. 2
Second of flow diagram of method.This method may include following steps.
Step 201, historical traffic data is obtained.
It is identical as step 201 as step 101.
Step 202, using preset characteristic dimension selection method, optimal characteristic dimension is selected from multiple characteristic dimensions
Subset.
In the embodiment of the present application, characteristic dimension selection method includes but is not limited to genetic algorithm, rough set, TABU search
Deng.The network equipment uses preset characteristic dimension selection method, and optimal characteristic dimension subset is selected from multiple characteristic dimensions,
The characteristic dimension of redundancy and weak relevant characteristic dimension in multiple characteristic dimensions are removed, optimal characteristic dimension subset is obtained.
The network equipment removes the characteristic dimension of redundancy, maintains flow detection on the basis of historical traffic data is complete
Precision.In addition, reducing the characteristic dimension for participating in subsequent step 203-208 processing, the detection efficiency of abnormal flow is improved.
Step 203, historical traffic data each historical juncture under each characteristic dimension that characteristic dimension subset includes is extracted
History feature variable.
Step 204, it for the history feature variable under each characteristic dimension of extraction, is gone through by history feature variable is corresponding
The sequencing at history moment combines the history feature variable under this feature dimension, obtain traffic characteristic under each characteristic dimension to
Amount.History feature variable in traffic characteristic vector is according to time-sequencing.
Step 205, predict future time instance each using regression algorithm according to the traffic characteristic vector under each characteristic dimension
The corresponding future values of historical traffic data under characteristic dimension.
Step 206, the weight of each characteristic dimension is obtained.
Step 207, according to the future values under the weight of each characteristic dimension and each characteristic dimension, determine that future time instance is gone through
The corresponding future traffic value of history data on flows.
Step 208, the actual flow data in future time instance are obtained, actual flow data have phase with historical traffic quantity
Same message information determines whether actual flow data are different according to the actual flow value of future traffic value and actual flow data
Often.
Step 205-208 is identical as step 103-106.
For the detection efficiency for improving abnormal flow, in an optional embodiment, with reference to abnormal traffic detection shown in Fig. 3
The third flow diagram of method.This method may include following steps.
Step 301, historical traffic data is obtained.
Step 302, the history feature variable for extracting historical traffic data each historical juncture under multiple characteristic dimensions, obtains
Traffic characteristic vector under to each characteristic dimension, the history feature variable in traffic characteristic vector is according to time-sequencing.
Step 303, predict future time instance each using regression algorithm according to the traffic characteristic vector under each characteristic dimension
The corresponding future values of historical traffic data under characteristic dimension.
Step 304, the weight of each characteristic dimension is obtained.
Step 305, according to the future values under the weight of each characteristic dimension and each characteristic dimension, determine that future time instance is gone through
The corresponding future traffic value of history data on flows.
Step 306, the actual flow data in future time instance are obtained, actual flow data have phase with historical traffic quantity
Same message information determines whether actual flow data are different according to the actual flow value of future traffic value and actual flow data
Often.
Step 301-306 is identical as step 101-106.
Step 307, in the case where determining actual flow data exception, actual flow data are obtained under each characteristic dimension
Actual characteristic variable.
Wherein, characteristic value of the actual flow data under a characteristic dimension is are as follows: actual flow data are in this feature dimension
Under characteristic variable.
Step 308, for each characteristic dimension, judge whether the actual characteristic variable under this feature dimension is greater than this feature
Future values under dimension.If so, thening follow the steps 309.If it is not, thening follow the steps 310.
Future values under each characteristic dimension are to predict to obtain in step 303.
Step 309, determine that actual flow data are abnormal under this feature dimension.
Step 310, determine that actual flow data are normal under this feature dimension.
For example, characteristic dimension includes byte number.The future values for predicting byte number are 100.If obtaining actual flow in word
Actual characteristic variable under joint number is 90,90 < 100, it is determined that actual flow is normal under the characteristic dimension of the byte number.If obtaining
Taking actual characteristic variable of the actual flow under byte number is 150,150 > 100, it is determined that spy of the actual flow in the byte number
It levies abnormal under dimension.
It should be appreciated that in step 308, for each characteristic dimension, judge actual characteristic variable under this feature dimension with
Whether the difference of the future values under this feature dimension is greater than preset threshold.If so, thening follow the steps 309.If it is not, then executing step
Rapid 310.Preset threshold can empirically or actual conditions self-setting be not particularly limited herein.
In technical solution provided by the embodiments of the present application, different characteristic dimensions is analyzed, determines actual flow in each spy
It whether abnormal levies dimension, can help to network management personnel and accurately position abnormal reason, solve abnormal cause in time.
Corresponding with above-mentioned anomalous traffic detection method embodiment, the embodiment of the present application also provides a kind of abnormal traffic detections
Device.With reference to Fig. 4, Fig. 4 is a kind of structural schematic diagram of abnormal traffic detection device provided by the embodiments of the present application, the device packet
It includes:
First acquisition unit 401, for obtaining historical traffic data;
Extraction unit 402, the history for each historical juncture of extracting historical traffic data under multiple characteristic dimensions are special
Variable is levied, obtains the traffic characteristic vector under each characteristic dimension, the history feature variable in traffic characteristic vector is arranged according to the time
Sequence;
Predicting unit 403, for predicting future using regression algorithm according to the traffic characteristic vector under each characteristic dimension
Moment corresponding future values of historical traffic data under each characteristic dimension;
Second acquisition unit 404, for obtaining the weight of each characteristic dimension;
First determination unit 405, for the future values under the weight and each characteristic dimension according to each characteristic dimension, really
Determine the corresponding future traffic value of future time instance historical traffic data;
Second determination unit 406, for obtaining the actual flow data in the future time instance, the actual flow data
With the historical traffic quantity message information having the same, according to the actual flow of future traffic value and actual flow data
Value determines whether actual flow data are abnormal.
Optionally, extraction unit 402 specifically can be used for:
Using preset characteristic dimension selection method, optimal characteristic dimension subset is selected from multiple characteristic dimensions;
The history for extracting historical traffic data each historical juncture under each characteristic dimension that characteristic dimension subset includes is special
Levy variable;
For the history feature variable under each characteristic dimension of extraction, by the history feature variable corresponding historical juncture
Sequencing combines the history feature variable under this feature dimension, obtains the traffic characteristic vector under each characteristic dimension.
Optionally, second acquisition unit 404 specifically can be used for:
The weight of each characteristic dimension is determined using machine learning algorithm according to the traffic characteristic vector under each characteristic dimension.
Optionally, the first determination unit 405, specifically can be used for:
Using following formula, the corresponding future traffic value Q of future time instance historical traffic data is determined0:
Wherein, n is the number of multiple characteristic dimensions, kiFor the weight of ith feature dimension, wiFor under ith feature dimension
Future values, T be preset fault-tolerant threshold value, 0≤T≤1.
Optionally, the second determination unit 406, specifically can be used for:
The actual flow value of actual flow data is subtracted into future traffic value, obtains flow difference;
If flow difference is greater than preset difference value threshold value, it is determined that actual flow data exception;
If flow difference is not more than preset difference value threshold value, it is determined that actual flow data are normal.
Optionally, extraction unit 402 can be also used in the case where determining actual flow data exception, obtain practical
Actual characteristic variable of the data on flows under each characteristic dimension;
Second determination unit 406 can be also used for for each characteristic dimension, if the actual characteristic under this feature dimension becomes
Amount is greater than the future values under this feature dimension, it is determined that actual flow data are abnormal under this feature dimension.
In abnormal traffic detection device provided by the embodiments of the present application, future traffic value is according to the stream under each characteristic dimension
What measure feature vector determined, the feature in traffic characteristic vector is according to time-sequencing.Due to considering when determining future traffic value
The factors such as the temporal regularity of data on flows and business characteristic, it is thus determined that future traffic value can with the change of time and business
Change and change, without being fixed and invariable.In turn, when determining whether actual flow data are abnormal according to future traffic value, energy
The flexibility of abnormal traffic detection is enough improved, and reduces the False Rate of abnormal traffic detection.
Corresponding with above-mentioned anomalous traffic detection method embodiment, the embodiment of the present application also provides a kind of network equipments, such as
Shown in Fig. 5, including processor 501 and machine readable storage medium 502, machine readable storage medium 502, which is stored with, to be located
Manage the machine-executable instruction that device 501 executes.Processor 501 is promoted to realize above-mentioned abnormal traffic detection by machine-executable instruction
The either step of method.Wherein, above-mentioned anomalous traffic detection method includes:
Obtain historical traffic data;
The history feature variable for extracting historical traffic data each historical juncture under multiple characteristic dimensions, obtains each feature
Traffic characteristic vector under dimension, the history feature variable in traffic characteristic vector is according to time-sequencing;
Predict future time instance in each characteristic dimension using regression algorithm according to the traffic characteristic vector under each characteristic dimension
The corresponding future values of lower historical traffic data;
Obtain the weight of each characteristic dimension;
According to the future values under the weight of each characteristic dimension and each characteristic dimension, future time instance historical traffic number is determined
According to corresponding future traffic value;
Obtain the actual flow data in future time instance, actual flow data and historical traffic quantity message having the same
Information determines whether actual flow data are abnormal according to the actual flow value of future traffic value and actual flow data.
In technical solution provided by the embodiments of the present application, future traffic value is according to time series under each characteristic dimension
What traffic characteristic vector determined, the feature in traffic characteristic vector is according to time-sequencing.Due to examining when determining future traffic value
Considered the factors such as temporal regularity and the business characteristic of data on flows, it is thus determined that future traffic value can be with time and business
Change and change, without being fixed and invariable, when determining whether actual flow data are abnormal according to future traffic value, can be improved
The flexibility of abnormal traffic detection, and reduce the False Rate of abnormal traffic detection.
Optionally, as shown in figure 5, the network equipment can also include: communication interface 503 and communication bus 504;Wherein, locate
Reason device 501, machine readable storage medium 502, communication interface 503 complete mutual communication by communication bus 504, and communication connects
Mouth 503 is for the communication between the above-mentioned network equipment and other equipment.
Corresponding with above-mentioned anomalous traffic detection method embodiment, the embodiment of the present application also provides a kind of machine readable storages
Medium is stored with machine-executable instruction, and when being called and being executed by processor, machine-executable instruction promotes processor to realize
The either step of above-mentioned anomalous traffic detection method.
Above-mentioned communication bus can be PCI (Peripheral Component Interconnect, Peripheral Component Interconnect
Standard) bus or EISA (Extended Industry Standard Architecture, expanding the industrial standard structure) bus
Deng.The communication bus can be divided into address bus, data/address bus, control bus etc..For a thick line table can be used convenient for indicating
Show, as shown in figure 5, it is not intended that only a bus or a type of bus.
Above-mentioned machine readable storage medium may include RAM (Random Access Memory, random access memory),
It also may include NVM (Non-Volatile Memory, nonvolatile memory), for example, at least a magnetic disk storage.Separately
Outside, machine readable storage medium can also be that at least one is located remotely from the storage device of aforementioned processor.
Above-mentioned processor can be general processor, including CPU (Central Processing Unit, central processing
Device), NP (Network Processor, network processing unit) etc.;Can also be DSP (Digital Signal Processing,
Digital signal processor), ASIC (Application Specific Integrated Circuit, specific integrated circuit),
It is FPGA (Field-Programmable Gate Array, field programmable gate array) or other programmable logic device, discrete
Door or transistor logic, discrete hardware components.
It should be noted that, in this document, relational terms such as first and second and the like are used merely to a reality
Body or operation are distinguished with another entity or operation, are deposited without necessarily requiring or implying between these entities or operation
In any actual relationship or order or sequence.Moreover, the terms "include", "comprise" or its any other variant are intended to
Non-exclusive inclusion, so that the process, method, article or equipment including a series of elements is not only wanted including those
Element, but also including other elements that are not explicitly listed, or further include for this process, method, article or equipment
Intrinsic element.In the absence of more restrictions, the element limited by sentence "including a ...", it is not excluded that
There is also other identical elements in process, method, article or equipment including the element.
Each embodiment in this specification is all made of relevant mode and describes, same and similar portion between each embodiment
Dividing may refer to each other, and each embodiment focuses on the differences from other embodiments.Especially for exception stream
For amount detecting device, the network equipment, machine readable storage medium embodiment, since it is substantially similar to abnormal traffic detection side
Method embodiment, so being described relatively simple, related place illustrates referring to the part of anomalous traffic detection method embodiment.
The foregoing is merely the preferred embodiments of the application, are not intended to limit the protection scope of the application.It is all
Any modification, equivalent replacement, improvement and so within spirit herein and principle are all contained in the protection scope of the application
It is interior.
Claims (14)
1. a kind of anomalous traffic detection method, which is characterized in that the described method includes:
Obtain historical traffic data;
The history feature variable for each historical juncture of the historical traffic data being extracted under multiple characteristic dimensions, obtains each feature
Traffic characteristic vector under dimension, the history feature variable in the traffic characteristic vector is according to time-sequencing;
Future time instance institute under each characteristic dimension is predicted using regression algorithm according to the traffic characteristic vector under each characteristic dimension
State the corresponding future values of historical traffic data;
Obtain the weight of each characteristic dimension;
According to the future values under the weight of each characteristic dimension and each characteristic dimension, history stream described in the future time instance is determined
Measure the corresponding future traffic value of data;
The actual flow data in the future time instance are obtained, the actual flow data have phase with the historical traffic quantity
Same message information determines the practical stream according to the actual flow value of the future traffic value and the actual flow data
Whether abnormal measure data.
2. the method according to claim 1, wherein described extract the historical traffic data in multiple feature dimensions
The history feature variable of each historical juncture under degree, the step of obtaining the traffic characteristic vector under each characteristic dimension, comprising:
Using preset characteristic dimension selection method, optimal characteristic dimension subset is selected from multiple characteristic dimensions;
Each historical juncture of the historical traffic data being extracted under each characteristic dimension that the characteristic dimension subset is included is gone through
History characteristic variable;
It is successive by the history feature variable corresponding historical juncture for the history feature variable under each characteristic dimension of extraction
Sequentially, the history feature variable under this feature dimension is combined, the traffic characteristic vector under each characteristic dimension is obtained.
3. the method according to claim 1, wherein the step of weight for obtaining each characteristic dimension, comprising:
The weight of each characteristic dimension is determined using machine learning algorithm according to the traffic characteristic vector under each characteristic dimension.
4. the method according to claim 1, wherein the weight and each feature dimensions according to each characteristic dimension
Future values under degree, the step of determining the corresponding future traffic value of historical traffic data described in the future time instance, comprising:
Using following formula, the corresponding future traffic value Q of historical traffic data described in the future time instance is determined0:
Wherein, n is the number of multiple characteristic dimensions, kiFor the weight of ith feature dimension, wiFor under ith feature dimension not
Carry out numerical value, T is to preset fault-tolerant threshold value, 0≤T≤1.
5. the method according to claim 1, wherein described according to the future traffic value and the actual flow
The actual flow value of data, determine the actual flow data whether Yi Chang step, comprising:
The actual flow value of the actual flow data is subtracted into the future traffic value, obtains flow difference;
If the flow difference is greater than preset difference value threshold value, it is determined that the actual flow is abnormal;
If the flow difference is not more than the preset difference value threshold value, it is determined that the actual flow is normal.
6. method according to claim 1-5, which is characterized in that determining the actual flow data exception
In the case of, further includes:
Obtain actual characteristic variable of the actual flow data under each characteristic dimension;
For each characteristic dimension, if the actual characteristic variable under this feature dimension is greater than the future values under this feature dimension,
Then determine that the actual flow data are abnormal under this feature dimension.
7. a kind of abnormal traffic detection device, which is characterized in that described device includes:
First acquisition unit, for obtaining historical traffic data;
Extraction unit, the history feature for each historical juncture of extracting the historical traffic data under multiple characteristic dimensions become
Amount, obtains the traffic characteristic vector under each characteristic dimension, the history feature variable in the traffic characteristic vector is arranged according to the time
Sequence;
Predicting unit, for predicting future time instance each using regression algorithm according to the traffic characteristic vector under each characteristic dimension
The corresponding future values of the historical traffic data under characteristic dimension;
Second acquisition unit, for obtaining the weight of each characteristic dimension;
First determination unit, for the future values under the weight and each characteristic dimension according to each characteristic dimension, determine described in
The corresponding future traffic value of historical traffic data described in future time instance;
Second determination unit, for obtaining the actual flow data in the future time instance, the actual flow data with it is described
Historical traffic quantity message information having the same, according to the actual flow of the future traffic value and the actual flow data
Value determines whether the actual flow data are abnormal.
8. device according to claim 7, which is characterized in that the extraction unit is specifically used for:
Using preset characteristic dimension selection method, optimal characteristic dimension subset is selected from multiple characteristic dimensions;
Each historical juncture of the historical traffic data being extracted under each characteristic dimension that the characteristic dimension subset is included is gone through
History characteristic variable;
It is successive by the history feature variable corresponding historical juncture for the history feature variable under each characteristic dimension of extraction
Sequentially, the history feature variable under this feature dimension is combined, the traffic characteristic vector under each characteristic dimension is obtained.
9. device according to claim 7, which is characterized in that the second acquisition unit is specifically used for:
The weight of each characteristic dimension is determined using machine learning algorithm according to the traffic characteristic vector under each characteristic dimension.
10. device according to claim 7, which is characterized in that first determination unit is specifically used for:
Using following formula, the corresponding future traffic value Q of historical traffic data described in the future time instance is determined0:
Wherein, n is the number of multiple characteristic dimensions, kiFor the weight of ith feature dimension, wiFor under ith feature dimension not
Carry out numerical value, T is to preset fault-tolerant threshold value, 0≤T≤1.
11. device according to claim 7, which is characterized in that second determination unit is specifically used for:
The actual flow value of the actual flow data is subtracted into the future traffic value, obtains flow difference;
If the flow difference is greater than preset difference value threshold value, it is determined that the actual flow is abnormal;
If the flow difference is not more than the preset difference value threshold value, it is determined that the actual flow is normal.
12. according to the described in any item devices of claim 7-11, which is characterized in that
The extraction unit is also used in the case where determining the actual flow data exception, obtains the actual flow number
According to the actual characteristic variable under each characteristic dimension;
Second determination unit is also used to for each characteristic dimension, if the actual characteristic variable under this feature dimension is greater than
Future values under this feature dimension, it is determined that the actual flow data are abnormal under this feature dimension.
13. a kind of network equipment, which is characterized in that including processor and machine readable storage medium, the machine readable storage
Media storage has the machine-executable instruction that can be executed by the processor, and the processor is by the machine-executable instruction
Promote: realizing any method and step of claim 1-6.
14. a kind of machine readable storage medium, which is characterized in that be stored with machine-executable instruction, by processor call and
When execution, the machine-executable instruction promotes the processor: realizing any method and step of claim 1-6.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201811291061.2A CN109413071B (en) | 2018-10-31 | 2018-10-31 | Abnormal flow detection method and device |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201811291061.2A CN109413071B (en) | 2018-10-31 | 2018-10-31 | Abnormal flow detection method and device |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN109413071A true CN109413071A (en) | 2019-03-01 |
| CN109413071B CN109413071B (en) | 2021-08-06 |
Family
ID=65470812
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201811291061.2A Active CN109413071B (en) | 2018-10-31 | 2018-10-31 | Abnormal flow detection method and device |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN109413071B (en) |
Cited By (8)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN109768995A (en) * | 2019-03-06 | 2019-05-17 | 国网甘肃省电力公司电力科学研究院 | A kind of network flow abnormal detecting method based on circular prediction and study |
| CN109802973A (en) * | 2019-03-15 | 2019-05-24 | 北京百度网讯科技有限公司 | Method and apparatus for detection flows |
| CN110784458A (en) * | 2019-10-21 | 2020-02-11 | 新华三信息安全技术有限公司 | Flow abnormity detection method and device and network equipment |
| CN110941797A (en) * | 2019-11-07 | 2020-03-31 | 中信银行股份有限公司 | Operation index monitoring and trend prediction system based on service index |
| CN111181923A (en) * | 2019-12-10 | 2020-05-19 | 中移(杭州)信息技术有限公司 | Flow detection method and device, electronic equipment and storage medium |
| CN111556057A (en) * | 2020-04-29 | 2020-08-18 | 绿盟科技集团股份有限公司 | Flow abnormity detection method and device, electronic equipment and storage medium |
| CN112101400A (en) * | 2019-12-19 | 2020-12-18 | 国网江西省电力有限公司电力科学研究院 | Industrial control system abnormality detection method, equipment, server and storage medium |
| CN116723059A (en) * | 2023-08-10 | 2023-09-08 | 湖南润科通信科技有限公司 | Security analysis system for network information |
Citations (9)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| JP2003058250A (en) * | 2001-08-09 | 2003-02-28 | Toshiba Corp | Control device |
| CN101155085A (en) * | 2006-09-29 | 2008-04-02 | 中兴通讯股份有限公司 | Method and device for real-time flux prediction and real-time flux monitoring and early warning |
| CN102932264A (en) * | 2012-11-02 | 2013-02-13 | 曙光云计算技术有限公司 | Method and device for judging flow overflowing |
| CN104202329A (en) * | 2014-09-12 | 2014-12-10 | 北京神州绿盟信息安全科技股份有限公司 | DDoS (distributed denial of service) attack detection method and device |
| CN106411597A (en) * | 2016-10-14 | 2017-02-15 | 广东工业大学 | Network traffic abnormality detection method and system |
| CN107729952A (en) * | 2017-11-29 | 2018-02-23 | 新华三信息安全技术有限公司 | A kind of traffic flow classification method and device |
| CN107786542A (en) * | 2017-09-26 | 2018-03-09 | 杭州安恒信息技术有限公司 | Methods of marking and device based on big data intellectual analysis malice IP |
| CN107832866A (en) * | 2017-09-26 | 2018-03-23 | 晶赞广告(上海)有限公司 | A kind of method for predicting and device, storage medium, terminal |
| CN108234496A (en) * | 2018-01-05 | 2018-06-29 | 宝牧科技(天津)有限公司 | A kind of method for predicting based on neural network |
-
2018
- 2018-10-31 CN CN201811291061.2A patent/CN109413071B/en active Active
Patent Citations (9)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| JP2003058250A (en) * | 2001-08-09 | 2003-02-28 | Toshiba Corp | Control device |
| CN101155085A (en) * | 2006-09-29 | 2008-04-02 | 中兴通讯股份有限公司 | Method and device for real-time flux prediction and real-time flux monitoring and early warning |
| CN102932264A (en) * | 2012-11-02 | 2013-02-13 | 曙光云计算技术有限公司 | Method and device for judging flow overflowing |
| CN104202329A (en) * | 2014-09-12 | 2014-12-10 | 北京神州绿盟信息安全科技股份有限公司 | DDoS (distributed denial of service) attack detection method and device |
| CN106411597A (en) * | 2016-10-14 | 2017-02-15 | 广东工业大学 | Network traffic abnormality detection method and system |
| CN107786542A (en) * | 2017-09-26 | 2018-03-09 | 杭州安恒信息技术有限公司 | Methods of marking and device based on big data intellectual analysis malice IP |
| CN107832866A (en) * | 2017-09-26 | 2018-03-23 | 晶赞广告(上海)有限公司 | A kind of method for predicting and device, storage medium, terminal |
| CN107729952A (en) * | 2017-11-29 | 2018-02-23 | 新华三信息安全技术有限公司 | A kind of traffic flow classification method and device |
| CN108234496A (en) * | 2018-01-05 | 2018-06-29 | 宝牧科技(天津)有限公司 | A kind of method for predicting based on neural network |
Cited By (14)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN109768995A (en) * | 2019-03-06 | 2019-05-17 | 国网甘肃省电力公司电力科学研究院 | A kind of network flow abnormal detecting method based on circular prediction and study |
| CN109768995B (en) * | 2019-03-06 | 2021-08-13 | 国网甘肃省电力公司电力科学研究院 | Network flow abnormity detection method based on cyclic prediction and learning |
| CN109802973A (en) * | 2019-03-15 | 2019-05-24 | 北京百度网讯科技有限公司 | Method and apparatus for detection flows |
| US11444861B2 (en) | 2019-03-15 | 2022-09-13 | Beijing Baidu Netcom Science And Technology Co., Ltd. | Method and apparatus for detecting traffic |
| CN110784458A (en) * | 2019-10-21 | 2020-02-11 | 新华三信息安全技术有限公司 | Flow abnormity detection method and device and network equipment |
| CN110784458B (en) * | 2019-10-21 | 2023-04-18 | 新华三信息安全技术有限公司 | Flow abnormity detection method and device and network equipment |
| CN110941797B (en) * | 2019-11-07 | 2023-04-07 | 中信银行股份有限公司 | Operation index monitoring and trend prediction system based on service index |
| CN110941797A (en) * | 2019-11-07 | 2020-03-31 | 中信银行股份有限公司 | Operation index monitoring and trend prediction system based on service index |
| CN111181923A (en) * | 2019-12-10 | 2020-05-19 | 中移(杭州)信息技术有限公司 | Flow detection method and device, electronic equipment and storage medium |
| CN112101400A (en) * | 2019-12-19 | 2020-12-18 | 国网江西省电力有限公司电力科学研究院 | Industrial control system abnormality detection method, equipment, server and storage medium |
| CN111556057B (en) * | 2020-04-29 | 2022-11-04 | 绿盟科技集团股份有限公司 | Flow abnormity detection method and device, electronic equipment and storage medium |
| CN111556057A (en) * | 2020-04-29 | 2020-08-18 | 绿盟科技集团股份有限公司 | Flow abnormity detection method and device, electronic equipment and storage medium |
| CN116723059A (en) * | 2023-08-10 | 2023-09-08 | 湖南润科通信科技有限公司 | Security analysis system for network information |
| CN116723059B (en) * | 2023-08-10 | 2023-10-20 | 湖南润科通信科技有限公司 | Security analysis system for network information |
Also Published As
| Publication number | Publication date |
|---|---|
| CN109413071B (en) | 2021-08-06 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN109413071A (en) | A kind of anomalous traffic detection method and device | |
| WO2018121157A1 (en) | Network traffic anomaly detection method and apparatus | |
| CN108429651B (en) | Flow data detection method and device, electronic equipment and computer readable medium | |
| Roschke et al. | A new alert correlation algorithm based on attack graph | |
| US9870470B2 (en) | Method and apparatus for detecting a multi-stage event | |
| CN106027559B (en) | Large scale network scanning detection method based on network session statistical nature | |
| Liu et al. | Statistical detection of online drifting twitter spam | |
| Balkanli et al. | Feature selection for robust backscatter DDoS detection | |
| CN107465648A (en) | The recognition methods of warping apparatus and device | |
| Udhayan et al. | Statistical segregation method to minimize the false detections during ddos attacks. | |
| Albanese et al. | Recognizing unexplained behavior in network traffic | |
| CN109257390A (en) | Detection method, device and the electronic equipment of CC attack | |
| CN110414223A (en) | A kind of attack detection method and device | |
| CN111641619B (en) | Method and device for constructing hacker portrait based on big data and computer equipment | |
| Razak | A study on IDS for preventing Denial of Service attack using outliers techniques | |
| CN110839042B (en) | Flow-based self-feedback malicious software monitoring system and method | |
| Angelini et al. | An attack graph-based on-line multi-step attack detector | |
| CN107426132A (en) | The detection method and device of network attack | |
| Bartos et al. | Towards efficient flow sampling technique for anomaly detection | |
| CN110289992B (en) | Message processing method and device | |
| Kuznetsov et al. | Variance analysis of networks traffic for intrusion detection in smart grids | |
| CN102945254A (en) | Method for detecting abnormal data among TB-level mass audit data | |
| Zali et al. | Real-time intrusion detection alert correlation and attack scenario extraction based on the prerequisite-consequence approach | |
| de Neira et al. | An intelligent system for DDoS attack prediction based on early warning signals | |
| CN112541410B (en) | Method and device for detecting national treasury personnel behavior specification |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |