CN111224933A - Method for simulating embezzlement sensitive data perception latent APT attack - Google Patents
Method for simulating embezzlement sensitive data perception latent APT attack Download PDFInfo
- Publication number
- CN111224933A CN111224933A CN201911020563.6A CN201911020563A CN111224933A CN 111224933 A CN111224933 A CN 111224933A CN 201911020563 A CN201911020563 A CN 201911020563A CN 111224933 A CN111224933 A CN 111224933A
- Authority
- CN
- China
- Prior art keywords
- sequence
- data
- latent
- real
- apt
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1425—Traffic logging, e.g. anomaly detection
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1416—Event detection, e.g. attack signature detection
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1441—Countermeasures against malicious traffic
- H04L63/145—Countermeasures against malicious traffic the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms
Abstract
The invention discloses a method for simulating embezzlement sensitive data perception latent APT attack, which comprises the following steps: building a data model, and generating a characteristic sequence A [ a ] by using a system log1,a2,...ai,...an]Wherein a isiIs the ith sequence; analyzing data flow fluctuation to generate flow sequence B [ B ]1,b2,...bi,...bn]Wherein b isiIs the ith sequence; matching the characteristic sequence with the flow sequence to generate a normal sequence library; releasing viruses simulating data stealing to obtain a virus characteristic diagram and monitoring a real-time sequence of a system; and calculating the relative difference degree of the real-time sequence and the normal sequence, and comparing the relative difference degree with a threshold value to judge whether the system has latent APT. The invention has the advantages that virus is released to simulate stealing sensitive data, then the real-time characteristic sequence of the system is matched with the normal characteristic sequence, the relative difference degree is calculated and compared with the threshold value, and whether the latent property aiming at stealing data possibly exists in the system is sensedAnd the sensitivity and accuracy of the latent APT of the detection system are improved by the APT attack.
Description
Technical Field
The invention relates to the technical field of computer network security, in particular to a method for simulating an Advanced Persistent Attack (APT) attack by embezzling sensitive data.
Technical Field
APT does not refer to a particular virus, but rather hackers use advanced means to conduct long-term, persistent cyber attacks on targets, usually high-value businesses, government agencies, and sensitive information. After the prism door event outbreak, china has been identified as one of the major countries suffering from network attacks. According to the research report of '2017 China Advanced Persistent Threat (APT) issued by a 360-threat information center', as long as 12 months end in 2017, 38 APT organizations inside and outside the country, which are accumulatively monitored by the 360-threat information center and aim at the targets in China to attack, are shown, and the attack actions initiated by the APT organizations in the whole year in 2017 at least influence over ten thousand computers in China, the attack range extends over 31 provincial administrative regions in China, wherein the proportion of the government organization in the attack targets is 50%, and the APT seriously threatens the information security of the national important organization. In addition, in the HighLevel network operational principle of the U.S. department of defense, it is explicitly pointed out that detection and defense against APT attack behavior are a crucial part of the overall risk management chain. In recent years, advanced persistent threat attack events continuously appear, the remarkable characteristic is persistence, usually for years, and the specific characteristics are that various attack means are continuously sought, long-term hibernation is realized after the attack means slowly permeate into an internal network, authority is continuously promoted in the network, various information is continuously collected until important information is obtained.
Because APT is hidden and can be hidden in a computer system for years without being perceived, the traditional intrusion detection method, such as firewall, IDS product, etc., can hardly detect the latent APT. The final target of the APT attack is valuable data, the network and the system are not damaged, the current model and algorithm for sensing and detecting the APT attack generally have the defect of low sensitivity, meanwhile, the data cannot be matched according to the environmental characteristics, and the difficulty in extracting the characteristic value is high.
Disclosure of Invention
In order to improve the sensing accuracy and sensitivity of the existing APT detection method, the invention provides a method for simulating the perception of latent APT attack by stealing sensitive data, which judges the APT attack by simulating the reaction of a system after stealing the sensitive data of the system.
The technical scheme for realizing the purpose of the invention is as follows: a method of simulating a theft sensitive data aware latent APT attack, comprising the steps of:
1) establishing a data environment consisting of second-order arrays generated by random arrays, and performing labeling compilation sequence A [ a ] on data sources in the data environment1,a2,...ai,...an]Wherein a isiIs the ith sequence, and utilizes the system log to restore, extract and screen the tagged sequence A [ a ]1,a2,...ai,...an]Carrying out data annotation based on an attribute value extraction method of a neural network to generate a characteristic sequence A and form a data model; wherein;
2) setting a plurality of data source sending targets, establishing data channels with the data sources in the data environment, compiling a code for each channel, and serializing all code records to form a data set Bb1,b2,...bi,...bn]Wherein b isiFor the ith sequence, analyzing data flow fluctuation by a flow analyzer and a KTAM to generate a flow sequence B;
3) performing combined calculation on the sequence A and the sequence B, matching, finding out the same characteristic values of the sequence A and the sequence B by using a TF-IDF algorithm, generating respective characteristic vectors of the sequence A and the sequence B, calculating cosine similarity of the two characteristic vectors, indicating that the larger the value is, the more similar the value is, sequencing according to the size of cosine values to obtain an AB combined characteristic library, and taking the AB combined characteristic library as a normal sequence library of a system;
4) each vector data is provided with a timestamp, the release time of the stolen data virus is taken as the timestamp as a variable to be added into the calculation, a specific time vector is formed by the timestamps by using a sampling rate of 100Hz to obtain a virus characteristic time sequence group diagram, and meanwhile, the real-time sequence of the system is monitored;
5) and calculating the difference between the real-time sequence after the virus is released and the normal sequence before the virus is released, and judging whether the latent APT possibly exists in the system according to the difference.
Compared with the prior art, the invention has the remarkable advantages that: by releasing virus to simulate stealing sensitive data, matching the real-time characteristic sequence of the system with the normal characteristic sequence, calculating the relative difference degree, and comparing the relative difference degree with a threshold value, whether the latent APT attack aiming at stealing data possibly exists in the perception system or not is sensed, and the sensitivity and the accuracy of detecting the latent APT of the system are improved.
Drawings
FIG. 1 is a flow chart of the method of the present invention.
Detailed Description
The invention discloses a method for simulating embezzlement sensitive data perception latent APT attack, which comprises the following steps:
1) establishing a data environment, building a data model, and performing labeling compilation sequence A [ a ] on a data source1,a2,...ai,...an]Wherein a isiThe ith sequence is restored, extracted and screened by using a system log to generate a characteristic sequence A;
2) setting several data source sending targets, establishing data channels with data sources in data environment, making one code for each channel, recording data set Bb with all codes1,b2,...bi,...bn]Wherein b isiAnalyzing data flow fluctuation by using a flow analyzer for the ith sequence to generate a flow sequence B;
3) combining and calculating the sequence A and the sequence B, matching, summarizing and classifying to obtain an AB combined feature library, and taking the AB combined feature library as a normal sequence library of the system;
4) taking the release time of the stolen data virus as a variable to be added into calculation to obtain a virus characteristic group diagram, and monitoring a real-time sequence of the system;
5) and calculating the difference between the real-time sequence after the virus is released and the normal sequence before the virus is released, and judging whether the latent APT possibly exists in the system according to the difference.
Further, in step 5), it is assumed that the number of the system call sequences of a real-time process is f (t) (t ≧ 1, 2.), the width of the sliding window is w real-time sequences, and if f (t) ≧ w, then (f (t) -w +1) short sequences with the width of w can be formed according to the sliding window method principle, and these short sequences are labeled as { a ≧ wiu1,2, f (t) -w +1, u 1,2, w. The normal sequence library is N, wherein any normal sequence is { bju}(j=1,2,...,n;u=1,2,...,w)。
In practical circumstances, noise data cannot be excluded, and therefore, the difference between the real-time sequences is subjected to windowing and noise filtering. Assuming that the window width is L, the difference between the real-time sequence and the normal sequence library is:
wherein Diff ({ a)iuN) is { a }iuThe difference degree from a normal sequence library N, and the calculation method thereof satisfies Diff ({ a)iu},N)=min{Diff({aiu},{bju}), wherein: diff ({ a)iu},{bjuIs { a) })iuAnd bjuThe degree of difference; l is the window width and is more than or equal to w.
By analyzing a large number of samples, the threshold τ for the degree of difference between the real-time sequence and the normal sequence can be calculated, if D ({ aiuN) is more than or equal to tau, the real-time sequence is abnormal, the system makes a defense response, and no latent APT exists in the system; if D ({ a)iuN) < τ, the real-time sequence is normal, the system does not respond significantly, and there may be latent APT in the system.
At present, in the field of intrusion detection, traditional enterprises use various network security protection systems including software and hardware firewalls, IDS, IPS, log management and the like, but these detection means cannot effectively detect and defend latent APT.
The invention senses whether the latent APT exists in the system by extracting and modeling the system log and matching the system log with the flow sequence after releasing the virus.
The invention is further described below with reference to the accompanying drawings.
1) Establishing a data environment consisting of second-order arrays generated by random arrays, and performing labeling compilation sequence A [ a ] on data sources in the data environment1,a2,...ai,...an]Wherein a isiIs the ith sequence, and utilizes the system log to restore, extract and screen the tagged sequence A [ a ]1,a2,...ai,...an]And carrying out data annotation based on an attribute value extraction method of the neural network to generate a characteristic sequence A and form a data model. Wherein;
2) setting a plurality of data source sending targets, establishing data channels with the data sources in the data environment, compiling a code for each channel, and serializing all code records to form a data set Bb1,b2,...bi,...bn]Wherein b isiFor the ith sequence, generating a flow sequence B by using a flow analyzer and adopting a KTAM analysis method to analyze data flow fluctuation, wherein the data flow fluctuation comprises characteristic data such as flow rate, link utilization rate, protocol distribution of different protocol layers, packet size and the like;
3) performing combined calculation on the sequence A and the sequence B, matching, finding out the same characteristic values of the sequence A and the sequence B by using a TF-IDF algorithm, generating respective characteristic vectors of the sequence A and the sequence B, calculating cosine similarity of the two characteristic vectors, indicating that the larger the value is, the more similar the value is, sequencing according to the size of cosine values to obtain an AB combined characteristic library, and taking the AB combined characteristic library as a normal sequence library of a system;
4) each vector data is provided with a timestamp, the release time of the stolen data virus is used as the timestamp to be added into calculation, the timestamp comprises metadata attributes describing a timetable, the row time of the timetable and variables of the row time, a specific time vector formed by the timestamps is used for obtaining a virus characteristic time sequence group diagram, and a real-time sequence of the system is monitored;
5) and calculating the difference between the real-time sequence after the virus is released and the normal sequence before the virus is released, and judging whether the latent APT possibly exists in the system according to the difference.
Further, in step 5), it is assumed that the number of the system call sequences of a real-time process is f (t) (t ≧ 1, 2.), the width of the sliding window is w real-time sequences, and if f (t) ≧ w, then (f (t) -w +1) short sequences with the width of w can be formed according to the sliding window method principle, and these short sequences are labeled as { a ≧ wiu1,2, f (t) -w +1, u 1,2, w. The normal sequence library is N, wherein any normal sequence is { bju}(j=1,2,...,n;u=1,2,...,w)。
In practical circumstances, noise data cannot be excluded, and therefore, the difference between the real-time sequences is subjected to windowing and noise filtering. And carrying out windowing and noise filtering processing on the difference degree of each real-time sequence, wherein the assumed window width is L, and the difference degree of the real-time sequence and a normal sequence library is as follows:
among them, Diff ({ a)iuN) is { a }iuThe difference degree from a normal sequence library N, and the calculation method thereof satisfies Diff ({ a)iu},N)=min{Diff({aiu},{bju}), wherein: diff ({ a)iu},{bjuIs { a) })iuAnd bjuThe degree of difference; l is the window width and is more than or equal to w;
analyzing through a sample, selecting a field window which is determined to be centered by each vector by adopting an adaptive threshold method, searching the maximum value and the minimum value of the vectors in the window, and taking the average value of the maximum value and the minimum value as a threshold value, or taking the average value of all the vectors in the window as the threshold value, or taking the Gaussian convolution of all the vectors in the window as the threshold value. Calculating to obtain the threshold value tau of the difference degree between the real-time sequence and the normal sequence if D ({ a)iuN) is more than or equal to tau, the real-time sequence is abnormal, the system makes a defense response, and no latent APT exists in the system; if D ({ a)iuN) < τ, the real-time sequence is normal, the system does not respond significantly, and there may be latent APT in the system.
At present, in the field of machine learning, the technology for extracting the characteristics of system logs and network flow is gradually mature, the method can acquire the real-time sequence characteristics of a system by using a sliding window method, then matches the characteristics with a normal behavior characteristic library, and calculates the relative difference between the characteristics, so that the detection sensitivity of the unknown latent APT is improved.
According to the invention, after the virus simulating the stolen data is released, whether the latent APT exists is judged by comparing the virus characteristic diagram with the non-infected computer characteristic sequence, so that the detection accuracy of the unknown latent APT is improved, and the perception accuracy and sensitivity of an intrusion detection platform are improved.
Claims (4)
1. A method of simulating a theft sensitive data aware latent APT attack comprising the steps of:
1) establishing a data environment consisting of second-order arrays generated by random arrays, and performing labeling compilation sequence A [ a ] on data sources in the data environment1,a2,...ai,...an]Wherein a isiIs the ith sequence, and utilizes the system log to restore, extract and screen the tagged sequence A [ a ]1,a2,...ai,...an]Carrying out data annotation based on an attribute value extraction method of a neural network to generate a characteristic sequence A and form a data model; wherein;
2) setting a plurality of data source sending targets, establishing data channels with the data sources in the data environment, compiling a code for each channel, and serializing all code records to form a data set Bb1,b2,...bi,...bn]Wherein b isiFor the ith sequence, analyzing data flow fluctuation by a flow analyzer and a KTAM to generate a flow sequence B;
3) performing combined calculation on the sequence A and the sequence B, matching, finding out the same characteristic values of the sequence A and the sequence B by using a TF-IDF algorithm, generating respective characteristic vectors of the sequence A and the sequence B, calculating cosine similarity of the two characteristic vectors, indicating that the larger the value is, the more similar the value is, sequencing according to the size of cosine values to obtain an AB combined characteristic library, and taking the AB combined characteristic library as a normal sequence library of a system;
4) each vector data is provided with a timestamp, the release time of the stolen data virus is taken as the timestamp as a variable to be added into the calculation, a specific time vector is formed by the timestamps by using a sampling rate of 100Hz to obtain a virus characteristic time sequence group diagram, and meanwhile, the real-time sequence of the system is monitored;
5) and calculating the difference between the real-time sequence after the virus is released and the normal sequence before the virus is released, and judging whether the latent APT possibly exists in the system according to the difference.
2. The method of simulating a theft sensitive data aware latent APT attack according to claim 1, wherein: and 2) analyzing data traffic fluctuation by adopting KTAM, wherein the data traffic fluctuation comprises traffic rate, link utilization rate, protocol distribution of different protocol layers and packet size.
3. The method of simulating a theft sensitive data aware latent APT attack according to claim 1, wherein: the time stamp in step 4) contains metadata attributes describing the schedule, its line time and its variables.
4. The method of simulating a theft sensitive data aware latent APT attack according to claim 1, wherein: in the step 5), the number of the system call sequences of a real-time process is set as f (t) (t is 1, 2.), the width of the sliding window is w real-time sequences, if f (t) is greater than or equal to w, (f (t) -w +1) short sequences with the width of w are formed according to the sliding window method principle, and the short sequences are marked as { a ≧ wiuN as a normal sequence library, where any normal sequence is { b }, N, and (i) ═ 1,2,. times.f (t) -w + 1; u ═ 1,2,. times.w)ju}(j=1,2,...,n;u=1,2,...,w);
And carrying out windowing and noise filtering processing on the difference degree of each real-time sequence, setting the window width as L, and setting the difference degree between the real-time sequence and a normal sequence library as follows:
among them, Diff ({ a)iuN) is { a }iuThe difference degree from a normal sequence library N, and the calculation method thereof satisfies Diff ({ a)iu},N)=min{Diff({aiu},{bju}), wherein: diff ({ a)iu},{bjuIs { a) })iuAnd bjuThe degree of difference; l is the window width and is more than or equal to w;
analyzing through a sample, selecting a field window which is determined to be centered by each vector by adopting a self-adaptive threshold method, searching the maximum value and the minimum value of the vectors in the window, and taking the average value of the maximum value and the minimum value as a threshold value, or taking the average value of all the vectors in the window as the threshold value, or taking the Gaussian convolution of all the vectors in the window as the threshold value; calculating to obtain the threshold value tau of the difference degree between the real-time sequence and the normal sequence if D ({ a)iuN) is more than or equal to tau, the real-time sequence is abnormal, the system makes a defense response, and no latent APT exists in the system; if D ({ a)iuN) < τ, the real-time sequence is normal, the system does not respond significantly, and there may be latent APT in the system.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201911020563.6A CN111224933B (en) | 2019-10-25 | 2019-10-25 | Method for simulating embezzlement sensitive data perception latent APT attack |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201911020563.6A CN111224933B (en) | 2019-10-25 | 2019-10-25 | Method for simulating embezzlement sensitive data perception latent APT attack |
Publications (2)
Publication Number | Publication Date |
---|---|
CN111224933A true CN111224933A (en) | 2020-06-02 |
CN111224933B CN111224933B (en) | 2022-04-08 |
Family
ID=70827553
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201911020563.6A Active CN111224933B (en) | 2019-10-25 | 2019-10-25 | Method for simulating embezzlement sensitive data perception latent APT attack |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN111224933B (en) |
Citations (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
EP2942919A1 (en) * | 2014-05-08 | 2015-11-11 | Deutsche Telekom AG | Social network honeypot |
CN105262726A (en) * | 2015-09-10 | 2016-01-20 | 中国人民解放军信息工程大学 | APT (Advanced Persistent Threat) attack detection method based on big data behavior sequence analysis |
CN108076040A (en) * | 2017-10-11 | 2018-05-25 | 北京邮电大学 | A kind of APT Attack Scenarios method for digging based on killing chain and fuzzy clustering |
CN108229153A (en) * | 2016-12-21 | 2018-06-29 | 青岛祥智电子技术有限公司 | A kind of advanced duration threatens the method for discrimination of attack |
CN108768989A (en) * | 2018-05-18 | 2018-11-06 | 刘勇 | It is a kind of using the APT attack defense methods of mimicry technology, system |
CN108875364A (en) * | 2017-12-29 | 2018-11-23 | 北京安天网络安全技术有限公司 | Menace determination method, device, electronic equipment and the storage medium of unknown file |
CN110022288A (en) * | 2018-01-10 | 2019-07-16 | 贵州电网有限责任公司遵义供电局 | A kind of APT threat recognition methods |
-
2019
- 2019-10-25 CN CN201911020563.6A patent/CN111224933B/en active Active
Patent Citations (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
EP2942919A1 (en) * | 2014-05-08 | 2015-11-11 | Deutsche Telekom AG | Social network honeypot |
CN105262726A (en) * | 2015-09-10 | 2016-01-20 | 中国人民解放军信息工程大学 | APT (Advanced Persistent Threat) attack detection method based on big data behavior sequence analysis |
CN108229153A (en) * | 2016-12-21 | 2018-06-29 | 青岛祥智电子技术有限公司 | A kind of advanced duration threatens the method for discrimination of attack |
CN108076040A (en) * | 2017-10-11 | 2018-05-25 | 北京邮电大学 | A kind of APT Attack Scenarios method for digging based on killing chain and fuzzy clustering |
CN108875364A (en) * | 2017-12-29 | 2018-11-23 | 北京安天网络安全技术有限公司 | Menace determination method, device, electronic equipment and the storage medium of unknown file |
CN110022288A (en) * | 2018-01-10 | 2019-07-16 | 贵州电网有限责任公司遵义供电局 | A kind of APT threat recognition methods |
CN108768989A (en) * | 2018-05-18 | 2018-11-06 | 刘勇 | It is a kind of using the APT attack defense methods of mimicry technology, system |
Non-Patent Citations (1)
Title |
---|
贾焰等: "大规模网络安全态势分析系统YHSAS设计与实现", 《信息技术与网络安全》 * |
Also Published As
Publication number | Publication date |
---|---|
CN111224933B (en) | 2022-04-08 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN103441982A (en) | Intrusion alarm analyzing method based on relative entropy | |
CN103428196A (en) | URL white list-based WEB application intrusion detecting method and apparatus | |
Liu et al. | Correlating multi-step attack and constructing attack scenarios based on attack pattern modeling | |
CN111181918B (en) | TTP-based high-risk asset discovery and network attack tracing method | |
CN112333195B (en) | APT attack scene reduction detection method and system based on multi-source log correlation analysis | |
CN113422763B (en) | Alarm correlation analysis method constructed based on attack scene | |
CN110598180B (en) | Event detection method, device and system based on statistical analysis | |
CN105959270A (en) | Network attack detection method based on spectral clustering algorithm | |
CN115459965A (en) | Multistep attack detection method for network security of power system | |
Nalavade et al. | Mining association rules to evade network intrusion in network audit data | |
Hendry et al. | Intrusion signature creation via clustering anomalies | |
CN110598397A (en) | Deep learning-based Unix system user malicious operation detection method | |
RU180789U1 (en) | DEVICE OF INFORMATION SECURITY AUDIT IN AUTOMATED SYSTEMS | |
CN111784404B (en) | Abnormal asset identification method based on behavior variable prediction | |
CN111191683B (en) | Network security situation assessment method based on random forest and Bayesian network | |
CN116074092B (en) | Attack scene reconstruction system based on heterogram attention network | |
CN111224933B (en) | Method for simulating embezzlement sensitive data perception latent APT attack | |
Haque et al. | An intelligent approach for Intrusion Detection based on data mining techniques | |
CN113132414B (en) | Multi-step attack mode mining method | |
Phutane et al. | A survey of intrusion detection system using different data mining techniques | |
CN114726623A (en) | Advanced threat attack evaluation method and device, electronic equipment and storage medium | |
Zhai et al. | Research and improvement on ID3 algorithm in intrusion detection system | |
Gambo et al. | Hybrid approach for intrusion detection model using combination of k-means clustering algorithm and random forest classification | |
Liu et al. | A Blockchain-assisted Collaborative Ensemble Learning for Network Intrusion Detection | |
Athira et al. | Standardisation and classification of alerts generated by intrusion detection systems |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
GR01 | Patent grant |