CN110324210A - The detection method and device of private communication channel communication are carried out based on ICMP agreement - Google Patents
The detection method and device of private communication channel communication are carried out based on ICMP agreement Download PDFInfo
- Publication number
- CN110324210A CN110324210A CN201910720720.8A CN201910720720A CN110324210A CN 110324210 A CN110324210 A CN 110324210A CN 201910720720 A CN201910720720 A CN 201910720720A CN 110324210 A CN110324210 A CN 110324210A
- Authority
- CN
- China
- Prior art keywords
- character combination
- response contents
- content
- object transmission
- icmp
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L43/00—Arrangements for monitoring or testing data switching networks
- H04L43/12—Network monitoring probes
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L43/00—Arrangements for monitoring or testing data switching networks
- H04L43/16—Threshold monitoring
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L43/00—Arrangements for monitoring or testing data switching networks
- H04L43/18—Protocol analysers
Landscapes
- Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
A kind of detection method and device carrying out private communication channel communication based on ICMP agreement provided by the invention, are related to the communications field, and this method obtains transmission mark and transferring content by being parsed to the ICMP traffic messages of acquisition;Judge whether transferring content is mixed and disorderly;If transferring content be it is mixed and disorderly, judge that object transmission identifies corresponding request content and whether response contents identical;If object transmission identifies corresponding request content and response contents are not identical, is identified based on object transmission and determine private communication channel communication behavior.This method recognizes whether the private communication channel communication behavior based on ICMP agreement based on flow analysis, reduces the performance requirement to detection device, improves detection efficiency, while will not influence the use of network investigation tool, is conducive to the normal operation of network.
Description
Technical field
The present invention relates to fields of communication technology, more particularly, to a kind of inspection for carrying out private communication channel communication based on ICMP agreement
Survey method and device.
Background technique
Network-control message protocol (Internet Control Message Protocol, ICMP) is ICP/IP protocol
One sub-protocol of cluster, for transmitting control message between IP host, router.It is obstructed, main that control message refers to that network leads to
The message for the networks such as whether machine is reachable, whether routing can be used itself.It is common to check that network leads to obstructed ping, tracert etc.
Order is all based on ICMP agreement.
Private communication channel communication based on ICMP agreement is exactly to carry out data transmission reaching logical using ICMP agreement as its name suggests
The conveniently method of section.Because ICMP uses the communication protocol of lower standard, so that flow is smaller in a network, it is not easy to by net
Network administrator and NetStream Data Analyzer discovery.
Currently, in the prior art for the private communication channel based on ICMP agreement detection method there are mainly two types of: scheme 1,
ICMP packet content is checked, judges whether ICMP packet content meets ICMP protocol specification and request for comments
(Request For Comments, RFC) standard;The program 1 has the disadvantage in that consumption performance is larger, to detection device
Performance requirement is higher, and many normal ICMP communications do not strictly observe ICMP protocol specification and RFC standard;Scheme 2, completely
Forbid ICMP agreement, the program 2 is due to total ban ICMP agreement, so that checking that network leads to the life such as obstructed ping, tracert
Failure is enabled, causing to check when network leads to obstructed becomes extremely difficult.
Summary of the invention
In view of this, the purpose of the present invention is to provide based on ICMP agreement carry out private communication channel communication detection method and
Device.
In a first aspect, the embodiment of the invention provides a kind of detection sides for carrying out private communication channel communication based on ICMP agreement
Method, comprising the following steps:
The ICMP traffic messages of acquisition are parsed to obtain transmission mark and transferring content;
Judge whether the transferring content is mixed and disorderly;
If the transferring content be it is mixed and disorderly, judge object transmission identify corresponding request content and response contents whether phase
Together;
If the object transmission identifies corresponding request content and response contents are not identical, it is based on the object transmission mark
Know and determines private communication channel communication behavior.
With reference to first aspect, the embodiment of the invention provides the first possible embodiments of first aspect, wherein institute
It states and judges whether the transferring content is mixed and disorderly, comprising:
The transferring content is grouped according to default rule of classification, obtains multiple groups character combination;
Determine that character combination is the accounting being grouped in multiple groups character combination combined in a jumble;
If the accounting is greater than mixed and disorderly threshold value, judge that transferring content is mixed and disorderly.
The possible embodiment of with reference to first aspect the first, the embodiment of the invention provides second of first aspect
Possible embodiment, wherein the default rule of classification includes:
The character of preset quantity adjacent and continuous in the transferring content is divided into one group.
The possible embodiment of with reference to first aspect the first, the embodiment of the invention provides the third of first aspect
Possible embodiment, wherein the determining character combination is the accounting being grouped in multiple groups character combination combined in a jumble, packet
It includes:
Judge whether every group of character combination is to combine in a jumble;
Counting character combination in multiple groups character combination is the quantity combined in a jumble;
It is the accounting being grouped in multiple groups character combination combined in a jumble that character combination is calculated according to the following formula;
A=n/m
Wherein, A indicates that character combination is the accounting being grouped in multiple groups character combination combined in a jumble, and n indicates mixed and disorderly group
The quantity of the character combination of conjunction, m indicate the group number of multiple groups character combination.
With reference to first aspect, the embodiment of the invention provides the 4th kind of possible embodiments of first aspect, wherein institute
If stated, the object transmission identifies corresponding request content and response contents are not identical, is identified and is determined based on the object transmission
Private communication channel communication behavior, comprising:
The ICMP traffic messages of the request content object transmission identification transmission different with response contents are determined as depositing
In private communication channel.
With reference to first aspect, the embodiment of the invention provides the 5th kind of possible embodiments of first aspect, wherein institute
If stated, the object transmission identifies corresponding request content and response contents are not identical, is identified and is determined based on the object transmission
Private communication channel communication behavior, comprising:
Judge that the object transmission counted within a preset period of time identifies the system of corresponding request content and response contents
It counts and whether meets preset threshold condition;The statistical data includes at least one below: request content and response contents
Length be different number, request content and response contents the number of transmissions;
If the object transmission counted within a preset period of time identifies the system of corresponding request content and response contents
It counts and meets preset threshold condition, it is determined that the object transmission mark, which exists, carries out private communication channel communication based on ICMP agreement
Behavior.
With reference to first aspect, the embodiment of the invention provides the 6th kind of possible embodiments of first aspect, wherein institute
State method further include:
It is identified based on the object transmission and generates warning information, and the warning information is stored.
Second aspect, the embodiment of the present invention also provide a kind of detection dress that private communication channel communication is carried out based on ICMP agreement
It sets, comprising:
Flow parsing module obtains transmission mark and transferring content for being parsed to the ICMP traffic messages of acquisition;
First judgment module, for judging whether the transferring content is mixed and disorderly;
Second judgment module, if for the transferring content be it is mixed and disorderly, judge in the corresponding request of object transmission mark
Hold and whether response contents are identical;
Channel determination module, if not identical for the corresponding request content of object transmission mark and response contents,
It is identified based on the object transmission and determines private communication channel communication behavior.
The third aspect, the embodiment of the present invention also provide a kind of electronic equipment, including memory, processor and are stored in described
On memory and the computer program that can run on the processor, the processor are realized when executing the computer program
The step of above-mentioned detection method that private communication channel communication is carried out based on ICMP agreement.
Fourth aspect, the embodiment of the present invention also provide a kind of computer readable storage medium, the computer-readable storage
Computer program is stored on medium, the computer program executes above-mentioned based on the progress of ICMP agreement when being run by processor
The step of detection method of private communication channel communication.
The embodiment of the present invention brings following the utility model has the advantages that provided in an embodiment of the present invention hidden based on the progress of ICMP agreement
Detection method, device, electronic equipment and the computer readable storage medium of channel communication pass through the ICMP flow report to acquisition
Text is parsed to obtain transmission mark and transferring content;Then judge whether transferring content is mixed and disorderly;If transferring content is miscellaneous
Disorderly, then judge that object transmission identifies corresponding request content and whether response contents are identical;If object transmission mark corresponds to
Request content and response contents it is not identical, finally based on object transmission identify determine private communication channel communication behavior.Therefore, this hair
The technical solution that bright embodiment provides is a kind of detection method from flow angle analysis ICMP protocol data, is transmitted by judgement
Whether content mixed and disorderly, whether request content of ICMP object transmission mark and response contents are mutually different from the nets such as ping on an equal basis
The communication data packet of network tool detection, to recognize whether the private communication channel communication behavior based on ICMP agreement.Compared to
The prior art checks ICMP packet content, judge ICMP packet content whether meet ICMP protocol specification and
The scheme of RFC standard and total ban ICMP agreement, this method are lower to the performance requirement of detection device, and detection performance is preferable,
Detection efficiency is high, and will not influence the use of network investigation tool, is conducive to the normal operation of network.
To enable the above objects, features and advantages of the present invention to be clearer and more comprehensible, preferred embodiment is cited below particularly, and cooperate
Appended attached drawing, is described in detail below.
Detailed description of the invention
It, below will be to specific in order to illustrate more clearly of the specific embodiment of the invention or technical solution in the prior art
Embodiment or attached drawing needed to be used in the description of the prior art be briefly described, it should be apparent that, it is described below
Attached drawing is some embodiments of the present invention, for those of ordinary skill in the art, before not making the creative labor
It puts, is also possible to obtain other drawings based on these drawings.
Fig. 1 is a kind of stream of detection method that private communication channel communication is carried out based on ICMP agreement provided in an embodiment of the present invention
Cheng Tu;
Fig. 2 is another detection method that private communication channel communication is carried out based on ICMP agreement provided in an embodiment of the present invention
Flow chart;
Fig. 3 is a kind of tool of detection method that private communication channel communication is carried out based on ICMP agreement provided in an embodiment of the present invention
Body applicating flow chart;
Fig. 4 is a kind of showing for detection device that private communication channel communication is carried out based on ICMP agreement provided in an embodiment of the present invention
It is intended to;
Fig. 5 is the schematic diagram of a kind of electronic equipment provided in an embodiment of the present invention.
Specific embodiment
In order to make the object, technical scheme and advantages of the embodiment of the invention clearer, below in conjunction with attached drawing to the present invention
Technical solution be clearly and completely described, it is clear that described embodiments are some of the embodiments of the present invention, rather than
Whole embodiments.Based on the embodiments of the present invention, those of ordinary skill in the art are not making creative work premise
Under every other embodiment obtained, shall fall within the protection scope of the present invention.
In all examples being illustrated and described herein, any occurrence should be construed as merely illustratively, without
It is as limitation, therefore, other examples of exemplary embodiment can have different values.
There are mainly two types of the detection methods that the private communication channel based on ICMP agreement is directed in currently available technology: scheme 1, right
ICMP packet content is checked, judges whether ICMP packet content meets ICMP protocol specification and request for comments
(Request For Comments, RFC) standard;The program 1 has the disadvantage in that consumption performance is larger, to detection device
Performance requirement is higher, and many normal ICMP communications do not strictly observe ICMP protocol specification and RFC standard;Scheme 2, completely
Forbid ICMP agreement, the program 2 is due to total ban ICMP agreement, so that checking that network leads to the life such as obstructed ping, tracert
Failure is enabled, causing to check when network leads to obstructed becomes extremely difficult.
Based on this, it is provided in an embodiment of the present invention it is a kind of based on ICMP agreement carry out private communication channel communication detection method and
Device can reduce the performance requirement of detection device, improve detection efficiency, and will not influence the use of network investigation tool,
It ensure that the normal operation of network.
The term referred in the application is explained as follows:
Private communication channel: private communication channel is the communication that a kind of permission process transmits information in the form of violating System Security Policy
Channel.In simple terms, private communication channel is exactly the communication channel being not intended to for transmitting information.Private communication channel is now wide
General is applied to network information data safe transmission.
ICMP:ICMP full name is Internet Control Message Protocol, is Internet control message association
View.It is a sub-protocol of ICP/IP protocol cluster, for transmitting control message between IP host, router.Control message
Refer to that network leads to the message for the networks such as whether obstructed, host is reachable, whether routing can be used itself.Although these control messages are not
User data is transmitted, but is played an important role for the transmitting of user data.
For convenient for understanding the present embodiment, first to one kind disclosed in the embodiment of the present invention be based on ICMP agreement into
The detection method of row private communication channel communication describes in detail.
Embodiment one:
The embodiment of the invention provides a kind of detection methods that private communication channel communication is carried out based on ICMP agreement, are applied to hidden
The detection field for covering channel is executed by the electronic equipment in corresponding field, and electronic equipment for example can be detection device or detection
The controller etc. of equipment.
As shown in Figure 1, this method comprises:
Step S102 parses the ICMP traffic messages of acquisition to obtain transmission mark and transferring content;
Step S104 judges whether transferring content is mixed and disorderly;
Step S106, if transferring content be it is mixed and disorderly, judge that object transmission identifies corresponding request content and response contents
It is whether identical;
Step S108 is based on object transmission if object transmission identifies corresponding request content and response contents are not identical
It identifies and determines private communication channel communication behavior.
The detection method provided in an embodiment of the present invention that private communication channel communication is carried out based on ICMP agreement, by acquisition
ICMP traffic messages are parsed to obtain transmission mark and transferring content;Then judge whether transferring content is mixed and disorderly;If passed
Defeated content be it is mixed and disorderly, then judge that object transmission identifies corresponding request content and whether response contents identical;If target passes
The corresponding request content of defeated mark and response contents are not identical, are finally identified based on object transmission and determine that private communication channel communication is gone
For.Scheme compared with the prior art, this method recognize whether the hidden letter based on ICMP agreement based on flow analysis
Road communication behavior reduces the performance requirement to detection device, improves detection efficiency, and will not influence network investigation tool
Use, be conducive to the normal operation of network.
In step s 102, transmission mark includes IP pairs and ICMP session identification (ID);Transferring content includes in request
Appearance and response contents;Above-mentioned IP is to including source IP, destination IP;The length of transferring content can also be determined by the transferring content
(with character or byte representation).
Further, step S102 can be executed by following steps:
1, ICMP traffic messages are captured;
Above-mentioned traffic messages can be described as data on flows packet or referred to as flow again;Specifically, being opened by using data plane
Hair net part (Data Plane Development Kit, DPDK) captures the ICMP real-time streams for flowing through the network equipment (such as network interface card)
It measures message (herein referring to a data on flows packet).
2, traffic messages are parsed;
Specifically, parsing according to ICMP real-time traffic message of the ICMP protocol format to the acquisition, source IP, mesh are obtained
IP, ICMP session id, transferring content and transferring content length.
Optionally, step S104 can be realized by following sub-step:
1) transferring content is grouped according to default rule of classification, obtains multiple groups character combination;
It include that request content and response contents therefore, can be respectively to request contents in the present embodiment in view of transferring content
It is grouped with response contents, obtains the multiple groups character combination of request content and the multiple groups character combination of response contents;Above-mentioned
Default rule of classification includes: that the character of preset quantity adjacent and continuous in the transferring content is divided into one group, i.e., will ask
The character of adjacent and continuous (the there is character repetition) preset quantity of content is asked to be divided into one group, by the adjacent of response contents
And the character of continuous preset quantity is divided into one group, preset quantity here can be set according to actual needs, the present embodiment
Middle preset quantity is typically set at even number, such as is set as 2.
However, it is to be understood that default rule of classification is also possible to other modes, such as in sequence by transferring content
It is unduplicated to be divided into one group per several characters, such as by transferring content according to being divided into one group two-by-two in sequence.
2) determine that character combination is the accounting being grouped in multiple groups character combination combined in a jumble;
Specifically, the step 2) can be executed by following steps:
2.1 judge whether every group of character combination is to combine in a jumble;
Here mixed and disorderly combination is the combination of discontinuous letter including character combination or character combination is discontinuous number
Combination or character combination be letter and number combination;
Specifically, then successively judging whether every group of character combination of request content is following combination for request content
Any one: the combination or character combination of discontinuous letter are discontinuous several combinatorics on words or character combination is alphabetical sum number
Combinatorics on words;If it is, judging this group of character combination for mixed and disorderly combination;For response contents, then response contents are successively judged
Every group of character combination whether be following combination any one: the combination or character combination of discontinuous letter be discontinuous number
Combinatorics on words or character combination are the combinations of letter and number.
Character combination is the quantity combined in a jumble in 2.2 statistics multiple groups character combinations;
Likewise, request content is counted character combination in the multiple groups character combination of request content and is combined in a jumble
Quantity;For response contents, counting character combination in the multiple groups character combination of response contents is the quantity combined in a jumble.
2.3 character combination is calculated according to following formula (1) is being grouped in multiple groups character combination of combining in a jumble
Accounting;
A=n/m (1)
Wherein, A indicates that character combination is the accounting being grouped in multiple groups character combination combined in a jumble, and n indicates mixed and disorderly group
The quantity of the character combination of conjunction, m indicate the group number of multiple groups character combination, i.e., transferring content are divided into m group.
Specifically, calculating separately to obtain character combination in request content using formula (1) is that being grouped in of combining in a jumble is more
Group character combination in accounting and response contents in character combination be combine in a jumble be grouped in accounting in multiple groups character combination
Than;
If 3) accounting is greater than mixed and disorderly threshold value, judge that transferring content is mixed and disorderly.
In view of transferring content includes request content and response contents, therefore, mixed and disorderly threshold value here also includes in request
The mixed and disorderly threshold value of the mixed and disorderly threshold value and response contents held;The setting of above-mentioned mixed and disorderly threshold value can be set according to actual needs, usually
The mixed and disorderly threshold value of the mixed and disorderly threshold value of request content and response contents is disposed as 50%.
Specifically, if character combination is that the accounting being grouped in multiple groups character combination that combines in a jumble is big in request content
Character combination is being grouped in multiple groups character combination of combining in a jumble in the mixed and disorderly threshold value and response contents of request content
Accounting is greater than the mixed and disorderly threshold value of response contents, just judges that transferring content is mixed and disorderly;
It should be noted that it is above-mentioned it is merely exemplary give the executive mode of a kind of request content and response contents, only
Purpose for ease of understanding, should not be construed as limiting the invention;In fact, in the present invention, for request content and sound
Answering the execution sequencing of content both first can execute above-mentioned steps 1 to request content without limitation) to step 3), then it is right
Response contents execute above-mentioned steps 1) to step 3);Above-mentioned steps 1 first can also be executed to response contents) to step 3), then it is right
Request content executes above-mentioned steps 1) to step 3);Execution can also be interspersed with.
In addition, in other embodiments, step S104 can also be accomplished by the following way:
Transferring content is grouped according to default rule of classification first, obtains multiple groups character combination;Then character is determined
Group is combined into the accounting being grouped in multiple groups character combination continuously combined;Above-mentioned continuous combination refers to that character combination is consecutive word
Female combination or character combination is consecutive numbers combinatorics on words;Finally judge character combination and is grouped in multiple groups word for what is continuously combined
Whether the accounting in symbol combination, which is less than or equal to continuous threshold value, (or judges that character combination is grouped in multiple groups character for what is combined in a jumble
Whether the accounting in combination is greater than mixed and disorderly threshold value), if character combination is being grouped in multiple groups character combination of continuously combining
Accounting is less than or equal to continuous threshold value, and (or character combination be the accounting being grouped in multiple groups character combination that combines in a jumble greater than miscellaneous
Random threshold value), judge that transferring content is mixed and disorderly.
Above-mentioned determining character combination is that the accounting being grouped in multiple groups character combination continuously combined may include: that judgement is every
Whether group character combination is continuously to combine;Determine to be the character combination continuously combined in multiple groups character combination in multiple groups character combination
Accounting X;Then character combination can be obtained using 1-X is the accounting being grouped in multiple groups character combination combined in a jumble;This
When, then can directly execute above-mentioned steps 3) if accounting (i.e. character combination be combine in a jumble be grouped in multiple groups character combination
In accounting) be greater than mixed and disorderly threshold value, then judge that transferring content is mixed and disorderly.
In step s 106, object transmission mark refers to selected transmission mark, such as can be a selected ICMP
Session id is also possible to selected one group IP pairs.
Further, in the present embodiment, object transmission mark refers to a selected ICMP session id, above-mentioned steps S106
It executes through the following steps:
In the request content and response for judging a selected ICMP session by ICMP session id, source IP, destination IP
Whether appearance is identical, and the identical data content for referring to request content here is identical as the data content of response contents,
And the length of request content and the length of response contents are also identical.
Further, step S108 can be realized one of in the following manner:
Mode A,
The ICMP traffic messages of the request content object transmission identification transmission different with response contents are determined as to there are hidden
Cover channel.
Here request content and response contents difference include that the length of request content and response contents is not identical and ask
Ask content identical with response contents length but data content is not identical.
I.e. in the case where the request content of object transmission mark and response contents have differences, it can reflect the mesh indirectly
There are private communication channel communication behaviors for mark transmission mark, in other words, the request content and the distinct object transmission of response contents
It is identified as the suspected target of private communication channel communication.
Mode B,
The object transmission that counts within a preset period of time of B1 judgement identifies corresponding request content and response contents
Whether statistical data meets preset threshold condition;The statistical data includes at least one below: in request content and response
The length of appearance is the number of transmissions of different number, request content and response contents;
Here primary send of request content is denoted as the primary of the number of transmissions with the primary feedback of response contents, i.e., once
Request a corresponding secondary response as the primary of the number of transmissions.
Specifically, step B1 is realized by following sub-step:
B11 identifies corresponding request content to object transmission within a preset period of time and response contents count, and obtains
Object transmission identifies the statistical data of corresponding request content and response contents;Wherein the statistical data packet includes request content
Length, the number of request content, the length of response contents and response contents number;
Above-mentioned preset time period can be according to detection demand setting, such as is set as 30 minutes.
Specifically, with IP to for dimension, at interval of count within 30 minutes same IP to the length of lower request content, number and
The length of response contents, number, while the request content and response contents of preset quantity are saved, in this example, at most save
20 different request contents and 20 different response contents, in the buffer as data cached storage.
B12 determines that both request content and corresponding response contents length are asynchronous time based on the statistical data
Number;
B13 judges both the number of request content, the number of response contents, request content and corresponding response contents respectively
Length is whether asynchronous number meets corresponding threshold condition;
If being all satisfied, i.e. the number of request content meets the frequency threshold value of request content, the number of response contents meets sound
The frequency threshold value of content is answered, request content is that asynchronous number meets difference number threshold with both corresponding response contents length
Value, then judge that the object transmission counted within a preset period of time identifies the statistical number of corresponding request content and response contents
According to meeting preset threshold condition.
It should be noted that above-mentioned statistical data can also be not identical including the length of request content and response contents
The length of accounting in request content and response contents are not identical, request content and response contents is that different number is being asked
Seek the accounting of the number of transmissions of content and response contents.
If the object transmission that B2 is counted within a preset period of time identifies corresponding request content and response contents
Statistical data meets preset threshold condition, it is determined that the object transmission mark exists logical based on ICMP agreement progress private communication channel
Letter behavior.
The problem of verifying to testing result is considered how, further, on the basis of aforementioned schemes, such as Fig. 2
Shown, the difference with preceding method is, this method can also include:
Step S202 generates warning information based on object transmission mark, and stores to warning information.
Above-mentioned steps S202 can be executed one of in the following manner:
Mode one, for the ICMP traffic messages of the request content object transmission identification transmission different with response contents are true
Be set to the case where there are private communication channels, step S202 is specifically included: based on object transmission mark source IP, destination IP and should
Different request contents and response contents under object transmission mark generate warning information, and store to local first database
In.
Mode two, corresponding to above-mentioned mode B, the object transmission that counts within a preset period of time mark is corresponding to ask
Under the premise of asking content and the statistical data of response contents to meet preset threshold condition, step S202 can then pass through following step
It is rapid to realize: the source IP based on object transmission mark, destination IP, in the different request contents and response under object transmission mark
Hold, the length of request content, the length of the content number of request and response contents, response contents number, the length of request content
The length of degree and response contents is that different number generates a warning information, and warning information is stored to local second number
According in library.
This method through the above steps be convenient for informing prompting user by S202, meanwhile, subsequent examination veritification is carried out convenient for user,
Be conducive to improve the Experience Degree of user.
In order to make it easy to understand, being described below with reference to specific implementation process of the Fig. 3 to this method:
Referring to Fig. 3, this method comprises:
Step S302: capture ICMP flow simultaneously parses.
The ICMP flow that network interface card is flowed through by using DPDK capture, is then parsed according to ICMP protocol format, is parsed
Obtain source IP, destination IP, the length of ICMP session id, transferring content and transferring content.
Step S304: judge whether transferring content is mixed and disorderly.
Specifically, executing substep respectively for request content and response contents:
1. continuous every 2 characters are divided into a combination first, multiple character combinations are obtained;
Here by taking request content as an example, such as request content is 12345, then according to above-mentioned rule of classification, then available 4
A combination, respectively 12,23,34,45.
2. judging whether each character combination is contiguous alphabet or number.
Such as: character combination 12,21, ab, ba are considered as contiguous alphabet or number;And character combination 13,31, ac, ca is then
It is considered as discontinuous letter or number.
3. counting the accounting of contiguous alphabet+continuous number character combination, if reaching continuous threshold value, in this example, even
Continuous threshold value is set as 50%, then it is assumed that be it is non-mixed and disorderly, be otherwise considered as mixed and disorderly.
4. being judged as mixed and disorderly, then S306 is entered step, otherwise terminates to judge.
Step S306: judge to request and whether identical respond.
Judge that the same ICMP session (is determined whether by ICMP session id to be same by ICMP session id, source IP, destination IP
One) request content and response contents it is whether identical.S308 is entered step if not identical, otherwise terminates to judge.
Step S308: based on IP to counting.
With IP to for dimension, counting same IP to (source IP address identical or source IP address and Target IP with target ip address
The opposite IP in address to) under the length of request content, the length of number and response contents, number, while saving a certain amount of
Request content and response contents;Such as 20 different request contents and 20 different response contents are saved into caching.
Step S310: judge whether to reach threshold value.
(this example is set as half an hour) at regular intervals, to each IP to judging, if the request time of statistics
Several and response times all reach threshold value (it is 20 times that threshold value, which is arranged, in this example), and request content and response contents are different length
Quantity reaches threshold value (this example threshold is set as 10), then is identified as carrying out private communication channel communication based on ICMP agreement, into step
Rapid S312.Otherwise statistical data is emptied, judgement is terminated.
Step S312: alarm data is generated, and is stored.
Step S310 is judged as, private communication channel communication is carried out based on ICMP agreement, saves a warning information, the announcement
Alert information includes source IP, destination IP, the request content saved in step S308, response contents, the length of request content, number and
The length of response contents, number;And warning information is stored in local presetting database.
The embodiment of the present invention from flow angle analysis ICMP protocol data, by statistics ICMP request response contents whether phase
Whether whether same, request response content-length distribution is relatively wide, request the content responded mixed and disorderly etc., and it is normal to distinguish ping etc.
Data packet and abnormal ICMP communication data packet, to recognize whether the private communication channel communication row based on ICMP agreement
For.This method can effectively detect the communication that private communication channel is carried out based on ICMP agreement, and detection efficiency is high, to detection device
Performance requirement is lower, and will not influence the normal operation of network.
Embodiment two:
As shown in figure 4, the embodiment of the invention provides a kind of detection dresses for carrying out private communication channel communication based on ICMP agreement
It sets, which includes:
Flow parsing module 400, for being parsed to obtain in transmission mark and transmission to the ICMP traffic messages of acquisition
Hold;
First judgment module 500, for judging whether the transferring content is mixed and disorderly;
Second judgment module 600, if for the transferring content be it is mixed and disorderly, judge the corresponding request of object transmission mark
Whether content and response contents are identical;
Channel determination module 700, if identifying corresponding request content and response contents not phase for the object transmission
Together, it is identified based on the object transmission and determines private communication channel communication behavior.
Further, first judgment module 500, for being grouped to the transferring content according to default rule of classification,
Obtain multiple groups character combination;Determine that character combination is the accounting being grouped in multiple groups character combination combined in a jumble;If described
Accounting is greater than mixed and disorderly threshold value, then judges that transferring content is mixed and disorderly.
Further, first judgment module 500, for judging whether every group of character combination is to combine in a jumble;
Counting character combination in multiple groups character combination is the quantity combined in a jumble;Character combination is calculated according to the following formula is
The accounting being grouped in multiple groups character combination combined in a jumble;A=n/m formula (1);Wherein, A indicates that character combination is mixed and disorderly combination
The accounting being grouped in multiple groups character combination, n indicates the quantity of character combination combined in a jumble, and m indicates multiple groups character combination
Group number.
Further, channel determination module 700, for the object transmission mark that the request content is different with response contents
The ICMP traffic messages for knowing transmission are determined as that there are private communication channels.
Further, channel determination module 700, the object transmission mark for judging to count within a preset period of time
Whether the statistical data of corresponding request content and response contents meets preset threshold condition;The statistical data includes below
At least one: the length of request content and response contents is the number of transmissions of different number, request content and response contents;
If the object transmission counted within a preset period of time identifies corresponding request content and the statistical data of response contents is full
Sufficient preset threshold condition, it is determined that the object transmission mark, which exists, carries out private communication channel communication behavior based on ICMP agreement.
Further, the device further include:
Alarm memory module 800, for generating warning information based on object transmission mark, and to the warning information
It is stored.
It is apparent to those skilled in the art that for convenience and simplicity of description, the device of foregoing description
Specific work process, can refer to corresponding processes in the foregoing method embodiment, details are not described herein.
The detection device provided in an embodiment of the present invention that private communication channel communication is carried out based on ICMP agreement, with above-described embodiment
What is provided carries out the detection method technical characteristic having the same of private communication channel communication based on ICMP agreement, so also can solve phase
Same technical problem, reaches identical technical effect.
The flow chart and block diagram in the drawings show the system of multiple embodiments according to the present invention, method and computer journeys
The architecture, function and operation in the cards of sequence product.In this regard, each box in flowchart or block diagram can generation
A part of one module, section or code of table, a part of the module, section or code include one or more use
The executable instruction of the logic function as defined in realizing.It should also be noted that in some implementations as replacements, being marked in box
The function of note can also occur in a different order than that indicated in the drawings.For example, two continuous boxes can actually base
Originally it is performed in parallel, they can also be executed in the opposite order sometimes, and this depends on the function involved.It is also noted that
It is the combination of each box in block diagram and or flow chart and the box in block diagram and or flow chart, can uses and execute rule
The dedicated hardware based system of fixed function or movement is realized, or can use the group of specialized hardware and computer instruction
It closes to realize.
Referring to Fig. 5, the embodiment of the present invention also provides a kind of electronic equipment 100, comprising: processor 40, memory 41, bus
42 and communication interface 43, the processor 40, communication interface 43 and memory 41 are connected by bus 42;Processor 40 is for holding
The executable module stored in line storage 41, such as computer program.
Wherein, memory 41 may include high-speed random access memory (RAM, Random Access Memory),
It may further include nonvolatile memory (non-volatile memory), for example, at least a magnetic disk storage.By at least
One communication interface 43 (can be wired or wireless) realizes the communication between the system network element and at least one other network element
Connection, can be used internet, wide area network, local network, Metropolitan Area Network (MAN) etc..
Bus 42 can be isa bus, pci bus or eisa bus etc..The bus can be divided into address bus, data
Bus, control bus etc..Only to be indicated with a four-headed arrow convenient for indicating, in Fig. 5, it is not intended that an only bus or
A type of bus.
Wherein, memory 41 is for storing program, and the processor 40 executes the journey after receiving and executing instruction
Sequence, method performed by the device that the stream process that aforementioned any embodiment of the embodiment of the present invention discloses defines can be applied to handle
In device 40, or realized by processor 40.
Processor 40 may be a kind of IC chip, the processing capacity with signal.During realization, above-mentioned side
Each step of method can be completed by the integrated logic circuit of the hardware in processor 40 or the instruction of software form.Above-mentioned
Processor 40 can be general processor, including central processing unit (Central Processing Unit, abbreviation CPU), network
Processor (Network Processor, abbreviation NP) etc.;It can also be digital signal processor (Digital Signal
Processor, abbreviation DSP), specific integrated circuit (Application Specific Integrated Circuit, referred to as
ASIC), field programmable gate array (Field-Programmable Gate Array, abbreviation FPGA) or other are programmable
Logical device, discrete gate or transistor logic, discrete hardware components.It may be implemented or execute in the embodiment of the present invention
Disclosed each method, step and logic diagram.General processor can be microprocessor or the processor is also possible to appoint
What conventional processor etc..The step of method in conjunction with disclosed in the embodiment of the present invention, can be embodied directly in hardware decoding processing
Device executes completion, or in decoding processor hardware and software module combination execute completion.Software module can be located at
Machine memory, flash memory, read-only memory, programmable read only memory or electrically erasable programmable memory, register etc. are originally
In the storage medium of field maturation.The storage medium is located at memory 41, and processor 40 reads the information in memory 41, in conjunction with
Its hardware completes the step of above method.
The embodiment of the present invention also provides a kind of computer readable storage medium, and meter is stored on computer readable storage medium
Calculation machine program executes provided by the above embodiment based on ICMP agreement progress private communication channel when computer program is run by processor
The step of detection method of communication.
It, can be with if the function is realized in the form of SFU software functional unit and when sold or used as an independent product
It is stored in the executable non-volatile computer-readable storage medium of a processor.Based on this understanding, of the invention
Technical solution substantially the part of the part that contributes to existing technology or the technical solution can be with software in other words
The form of product embodies, which is stored in a storage medium, including some instructions use so that
One computer equipment (can be personal computer, server or the network equipment etc.) executes each embodiment institute of the present invention
State all or part of the steps of method.And storage medium above-mentioned includes: USB flash disk, mobile hard disk, read-only memory (ROM, Read-
Only Memory), random access memory (RAM, Random Access Memory), magnetic or disk etc. are various can be with
Store the medium of program code.
Finally, it should be noted that embodiment described above, only a specific embodiment of the invention, to illustrate the present invention
Technical solution, rather than its limitations, scope of protection of the present invention is not limited thereto, although with reference to the foregoing embodiments to this hair
It is bright to be described in detail, those skilled in the art should understand that: anyone skilled in the art
In the technical scope disclosed by the present invention, it can still modify to technical solution documented by previous embodiment or can be light
It is readily conceivable that variation or equivalent replacement of some of the technical features;And these modifications, variation or replacement, do not make
The essence of corresponding technical solution is detached from the spirit and scope of technical solution of the embodiment of the present invention, should all cover in protection of the invention
Within the scope of.Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.
Claims (10)
1. a kind of detection method for carrying out private communication channel communication based on ICMP agreement, which comprises the following steps:
The ICMP traffic messages of acquisition are parsed to obtain transmission mark and transferring content;
Judge whether the transferring content is mixed and disorderly;
If the transferring content be it is mixed and disorderly, judge that object transmission identifies corresponding request content and whether response contents identical;
It is true based on object transmission mark if the object transmission identifies corresponding request content and response contents are not identical
Determine private communication channel communication behavior.
2. the method according to claim 1, wherein described judge whether the transferring content is mixed and disorderly, comprising:
The transferring content is grouped according to default rule of classification, obtains multiple groups character combination;
Determine that character combination is the accounting being grouped in multiple groups character combination combined in a jumble;
If the accounting is greater than mixed and disorderly threshold value, judge that transferring content is mixed and disorderly.
3. according to the method described in claim 2, it is characterized in that, the default rule of classification includes:
The character of preset quantity adjacent and continuous in the transferring content is divided into one group.
4. according to the method described in claim 2, it is characterized in that, the determining character combination is that being grouped in of combining in a jumble is more
Accounting in group character combination, comprising:
Judge whether every group of character combination is to combine in a jumble;
Counting character combination in multiple groups character combination is the quantity combined in a jumble;
It is the accounting being grouped in multiple groups character combination combined in a jumble that character combination is calculated according to the following formula;
A=n/m
Wherein, A indicates that character combination is the accounting being grouped in multiple groups character combination combined in a jumble, and n expression is combined in a jumble
The quantity of character combination, m indicate the group number of multiple groups character combination.
5. if the method according to claim 1, wherein the object transmission identifies in corresponding request
Hold and response contents be not identical, is identified based on the object transmission and determine private communication channel communication behavior, comprising:
The ICMP traffic messages of the request content object transmission identification transmission different with response contents are determined as to there are hidden
Cover channel.
6. if the method according to claim 1, wherein the object transmission identifies in corresponding request
Hold and response contents be not identical, is identified based on the object transmission and determine private communication channel communication behavior, comprising:
Judge that the object transmission counted within a preset period of time identifies the statistical number of corresponding request content and response contents
According to whether meeting preset threshold condition;The statistical data includes at least one below: the length of request content and response contents
Degree is the number of transmissions of different number, request content and response contents;
If the object transmission counted within a preset period of time identifies the statistical number of corresponding request content and response contents
According to meeting preset threshold condition, it is determined that the object transmission mark, which exists, carries out private communication channel communication row based on ICMP agreement
For.
7. the method according to claim 1, wherein the method also includes:
It is identified based on the object transmission and generates warning information, and the warning information is stored.
8. a kind of detection device for carrying out private communication channel communication based on ICMP agreement characterized by comprising
Flow parsing module obtains transmission mark and transferring content for being parsed to the ICMP traffic messages of acquisition;
First judgment module, for judging whether the transferring content is mixed and disorderly;
Second judgment module, if for the transferring content be it is mixed and disorderly, judge the object transmission corresponding request content of mark with
Whether response contents are identical;
Channel determination module is based on if not identical for the corresponding request content of object transmission mark and response contents
The object transmission, which identifies, determines private communication channel communication behavior.
9. a kind of electronic equipment, including memory, processor and it is stored on the memory and can transports on the processor
Capable computer program, which is characterized in that the processor realizes the claims 1 to 7 when executing the computer program
The step of described in any item methods.
10. a kind of computer readable storage medium, computer program, feature are stored on the computer readable storage medium
The step of being, the described in any item methods of the claims 1 to 7 executed when the computer program is run by processor.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201910720720.8A CN110324210B (en) | 2019-08-06 | 2019-08-06 | Detection method and device for covert channel communication based on ICMP (Internet control protocol) |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201910720720.8A CN110324210B (en) | 2019-08-06 | 2019-08-06 | Detection method and device for covert channel communication based on ICMP (Internet control protocol) |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN110324210A true CN110324210A (en) | 2019-10-11 |
| CN110324210B CN110324210B (en) | 2020-12-25 |
Family
ID=68125434
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201910720720.8A Active CN110324210B (en) | 2019-08-06 | 2019-08-06 | Detection method and device for covert channel communication based on ICMP (Internet control protocol) |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN110324210B (en) |
Cited By (12)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN111371740A (en) * | 2020-02-17 | 2020-07-03 | 华云数据有限公司 | Message flow monitoring method and system and electronic equipment |
| CN111464497A (en) * | 2020-03-05 | 2020-07-28 | 北京安码科技有限公司 | Target range hidden channel establishing method and system based on icmp, electronic device and storage medium |
| CN111478920A (en) * | 2020-04-27 | 2020-07-31 | 深信服科技股份有限公司 | Method, device and equipment for detecting communication of hidden channel |
| CN111585993A (en) * | 2020-04-27 | 2020-08-25 | 深信服科技股份有限公司 | Method, device and equipment for detecting communication of hidden channel |
| CN111586075A (en) * | 2020-05-26 | 2020-08-25 | 国家计算机网络与信息安全管理中心 | Hidden channel detection method based on multi-scale stream analysis technology |
| CN112491662A (en) * | 2020-12-14 | 2021-03-12 | 北京亚鸿世纪科技发展有限公司 | ICMP hidden tunnel detection method and device |
| CN112565229A (en) * | 2020-11-27 | 2021-03-26 | 北京天融信网络安全技术有限公司 | Hidden channel detection method and device |
| CN112688957A (en) * | 2020-12-29 | 2021-04-20 | 北京天融信网络安全技术有限公司 | ICMP message processing method, device, computer equipment and medium |
| CN113179278A (en) * | 2021-05-20 | 2021-07-27 | 北京天融信网络安全技术有限公司 | Abnormal data packet detection method and electronic equipment |
| CN113364793A (en) * | 2021-06-17 | 2021-09-07 | 北京天融信网络安全技术有限公司 | ICMP hidden tunnel detection method, device and storage medium |
| CN113497797A (en) * | 2020-04-08 | 2021-10-12 | 中国移动通信集团广东有限公司 | Method and device for detecting abnormality of ICMP tunnel transmission data |
| CN113923047A (en) * | 2021-11-04 | 2022-01-11 | 杭州安恒信息安全技术有限公司 | Covert communication method, device, system, computer and readable storage medium |
Citations (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN104104675A (en) * | 2014-06-24 | 2014-10-15 | 赖洪昌 | Internet control message protocol camouflage capture and analysis technology |
| CN106453225A (en) * | 2016-07-18 | 2017-02-22 | 北龙中网(北京)科技有限责任公司 | Method and client for realizing covert communication, and server |
| RU2015154207A (en) * | 2015-12-16 | 2017-06-21 | федеральное государственное казенное военное образовательное учреждение высшего образования "Краснодарское высшее военное училище имени генерала армии С.М. Штеменко" Министерства обороны Российской Федерации | Covert channel detection device based on error identification in the tested nodes of automated systems |
| CN109547443A (en) * | 2018-11-28 | 2019-03-29 | 甘肃农业大学 | A kind of detection method of the hidden channel of network storage type |
-
2019
- 2019-08-06 CN CN201910720720.8A patent/CN110324210B/en active Active
Patent Citations (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN104104675A (en) * | 2014-06-24 | 2014-10-15 | 赖洪昌 | Internet control message protocol camouflage capture and analysis technology |
| RU2015154207A (en) * | 2015-12-16 | 2017-06-21 | федеральное государственное казенное военное образовательное учреждение высшего образования "Краснодарское высшее военное училище имени генерала армии С.М. Штеменко" Министерства обороны Российской Федерации | Covert channel detection device based on error identification in the tested nodes of automated systems |
| CN106453225A (en) * | 2016-07-18 | 2017-02-22 | 北龙中网(北京)科技有限责任公司 | Method and client for realizing covert communication, and server |
| CN109547443A (en) * | 2018-11-28 | 2019-03-29 | 甘肃农业大学 | A kind of detection method of the hidden channel of network storage type |
Non-Patent Citations (2)
| Title |
|---|
| SIRINE SAYADI等: "Detection of Covert Channels Over ICMP Protocol", 《IEEE》 * |
| 许晓东等: "基于信息熵SVM的ICMP负载隐蔽通道检测", 《计算机应用》 * |
Cited By (17)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN111371740A (en) * | 2020-02-17 | 2020-07-03 | 华云数据有限公司 | Message flow monitoring method and system and electronic equipment |
| CN111464497A (en) * | 2020-03-05 | 2020-07-28 | 北京安码科技有限公司 | Target range hidden channel establishing method and system based on icmp, electronic device and storage medium |
| CN113497797A (en) * | 2020-04-08 | 2021-10-12 | 中国移动通信集团广东有限公司 | Method and device for detecting abnormality of ICMP tunnel transmission data |
| CN113497797B (en) * | 2020-04-08 | 2023-04-28 | 中国移动通信集团广东有限公司 | Abnormality detection method and device for ICMP tunnel transmission data |
| CN111478920A (en) * | 2020-04-27 | 2020-07-31 | 深信服科技股份有限公司 | Method, device and equipment for detecting communication of hidden channel |
| CN111585993A (en) * | 2020-04-27 | 2020-08-25 | 深信服科技股份有限公司 | Method, device and equipment for detecting communication of hidden channel |
| CN111585993B (en) * | 2020-04-27 | 2022-08-09 | 深信服科技股份有限公司 | Method, device and equipment for detecting communication of hidden channel |
| CN111586075B (en) * | 2020-05-26 | 2022-06-14 | 国家计算机网络与信息安全管理中心 | Hidden channel detection method based on multi-scale stream analysis technology |
| CN111586075A (en) * | 2020-05-26 | 2020-08-25 | 国家计算机网络与信息安全管理中心 | Hidden channel detection method based on multi-scale stream analysis technology |
| CN112565229A (en) * | 2020-11-27 | 2021-03-26 | 北京天融信网络安全技术有限公司 | Hidden channel detection method and device |
| CN112491662A (en) * | 2020-12-14 | 2021-03-12 | 北京亚鸿世纪科技发展有限公司 | ICMP hidden tunnel detection method and device |
| CN112688957A (en) * | 2020-12-29 | 2021-04-20 | 北京天融信网络安全技术有限公司 | ICMP message processing method, device, computer equipment and medium |
| CN112688957B (en) * | 2020-12-29 | 2023-03-24 | 北京天融信网络安全技术有限公司 | ICMP message processing method, device, computer equipment and medium |
| CN113179278A (en) * | 2021-05-20 | 2021-07-27 | 北京天融信网络安全技术有限公司 | Abnormal data packet detection method and electronic equipment |
| CN113179278B (en) * | 2021-05-20 | 2023-04-18 | 北京天融信网络安全技术有限公司 | Abnormal data packet detection method and electronic equipment |
| CN113364793A (en) * | 2021-06-17 | 2021-09-07 | 北京天融信网络安全技术有限公司 | ICMP hidden tunnel detection method, device and storage medium |
| CN113923047A (en) * | 2021-11-04 | 2022-01-11 | 杭州安恒信息安全技术有限公司 | Covert communication method, device, system, computer and readable storage medium |
Also Published As
| Publication number | Publication date |
|---|---|
| CN110324210B (en) | 2020-12-25 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN110324210A (en) | The detection method and device of private communication channel communication are carried out based on ICMP agreement | |
| US7808898B2 (en) | Flow estimator | |
| Zdonik et al. | SpringerBriefs in Computer Science | |
| CN108667747A (en) | The method, apparatus and computer readable storage medium of network flow application type identification | |
| CN106416171A (en) | Method and device for feature information analysis | |
| CN110912927B (en) | Method and device for detecting control message in industrial control system | |
| CN102238021A (en) | Message sequence searching method, protocol analysis engine and protocol analyzer | |
| CN112769633B (en) | Proxy traffic detection method and device, electronic equipment and readable storage medium | |
| CN112260899B (en) | Network monitoring method and device based on MMU (memory management unit) | |
| CN106790299B (en) | Wireless attack defense method and device applied to wireless Access Point (AP) | |
| CN109670046A (en) | A kind of public sentiment monitoring method, storage medium and terminal device | |
| EP2983327A1 (en) | Counting control method for counter, and network chip | |
| CN110457137A (en) | Flow analytic method, device, electronic equipment and computer-readable medium | |
| Canini et al. | Per flow packet sampling for high-speed network monitoring | |
| CN102714652A (en) | Supervision of a communication session comprising several flows over a data network | |
| CN107666417B (en) | Method for realizing IPFIX random sampling | |
| CN113765728B (en) | Network detection method, device, equipment and storage medium | |
| CN106375351B (en) | A kind of method and device of abnormal domain name detection | |
| CN113098852A (en) | Log processing method and device | |
| CN112688924A (en) | Network protocol analysis system | |
| CN107528837A (en) | Encrypted video recognition methods and device, computer installation, readable storage medium storing program for executing | |
| CN115514683B (en) | Packet loss reason determining method, device, exchange chip and storage medium | |
| CN105704057B (en) | The method and apparatus for determining the type of service of burst port congestion packet loss | |
| US8576717B2 (en) | System and method for detecting rogue traffic using flow statistics with a list of authorized engines | |
| CN109327404A (en) | P2P prediction technique and system, server and medium based on Naive Bayes Classification Algorithm |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |