CN110336835A - Detection method, user equipment, storage medium and device for malicious acts
- Publication number: CN110336835A
- Application number: CN201910720423.3A
- Authority: CN (China)
- Legal status: Granted (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1416—Event detection, e.g. attack signature detection
- H04L63/1425—Traffic logging, e.g. anomaly detection
Abstract
The present invention relates to the technical field of network security and discloses a detection method, user equipment, storage medium and device for malicious acts. In the invention, traffic to be detected is obtained; the traffic features corresponding to each preset feature type are extracted from the traffic to be detected, the preset feature types being feature types corresponding to malicious file download behavior; and the traffic features are checked for malicious file download behavior by a preset behavior detection model. Because multi-dimensional preset feature types are set in advance, and these fixed feature types are used to analyze whether a file download contained in the monitored traffic is a malicious file download, the accuracy of detecting malicious file download behavior is improved, which solves the technical problem that malicious file download behavior cannot be detected accurately.
Description
Technical field
The present invention relates to the technical field of network security, and in particular to a detection method, user equipment, storage medium and device for malicious acts.
Background
Malicious attacks are becoming more and more common. In particular, a malicious attacker will often use a security vulnerability to attack an enterprise server and obtain permission to execute commands on the attacked server. The attacker can then use this execution permission to run a download command on the attacked server, downloading a malicious program prepared in advance to the attacked server's local storage, which completes the malicious intrusion process.
To guard against this malicious intrusion process, corresponding preventive measures are usually adopted, for example deploying an intranet sandbox, an anti-virus appliance, a firewall, antivirus software and the like. However, these preventive measures perform poorly in detection accuracy when detecting malicious file download behavior, which greatly reduces security.
Therefore, there is a technical problem that malicious file download behavior cannot be detected accurately.
The above content is only intended to aid understanding of the technical solution of the present invention and does not constitute an admission that the above content is prior art.
Summary of the invention
The main purpose of the present invention is to provide a detection method, user equipment, storage medium and device for malicious acts, aiming to solve the technical problem that malicious file download behavior cannot be detected accurately.
To achieve the above object, the present invention provides a detection method for malicious acts, which comprises the following steps:
Obtaining traffic to be detected;
Extracting, from the traffic to be detected, the traffic features corresponding to each preset feature type, the preset feature types being feature types corresponding to malicious file download behavior;
Detecting malicious file download behavior in the traffic features by means of a preset behavior detection model.
Preferably, before the obtaining of the traffic to be detected, the detection method for malicious acts further comprises:
Obtaining malicious access traffic samples that contain malicious file download behavior;
Extracting access features from the malicious access traffic samples;
Building the preset behavior detection model from the access features.
Preferably, after the obtaining of malicious access traffic samples that contain malicious file download behavior, the detection method for malicious acts further comprises:
Extracting HyperText Transfer Protocol (HTTP) traffic from the malicious access traffic samples;
The extracting of access features from the malicious access traffic samples specifically comprises:
Extracting the access features from the HTTP traffic.
Preferably, the building of the preset behavior detection model from the access features specifically comprises:
Training a first preset decision tree algorithm with the access features to obtain the preset behavior detection model.
Preferably, the detecting of malicious file download behavior in the traffic features by means of the preset behavior detection model specifically comprises:
Obtaining a preset traversal order of the traffic features;
Traversing the traffic features based on the preset traversal order, taking the traffic feature whose feature type is the target feature type as the traffic feature to be processed, determining the behavior judgment criterion corresponding to the target feature type, and detecting malicious file download behavior in the traffic feature to be processed based on the behavior judgment criterion.
Preferably, before the obtaining of the preset traversal order of the traffic features, the detection method for malicious acts further comprises:
Determining, based on a second preset decision tree algorithm, the priority corresponding to each preset feature type according to the information gain corresponding to that preset feature type;
Forming the preset traversal order from the priorities.
Preferably, the traversing of the traffic features based on the preset traversal order, taking the traffic feature whose feature type is the target feature type as the traffic feature to be processed, determining the behavior judgment criterion corresponding to the target feature type, and detecting malicious file download behavior in the traffic feature to be processed based on the behavior judgment criterion, specifically comprises:
Reading the download file format type as ordered in the preset traversal order, and traversing the traffic features based on the preset traversal order;
Taking the traffic feature whose feature type is the download file format type as the traffic feature to be processed, determining the behavior judgment criterion corresponding to the download file format type, and detecting malicious file download behavior in the traffic feature to be processed based on the behavior judgment criterion.
In addition, to achieve the above object, the present invention also proposes user equipment comprising a memory, a processor, and a malicious act detection program that is stored in the memory and can run on the processor, the malicious act detection program being configured to implement the steps of the detection method for malicious acts described above.
In addition, to achieve the above object, the present invention also proposes a storage medium on which a malicious act detection program is stored; when executed by a processor, the malicious act detection program implements the steps of the detection method for malicious acts described above.
In addition, to achieve the above object, the present invention also proposes a detection device for malicious acts, the detection device comprising:
A traffic detection module, for obtaining traffic to be detected;
A feature extraction module, for extracting from the traffic to be detected the traffic features corresponding to each preset feature type, the preset feature types being feature types corresponding to malicious file download behavior;
A behavior detection module, for detecting malicious file download behavior in the traffic features by means of a preset behavior detection model.
In the present invention, traffic to be detected is obtained; the traffic features corresponding to each preset feature type are extracted from the traffic to be detected, the preset feature types being feature types corresponding to malicious file download behavior; and malicious file download behavior is detected in the traffic features by means of a preset behavior detection model. Because multi-dimensional preset feature types are set in advance, and these fixed feature types are used to analyze whether the file download behavior contained in the monitored traffic is malicious file download behavior, the accuracy of detecting malicious file download behavior is improved, which solves the technical problem that malicious file download behavior cannot be detected accurately.
Brief description of the drawings
Fig. 1 is a schematic diagram of the user equipment structure of the hardware operating environment involved in the embodiments of the present invention;
Fig. 2 is a flow diagram of the first embodiment of the detection method for malicious acts of the present invention;
Fig. 3 is a flow diagram of the second embodiment of the detection method for malicious acts of the present invention;
Fig. 4 is a flow diagram of the third embodiment of the detection method for malicious acts of the present invention;
Fig. 5 is a behavior detection flow chart of the third embodiment of the detection method for malicious acts of the present invention;
Fig. 6 is a structural block diagram of the first embodiment of the detection device for malicious acts of the present invention.
The realization of the object, the functions and the advantages of the present invention are further described in the embodiments with reference to the accompanying drawings.
Detailed description of the embodiments
It should be understood that the specific embodiments described herein merely illustrate the present invention and are not intended to limit it.
Referring to Fig. 1, Fig. 1 is a schematic diagram of the user equipment structure of the hardware operating environment involved in the embodiments of the present invention.
As shown in Fig. 1, the user equipment may include: a processor 1001, such as a central processing unit (Central Processing Unit, CPU), a communication bus 1002, a user interface 1003, a network interface 1004 and a memory 1005. The communication bus 1002 provides the connection and communication between these components. The user interface 1003 may include a display screen (Display); optionally, the user interface 1003 may also include standard wired and wireless interfaces, and in the present invention the wired interface of the user interface 1003 may be a universal serial bus (Universal Serial Bus, USB) interface. The network interface 1004 may optionally include standard wired and wireless interfaces (such as a WI-FI interface). The memory 1005 may be a high-speed random access memory (Random Access Memory, RAM); it may also be a stable memory, for example a non-volatile memory (Non-volatile Memory), specifically a magnetic disk storage. The memory 1005 may optionally also be a storage device independent of the aforementioned processor 1001.
Those skilled in the art will understand that the structure shown in Fig. 1 does not limit the user equipment, which may include more or fewer components than illustrated, combine certain components, or arrange the components differently.
As shown in Fig. 1, the memory 1005, as a kind of computer storage medium, may contain an operating system, a network communication module, a user interface module and the malicious act detection program.
In the user equipment shown in Fig. 1, the network interface 1004 is mainly used to connect to a background server and exchange data with it; the user interface 1003 is mainly used to connect peripherals. The user equipment calls, through the processor 1001, the malicious act detection program stored in the memory 1005 and performs the following operations:
Obtaining traffic to be detected;
Extracting, from the traffic to be detected, the traffic features corresponding to each preset feature type, the preset feature types being feature types corresponding to malicious file download behavior;
Detecting malicious file download behavior in the traffic features by means of a preset behavior detection model.
Further, the processor 1001 may call the malicious act detection program stored in the memory 1005 and also perform the following operations:
Obtaining malicious access traffic samples that contain malicious file download behavior;
Extracting access features from the malicious access traffic samples;
Building the preset behavior detection model from the access features.
Further, the processor 1001 may call the malicious act detection program stored in the memory 1005 and also perform the following operations:
Extracting HyperText Transfer Protocol (HTTP) traffic from the malicious access traffic samples;
Correspondingly, the following operation is also performed:
Extracting the access features from the HTTP traffic.
Further, the processor 1001 may call the malicious act detection program stored in the memory 1005 and also perform the following operation:
Training a first preset decision tree algorithm with the access features to obtain the preset behavior detection model.
Further, the processor 1001 may call the malicious act detection program stored in the memory 1005 and also perform the following operations:
Obtaining a preset traversal order of the traffic features;
Traversing the traffic features based on the preset traversal order, taking the traffic feature whose feature type is the target feature type as the traffic feature to be processed, determining the behavior judgment criterion corresponding to the target feature type, and detecting malicious file download behavior in the traffic feature to be processed based on the behavior judgment criterion.
Further, the processor 1001 may call the malicious act detection program stored in the memory 1005 and also perform the following operations:
Determining, based on a second preset decision tree algorithm, the priority corresponding to each preset feature type according to the information gain corresponding to that preset feature type;
Forming the preset traversal order from the priorities.
Further, the processor 1001 may call the malicious act detection program stored in the memory 1005 and also perform the following operations:
Reading the download file format type as ordered in the preset traversal order, and traversing the traffic features based on the preset traversal order;
Taking the traffic feature whose feature type is the download file format type as the traffic feature to be processed, determining the behavior judgment criterion corresponding to the download file format type, and detecting malicious file download behavior in the traffic feature to be processed based on the behavior judgment criterion.
In this embodiment, traffic to be detected is obtained; the traffic features corresponding to each preset feature type are extracted from the traffic to be detected, the preset feature types being feature types corresponding to malicious file download behavior; and malicious file download behavior is detected in the traffic features by means of a preset behavior detection model. Because multi-dimensional preset feature types are set in advance, and these fixed feature types are used to analyze whether the file download behavior contained in the monitored traffic is malicious file download behavior, the accuracy of detecting malicious file download behavior is improved, which solves the technical problem that malicious file download behavior cannot be detected accurately.
Based on the above hardware structure, embodiments of the detection method for malicious acts of the present invention are proposed.
Referring to Fig. 2, Fig. 2 is a flow diagram of the first embodiment of the detection method for malicious acts of the present invention.
In the first embodiment, the detection method for malicious acts comprises the following steps:
Step S10: obtaining traffic to be detected.
It should be understood that conventional security measures can be analyzed first. For example, when an intranet sandbox, an anti-virus appliance, a firewall and similar components are deployed to guard against the malicious intrusion process, they mostly monitor the files downloaded over the network and then selectively scan and remove the monitored files; when antivirus software is deployed, it mostly waits until the malicious program has been downloaded to the attacked server's local storage and then scans and removes it directly. However, when conventional security measures scan for and remove malicious programs, files may be removed by mistake or missed; moreover, some viruses may have anti-removal capabilities, so a high removal success rate cannot be achieved.
In a concrete implementation, this embodiment keeps the removal success rate at a high level by improving the accuracy of detecting malicious file download behavior, and at the same time reduces the probability of mistaken or missed removals.
It is understood that the executing subject of this embodiment is the user equipment, which may be a server or a personal computer. If the user equipment is server A, the information exchanged between server A and the network or other devices can first be intercepted. This exchanged information is the process information between data requests and request responses, and it may serve as the traffic to be detected here.
Step S20: extracting, from the traffic to be detected, the traffic features corresponding to each preset feature type, the preset feature types being feature types corresponding to malicious file download behavior.
It is understood that after the traffic to be detected has been intercepted, the request type of a data request in that traffic may be a file download request, and the file to be downloaded by this request may be a malicious file or a normal file. The traffic to be detected may or may not contain the file to be downloaded itself.
In a concrete implementation, in order to judge more accurately whether malicious file download behavior exists in the traffic to be detected, in other words whether there is a data request for a malicious file to be downloaded together with the corresponding request response, preset feature types that can effectively identify malicious file download behavior may be specified in advance. The preset feature types include at least one of: download file format type, download filename length, download path depth, number of HyperText Transfer Protocol (HTTP) header fields, location of the download Internet Protocol (IP) address, download filename type, and the HTTP header Referer field.
It should be noted that if the preset feature types at this point are download file format type and download filename length, the extracted traffic features will include the traffic feature corresponding to download file format type and the traffic feature corresponding to download filename length.
Step S30: detecting malicious file download behavior in the traffic features by means of a preset behavior detection model.
In a concrete implementation, after the traffic features have been extracted, the preset behavior detection model can judge whether the file to be downloaded in the file download behavior represented by the traffic features is a malicious file or a normal file. If it is a malicious file, the file download behavior is deemed to be malicious file download behavior; if it is a normal file, the file download behavior is deemed to be normal file download behavior.
In this embodiment, traffic to be detected is obtained; the traffic features corresponding to each preset feature type are extracted from the traffic to be detected, the preset feature types being feature types corresponding to malicious file download behavior; and malicious file download behavior is detected in the traffic features by means of a preset behavior detection model. Because multi-dimensional preset feature types are set in advance, and these fixed feature types are used to analyze whether the file download behavior contained in the monitored traffic is malicious file download behavior, the accuracy of detecting malicious file download behavior is improved, which solves the technical problem that malicious file download behavior cannot be detected accurately.
Referring to Fig. 3, Fig. 3 is a flow diagram of the second embodiment of the detection method for malicious acts of the present invention; the second embodiment is proposed on the basis of the first embodiment shown in Fig. 2.
In the second embodiment, before step S10, the detection method for malicious acts further comprises:
Step S01: obtaining malicious access traffic samples that contain malicious file download behavior.
It is understood that the malicious access traffic samples can be prepared in advance; the samples can be collected beforehand or produced by automatically generated test cases, and are used to build the model.
Step S02: extracting access features from the malicious access traffic samples.
It should be understood that the access features corresponding to each preset feature type can be extracted from malicious access traffic samples that are known to contain malicious file download behavior.
Step S03: building the preset behavior detection model from the access features.
It is understood that once the access features actually contained in the malicious access traffic samples have been obtained, a preset behavior detection model that can accurately determine whether a file download behavior is malicious file download behavior can be built from those access features.
Further, after step S01, the detection method for malicious acts further comprises:
Extracting HTTP traffic from the malicious access traffic samples;
The extracting of access features from the malicious access traffic samples specifically comprises:
Extracting the access features from the HTTP traffic.
In a concrete implementation, to make model building more efficient, the HTTP traffic can first be filtered out of the malicious access traffic samples initiated by malicious attackers, and the access features used to build the model are then extracted from that HTTP traffic.
Further, the building of the preset behavior detection model from the access features specifically comprises:
Training a first preset decision tree algorithm with the access features to obtain the preset behavior detection model.
It should be understood that the preset behavior detection model is built by the first preset decision tree algorithm, which is a supervised-learning decision tree (Decision Tree) algorithm. The first preset decision tree algorithm is trained with the access features as input samples, induces the regularities in the access features, and determines the data characteristics present when malicious file download behavior occurs. The result of training is a working model resembling a binary tree, and this model can be used as the preset behavior detection model here.
In a concrete implementation, for example, if the preset feature types include at least one of download file format type, download filename length, download path depth, number of HTTP header fields, download IP address location, download filename type and the HTTP header Referer field, then the preset behavior detection model contains the prescribed ranges for these preset feature types. Each traffic feature in the traffic to be detected can be checked one by one against the prescribed range of its preset feature type, and whether the file download behavior is malicious file download behavior is decided according to whether the ranges are met.
In this embodiment, the preset behavior detection model is trained with a decision tree algorithm, and the trained model is then used to detect malicious file download behavior, which greatly increases the accuracy of the judgment result.
Referring to Fig. 4, Fig. 4 is a flow diagram of the third embodiment of the detection method for malicious acts of the present invention. The third embodiment can be based on the first embodiment shown in Fig. 2 or the second embodiment shown in Fig. 3; here it is proposed on the basis of the first embodiment shown in Fig. 2.
In the third embodiment, step S30 specifically comprises:
Step S301: obtaining the preset traversal order of the traffic features.
It is understood that the preset feature types include at least one of download file format type, download filename length, download path depth, number of HTTP header fields, download IP address location, download filename type and the HTTP header Referer field, and that the preset traversal order is made up of the preset feature types arranged in a certain order.
Step S302: traversing the traffic features based on the preset traversal order, taking the traffic feature whose feature type is the target feature type as the traffic feature to be processed, determining the behavior judgment criterion corresponding to the target feature type, and detecting malicious file download behavior in the traffic feature to be processed based on the behavior judgment criterion.
It should be understood that if the preset feature types in the preset traversal order are arranged, from head to tail, as "download file format type, download filename length, download path depth, number of HTTP header fields, download IP address location, download filename type and HTTP header Referer field", the download file format type can be the target feature type. The traffic feature corresponding to the download file format type is traversed first: the behavior judgment criterion corresponding to the download file format type is read, and it is judged whether the traffic feature meets that criterion. Next, the traffic feature corresponding to the download filename length is traversed: the behavior judgment criterion corresponding to the download filename length is read, and it is judged whether the traffic feature meets that criterion, and so on. Multiple judgment results are obtained, and whether malicious file download behavior exists can be determined from these judgment results.
In addition, the default characteristic type includes downloading file format type, downloading filename length, download path depth
In degree, HTTP header Field Count, downloading IP address ownership place, downloading filename type and HTTP header referer field
At least one of.
In a specific implementation, the download file format type refers to the format type of the downloaded file. If the downloaded file is a malicious file, also called a virus file, the format type of the virus file is commonly the Portable Executable (PE) format or a script format. The download filename length refers to the length of the filename of the downloaded file; for example, if the downloaded file is "www.abcd.com/1.exe", the domain name can first be removed from the filename, so that the filename after removing the domain name is "1.exe", and the download filename length is considered to be 1. The download path depth refers to the folder depth of the download path; for example, if the download path is "www.abcd.com/1.exe", its folder depth is 1 level, and if the download path is "www.abcd.com/down/1.exe", its folder depth is 2 levels.
It can be understood that the number of HTTP header fields is introduced into the detection of malicious file download behavior because standard HTTP traffic usually contains many fields, whereas a download performed by a malicious program usually contains fewer. The download IP address location is introduced because a location abroad is considered more suspicious. The download filename type refers to judging "whether a word is present in the filename of the downloaded file"; for example, if the filename of the downloaded file is "www.abcd.com/word.exe", the word "word" can be found in it. The HTTP header referer field is introduced because maliciously downloaded script files often have no referer field.
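As an added illustration (not code from the patent), the Python below derives six of the seven feature types defined above from a raw HTTP request, following the page's own conventions: "1.exe" has filename length 1 and "www.abcd.com/down/1.exe" has path depth 2. The extension-to-format table, the small word list and the sample requests are assumptions constructed for the example; IP address location is left out because it needs external geolocation data.

```python
import posixpath
import re
from urllib.parse import urlsplit

# Assumed extension-to-format mapping; the page only names PE, script and Word formats.
FORMAT_BY_EXT = {
    ".exe": "PE", ".dll": "PE", ".scr": "PE",
    ".js": "script", ".vbs": "script", ".ps1": "script", ".bat": "script",
    ".doc": "Word", ".docx": "Word",
}
# Constructed stand-in for a real dictionary behind the "filename contains a word" feature.
WORDS = {"word", "report", "setup", "update", "invoice"}

# Constructed sample requests (not captured traffic); the host comes from the page's examples.
SAMPLE_EXE_REQUEST = "\r\n".join([
    "GET /down/1.exe HTTP/1.1",
    "Host: www.abcd.com",
    "", "",
])
SAMPLE_DOC_REQUEST = "\r\n".join([
    "GET /docs/2019/report.docx?v=3 HTTP/1.1",
    "Host: www.abcd.com",
    "User-Agent: ExampleBrowser/1.0",
    "Accept: */*",
    "Referer: http://www.abcd.com/docs/",
    "Accept-Language: en",
    "", "",
])


def parse_request(raw):
    """Split a raw HTTP request into (method, target, [(header_name, value), ...])."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = [line for line in head.split("\n") if line.strip()]
    if not lines:
        raise ValueError("empty request")
    parts = lines[0].split()
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        raise ValueError("malformed request line")
    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed header line: %r" % line)
        headers.append((name.strip().lower(), value.strip()))
    return parts[0], parts[1], headers


def extract_features(raw):
    """Return the per-request traffic features described in the text above."""
    _method, target, headers = parse_request(raw)
    path = urlsplit(target).path                 # drops the domain, ?query and #fragment
    segments = [s for s in path.split("/") if s]
    filename = segments[-1] if segments else ""
    stem, ext = posixpath.splitext(filename)     # "1.exe" -> ("1", ".exe")
    tokens = re.findall(r"[a-z]+", stem.lower())
    return {
        "file_format": FORMAT_BY_EXT.get(ext.lower(), "other"),
        "filename_length": len(stem),            # length without extension, as in "1.exe" -> 1
        "path_depth": len(segments),             # folders plus the file, as in /down/1.exe -> 2
        "header_count": len(headers),
        "filename_has_word": any(t in WORDS for t in tokens),
        "has_referer": any(name == "referer" for name, _ in headers),
    }


if __name__ == "__main__":
    for sample in (SAMPLE_EXE_REQUEST, SAMPLE_DOC_REQUEST):
        print(extract_features(sample))
```

Each returned value is one traffic feature; the behavior criteria that a feature is compared against are learned or configured separately and are not part of this block.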
Further, before step S301, the malicious behavior detection method further includes:
determining, based on a second preset decision tree algorithm, the priority corresponding to each preset feature type according to the information gain corresponding to that preset feature type;
forming the preset traversal order from the priorities.
It should be noted that the second preset decision tree algorithm here and the first preset decision tree algorithm mentioned earlier may be the same decision tree algorithm.
It should be understood that the ordering of the preset feature types in the preset traversal order can be determined by information gain. Entropy represents the uncertainty of a random variable, conditional entropy represents the uncertainty of the random variable under a given condition, and information gain is the difference between entropy and conditional entropy, representing the degree to which information uncertainty is reduced under that condition. Information gain can therefore characterize the degree of direct or indirect influence that a preset feature type has on the detection result, so the priority corresponding to a preset feature type can be determined from the information gain of that preset feature type.
In a specific implementation, for example, if the information gain of the download file format type is relatively large, the priority of the download file format type can be set to level one, that is, the download file format type is placed first in the preset traversal order; if the information gain of the download filename length comes next, the priority of the download filename length can be set to level two, that is, the download filename length is placed second in the preset traversal order.
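The ranking step described above, as an added Python example that is not taken from the patent: it computes the information gain IG = H(Y) - H(Y|X) of each feature type over labelled samples and sorts the feature types into a traversal order. The eight labelled rows are constructed for the example (chosen so that file format ranks first and filename length second, as in the text), and bucketing filename length into "short"/"long" is an assumption, since information gain as computed here needs discrete values.

```python
from collections import Counter, defaultdict
from math import log2

# Constructed, labelled feature rows (not data from the patent): True = malicious download.
SAMPLES = [
    ({"file_format": "PE", "filename_length": "short", "has_referer": False, "filename_has_word": True}, True),
    ({"file_format": "PE", "filename_length": "short", "has_referer": False, "filename_has_word": False}, True),
    ({"file_format": "script", "filename_length": "short", "has_referer": False, "filename_has_word": True}, True),
    ({"file_format": "script", "filename_length": "long", "has_referer": True, "filename_has_word": False}, True),
    ({"file_format": "Word", "filename_length": "long", "has_referer": True, "filename_has_word": True}, False),
    ({"file_format": "Word", "filename_length": "long", "has_referer": True, "filename_has_word": False}, False),
    ({"file_format": "Word", "filename_length": "long", "has_referer": True, "filename_has_word": True}, False),
    ({"file_format": "PE", "filename_length": "long", "has_referer": False, "filename_has_word": False}, False),
]


def entropy(labels):
    """Shannon entropy H(Y) in bits of a list of class labels."""
    total = len(labels)
    return -sum(c / total * log2(c / total) for c in Counter(labels).values())


def information_gain(samples, feature):
    """H(Y) - H(Y | feature): how much knowing the feature reduces label uncertainty."""
    labels = [label for _, label in samples]
    groups = defaultdict(list)
    for features, label in samples:
        groups[features[feature]].append(label)
    conditional = sum(len(g) / len(labels) * entropy(g) for g in groups.values())
    return entropy(labels) - conditional


def rank_features(samples):
    """Return (traversal_order, gains): feature types sorted by descending information gain."""
    if not samples:
        raise ValueError("need at least one labelled sample")
    names = sorted(samples[0][0])
    gains = {name: information_gain(samples, name) for name in names}
    # Ties are broken by name so the order is deterministic.
    order = sorted(names, key=lambda name: (-gains[name], name))
    return order, gains


if __name__ == "__main__":
    order, gains = rank_features(SAMPLES)
    for priority, name in enumerate(order, start=1):
        print("priority %d: %-18s gain=%.4f" % (priority, name, gains[name]))
```

A feature with zero gain, such as `filename_has_word` in this constructed set, carries no information about the label and ends up last in the order.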
Further, the step of traversing the traffic features based on the preset traversal order, taking the traffic feature whose feature type is the target feature type as the traffic feature to be processed, determining the behavior criterion corresponding to the target feature type, and detecting malicious file download behavior on the traffic feature to be processed based on the behavior criterion, specifically includes:
reading the download file format type ranked in sequence in the preset traversal order, and traversing the traffic features based on the preset traversal order;
taking the traffic feature whose feature type is the download file format type as the traffic feature to be processed, determining the behavior criterion corresponding to the download file format type, and detecting malicious file download behavior on the traffic feature to be processed based on the behavior criterion.
In a specific implementation, if the first item in the preset traversal order is the download file format type, the traffic feature corresponding to the download file format type can be traversed first. This traffic feature may be "script format"; if the standard formats in the behavior criterion corresponding to the download file format type do not include "script format", the file download behavior corresponding to the traffic to be detected can be identified as malicious file download behavior.
Of course, if the traffic feature is "Word format" and the standard formats in the corresponding behavior criterion include "Word format", the file download behavior corresponding to the traffic to be detected can be identified as normal file download behavior.
Further, referring also to Fig. 5, Fig. 5 provides a detection approach that comprehensively detects file download behavior using preset feature types of 7 dimensions. In Fig. 5, the behavior criterion corresponding to the download file format type is denoted the first behavior criterion, the behavior criterion corresponding to the download filename length is denoted the second behavior criterion, the behavior criterion corresponding to the download path depth is denoted the third behavior criterion, the behavior criterion corresponding to the number of HTTP header fields is denoted the fourth behavior criterion, the behavior criterion corresponding to the download IP address location is denoted the fifth behavior criterion, the behavior criterion corresponding to the download filename type (i.e. whether the download filename is a word) is denoted the sixth behavior criterion, and the behavior criterion corresponding to the HTTP header referer field is denoted the seventh behavior criterion.
If the traffic feature corresponding to the download file format type meets the first behavior criterion, the file download behavior corresponding to the traffic to be detected is identified as normal file download behavior; if the traffic feature corresponding to the download file format type does not meet the first behavior criterion, it is then judged whether the traffic feature corresponding to the download filename length meets the second behavior criterion. If the traffic feature corresponding to the download filename length meets the second behavior criterion, it is judged whether the traffic feature corresponding to the download path depth meets the third behavior criterion; if the traffic feature corresponding to the download filename length does not meet the second behavior criterion, it is judged whether the traffic feature corresponding to the download filename type meets the sixth behavior criterion, and so on. In Fig. 5, Y indicates that the criterion is met and N indicates that it is not; "normal" in Fig. 5 indicates a determination of normal file download behavior, and "malicious" indicates a determination of malicious file download behavior.
In this embodiment, the traversal priority of each preset feature type is determined based on information gain, and behavior detection is performed using this traversal priority, which further improves detection efficiency and detection accuracy.
In addition, an embodiment of the present invention further provides a storage medium on which a malicious behavior detection program is stored; when executed by a processor, the malicious behavior detection program implements the following operations:
obtaining traffic to be detected;
extracting, from the traffic to be detected, the traffic features respectively corresponding to each preset feature type, the preset feature types being feature types corresponding to malicious file download behavior;
detecting malicious file download behavior on the traffic features by means of a preset behavior detection model.
Further, when executed by the processor, the malicious behavior detection program also implements the following operations:
obtaining a malicious access traffic sample that contains malicious file download behavior;
extracting access features from the malicious access traffic sample;
establishing the preset behavior detection model according to the access features.
Further, when executed by the processor, the malicious behavior detection program also implements the following operation:
extracting Hypertext Transfer Protocol (HTTP) traffic from the malicious access traffic sample;
correspondingly, the following operation is also implemented:
extracting the access features from the HTTP traffic.
Further, when executed by the processor, the malicious behavior detection program also implements the following operation:
training a first preset decision tree algorithm with the access features to obtain the preset behavior detection model.
Further, when executed by the processor, the malicious behavior detection program also implements the following operations:
obtaining the preset traversal order of the traffic features;
traversing the traffic features based on the preset traversal order, taking the traffic feature whose feature type is the target feature type as the traffic feature to be processed, determining the behavior criterion corresponding to the target feature type, and detecting malicious file download behavior on the traffic feature to be processed based on the behavior criterion.
Further, when executed by the processor, the malicious behavior detection program also implements the following operations:
determining, based on a second preset decision tree algorithm, the priority corresponding to each preset feature type according to the information gain corresponding to that preset feature type;
forming the preset traversal order from the priorities.
Further, when executed by the processor, the malicious behavior detection program also implements the following operations:
reading the download file format type ranked in sequence in the preset traversal order, and traversing the traffic features based on the preset traversal order;
taking the traffic feature whose feature type is the download file format type as the traffic feature to be processed, determining the behavior criterion corresponding to the download file format type, and detecting malicious file download behavior on the traffic feature to be processed based on the behavior criterion.
In this embodiment, traffic to be detected is obtained; the traffic features respectively corresponding to each preset feature type are extracted from the traffic to be detected, the preset feature types being feature types corresponding to malicious file download behavior; and malicious file download behavior is detected on the traffic features by means of a preset behavior detection model. Clearly, in this embodiment preset feature types of multiple dimensions are set in advance, and whether the file download behavior contained in the monitored traffic is malicious file download behavior is analyzed through these fixed preset feature types, which improves the accuracy of detecting malicious file download behavior and solves the technical problem that malicious file download behavior cannot be detected accurately.
In addition, referring to Fig. 6, an embodiment of the present invention further provides a malicious behavior detection apparatus, which includes:
a traffic detection module 10, configured to obtain traffic to be detected.
It should be understood that conventional security measures can be analyzed first. For example, guarding against the malicious process by deploying components such as an intranet sandbox, an anti-virus box and a firewall mostly means monitoring the files downloaded from the network and then selectively scanning and removing the monitored files; guarding against the malicious process by deploying antivirus software mostly means waiting until the malicious program has been downloaded locally to the attacked server and then removing it directly. However, when removing malicious programs, conventional security measures may remove files by mistake or miss files that should be removed; moreover, some viruses may have anti-removal capabilities, so a high removal success rate cannot be achieved.
In a specific implementation, this embodiment keeps the removal success rate at a high level by improving the accuracy of detecting malicious file download behavior, while also reducing the probability of mistaken or missed removals.
It can be understood that the interaction information between the server and the accessed network or other devices can first be intercepted. The interaction information is the procedural information between a data request and the request feedback, and this interaction information may be the traffic to be detected here.
a feature extraction module 20, configured to extract, from the traffic to be detected, the traffic features respectively corresponding to each preset feature type, the preset feature types being feature types corresponding to malicious file download behavior.
It can be understood that, after the traffic to be detected is intercepted, the request type of a data request in the traffic to be detected may be a file download request, and the file to be downloaded by that file download request may be a malicious file or a normal file. The traffic to be detected may or may not contain the file to be downloaded.
In a specific implementation, in order to judge more accurately whether malicious file download behavior exists in the traffic to be detected, in other words whether there exists a data request for downloading a malicious file and the request feedback corresponding to that data request, preset feature types can be specified in advance; these preset feature types can effectively identify malicious file download behavior. The preset feature types include at least one of: download file format type, download filename length, download path depth, number of HyperText Transfer Protocol (HTTP) header fields, download Internet Protocol (IP) address location, download filename type, and the HTTP header referer field.
It should be noted that if the preset feature types at this point are the download file format type and the download filename length, the extracted traffic features will include the traffic feature corresponding to the download file format type and the traffic feature corresponding to the download filename length.
a behavior detection module 30, configured to detect malicious file download behavior on the traffic features by means of a preset behavior detection model.
In a specific implementation, after the traffic features are extracted, the preset behavior detection model can be used to judge whether the file to be downloaded in the file download behavior to which the traffic features belong is a malicious file or a normal file. If it is a malicious file, the file download behavior can be identified as malicious file download behavior; if it is a normal file, the file download behavior can be identified as normal file download behavior.
In this embodiment, traffic to be detected is obtained; the traffic features respectively corresponding to each preset feature type are extracted from the traffic to be detected, the preset feature types being feature types corresponding to malicious file download behavior; and malicious file download behavior is detected on the traffic features by means of a preset behavior detection model. Clearly, in this embodiment preset feature types of multiple dimensions are set in advance, and whether the file download behavior contained in the monitored traffic is malicious file download behavior is analyzed through these fixed preset feature types, which improves the accuracy of detecting malicious file download behavior and solves the technical problem that malicious file download behavior cannot be detected accurately.
In one embodiment, the malicious behavior detection apparatus further includes:
a model building module, configured to obtain a malicious access traffic sample that contains malicious file download behavior; extract access features from the malicious access traffic sample; and establish the preset behavior detection model according to the access features.
In one embodiment, the model building module is further configured to extract Hypertext Transfer Protocol (HTTP) traffic from the malicious access traffic sample;
the model building module is further configured to extract the access features from the HTTP traffic.
In one embodiment, the model building module is further configured to train a first preset decision tree algorithm with the access features to obtain the preset behavior detection model.
In one embodiment, the behavior detection module 30 is further configured to obtain the preset traversal order of the traffic features; traverse the traffic features based on the preset traversal order, take the traffic feature whose feature type is the target feature type as the traffic feature to be processed, determine the behavior criterion corresponding to the target feature type, and detect malicious file download behavior on the traffic feature to be processed based on the behavior criterion.
In one embodiment, the malicious behavior detection apparatus further includes:
an order establishing module, configured to determine, based on a second preset decision tree algorithm, the priority corresponding to each preset feature type according to the information gain corresponding to that preset feature type, and to form the preset traversal order from the priorities.
In one embodiment, the behavior detection module 30 is further configured to read the download file format type ranked in sequence in the preset traversal order and traverse the traffic features based on the preset traversal order; and to take the traffic feature whose feature type is the download file format type as the traffic feature to be processed, determine the behavior criterion corresponding to the download file format type, and detect malicious file download behavior on the traffic feature to be processed based on the behavior criterion.
For other embodiments or specific implementations of the malicious behavior detection apparatus of the present invention, reference may be made to the method embodiments above; details are not repeated here.
It should be noted that, in this document, the terms "include", "comprise" or any other variant thereof are intended to cover non-exclusive inclusion, so that a process, method, article or system that includes a series of elements includes not only those elements but also other elements not explicitly listed, or elements inherent to such a process, method, article or system. Without further limitation, an element defined by the phrase "including a ..." does not exclude the presence of additional identical elements in the process, method, article or system that includes the element.
The serial numbers of the above embodiments of the present invention are for description only and do not represent the relative merits of the embodiments. In a unit claim enumerating several devices, several of these devices may be embodied by one and the same item of hardware. The use of the words first, second, third and so on does not indicate any order; these words may be interpreted as names.
Through the description of the above embodiments, those skilled in the art can clearly understand that the methods of the above embodiments can be implemented by means of software plus the necessary general-purpose hardware platform, and of course also by hardware, but in many cases the former is the better implementation. Based on this understanding, the technical solution of the present invention in essence, or the part contributing to the prior art, can be embodied in the form of a software product; the computer software product is stored in a storage medium (such as read-only memory, RAM, magnetic disk or optical disc) and includes several instructions that cause a terminal device (which may be a mobile phone, computer, server, air conditioner, network device, etc.) to execute the methods described in the embodiments of the present invention.
The above are only preferred embodiments of the present invention and do not limit the patent scope of the invention; any equivalent structure or equivalent process transformation made using the contents of the specification and drawings of the present invention, or any direct or indirect application in other related technical fields, is likewise included within the scope of patent protection of the present invention.
Claims (10)
1. A malicious behavior detection method, characterized in that the malicious behavior detection method comprises the following steps:
obtaining traffic to be detected;
extracting, from the traffic to be detected, the traffic features respectively corresponding to each preset feature type, the preset feature types being feature types corresponding to malicious file download behavior;
detecting malicious file download behavior on the traffic features by means of a preset behavior detection model.
2. The malicious behavior detection method according to claim 1, characterized in that, before the obtaining of the traffic to be detected, the malicious behavior detection method further comprises:
obtaining a malicious access traffic sample that contains malicious file download behavior;
extracting access features from the malicious access traffic sample;
establishing the preset behavior detection model according to the access features.
3. The malicious behavior detection method according to claim 2, characterized in that, after the obtaining of the malicious access traffic sample that contains malicious file download behavior, the malicious behavior detection method further comprises:
extracting Hypertext Transfer Protocol (HTTP) traffic from the malicious access traffic sample;
the extracting of access features from the malicious access traffic sample specifically comprises:
extracting the access features from the HTTP traffic.
4. The malicious behavior detection method according to claim 2, characterized in that the establishing of the preset behavior detection model according to the access features specifically comprises:
training a first preset decision tree algorithm with the access features to obtain the preset behavior detection model.
5. The malicious behavior detection method according to any one of claims 1 to 4, characterized in that the detecting of malicious file download behavior on the traffic features by means of the preset behavior detection model specifically comprises:
obtaining the preset traversal order of the traffic features;
traversing the traffic features based on the preset traversal order, taking the traffic feature whose feature type is the target feature type as the traffic feature to be processed, determining the behavior criterion corresponding to the target feature type, and detecting malicious file download behavior on the traffic feature to be processed based on the behavior criterion.
6. The malicious behavior detection method according to claim 5, characterized in that, before the obtaining of the preset traversal order of the traffic features, the malicious behavior detection method further comprises:
determining, based on a second preset decision tree algorithm, the priority corresponding to each preset feature type according to the information gain corresponding to that preset feature type;
forming the preset traversal order from the priorities.
7. The malicious behavior detection method according to claim 5, characterized in that the traversing of the traffic features based on the preset traversal order, taking the traffic feature whose feature type is the target feature type as the traffic feature to be processed, determining the behavior criterion corresponding to the target feature type, and detecting malicious file download behavior on the traffic feature to be processed based on the behavior criterion, specifically comprises:
reading the download file format type ranked in sequence in the preset traversal order, and traversing the traffic features based on the preset traversal order;
taking the traffic feature whose feature type is the download file format type as the traffic feature to be processed, determining the behavior criterion corresponding to the download file format type, and detecting malicious file download behavior on the traffic feature to be processed based on the behavior criterion.
8. A user equipment, characterized in that the user equipment comprises: a memory, a processor, and a malicious behavior detection program stored on the memory and executable on the processor, wherein the malicious behavior detection program, when executed by the processor, implements the steps of the malicious behavior detection method according to any one of claims 1 to 7.
9. A storage medium, characterized in that a malicious behavior detection program is stored on the storage medium, and the malicious behavior detection program, when executed by a processor, implements the steps of the malicious behavior detection method according to any one of claims 1 to 7.
10. A malicious behavior detection apparatus, characterized in that the malicious behavior detection apparatus comprises:
a traffic detection module, configured to obtain traffic to be detected;
a feature extraction module, configured to extract, from the traffic to be detected, the traffic features respectively corresponding to each preset feature type, the preset feature types being feature types corresponding to malicious file download behavior;
a behavior detection module, configured to detect malicious file download behavior on the traffic features by means of a preset behavior detection model.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910720423.3A CN110336835B (en) | 2019-08-05 | 2019-08-05 | Malicious behavior detection method, user equipment, storage medium and device |
Publications (2)
Publication Number | Publication Date |
---|---|
CN110336835A true CN110336835A (en) | 2019-10-15 |
CN110336835B CN110336835B (en) | 2021-10-19 |
Family
ID=68148596
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201910720423.3A Active CN110336835B (en) | 2019-08-05 | 2019-08-05 | Malicious behavior detection method, user equipment, storage medium and device |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN110336835B (en) |
Also Published As
Publication number | Publication date |
---|---|
CN110336835B (en) | 2021-10-19 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN110336835A (en) | | Detection method, user equipment, storage medium and the device of malicious act |
US10534906B1 (en) | | Detection efficacy of virtual machine-based analysis with application specific events |
US20230074151A1 (en) | | Multi-representational learning models for static analysis of source code |
CN103617395B (en) | | Method, device and system for intercepting advertisement programs based on cloud security |
CN103634306B (en) | | The safety detection method and safety detection server of network data |
CN107659583B (en) | | Method and system for detecting attack in fact |
CN102694817B (en) | | The whether abnormal method of the network behavior of a kind of recognizer, Apparatus and system |
US10417420B2 (en) | | Malware detection and classification based on memory semantic analysis |
EP3726410B1 (en) | | Interpretation device, interpretation method and interpretation program |
CN112685737A (en) | | APP detection method, device, equipment and storage medium |
CN108664793B (en) | | Method and device for detecting vulnerability |
Shabtai et al. | | F-sign: Automatic, function-based signature generation for malware |
CN106357689A (en) | | Method and system for processing threat data |
US20040030931A1 (en) | | System and method for providing enhanced network security |
Luoshi et al. | | A3: automatic analysis of android malware |
US20230418943A1 (en) | | Method and device for image-based malware detection, and artificial intelligence-based endpoint detection and response system using same |
CN113158197B (en) | | SQL injection vulnerability detection method and system based on active IAST |
Djanali et al. | | SQL injection detection and prevention system with raspberry Pi honeypot cluster for trapping attacker |
KR101781780B1 (en) | | System and Method for detecting malicious websites fast based multi-server, multi browser |
JP4309102B2 (en) | | Illegal command / data detection method, illegal command / data detection method, and illegal command / data detection program |
CN115001789B (en) | | Method, device, equipment and medium for detecting collapse equipment |
CN109951484A (en) | | The test method and system attacked for machine learning product |
Takata et al. | | Website forensic investigation to identify evidence and impact of compromise |
Chen et al. | | Detecting mobile application malicious behaviors based on data flow of source code |
CN108197475A (en) | | A kind of malice so modules detection method and relevant apparatus |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| GR01 | Patent grant | |
GR01 | Patent grant |