CN111585993B - Method, device and equipment for detecting communication of hidden channel - Google Patents

Info

Publication number: CN111585993B
Authority: CN (China)
Prior art keywords: data, snmp, oid, channel communication, target
Legal status: Active
Application number: CN202010343180.9A
Other languages: Chinese (zh)
Other versions: CN111585993A (en)
Inventor: 周运金
Current Assignee: Sangfor Technologies Co Ltd
Original Assignee: Sangfor Technologies Co Ltd
Events: application filed by Sangfor Technologies Co Ltd; priority to CN202010343180.9A; publication of CN111585993A; application granted; publication of CN111585993B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/02 Standardisation; Integration
    • H04L41/0213 Standardised network management protocols, e.g. simple network management protocol [SNMP]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The application discloses a covert channel communication detection method, apparatus and device. The method comprises: acquiring an SNMP data stream; performing protocol audit on the SNMP data stream to obtain target features, wherein the target features comprise object identifier features and/or data field features; and detecting the target features with a detection model to determine whether an SNMP covert channel exists. By applying the detection model to the target features of the SNMP data stream, the method detects covert channel communication carried in SNMP data messages and relatively ensures the network security of the user host. The application also provides a covert channel communication detection apparatus, device and storage medium, with the same beneficial effects.

Description

Method, device and equipment for detecting communication of hidden channel
Technical Field
The present application relates to the field of network communications, and in particular, to a method, an apparatus, and a device for detecting covert channel communication.
Background
SNMP (Simple Network Management Protocol) is a standard protocol designed for managing network nodes in an IP network. It is an application-layer protocol with which a network administrator can manage network performance, discover and solve network problems, and plan network growth.
Covert channel communication based on SNMP is a way of communicating by using the SNMP protocol to carry data. A malicious controller can currently communicate with a user host by carrying malicious behavior data in an SNMP data stream, and so take malicious control of the user host. Once a malicious controller uses SNMP for covert channel communication, it often poses a high degree of threat to the stability of the user host, and the network security of the user host is difficult to ensure.
Therefore, providing a covert channel communication detection method that detects covert channel communication in SNMP data streams, and thereby relatively ensures the network security of the user host, is a problem to be solved by those skilled in the art.
Disclosure of Invention
The application aims to provide a covert channel communication detection method, apparatus and device that detect covert channel communication in SNMP data streams and thereby relatively ensure the network security of the user host.
To solve the above technical problem, the present application provides a covert channel communication detection method, including:
acquiring an SNMP data stream;
performing protocol audit on the SNMP data stream to obtain target features, wherein the target features include object identifier features and/or data field features;
and detecting the target features with a detection model to determine whether an SNMP covert channel exists.
Preferably, if the target features include both object identifier features and data field features, detecting the target features with the detection model to determine whether an SNMP covert channel exists includes:
detecting the object identifier features with a first detection model to obtain a first detection result;
detecting the data field features with a second detection model to obtain a second detection result;
and determining whether an SNMP covert channel exists according to the first detection result and the second detection result.
Preferably, performing protocol audit on the SNMP data stream to obtain the target features includes:
performing protocol audit on the SNMP data stream to obtain the data corresponding to each field;
and extracting, from the fields, the data corresponding to the object identifier field as the object identifier feature, and/or the data corresponding to the data field as the data field feature.
Preferably, extracting the data corresponding to the object identifier field as the object identifier feature includes:
extracting the numbers in the object identifier field and combining them into a number group;
and setting the number group as the object identifier feature.
Preferably, extracting the data corresponding to the data field as the data field feature includes:
extracting the data fragments in each data field and combining them into a data combination;
and setting the data combination as the data field feature.
Preferably, before detecting the target features with the detection model to determine whether an SNMP covert channel exists, the method further includes:
filtering out, from the target features, the normal target features that meet a preset normal standard;
correspondingly, detecting the target features with the detection model to determine whether an SNMP covert channel exists includes:
detecting the filtered target features with the detection model to determine whether an SNMP covert channel exists.
Preferably, detecting the target features with the detection model includes:
collecting the target features corresponding to the SNMP data stream within a preset time to obtain a target feature vector, and detecting the target feature vector with the detection model.
Preferably, the object identifier features include one or more of the number of OID nodes of the OID-type data and the OID edit distance of the OID-type data; the data field features include the complexity of the VALUE-type data.
In addition, the present application provides a covert channel communication detection apparatus, comprising:
a data stream acquisition module, configured to acquire an SNMP data stream;
a feature statistics module, configured to perform protocol audit on the SNMP data stream to obtain target features, wherein the target features include object identifier features and/or data field features;
and a model detection module, configured to detect the target features with the detection model to determine whether an SNMP covert channel exists.
In addition, the present application provides a covert channel communication detection device, comprising:
a memory for storing a computer program;
and a processor for implementing the steps of the covert channel communication detection method described above when executing the computer program.
Furthermore, the present application provides a computer-readable storage medium on which a computer program is stored; when executed by a processor, the computer program implements the steps of the covert channel communication detection method described above.
The covert channel communication detection method first acquires an SNMP data stream, then performs protocol audit on it to obtain target features, which include object identifier features and/or data field features, and then detects the target features with a detection model to determine whether an SNMP covert channel exists. By applying the detection model to the target features of the SNMP data stream, the method detects covert channel communication carried in SNMP data messages and relatively ensures the network security of the user host. The application also provides a covert channel communication detection apparatus, device and storage medium, with the same beneficial effects.
Drawings
In order to more clearly illustrate the embodiments of the present application, the drawings needed for the embodiments will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments of the present application, and that other drawings can be obtained by those skilled in the art without inventive effort.
FIG. 1 is a flow chart of a covert channel communication detection method disclosed in an embodiment of the present application;
FIG. 2 is a flowchart of a specific covert channel communication detection method disclosed in an embodiment of the present application;
FIG. 3 is a flowchart of a specific covert channel communication detection method disclosed in an embodiment of the present application;
FIG. 4 is a flowchart of a method for generating a detection model according to an embodiment of the present disclosure;
FIG. 5 is a flowchart of a specific method for generating a detection model according to an embodiment of the present disclosure;
FIG. 6 is a flowchart illustrating a method for generating a specific detection model according to an embodiment of the present disclosure;
FIG. 7 is a schematic structural diagram of a covert channel communication detection apparatus according to an embodiment of the present application.
Detailed Description
The technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only a part of the embodiments of the present application, and not all the embodiments. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments in the present application without any creative effort belong to the protection scope of the present application.
Covert channel communication based on SNMP is a way of communicating by using the SNMP protocol to carry data. A malicious controller can currently communicate with a user host by carrying malicious behavior data in an SNMP data stream, and so take malicious control of the user host. Once a malicious controller uses SNMP for covert channel communication, it often poses a high degree of threat to the stability of the user host, and the network security of the user host is difficult to ensure.
Therefore, the core of the application is to provide a covert channel communication detection method that detects covert channel communication in SNMP data streams and thereby relatively ensures the network security of the user host.
Referring to FIG. 1, an embodiment of the present application discloses a covert channel communication detection method, including:
Step S10: acquire the SNMP data stream.
It should be noted that this embodiment may be executed by a traffic detection device placed between the user host and the extranet server device; the traffic detection device performs network security detection on the data traffic flowing between the user host and the extranet server device.
The SNMP data stream in this step refers to the SNMP-based data packets to be detected in an actual detection scenario, that is, communication packets sent over SNMP by the user host to the extranet server device, or by the extranet server device to the user host. The SNMP data stream may be obtained by the traffic detection device intercepting, in real time, the SNMP data stream transmitted between the user equipment and the external network server. Alternatively, the SNMP data stream transmitted between the user equipment and the external network server at historical times may be recorded in advance in a traffic log, and the SNMP data stream for a historical period then obtained from that log.
Step S11: perform protocol audit on the SNMP data stream to obtain the target features.
The target features include object identifier features and/or data field features.
Once the SNMP data stream has been acquired, protocol audit is performed on it to obtain the target features, which are attribute features related to the content of the SNMP data stream. The protocol audit in this step is essentially feature statistics over those content-related attribute features. The target features include object identifier features and/or data field features: the object identifier feature refers to an attribute feature of the identifier in the SNMP data stream that characterizes the identity of the SNMP data stream, and the data field feature refers to a feature of the data field part of the SNMP data stream.
Step S12: detect the target features with a detection model to determine whether an SNMP covert channel exists.
After feature statistics on the SNMP data stream have produced the target features, this step uses the detection model to detect the target features and obtain a detection result.
In this scenario, the detection model can be trained by supervised learning; once training is complete, the result is a detection model for detecting whether an SNMP covert channel exists.
Specifically, supervised learning works on a set of samples, each of which has a set of attributes and a class that is determined in advance. For example, a classifier is obtained by learning from a large number of samples; the classifier can be regarded as a detection model and can correctly classify newly appearing objects. The detection model is generated from SNMP data stream positive samples that exhibit covert channel communication behavior and the SNMP data stream negative samples corresponding to them. That is, SNMP data streams with covert channel communication behavior are taken in advance as positive samples, and the detection model is then generated from the positive samples together with their corresponding negative samples. A positive sample is a sample that belongs to a given class, and a negative sample is one that does not belong to that class. The detection model in this embodiment therefore separates the SNMP data stream type that meets the covert channel communication standard from the type that does not, so it can determine whether an SNMP data stream under detection exhibits covert channel communication behavior.
The covert channel communication detection method first acquires an SNMP data stream, then performs protocol audit on it to obtain target features, which include object identifier features and/or data field features, and then detects the target features with a detection model to determine whether an SNMP covert channel exists. By applying the detection model to the target features of the SNMP data stream, the method detects covert channel communication carried in SNMP data messages and relatively ensures the network security of the user host.
On the basis of the above embodiment, as a preferred implementation, before detecting the target features with the detection model to determine whether an SNMP covert channel exists, the method further includes:
filtering out, from the target features, the normal target features that meet a preset normal standard;
correspondingly, detecting the target features with the detection model to determine whether an SNMP covert channel exists includes:
detecting the filtered target features with the detection model to determine whether an SNMP covert channel exists.
It should be noted that the key point of this embodiment is that, before the detection model is applied, the normal target features that meet the preset normal standard are filtered out. That is, data that can be judged normal against the preset normal standard is removed from the target features, which relatively reduces the overall amount of target feature data. The detection model then detects the filtered target features to determine whether an SNMP covert channel exists. This relatively reduces the amount of data the detection model has to examine and so improves the efficiency of covert channel communication detection.
On the basis of the foregoing embodiment, as a preferred implementation, detecting the target features with the detection model includes:
collecting the target features corresponding to the SNMP data stream within a preset time to obtain a target feature vector, and detecting the target feature vector with the detection model.
It should be noted that the key point of this embodiment is that the target features corresponding to the SNMP data stream within a preset time are collected into a target feature vector, where the feature vector is the feature set composed of the target features in the SNMP data stream, and the detection model then detects that vector. In other words, this embodiment performs covert channel communication detection on the SNMP data stream generated within a preset period, which further ensures the flexibility and reliability of covert channel communication detection.
On the basis of the foregoing embodiment, if the target features include both object identifier features and data field features, referring to FIG. 2, an embodiment of the present application discloses a covert channel communication detection method, including:
Step S20: acquire the SNMP data stream.
Step S21: perform protocol audit on the SNMP data stream to obtain the target features.
The target features include object identifier features and/or data field features.
Step S22: detect the object identifier features with the first detection model to obtain a first detection result.
The first detection model in this embodiment is a detection model that performs feature detection on the object identifier features among the target features. That is, the first detection model is trained on object identifier features and is used only to detect the object identifier features of the SNMP data stream, producing the first detection result for those features.
Step S23: detect the data field features with the second detection model to obtain a second detection result.
It should be noted that the second detection model in this embodiment is a detection model that performs feature detection on the data field features among the target features. That is, the second detection model is trained on data field features and is used only to detect the data field features of the SNMP data stream, producing the second detection result for those features.
Step S24: determine whether an SNMP covert channel exists according to the first detection result and the second detection result.
It should be noted that, after the first detection model has produced the first detection result for the object identifier features and the second detection model has produced the second detection result for the data field features, the two results are judged together to determine whether an SNMP covert channel exists. For example, when the first detection result or the second detection result indicates an SNMP covert channel, the final detection result is that an SNMP covert channel exists.
In this embodiment, the first detection model and the second detection model may be the same kind of model, for example both classification models (decision tree, support vector machine, random forest, etc.). In some other embodiments, they may be different models, for example a decision tree model as the first detection model and a support vector machine model as the second detection model. This is not limited here.
In this embodiment, the object identifier features and the data field features of the SNMP data stream are detected by the first detection model and the second detection model respectively, so the accuracy of the detection process can be further ensured. Whether an SNMP covert channel exists is then determined from the detection results for both kinds of feature, which relatively improves the overall accuracy of covert channel communication detection.
Referring to FIG. 3, an embodiment of the present application discloses a covert channel communication detection method, including:
Step S30: acquire the SNMP data stream.
Step S31: perform protocol audit on the SNMP data stream to obtain the data corresponding to each field.
Step S32: extract, from the fields, the data corresponding to the object identifier field as the object identifier feature, and/or the data corresponding to the data field as the data field feature.
It should be noted that, in this embodiment, after protocol audit of the SNMP data stream has produced the data corresponding to each field, the data corresponding to the object identifier field is extracted as the object identifier feature, and/or the data corresponding to the data field is extracted as the data field feature. That is, in this embodiment the data field feature is the data corresponding to each field in the SNMP data stream, and the object identifier feature is further extracted from the data corresponding to each field in the SNMP data stream.
Step S33: detect the object identifier features and/or the data field features with a detection model to determine whether an SNMP covert channel exists.
After the data corresponding to the object identifier field has been extracted as the object identifier feature and/or the data corresponding to the data field has been extracted as the data field feature, this step uses the detection model to detect those features and determine whether an SNMP covert channel exists.
On the basis of the foregoing embodiment, as a preferred implementation, extracting the data corresponding to the object identifier field as the object identifier feature includes:
extracting the numbers in the object identifier field and combining them into a number group;
and setting the number group as the object identifier feature.
It should be noted that covert channel communication based on the object identifier encodes the data to be transmitted in the object identifier, and the object identifier is usually written as numbers, possibly separated by symbols. To extract the object identifier feature more accurately, this embodiment extracts the numbers in the object identifier field and recombines them into a longer number combination, which further improves the overall accuracy of covert channel communication detection. In practice, auditing the SNMP data stream may yield more than one object identifier field.
On the basis of the foregoing embodiment, as a preferred implementation, extracting the data corresponding to the data field as the data field feature includes:
extracting the data fragments in each data field and combining them into a data combination;
and setting the data combination as the data field feature.
It should be noted that, when covert channel communication uses the data field of the SNMP data stream, the data to be transmitted is usually encoded in that data field. When the covert content is encoded with a specific encoding method such as Base64, it is often transmitted in segments across the SNMP data stream, because the value in a data field has a length limit. This embodiment therefore extracts the data fragments in each data field, combines them into a data combination, and sets that combination as the data field feature, which further improves the overall accuracy of covert channel communication detection.
On the basis of the above series of embodiments, as a preferred embodiment, the object identifier features include one or more of the number of OID nodes of the OID-type data and the OID edit distance of the OID-type data; the data field features include the complexity of the VALUE-type data.
In this embodiment, the number of OID nodes of the OID-type data refers to how many OID numbers the OID-type data contains. The OID edit distance of the OID-type data refers to the number of editing operations required to convert the current OID-type data into other known OID-type data, that is, the similarity between the current OID-type data and the other known OID-type data. The complexity of the VALUE-type data refers to the content magnitude of the VALUE-type data, that is, the order of magnitude that the amount of VALUE-type data reaches, including but not limited to the Gb and Tb orders of magnitude. Further, the object identifier features include one or more of the number of OID nodes of the OID-type data and the OID edit distance of the OID-type data.
It should be noted that the OID (Object Identifier) type data in this embodiment refers to globally unique data that is associated with an object and identifies it unambiguously, which ensures that the object is correctly located and managed when communication information is processed. When covert channel communication is carried in an SNMP data stream, the data to be transmitted is often encoded in the OID-type data in order to hide it, so, to detect covert channel communication in the SNMP data stream more accurately, the object identifier feature in this embodiment includes the OID-type data. In addition, the VALUE-type data in this embodiment refers to the data value content actually carried in the data field of the SNMP data stream. When covert channel communication is carried in an SNMP data stream, the data to be transmitted is often set as the VALUE-type data of the stream, so, to detect covert channel communication more accurately, the data field feature in this embodiment includes the complexity of the VALUE-type data. This embodiment further ensures the accuracy of SNMP covert channel communication detection.
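The features described above can be computed from already-audited variable bindings as follows. This is an added example, not code from the patent: the `KNOWN_OIDS` baseline, the sample varbinds and the Shannon-entropy measure are assumptions, and the patent's own notion of VALUE complexity (amount of data) is represented by `total_bytes`.

```python
import math
import re
from collections import Counter

# Assumption: OIDs this network's management stations are known to poll.
KNOWN_OIDS = [
    "1.3.6.1.2.1.1.1.0",       # sysDescr.0
    "1.3.6.1.2.1.1.3.0",       # sysUpTime.0
    "1.3.6.1.2.1.1.5.0",       # sysName.0
    "1.3.6.1.2.1.2.2.1.10.1",  # ifInOctets.1
]


def oid_number_group(oid):
    """Extract the numbers from an OID field and return them as one group."""
    return [int(n) for n in re.findall(r"\d+", oid)]


def edit_distance(a, b):
    """Levenshtein distance between two node sequences (one edit = one node)."""
    prev = list(range(len(b) + 1))
    for i, x in enumerate(a, 1):
        cur = [i]
        for j, y in enumerate(b, 1):
            cur.append(min(prev[j] + 1,              # delete x
                           cur[j - 1] + 1,           # insert y
                           prev[j - 1] + (x != y)))  # substitute x -> y
        prev = cur
    return prev[-1]


def oid_features(oid, known=KNOWN_OIDS):
    """Node count plus edit distance to the nearest known OID."""
    nodes = oid_number_group(oid)
    nearest = min(edit_distance(nodes, oid_number_group(k)) for k in known)
    return {"node_count": len(nodes), "edit_distance": nearest}


def shannon_entropy(data):
    """Bits per byte. An added measure; the patent does not name it."""
    if not data:
        return 0.0
    n = len(data)
    return sum(c / n * math.log2(n / c) for c in Counter(data).values())


def value_features(fragments):
    """Join the per-field fragments into one data combination and measure it."""
    combined = b"".join(fragments)
    return {
        "fragments": len(fragments),
        "total_bytes": len(combined),
        "entropy": shannon_entropy(combined),
    }


def extract_features(varbinds):
    """varbinds: list of (oid_string, value_bytes) from one audited message."""
    per_oid = [oid_features(oid) for oid, _ in varbinds]
    feats = {
        "max_node_count": max(f["node_count"] for f in per_oid),
        "max_edit_distance": max(f["edit_distance"] for f in per_oid),
    }
    feats.update(value_features([value for _, value in varbinds]))
    return feats


# Constructed samples: one ordinary poll response, and one message whose OIDs
# carry many extra nodes under a placeholder subtree with Base64-like values.
BENIGN = [("1.3.6.1.2.1.1.5.0", b"core-sw-01")]
SUSPECT = [
    ("1.3.6.1.4.1.99999.1.83.71.86.115.98.71.56", b"QUJDREVGR0hJSktMTU5P"),
    ("1.3.6.1.4.1.99999.2.103.100.50.57.121.98.71", b"UFFSU1RVVldYWVo="),
]

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(name, extract_features(sample))
```

The benign message matches the baseline exactly (edit distance 0), while the constructed suspect message stands out on node count, edit distance and combined value size at once.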
Referring to fig. 4, an embodiment of the present application discloses a method for generating a detection model in covert channel communication detection, including:
Step S40: acquiring an SNMP data stream positive sample that has covert channel communication behavior, and acquiring an SNMP data stream negative sample corresponding to the SNMP data stream positive sample.
It should be noted that, in this step, an SNMP data stream positive sample having a covert channel communication behavior is obtained, and an SNMP data stream negative sample corresponding to the SNMP data stream positive sample is obtained, so that a detection model capable of detecting the SNMP data stream having a covert channel communication can be trained in a subsequent step based on the SNMP data stream positive sample and the SNMP data stream negative sample.
Step S41: performing feature statistics on the SNMP data stream positive sample to obtain a positive sample feature vector, and performing feature statistics on the SNMP data stream negative sample to obtain a negative sample feature vector.
After the SNMP data stream positive sample and the SNMP data stream negative sample are acquired, this step performs feature statistics on the SNMP data stream positive sample to obtain a positive sample feature vector, and performs feature statistics on the SNMP data stream negative sample to obtain a negative sample feature vector. The SNMP data stream feature vector comprises a positive sample feature vector and a negative sample feature vector, where the positive sample feature vector is a feature set composed of content features and/or transmission features in the SNMP data stream positive sample, and the negative sample feature vector is a feature set composed of content features and/or transmission features in the SNMP data stream negative sample.
Step S42: performing model training on the positive sample feature vector and the negative sample feature vector to generate a detection model.
After the positive sample feature vector and the negative sample feature vector are obtained, this step performs model training on them to generate a detection model. In essence, the model training summarizes the respective patterns of the positive sample feature vector and the negative sample feature vector; the detection model then records the SNMP data stream detection result type corresponding to each pattern, namely the type of SNMP data stream with covert channel communication behavior or the type of SNMP data stream without covert channel communication behavior.
The detection model in this embodiment is generated from the SNMP data stream positive sample with covert channel communication behavior and the corresponding SNMP data stream negative sample. That is, this embodiment takes SNMP data streams with covert channel communication behavior as positive samples in advance and generates the detection model from the positive samples together with the corresponding negative samples, where a positive sample is a sample that belongs to a certain class and a negative sample is a sample that does not belong to that class. The detection model in this embodiment therefore distinguishes SNMP data stream types that satisfy the covert channel communication standard from those that do not, so the detection model can be used to judge whether an SNMP data stream to be detected has covert channel communication behavior.
On the basis of the above-described embodiment, as a preferred implementation, the positive sample feature vector and the negative sample feature vector each include OID type data and/or VALUE type data.
In addition, in this embodiment, the positive sample feature vector and the negative sample feature vector may both include either one of the OID type data and the VALUE type data, or may both include the OID type data and the VALUE type data; this is determined by the actual covert channel communication detection requirement and is not specifically limited here.
Referring to fig. 5, when both the positive sample feature vector and the negative sample feature vector contain OID type data, an embodiment of the present application discloses a method for generating a detection model in covert channel communication detection, including:
Step S50: acquiring an SNMP data stream positive sample that has covert channel communication behavior, and acquiring an SNMP data stream negative sample corresponding to the SNMP data stream positive sample.
Step S51: performing feature statistics on the SNMP data stream positive sample to obtain a positive sample feature vector, and performing feature statistics on the SNMP data stream negative sample to obtain a negative sample feature vector.
Step S52: extracting the OID numbers of the OID type data in the positive sample feature vector and in the negative sample feature vector respectively.
It should be noted that, in this embodiment, when both the positive sample feature vector and the negative sample feature vector include OID type data, before model training is performed on the positive sample feature vector and the negative sample feature vector, the OID type data in the positive sample feature vector and the OID type data in the negative sample feature vector are respectively preprocessed, that is, OID numbers of the OID type data in the positive sample feature vector and the negative sample feature vector are respectively extracted. For example, when the content of the OID type data is "1.3.6.1.2.1.1.1.0", the extracted OID number from the OID type data is "136121110".
Considering that a malicious controller often converts carried data into OID numbers in OID type data when carrying out covert channel communication, and the OID numbers are the main basis for judging whether SNMP data stream carries out covert channel communication, the OID numbers of the OID type data in the positive sample characteristic vector and the negative sample characteristic vector are respectively extracted in the step, and in the subsequent step, model training is carried out on the basis of the positive sample characteristic vector and the negative sample characteristic vector which are respectively extracted with the OID numbers to generate a detection model.
Step S53: performing model training on the positive sample feature vector and the negative sample feature vector from which the OID numbers have been extracted, to generate a detection model.
In the embodiment, before the model training is performed on the positive sample feature vector and the negative sample feature vector, the OID type data in the positive sample feature vector and the OID type data in the negative sample feature vector are respectively preprocessed, so that the overall accuracy of the model training is further improved, and the accuracy of the covert channel communication detection based on the detection model is further improved.
Referring to fig. 6, when the positive sample feature vector and the negative sample feature vector both include VALUE type data, and the number of VALUE values in the VALUE type data is greater than 1, an embodiment of the present application discloses a method for generating a detection model in covert channel communication detection, including:
Step S60: acquiring an SNMP data stream positive sample that has covert channel communication behavior, and acquiring an SNMP data stream negative sample corresponding to the SNMP data stream positive sample.
Step S61: performing feature statistics on the SNMP data stream positive sample to obtain a positive sample feature vector, and performing feature statistics on the SNMP data stream negative sample to obtain a negative sample feature vector.
Step S62: combining the VALUE values of the VALUE type data in the positive sample feature vector and in the negative sample feature vector respectively.
It should be noted that, in this embodiment, when both the positive sample feature vector and the negative sample feature vector include VALUE type data and the number of VALUE values in the VALUE type data is greater than 1, before model training is performed on the positive sample feature vector and the negative sample feature vector, the VALUE values of the VALUE type data in the positive sample feature vector are combined, and the VALUE values of the VALUE type data in the negative sample feature vector are combined; that is, the plurality of VALUE values in the VALUE type data of each of the positive sample feature vector and the negative sample feature vector are combined into one complete VALUE. For example, when the VALUE values of the VALUE type data are "a", "b", and "c", the complete VALUE obtained by combining them is "abc".
Because a single VALUE has a length limit, a large amount of communication data carried in covert channel communication often has to be transmitted in segments, so the VALUE type data then has a plurality of VALUE values. This step therefore combines the VALUE values of the VALUE type data in the positive sample feature vector and in the negative sample feature vector respectively, so that the detection model is trained with the complete communication data as the sample feature vector.
Step S63: performing model training on the positive sample feature vector and the negative sample feature vector after their VALUE values have been combined, to generate a detection model.
In this embodiment, before the model training is performed on the positive sample feature vector and the negative sample feature vector, the VALUE type data in the positive sample feature vector and the VALUE type data in the negative sample feature vector are preprocessed, so that the overall accuracy of the model training is further improved.
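The following added example (not code from the patent) computes the features defined above for one SNMP flow: the OID number string from step S52, the OID node count, the OID edit distance to known OIDs, and the size of the VALUE merged as in step S62. It assumes that edit distance is measured over OID arcs, that per-flow values are aggregated with `max`, and that complexity is quantified as the byte length of the merged VALUE; the baseline and both flows are constructed sample data.

```python
# Added example: per-flow feature extraction for SNMP covert-channel detection.
# KNOWN_OIDS, BENIGN_FLOW and COVERT_FLOW are constructed sample data.

KNOWN_OIDS = [
    "1.3.6.1.2.1.1.1.0",  # sysDescr.0
    "1.3.6.1.2.1.1.3.0",  # sysUpTime.0
    "1.3.6.1.2.1.1.5.0",  # sysName.0
]

# Each flow is the list of (OID, VALUE bytes) varbinds seen in one time window.
BENIGN_FLOW = [
    ("1.3.6.1.2.1.1.5.0", b"core-sw-01"),
    ("1.3.6.1.2.1.1.6.0", b"rack 12"),
]
COVERT_FLOW = [  # long, unfamiliar OIDs under a placeholder enterprise number
    ("1.3.6.1.4.1.99999.1.72.51.108.90.33.7.64.12", b"Q" * 200),
    ("1.3.6.1.4.1.99999.1.88.14.203.9.61.77.4.40", b"Z" * 180),
]


def oid_arcs(oid):
    """Split a dotted OID into integer arcs; reject malformed input."""
    parts = oid.strip(".").split(".")
    if any(not p.isdigit() for p in parts):
        raise ValueError(f"malformed OID: {oid!r}")
    return [int(p) for p in parts]


def oid_digits(oid):
    """OID numbers with the dots removed, e.g. 1.3.6.1 -> '1361'."""
    return "".join(str(arc) for arc in oid_arcs(oid))


def oid_node_count(oid):
    """Number of OID numbers (arcs) in the OID."""
    return len(oid_arcs(oid))


def edit_distance(a, b):
    """Levenshtein distance between two arc sequences (row-by-row DP)."""
    prev = list(range(len(b) + 1))
    for i, x in enumerate(a, 1):
        cur = [i]
        for j, y in enumerate(b, 1):
            cur.append(min(prev[j] + 1,              # delete x
                           cur[j - 1] + 1,           # insert y
                           prev[j - 1] + (x != y)))  # substitute or match
        prev = cur
    return prev[-1]


def min_edit_distance(oid, known=KNOWN_OIDS):
    """Edit operations needed to reach the closest known OID."""
    arcs = oid_arcs(oid)
    return min(edit_distance(arcs, oid_arcs(k)) for k in known)


def merge_values(fragments):
    """Combine segmented VALUE fragments into one complete VALUE."""
    return b"".join(fragments)


def extract_features(flow, known=KNOWN_OIDS):
    """Return (max node count, max edit distance, merged VALUE bytes)."""
    if not flow:
        raise ValueError("empty flow")
    nodes = max(oid_node_count(oid) for oid, _ in flow)
    distance = max(min_edit_distance(oid, known) for oid, _ in flow)
    merged = merge_values(value for _, value in flow)
    return nodes, distance, len(merged)


if __name__ == "__main__":
    print("benign:", extract_features(BENIGN_FLOW))
    print("covert:", extract_features(COVERT_FLOW))
```

Note that the dot-free number string loses arc boundaries ("1.36" and "13.6" both become "136"), which is why the node count and edit distance here are computed on the arcs themselves.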
In this embodiment, the detection model may be a classification model (e.g., a decision tree, a support vector machine, a random forest, etc.). In some other embodiments, the detection model may also be a model that performs determination based on features in the target feature vector, for example, when the object identifier features satisfy a preset first SNMP covert channel condition, it is determined that an SNMP covert channel exists, or when the data field corresponding features satisfy a preset second SNMP covert channel condition, it is determined that an SNMP covert channel exists. This is not limited herein.
In this embodiment, a process of training set detection is described by taking a random forest as an example. Those skilled in the art will appreciate that this example is merely an illustrative example, and the process of training set detection may be different from this embodiment when the detection model is other models.
For example, suppose the target feature vector includes an object identifier feature and a data field corresponding feature, where the object identifier feature includes one or more of the OID node number of the OID type data and the OID edit distance of the OID type data, and the data field corresponding feature includes the complexity of the VALUE type data. First, a first preset number of training samples (which may include positive samples and/or negative samples) are randomly selected from a training sample set containing positive samples and negative samples. Then a second preset number of elements are randomly selected from the elements of the target feature vector (the number of OID nodes of the OID type data, the OID edit distance of the OID type data, and the complexity of the VALUE type data), a tree is constructed with these elements as features, and the constructed tree is trained with the first preset number of training samples to obtain a tree that can be used to detect whether an SNMP covert channel exists. The constructed tree may be a decision tree.
Then the above process is repeated to construct a plurality of trees, and the final detection result on whether an SNMP covert channel exists is determined from the detection results of the plurality of trees.
The first preset number is an integer greater than zero and smaller than the total number of samples in the training sample set, and is not limited herein. The total number multiplied by two thirds (rounded when the product is not an integer) is generally taken as the first preset number.
The second predetermined number is an integer greater than zero and smaller than the number of all elements included in the target feature vector, for example, the number of all elements in this embodiment is 5, and then the second predetermined number may be 1, 2, 3, or 4, which is not limited herein.
In some other embodiments, the detection model may further compare each element in the target feature vector with a preset detection standard, and determine whether the SNMP covert channel exists according to the comparison result (for example, when at least one of the elements in the target feature vector does not meet the corresponding detection standard, the SNMP covert channel is considered to exist).
A decision tree is a supervised-learning classification method. In supervised learning, a set of samples is given, each with a set of attributes and a class that is determined in advance; a classifier is obtained through learning, and this classifier can correctly classify newly appearing objects. The decision tree has high accuracy for the type analysis of data, so this embodiment can further improve the accuracy of covert channel communication detection.
In this embodiment, the generation process of the decision tree is described by taking as an example a target feature vector that includes the OID node number of the OID type data, the OID edit distance of the OID type data, and the complexity of the VALUE type data. Those skilled in the art will appreciate that this is merely an illustrative example; when the target feature vector includes other features, the generation process of the corresponding decision tree model may differ, which is not limited herein.
For example, one of the features (the number of OID nodes of the OID type data, the OID edit distance of the OID type data, and the complexity of the VALUE type data) may be determined as the root node according to the principle of entropy increase: the entropy increase corresponding to each feature is calculated, all the entropy increases are compared, and the feature corresponding to the smallest entropy increase is used as the root node. When the root node is split, since three features remain to be selected in the target feature vector apart from the feature corresponding to the root node, the feature corresponding to the largest entropy increase among the three candidate features may be selected as a leaf node of the root node, and so on, until all the features in the target feature vector have been selected and a decision tree is obtained.
Wherein, the definition of the entropy increment E is as follows:
$$E = -\sum_{i} P(x_i)\,\log_2 P(x_i)$$
where $P(x_i)$ is the probability of the occurrence of the $i$-th feature in the target feature vector.
The decision tree is trained on a large number of samples, and the splitting threshold corresponding to each node is continuously adjusted; training stops when the objective function (or loss function or cost function) corresponding to the decision tree meets the requirements, yielding a trained decision tree model.
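The random-forest procedure described above can be written out as follows; this is an added example, not code from the patent. Each tree is trained on two thirds of the samples and a random subset of the three features, and the trees vote on the result. Two choices are assumptions: the entropy formula is applied to the class labels reaching a node, and each node takes the split with the lowest weighted entropy. The training rows are constructed feature vectors.

```python
import math
import random
from collections import Counter

FEATURES = ("oid_nodes", "oid_edit_distance", "value_bytes")

# Constructed training set: (oid_nodes, oid_edit_distance, value_bytes), label.
# Label 1 = positive sample (covert-channel behaviour), 0 = negative sample.
TRAIN = [
    ((9, 0, 12), 0), ((9, 1, 17), 0), ((10, 1, 24), 0),
    ((11, 2, 40), 0), ((9, 0, 8), 0), ((10, 2, 31), 0),
    ((16, 10, 380), 1), ((20, 12, 240), 1), ((24, 15, 410), 1),
    ((18, 11, 200), 1), ((30, 22, 520), 1), ((22, 14, 300), 1),
]


def entropy(labels):
    """E = -sum(P(x) * log2(P(x))) over the class labels reaching a node."""
    n = len(labels)
    return -sum(c / n * math.log2(c / n) for c in Counter(labels).values())


def best_split(samples, feats):
    """Return (weighted entropy, feature index, threshold) of the purest split."""
    best = None
    for f in feats:
        vals = sorted({x[f] for x, _ in samples})
        for lo, hi in zip(vals, vals[1:]):
            thr = (lo + hi) / 2
            left = [y for x, y in samples if x[f] <= thr]
            right = [y for x, y in samples if x[f] > thr]
            score = (len(left) * entropy(left)
                     + len(right) * entropy(right)) / len(samples)
            if best is None or score < best[0]:
                best = (score, f, thr)
    return best  # None when no feature has two distinct values


def build_tree(samples, feats, depth=3):
    """Recursively split until the node is pure or the depth budget is spent."""
    labels = [y for _, y in samples]
    majority = Counter(labels).most_common(1)[0][0]
    split = best_split(samples, feats) if depth and len(set(labels)) > 1 else None
    if split is None:
        return majority  # leaf: predicted class
    _, f, thr = split
    left = [s for s in samples if s[0][f] <= thr]
    right = [s for s in samples if s[0][f] > thr]
    return (f, thr, build_tree(left, feats, depth - 1),
            build_tree(right, feats, depth - 1))


def tree_predict(tree, x):
    """Walk from the root to a leaf and return its class."""
    while isinstance(tree, tuple):
        f, thr, left, right = tree
        tree = left if x[f] <= thr else right
    return tree


def train_forest(samples, n_trees=7, n_features=2, seed=0):
    """Train n_trees trees, each on a random sample and feature subset."""
    rng = random.Random(seed)
    n_samples = round(len(samples) * 2 / 3)   # first preset number
    forest = []
    for _ in range(n_trees):
        subset = rng.sample(samples, n_samples)
        feats = rng.sample(range(len(FEATURES)), n_features)  # second preset number
        forest.append(build_tree(subset, feats))
    return forest


def forest_predict(forest, x):
    """Majority vote over the trees: 1 = SNMP covert channel present."""
    votes = Counter(tree_predict(t, x) for t in forest)
    return votes.most_common(1)[0][0]


if __name__ == "__main__":
    forest = train_forest(TRAIN)
    for row in [(40, 30, 600), (9, 0, 12)]:
        print(row, "->", forest_predict(forest, row))
```

An odd number of trees avoids tied votes between the two classes.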
Referring to fig. 7, an embodiment of the present application discloses a hidden channel communication detection apparatus, including:
a data stream obtaining module 10, configured to obtain an SNMP data stream;
the characteristic counting module 11 is used for performing protocol auditing on the SNMP data stream to obtain target characteristics, wherein the target characteristics comprise object identifier characteristics and/or data field corresponding characteristics;
and the model detection module 12 is used for detecting the target characteristics by using the detection model to determine whether the SNMP hidden channel exists.
On the basis of the foregoing embodiments, the embodiments of the present application further describe and optimize the hidden channel communication detection apparatus. Specifically:
In one embodiment, if the target feature includes an object identifier feature and a data field corresponding feature, the model detection module 12 includes:
the first result module is used for detecting the object identifier characteristics by utilizing a first detection model to obtain a first detection result;
the second result module is used for detecting the corresponding characteristics of the data field by using a second detection model to obtain a second detection result;
and the result judging module is used for determining whether the SNMP hidden channel exists according to the first detection result and the second detection result.
In one embodiment, the feature statistics module 11 includes:
the data auditing module is used for carrying out protocol auditing on the SNMP data stream to obtain data corresponding to each field;
and the characteristic extraction module is used for extracting data corresponding to the object identifier field from the field as the object identifier characteristic and/or extracting data corresponding to the data field from the field as the data field corresponding characteristic.
In one embodiment, the feature extraction module includes:
a number combination module for extracting the numbers in the object identifier field from the fields and combining the numbers into a number group;
and the number group setting module is used for setting the number group as the object identifier characteristic.
In one embodiment, the feature extraction module includes:
the field combination module is used for extracting data fragments in each data field from the field and combining the data fragments into a data combination;
and the data combination setting module is used for setting the data combination as the corresponding characteristics of the data fields.
In one embodiment, the apparatus further comprises:
the filtering module is used for filtering normal target features meeting preset normal standards in the target features;
accordingly, the model detection module 12 includes:
and the post-filtering detection module is used for detecting the filtered target characteristics by using the detection model to determine whether the SNMP hidden channel exists.
In one embodiment, the model detection module 12 includes:
and the time detection module is used for counting the target characteristics corresponding to the SNMP data stream within the preset time to obtain a target characteristic vector, and detecting the target characteristic vector by using the detection model.
In one embodiment, the object identifier characteristics include one or more of the number of OID nodes of the OID type data, and the OID edit distance of the OID type data; the data field correspondence characteristic includes a complexity of the VALUE type data.
According to the hidden channel communication detection device, the SNMP data stream is firstly obtained, then protocol audit is carried out on the SNMP data stream to obtain the target characteristics, wherein the target characteristics comprise object identifier characteristics and/or data field corresponding characteristics, and then a detection model is used for detecting the target characteristics to determine whether the SNMP hidden channel exists. The device carries out the detection of the hidden channel communication behavior on the target characteristics of the SNMP data stream through the detection model, realizes the hidden channel communication detection based on the SNMP data message, and relatively ensures the network security of the user host.
In addition, the embodiment of the present application further discloses a hidden channel communication detection device, including:
a memory for storing a computer program;
a processor for implementing the steps of the covert channel communication detection method as described above when executing a computer program.
According to the hidden channel communication detection equipment, the SNMP data stream is firstly obtained, then protocol audit is carried out on the SNMP data stream to obtain the target characteristics, wherein the target characteristics comprise object identifier characteristics and/or data field corresponding characteristics, and then a detection model is used for detecting the target characteristics to determine whether the SNMP hidden channel exists. The device detects the hidden channel communication behavior of the target characteristics of the SNMP data stream through the detection model, realizes the hidden channel communication detection based on the SNMP data message, and relatively ensures the network security of the user host.
In addition, the embodiment of the application also discloses a computer readable storage medium, on which a computer program is stored, and the computer program is executed by a processor to implement the steps of the covert channel communication detection method as described above.
The computer-readable storage medium provided by the application firstly obtains an SNMP data stream, then performs protocol audit on the SNMP data stream to obtain a target feature, wherein the target feature comprises an object identifier feature and/or a data field corresponding feature, and then detects the target feature by using a detection model to determine whether an SNMP hidden channel exists. The computer readable storage medium detects the hidden channel communication behavior of the target characteristics of the SNMP data stream through the detection model, realizes the hidden channel communication detection based on the SNMP data message, and relatively ensures the network security of the user host.
The method, apparatus, and device for detecting covert channel communication provided in the present application have been described in detail above. The embodiments in the specification are described in a progressive manner; each embodiment focuses on its differences from the other embodiments, and for the same or similar parts the embodiments may be referred to one another. Because the device disclosed in an embodiment corresponds to the method disclosed in an embodiment, its description is brief, and the relevant points can be found in the description of the method. It should be noted that those skilled in the art can make several improvements and modifications to the present application without departing from the principle of the present application, and such improvements and modifications also fall within the scope of the claims of the present application.
It is further noted that, in the present specification, relational terms such as first and second, and the like are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.

Claims (12)

1. A hidden channel communication detection method, comprising:
acquiring SNMP data flow;
performing protocol audit on the SNMP data stream to obtain target characteristics, wherein the target characteristics comprise object identifier characteristics, the object identifier characteristics comprise one or more of the OID node number of OID type data and the OID editing distance of the OID type data, the OID node number of the OID type data refers to the number of OID numbers in the OID type data, and the OID editing distance of the OID type data refers to the number of editing operations required by converting the current OID type data into other known OID type data;
and detecting the target characteristics by using a detection model to determine whether an SNMP hidden channel exists.
2. The covert channel communication detection method of claim 1, wherein said target feature further comprises a data field corresponding feature.
3. The hidden-channel communication detection method of claim 2, wherein if the target feature comprises the object identifier feature and the data-field-corresponding feature, the detecting the target feature with the detection model to determine whether the SNMP hidden channel exists comprises:
detecting the object identifier characteristics by using a first detection model to obtain a first detection result;
detecting the corresponding characteristics of the data fields by using a second detection model to obtain a second detection result;
and determining whether an SNMP hidden channel exists according to the first detection result and the second detection result.
4. The hidden channel communication detection method of claim 2, wherein said protocol auditing of said SNMP data stream to obtain target characteristics comprises:
carrying out protocol audit on the SNMP data stream to obtain data corresponding to each field;
and extracting data corresponding to the object identifier field from the field as the object identifier characteristic, and extracting data corresponding to the data field from the field as the data field corresponding characteristic.
5. The hidden channel communication detection method of claim 4, wherein extracting data corresponding to an object identifier field from the field as the object identifier feature comprises:
extracting the numbers in the object identifier field in the fields, combining the numbers into a number group;
setting the number group as the object identifier characteristic.
6. The hidden channel communication detection method of claim 4, wherein extracting data field corresponding data from the field as the data field corresponding feature comprises:
extracting data fragments in each data field from the fields, and combining the data fragments into a data combination;
and setting the data combination as the corresponding characteristic of the data field.
7. The hidden-channel communication detection method of claim 1, wherein before said detecting the target feature with the detection model to determine whether the SNMP hidden channel exists, the method further comprises:
filtering normal target features meeting preset normal standards from the target features;
correspondingly, the detecting the target feature by using the detection model to determine whether an SNMP hidden channel exists includes:
and detecting the filtered target characteristics by using a detection model to determine whether an SNMP hidden channel exists.
8. The hidden channel communication detection method of claim 1, wherein detecting the target feature using a detection model comprises:
and counting target features corresponding to the SNMP data stream within preset time to obtain a target feature vector, and detecting the target feature vector by using a detection model.
9. The covert channel communication detection method of claim 2, wherein said data field corresponding characteristic comprises a complexity of VALUE type data, the complexity of VALUE type data refers to a content level of the VALUE type data, wherein the content level refers to the order of magnitude that the data amount of the VALUE type data reaches, and the orders of magnitude comprise Gb and Tb.
10. A covert channel communication detection device, comprising:
the data flow acquisition module is used for acquiring SNMP data flow;
the characteristic counting module is used for carrying out protocol audit on the SNMP data stream to obtain target characteristics, wherein the target characteristics comprise object identifier characteristics, the object identifier characteristics comprise one or more of the quantity of OID nodes of OID type data and the OID editing distance of the OID type data, the quantity of the OID nodes of the OID type data refers to the quantity of OID numbers in the OID type data, and the OID editing distance of the OID type data refers to the number of editing operations needed by converting the current OID type data into other known OID type data;
and the model detection module is used for detecting the target characteristics by using a detection model to determine whether an SNMP hidden channel exists or not.
11. A covert channel communication detection device, comprising:
a memory for storing a computer program;
a processor for implementing the steps of the covert channel communication detection method of any of claims 1 to 9 when executing said computer program.
12. A computer-readable storage medium, characterized in that the computer-readable storage medium has stored thereon a computer program which, when being executed by a processor, carries out the steps of the covert channel communication detection method as claimed in any one of claims 1 to 9.
CN202010343180.9A 2020-04-27 2020-04-27 Method, device and equipment for detecting communication of hidden channel Active CN111585993B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010343180.9A CN111585993B (en) 2020-04-27 2020-04-27 Method, device and equipment for detecting communication of hidden channel

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202010343180.9A CN111585993B (en) 2020-04-27 2020-04-27 Method, device and equipment for detecting communication of hidden channel

Publications (2)

Publication Number Publication Date
CN111585993A CN111585993A (en) 2020-08-25
CN111585993B true CN111585993B (en) 2022-08-09

Family

ID=72119818

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010343180.9A Active CN111585993B (en) 2020-04-27 2020-04-27 Method, device and equipment for detecting communication of hidden channel

Country Status (1)

Country Link
CN (1) CN111585993B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115118514A (en) * 2022-07-11 2022-09-27 深信服科技股份有限公司 Data detection method, device, equipment and medium

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103905440A (en) * 2014-03-28 2014-07-02 哈尔滨工程大学 Network security situation awareness analysis method based on log and SNMP information fusion
CN108199875A (en) * 2017-12-29 2018-06-22 上海上讯信息技术股份有限公司 A kind of Network Intrusion Detection System and method
CN110324210A (en) * 2019-08-06 2019-10-11 杭州安恒信息技术股份有限公司 The detection method and device of private communication channel communication are carried out based on ICMP agreement
CN110611640A (en) * 2018-06-15 2019-12-24 成都蓝盾网信科技有限公司 DNS protocol hidden channel detection method based on random forest
CN110798463A (en) * 2019-10-25 2020-02-14 广州大学 Network covert channel detection method and device based on information entropy

Family Cites Families (1)

Publication number Priority date Publication date Assignee Title
NL2007180C2 (en) * 2011-07-26 2013-01-29 Security Matters B V Method and system for classifying a protocol message in a data communication network.

Non-Patent Citations (3)

Title
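Design and Implementation of a Security Audit Agent Model Based on the SNMP Protocol; Huang Zhen et al.; Computer and Modernization; 20060930 (No. 09); full text *
DDoS Attack Detection Based on SNMP and Neural Networks; Lü Tao et al.; Communications Technology; 20090331 (No. 03); full text *
Research on an Intrusion Detection System Using SNMP-Based Data Mining; Yang Hailan et al.; Computer Engineering; 20040131; Vol. 30 (No. 02); pp. 20-22 *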

Also Published As

Publication number Publication date
CN111585993A (en) 2020-08-25

Similar Documents

Publication Publication Date Title
CN111565205B (en) Network attack identification method and device, computer equipment and storage medium
CN111478920A (en) Method, device and equipment for detecting communication of hidden channel
CN107579956B (en) User behavior detection method and device
CN112468347B (en) Security management method and device for cloud platform, electronic equipment and storage medium
CN111277570A (en) Data security monitoring method and device, electronic equipment and readable medium
CN107276982A (en) A kind of abnormal login detecting method and device
CN110611640A (en) DNS protocol hidden channel detection method based on random forest
CN107370752B (en) Efficient remote control Trojan detection method
CN112003869B (en) Vulnerability identification method based on flow
CN110046297B (en) Operation and maintenance violation identification method and device and storage medium
CN113821793B (en) Multi-stage attack scene construction method and system based on graph convolution neural network
CN104967616A (en) WebShell file detection method in Web server
CN113452672B (en) Method for analyzing abnormal flow of terminal of Internet of things of electric power based on reverse protocol analysis
CN110545284A (en) Domain name detection method and system for antagonistic network
CN112769623A (en) Internet of things equipment identification method under edge environment
CN112613599A (en) Network intrusion detection method based on generation countermeasure network oversampling
CN104767736A (en) Method for separating unknown single protocol data stream into different types of data frames
CN112532614A (en) Safety monitoring method and system for power grid terminal
Zhao Network intrusion detection system model based on data mining
CN111478921A (en) Method, device and equipment for detecting communication of hidden channel
CN111585993B (en) Method, device and equipment for detecting communication of hidden channel
CN111464510B (en) Network real-time intrusion detection method based on rapid gradient lifting tree classification model
CN111835681A (en) Large-scale abnormal flow host detection method and device
CN112134875A (en) IoT network abnormal flow detection method and system
Perona et al. Service-independent payload analysis to improve intrusion detection in network traffic

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant