CN111371917B - Domain name detection method and system - Google Patents


Info

Publication number
CN111371917B
Authority
CN
China
Prior art keywords
domain name
detected
determining
score
response records
Prior art date
Legal status
Active
Application number
CN202010127131.1A
Other languages
Chinese (zh)
Other versions
CN111371917A (en)
Inventor
蒋鸿玲
康海燕
Current Assignee
Beijing Information Science and Technology University
Original Assignee
Beijing Information Science and Technology University
Priority date
Filing date
Publication date
Application filed by Beijing Information Science and Technology University
Priority to CN202010127131.1A
Publication of CN111371917A
Application granted
Publication of CN111371917B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L61/00 Network arrangements, protocols or services for addressing or naming
    • H04L61/45 Network directories; Name-to-address mapping
    • H04L61/4505 Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols
    • H04L61/4511 Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols using domain name system [DNS]
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F18/00 Pattern recognition
    • G06F18/20 Analysing
    • G06F18/24 Classification techniques
    • G06F18/241 Classification techniques relating to the classification model, e.g. parametric or non-parametric approaches
    • G06F18/2411 Classification techniques relating to the classification model, e.g. parametric or non-parametric approaches based on the proximity to a decision surface, e.g. support vector machines
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L61/00 Network arrangements, protocols or services for addressing or naming
    • H04L61/50 Address allocation
    • H04L61/5046 Resolving address allocation conflicts; Testing of addresses

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Data Mining & Analysis (AREA)
  • Signal Processing (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Bioinformatics & Cheminformatics (AREA)
  • Computer Vision & Pattern Recognition (AREA)
  • Evolutionary Biology (AREA)
  • Evolutionary Computation (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Bioinformatics & Computational Biology (AREA)
  • Artificial Intelligence (AREA)
  • Life Sciences & Earth Sciences (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention relates to a domain name detection method and a domain name detection system. The method comprises the steps of obtaining a domain name to be detected; determining response records of the domain name to be detected at different moments within detection time according to the domain name to be detected; determining the domain name characteristics of the domain name to be detected according to the response records of the domain name to be detected at different moments; and determining the domain name category of the domain name to be detected by adopting a classification model according to the domain name characteristics of the domain name to be detected. The domain name detection method and system provided by the invention improve the domain name detection efficiency and accurately detect the malicious domain name.

Description

Domain name detection method and system
Technical Field
The invention relates to the field of computer network security, in particular to a domain name detection method and system.
Background
The number of malicious programs has increased year by year in recent years, and they have become more sophisticated and complex. Network intrusions such as worms, spam, trojans, denial of service attacks and theft of important information have become a huge threat to cyberspace. Attackers often use Domain Name System (DNS) technology to hide their malicious behavior and keep the malicious network robust, because DNS exists in all networks and is typically not filtered by firewalls. After infecting a host, the malicious program usually connects to a remote command and control server, which the attacker controls directly. For example, in an APT (Advanced Persistent Threat) attack, botnets may download the latest malicious programs or obtain malicious instructions through a remote C&C server (Command and Control Server); information-stealing malicious programs send the stolen information to a remote server; spam relies on DNS to redirect web pages. These malicious programs usually access the remote server through a domain name rather than the server's IP address, so the domain name plays an important role in malicious behavior. Early malicious programs employed a single domain name, which presented a single point of failure and was easily discovered and blocked.
To prevent single points of failure, evade detection and make malicious networks more robust, attackers employ fast-flux techniques. In fast-flux, hundreds of thousands of IP addresses correspond to one domain name; when the domain name is queried, different IP addresses are returned, the IP addresses change frequently, and they serve as proxies that redirect the communication between the infected host and the C&C server. If one IP address is blacklisted, servers at other IP addresses can still continue to provide service, and a new server can easily be added to the malicious network simply by adding a new IP address. This dynamic DNS technique makes it difficult for an intrusion detection system to discover the attacker hidden behind the proxies.
In addition, malicious programs dynamically generate a large number of domain names each day using a DGA (Domain Generation Algorithm); some of these are valid domain names registered by the attacker, and a plurality of them correspond to the IP address of the command and control server (C&C server). The infected host queries the large number of automatically generated domain names and establishes connections with a few of them. Because the domain names are numerous and are automatically generated anew every day, the attacker's malicious network is well hidden.
Current malicious programs use the fast-flux and DGA techniques at the same time to evade detection: the domain name is automatically generated by the DGA algorithm every day, and the IP addresses corresponding to the domain name are those of one or more proxy hosts responsible for redirecting the communication between the C&C server and the infected host. Malicious programs that employ this evasion mechanism are more flexible and robust, and are more difficult to detect.
Existing malicious domain name detection methods can be classified into the following two categories:
(1) a passive detection method. Malicious domain names are detected by collecting DNS traffic, parsing and analyzing DNS query and response packets.
(2) An active detection method. Malicious domain names are detected by sending data to the server of the attacker and analyzing response result data of the attacker, such as response time delay and the like.
The above two methods have the following limitations:
(1) The passive detection method needs to collect massive DNS traffic, parse the DNS packets and analyze the parsed result, and has the defect of a large amount of computation.
(2) The active detection method needs to send data to the attacker's server, and has the defect that it is likely to arouse the attacker's suspicion, so that the detection is discovered by the attacker.
Therefore, the prior art cannot effectively detect the domain name and cannot timely find the malicious domain name.
Disclosure of Invention
The invention aims to provide a domain name detection method and a domain name detection system, which can improve the domain name detection efficiency and accurately detect malicious domain names.
In order to achieve the purpose, the invention provides the following scheme:
a domain name detection method, comprising:
acquiring a domain name to be detected;
determining response records of the domain name to be detected at different moments within detection time according to the domain name to be detected; the response record comprises a domain name, an IP address and query time;
determining the domain name characteristics of the domain name to be detected according to the response records of the domain name to be detected at different moments; the domain name features comprise a domain name score and a domain name length;
determining the domain name category of the domain name to be detected by adopting a classification model according to the domain name characteristics of the domain name to be detected; the domain name categories comprise a malicious domain name and a normal domain name; the classification model takes the domain name characteristics as input and takes the domain name category as output.
Optionally, the determining the domain name characteristics of the domain name to be detected according to the response records of the domain name to be detected at different times specifically includes:
sequencing the response records of the domain name to be detected at different moments according to the query time;
numbering the sorted response records;
calculating the similarity of the IP addresses of the adjacent numbers;
and determining the domain name score according to the similarity.
Optionally, the determining the domain name score according to the similarity specifically includes:
using formulas
Figure BDA0002394741140000031
Determining the domain name score; S(d) is the domain name score, i and j are both adjacent numbers, L is the number of response records,
Figure BDA0002394741140000032
is the similarity of the IP addresses of i and j.
Optionally, the detection time is 10 days.
A domain name detection system, comprising:
the domain name acquisition module is used for acquiring a domain name to be detected;
the response record determining module is used for determining the response records of the domain name to be detected at different moments within the detection time according to the domain name to be detected; the response record comprises a domain name, an IP address and query time;
the domain name feature determining module is used for determining the domain name features of the domain name to be detected according to the response records of the domain name to be detected at different moments; the domain name features comprise a domain name score and a domain name length;
the domain name class determining module is used for determining the domain name class of the domain name to be detected by adopting a classification model according to the domain name characteristics of the domain name to be detected; the domain name categories comprise a malicious domain name and a normal domain name; the classification model takes the domain name characteristics as input and takes the domain name category as output.
Optionally, the domain name feature determining module specifically includes:
the sequencing unit is used for sequencing the response records of the domain name to be detected at different moments according to the query time;
the numbering unit is used for numbering the sequenced response records;
a similarity calculation unit for calculating a similarity of IP addresses of adjacent numbers;
and the domain name score determining unit is used for determining the domain name score according to the similarity.
Optionally, the domain name score determining unit specifically includes:
a domain name score determination subunit for utilizing the formula
Figure BDA0002394741140000041
Determining the domain name score; S(d) is the domain name score, i and j are both adjacent numbers, L is the number of response records,
Figure BDA0002394741140000042
is the similarity of the IP addresses of i and j.
Optionally, the detection time is 10 days.
According to the specific embodiment provided by the invention, the invention discloses the following technical effects:
according to the domain name detection method and system provided by the invention, the domain name characteristics of the domain name to be detected are determined according to the response records of the domain name to be detected at different moments within the detection time, and then classification is carried out by utilizing a classification model which takes the domain name characteristics as input and the domain name categories as output, so that the domain name is accurately and quickly detected, the domain name detection efficiency is improved, and the malicious domain name is accurately detected.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings needed to be used in the embodiments will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and it is obvious for those skilled in the art to obtain other drawings without inventive exercise.
FIG. 1 is a schematic diagram showing the comparison between normal domain name and fast-flux domain name IP address fluctuation;
FIG. 2 is a schematic flow chart of a domain name detection method according to the present invention;
fig. 3 is a schematic structural diagram of a domain name detection system provided in the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
The invention aims to provide a domain name detection method and a domain name detection system, which can improve the domain name detection efficiency and accurately detect malicious domain names.
In order to make the aforementioned objects, features and advantages of the present invention comprehensible, embodiments accompanied with figures are described in further detail below.
In a malicious network adopting the fast-flux technology, one domain name corresponds to a plurality of different IP addresses. Each IP address is an independent infected host controlled by an ordinary user, which is not guaranteed to be powered on and online at all times, so in order to keep the malicious network usable the attacker must continuously infect new hosts. Consequently, when a client queries the fast-flux domain name in different time periods, the returned IP addresses change, that is, the IP addresses fluctuate strongly. Fig. 1 shows the IP address fluctuation of a fast-flux domain name compared with a normal domain name. In addition, a malicious domain name automatically generated by the DGA algorithm differs clearly from a normal domain name: because readability is not considered when generating the malicious domain name, its length is larger. A specific comparison is shown in fig. 1.
Fig. 2 is a schematic flow chart of a domain name detection method provided by the present invention, and as shown in fig. 2, the domain name detection method provided by the present invention includes:
s201, acquiring the domain name to be detected.
S202, determining response records of the domain name to be detected at different moments within detection time according to the domain name to be detected; the response record includes a domain name, an IP address, and a query time. The detection time is 10 days, and the query interval is 1 hour.
The method comprises the following specific steps:
(1) Record the current time T_now, and set the start detection time T_start to the current time.
(2) If T_now - T_start ≤ T, repeatedly execute steps (3)-(5).
(3) Query each domain name from the domain name system server, obtain the domain name system response record, and store each response record, including the domain name, the IP address and the query time T_query.
(4) Update the current time T_now.
(5) Calculate the time taken for the query, T_qduration = T_now - T_query; after waiting for T_p - T_qduration, update the current time T_now again.
When the detection time T is over, the domain name system response records of all domain names at intervals of T_p have been acquired, including the domain name, the IP address and the query time T_query.
S203, determining the domain name characteristics of the domain name to be detected according to the response records of the domain name to be detected at different moments; the domain name characteristics include a domain name score and a domain name length. The malicious domain name score is significantly lower than the normal domain name score: in order to maintain the malicious network, the attacker needs to continuously recruit new infected hosts, so the IP address set corresponding to a malicious domain name keeps changing, the similarity of the IP address sets in adjacent time windows is low, and the domain name score is low. The malicious domain name is also longer than the normal domain name, because the malicious domain name generated by the DGA algorithm does not consider readability.
And sequencing the response records of the domain name to be detected at different moments according to the query time.
And numbering the sorted response records.
The similarity of the IP addresses of adjacent numbers is calculated.
And determining the domain name score according to the similarity. Using formulas
Figure BDA0002394741140000061
Determining the domain name score; S(d) is the domain name score, i and j are both adjacent numbers, L is the number of response records,
Figure BDA0002394741140000062
similarity of IP addresses for i and j;
Figure BDA0002394741140000063
the domain name length is the number of characters in the domain name.
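The following Python program is an added example, not code from the patent or its applicant. It simulates the record-collection loop of steps (1)-(5) on a deterministic clock and then carries out S203: sort the records by query time, number them, compare the IP address sets of adjacent numbers, and derive the score and length features. The resolver is a constructed stand-in using RFC 5737 documentation addresses; because the patent gives its similarity measure and S(d) only as figures, Jaccard similarity and the mean adjacent-window similarity are assumed here as illustrative choices.

```python
# Added example (not the patent's own code): record collection per steps (1)-(5)
# plus the S203 feature computation. Assumptions: constructed resolver, Jaccard as the
# adjacent-set similarity, mean adjacent similarity as S(d).
from dataclasses import dataclass
from typing import Dict, FrozenSet, List

HOUR = 3600.0                     # T_p: query interval of 1 hour (the page's value)
DETECTION_TIME = 10 * 24 * HOUR   # T: detection time of 10 days (the page's value)


@dataclass(frozen=True)
class ResponseRecord:
    domain: str
    ips: FrozenSet[str]           # IP address set returned by one query
    t_query: float                # query time T_query, seconds on the simulated clock


class SimClock:
    """Simulated wall clock so the loop runs offline and deterministically."""
    def __init__(self) -> None:
        self.t = 0.0

    def now(self) -> float:
        return self.t

    def sleep(self, seconds: float) -> None:
        self.t += max(0.0, seconds)


def collect_records(domains, resolve, clock, detection_time=DETECTION_TIME,
                    t_p=HOUR, query_cost=1.0) -> List[ResponseRecord]:
    """Steps (1)-(5): query every domain once per interval T_p until T has elapsed."""
    t_start = clock.now()                              # (1) T_start := T_now
    records: List[ResponseRecord] = []
    while clock.now() - t_start <= detection_time:     # (2) loop while T_now - T_start <= T
        t_query = clock.now()
        for d in domains:                              # (3) query and store each record
            records.append(ResponseRecord(d, frozenset(resolve(d, t_query)), t_query))
            clock.sleep(query_cost)                    # each query consumes simulated time
        t_qduration = clock.now() - t_query            # (4)+(5) T_qduration = T_now - T_query
        clock.sleep(t_p - t_qduration)                 # wait T_p - T_qduration; T_now advances
    return records


def ip_set_similarity(a: FrozenSet[str], b: FrozenSet[str]) -> float:
    """Jaccard similarity of two adjacent IP address sets (assumed measure)."""
    union = a | b
    return len(a & b) / len(union) if union else 1.0


def domain_score(records: List[ResponseRecord]) -> float:
    """Sort by query time, number consecutively, average the similarity of adjacent
    numbers (assumed form of S(d)); L records give L-1 adjacent pairs."""
    ordered = sorted(records, key=lambda r: r.t_query)
    pairs = [(ordered[i], ordered[i + 1]) for i in range(len(ordered) - 1)]
    if not pairs:
        return 1.0
    return sum(ip_set_similarity(a.ips, b.ips) for a, b in pairs) / len(pairs)


def domain_features(domain: str, records: List[ResponseRecord]) -> Dict[str, float]:
    """The two features of S203: domain score and length in characters."""
    own = [r for r in records if r.domain == domain]
    return {"score": domain_score(own), "length": len(domain)}


# Constructed resolver: a stable domain always answers with the same two addresses;
# a flux-like domain rotates a window of five addresses by three every hour, so
# adjacent answers share only two of eight addresses (Jaccard 0.25).
STABLE = "example.com"
FLUXING = "xk3qz9w1ouplv7ham.example"


def fake_resolve(domain: str, t_query: float):
    hour = int(t_query // HOUR)
    if domain == STABLE:
        return {"192.0.2.10", "192.0.2.11"}
    return {f"198.51.100.{(3 * hour + k) % 200}" for k in range(5)}


def run_demo() -> Dict[str, Dict[str, float]]:
    records = collect_records([STABLE, FLUXING], fake_resolve, SimClock())
    return {d: domain_features(d, records) for d in (STABLE, FLUXING)}


if __name__ == "__main__":
    for d, f in run_demo().items():
        print(f"{d:28s} score={f['score']:.3f} length={f['length']}")
```

With the 10-day window and 1-hour interval, each domain yields 241 records and 240 adjacent pairs; the stable domain scores 1.0 and the flux-like domain 0.25, which is the gap the classification step exploits. Subtracting the query duration in step (5) is what keeps the sampling grid aligned to T_p regardless of how long each query takes.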
S204, determining the domain name category of the domain name to be detected by adopting a classification model according to the domain name characteristics of the domain name to be detected; the domain name categories comprise a malicious domain name and a normal domain name; the classification model takes the domain name characteristics as input and takes the domain name category as output.
Malicious domain names are obtained through open-source channels (hphosts, RiskAnalytics, the Malc0de database) and normal domain names through a whitelist domain name website (the Alexa website); the domain name features of the malicious and normal domain names are determined respectively, and the classification model, an SVM model, is trained on them.
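As an added example of the training step, not the patent's own code, the block below fits a linear SVM on the two features (domain score, domain length) with a plain sub-gradient solver (Pegasos) in pure Python and then classifies unseen feature pairs. The training rows are constructed stand-ins for feature vectors that the patent derives from the blacklists and the Alexa whitelist; the regularisation constant, epoch count and standardisation are this example's choices.

```python
# Added example (not the patent's code): linear SVM on (score, length) via Pegasos.
# TRAIN is constructed sample data, not features from any real blacklist or whitelist.
import random

# (domain score, domain length, label); +1 = normal, -1 = malicious.
TRAIN = [
    (0.95, 11, +1), (0.88, 9, +1), (1.00, 14, +1), (0.92, 7, +1), (0.85, 16, +1),
    (0.20, 26, -1), (0.30, 22, -1), (0.10, 31, -1), (0.35, 19, -1), (0.25, 28, -1),
]


def standardize_stats(rows):
    """Per-feature mean and std so a 0..1 score and a character count are comparable."""
    n = len(rows)
    means = [sum(r[k] for r in rows) / n for k in (0, 1)]
    stds = [(sum((r[k] - means[k]) ** 2 for r in rows) / n) ** 0.5 or 1.0 for k in (0, 1)]
    return means, stds


def featurize(score, length, means, stds):
    """Standardized feature vector with a constant 1.0 acting as the bias term."""
    return [(score - means[0]) / stds[0], (length - means[1]) / stds[1], 1.0]


def train_svm(rows, lam=0.01, epochs=200, seed=0):
    """Pegasos: w <- (1 - eta*lam) w, plus eta*y*x when the hinge loss is active."""
    means, stds = standardize_stats(rows)
    xs = [featurize(s, l, means, stds) for s, l, _ in rows]
    ys = [y for _, _, y in rows]
    rng = random.Random(seed)
    w = [0.0, 0.0, 0.0]
    t = 0
    for _ in range(epochs):
        order = list(range(len(rows)))
        rng.shuffle(order)
        for i in order:
            t += 1
            eta = 1.0 / (lam * t)
            margin = ys[i] * sum(wk * xk for wk, xk in zip(w, xs[i]))
            w = [(1 - eta * lam) * wk for wk in w]
            if margin < 1:
                w = [wk + eta * ys[i] * xk for wk, xk in zip(w, xs[i])]
    return {"w": w, "means": means, "stds": stds}


def predict(model, score, length):
    """Domain category as output of the classifier: 'normal' or 'malicious'."""
    x = featurize(score, length, model["means"], model["stds"])
    decision = sum(wk * xk for wk, xk in zip(model["w"], x))
    return "normal" if decision >= 0 else "malicious"


def training_accuracy(model, rows):
    hits = sum(1 for s, l, y in rows
               if predict(model, s, l) == ("normal" if y > 0 else "malicious"))
    return hits / len(rows)


if __name__ == "__main__":
    m = train_svm(TRAIN)
    print("training accuracy:", training_accuracy(m, TRAIN))
    print("score=0.90 len=10 ->", predict(m, 0.90, 10))
    print("score=0.15 len=30 ->", predict(m, 0.15, 30))
```

Standardising the two features matters: without it the length feature (tens of characters) would dominate the score feature (0 to 1) in the dot product. A low score combined with a long name lands firmly on the malicious side, matching the page's description of the two feature distributions.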
The domain name detection method provided by the invention has the following beneficial effects:
(1) DNS traffic data does not need to be parsed, which reduces the amount of computation.
(2) No data needs to be sent to the attacker's server, so the attacker is prevented from discovering the detection and evading it.
(3) The method and system can detect fast-flux malicious domain names as well as fast-flux malicious domain names that additionally use the DGA technique.
Fig. 3 is a schematic structural diagram of a domain name detection system provided by the present invention, and as shown in fig. 3, the domain name detection system provided by the present invention includes: a domain name acquisition module 301 to be detected, a response record determination module 302, a domain name feature determination module 303 and a domain name category determination module 304.
The domain name acquisition module 301 to be detected is used for acquiring a domain name to be detected;
the response record determining module 302 is configured to determine, according to the domain name to be detected, response records of the domain name to be detected at different times within a detection time; the response record comprises a domain name, an IP address and query time; the detection time is 10 days.
The domain name feature determining module 303 is configured to determine a domain name feature of the domain name to be detected according to response records of the domain name to be detected at different times; the domain name features comprise a domain name score and a domain name length;
the domain name class determining module 304 is configured to determine a domain name class of the domain name to be detected by using a classification model according to the domain name feature of the domain name to be detected; the domain name categories comprise a malicious domain name and a normal domain name; the classification model takes the domain name characteristics as input and takes the domain name category as output.
The domain name feature determining module 303 specifically includes: the device comprises a sorting unit, a numbering unit, a similarity calculation unit and a domain name score determination unit.
The sequencing unit is used for sequencing the response records of the domain name to be detected at different moments according to the query time;
the numbering unit is used for numbering the sequenced response records;
the similarity calculation unit is used for calculating the similarity of the IP addresses of the adjacent numbers;
and the domain name score determining unit is used for determining the domain name score according to the similarity.
The domain name score determining unit specifically includes: a domain name score determination subunit.
Domain name score determination subunit for utilizing formulas
Figure BDA0002394741140000071
Determining the domain name score; S(d) is the domain name score, i and j are both adjacent numbers, L is the number of response records,
Figure BDA0002394741140000081
is the similarity of the IP addresses of i and j.
The embodiments in the present description are described in a progressive manner, each embodiment focuses on differences from other embodiments, and the same and similar parts among the embodiments are referred to each other. For the system disclosed by the embodiment, the description is relatively simple because the system corresponds to the method disclosed by the embodiment, and the relevant points can be referred to the method part for description.
The principle and the implementation mode of the invention are explained by applying a specific example, and the description of the embodiment is only used for helping to understand the method and the core idea of the invention; meanwhile, for a person skilled in the art, according to the idea of the present invention, the specific embodiments and the application range may be changed. In view of the above, the present disclosure should not be construed as limiting the invention.

Claims (4)

1. A domain name detection method is characterized by comprising the following steps:
acquiring a domain name to be detected;
determining response records of the domain name to be detected at different moments within detection time according to the domain name to be detected; the response record comprises a domain name, an IP address and query time;
determining the domain name characteristics of the domain name to be detected according to the response records of the domain name to be detected at different moments; the domain name features comprise a domain name score and a domain name length;
determining the domain name category of the domain name to be detected by adopting a classification model according to the domain name characteristics of the domain name to be detected; the domain name categories comprise a malicious domain name and a normal domain name; the classification model takes the domain name characteristics as input and takes the domain name category as output;
the determining the domain name characteristics of the domain name to be detected according to the response records of the domain name to be detected at different times specifically includes:
sequencing the response records of the domain name to be detected at different moments according to the query time;
numbering the sorted response records;
calculating the similarity of the IP addresses of the adjacent numbers;
determining the domain name score according to the similarity;
the determining the domain name score according to the similarity specifically includes:
using formulas
Figure FDA0003519279510000011
Determining the domain name score; S(d) is the domain name score, i and j are both adjacent numbers, P_i^d,
Figure FDA0003519279510000012
IP address sets returned by the response records corresponding to the ith and jth time windows respectively, L is the number of the response records,
Figure FDA0003519279510000013
to be the similarity of the IP addresses of i and j,
Figure FDA0003519279510000014
2. the method as claimed in claim 1, wherein the detection time is 10 days.
3. A domain name detection system, comprising:
the domain name acquisition module is used for acquiring a domain name to be detected;
the response record determining module is used for determining the response records of the domain name to be detected at different moments within the detection time according to the domain name to be detected; the response record comprises a domain name, an IP address and query time;
the domain name feature determining module is used for determining the domain name features of the domain name to be detected according to the response records of the domain name to be detected at different moments; the domain name features comprise a domain name score and a domain name length;
the domain name class determining module is used for determining the domain name class of the domain name to be detected by adopting a classification model according to the domain name characteristics of the domain name to be detected; the domain name categories comprise a malicious domain name and a normal domain name; the classification model takes the domain name characteristics as input and takes the domain name category as output;
the domain name feature determination module specifically includes:
the sequencing unit is used for sequencing the response records of the domain name to be detected at different moments according to the query time;
the numbering unit is used for numbering the sequenced response records;
a similarity calculation unit for calculating a similarity of IP addresses of adjacent numbers;
a domain name score determining unit, configured to determine the domain name score according to the similarity;
the domain name score determining unit specifically includes:
a domain name score determination subunit for utilizing the formula
Figure FDA0003519279510000021
Determining the domain name score; S(d) is the domain name score, i and j are both adjacent numbers, P_i^d,
Figure FDA0003519279510000022
IP address sets returned by the response records corresponding to the ith and jth time windows respectively, L is the number of the response records,
Figure FDA0003519279510000023
to be the similarity of the IP addresses of i and j,
Figure FDA0003519279510000024
4. a domain name detection system according to claim 3, wherein said detection time is 10 days.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010127131.1A CN111371917B (en) 2020-02-28 2020-02-28 Domain name detection method and system


Publications (2)

Publication Number Publication Date
CN111371917A CN111371917A (en) 2020-07-03
CN111371917B true CN111371917B (en) 2022-04-22

Family

ID=71211614

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010127131.1A Active CN111371917B (en) 2020-02-28 2020-02-28 Domain name detection method and system

Country Status (1)

Country Link
CN (1) CN111371917B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112995360B (en) * 2021-04-30 2021-07-30 新华三技术有限公司 Domain name detection method and device, DGA service equipment and storage medium

Citations (3)

Publication number Priority date Publication date Assignee Title
CN103152442A (en) * 2013-01-31 2013-06-12 中国科学院计算机网络信息中心 Detection and processing method and system for botnet domain names
CN106713371A (en) * 2016-12-08 2017-05-24 中国电子科技网络信息安全有限公司 Fast Flux botnet detection method based on DNS anomaly mining
CN110650157A (en) * 2019-10-23 2020-01-03 北京邮电大学 Fast-flux domain name detection method based on ensemble learning

Family Cites Families (2)

Publication number Priority date Publication date Assignee Title
US10594711B2 (en) * 2016-11-28 2020-03-17 Microsoft Technology Licensing, Llc. Detection of botnets using command-and-control access patterns
CN110266739A (en) * 2019-08-06 2019-09-20 杭州安恒信息技术股份有限公司 In conjunction with the detection method for the Fast-Flux Botnet for threatening information


Non-Patent Citations (1)

Title
Botnet Detection by Monitoring Group Activities in DNS Traffic; Hyunsang Choi et al.; 7th IEEE International Conference on Computer and Information Technology (CIT 2007); 2007-11-21; pp. 715-720 *

Also Published As

Publication number Publication date
CN111371917A (en) 2020-07-03

Similar Documents

Publication Publication Date Title
Vinayakumar et al. Scalable framework for cyber threat situational awareness based on domain name systems data analysis
Nadler et al. Detection of malicious and low throughput data exfiltration over the DNS protocol
Singh et al. Issues and challenges in DNS based botnet detection: A survey
US10880270B1 (en) Network firewall for mitigating against persistent low volume attacks
US10185761B2 (en) Domain classification based on domain name system (DNS) traffic
US8260914B1 (en) Detecting DNS fast-flux anomalies
CN109474575B (en) DNS tunnel detection method and device
Bilge et al. EXPOSURE: Finding Malicious Domains Using Passive DNS Analysis.
US9503468B1 (en) Detecting suspicious web traffic from an enterprise network
US8516585B2 (en) System and method for detection of domain-flux botnets and the like
US8347394B1 (en) Detection of downloaded malware using DNS information
US9258289B2 (en) Authentication of IP source addresses
Singh et al. Detecting bot-infected machines using DNS fingerprinting
US20140047543A1 (en) Apparatus and method for detecting http botnet based on densities of web transactions
EP3297248B1 (en) System and method for generating rules for attack detection feedback system
US20180034837A1 (en) Identifying compromised computing devices in a network
Niu et al. Identifying APT malware domain based on mobile DNS logging
CN110730175A (en) Botnet detection method and detection system based on threat information
CN102685145A (en) Domain name server (DNS) data packet-based bot-net domain name discovery method
CN111818103A (en) Traffic-based tracing attack path method in network target range
EP3913888A1 (en) Detection method for malicious domain name in domain name system and detection device
CN111314301A (en) Website access control method and device based on DNS (Domain name Server) analysis
Nguyen et al. DGA botnet detection using collaborative filtering and density-based clustering
CN112839054A (en) Network attack detection method, device, equipment and medium
Zang et al. Identifying fast-flux botnet with AGD names at the upper DNS hierarchy

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant