CN112667875A - Data acquisition method, data analysis method, data acquisition device, data analysis device, equipment and storage medium - Google Patents

Data acquisition method, data analysis method, data acquisition device, data analysis device, equipment and storage medium Download PDF

Info

Publication number
CN112667875A
CN112667875A CN202011547288.6A CN202011547288A CN112667875A CN 112667875 A CN112667875 A CN 112667875A CN 202011547288 A CN202011547288 A CN 202011547288A CN 112667875 A CN112667875 A CN 112667875A
Authority
CN
China
Prior art keywords
data
domain name
network
target
network data
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202011547288.6A
Other languages
Chinese (zh)
Inventor
李佳佳
梁彧
田野
傅强
王杰
杨满智
蔡琳
金红
陈晓光
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Eversec Beijing Technology Co Ltd
Original Assignee
Eversec Beijing Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Eversec Beijing Technology Co Ltd filed Critical Eversec Beijing Technology Co Ltd
Priority to CN202011547288.6A priority Critical patent/CN112667875A/en
Publication of CN112667875A publication Critical patent/CN112667875A/en
Pending legal-status Critical Current

Links

Images

Abstract

The embodiment of the invention discloses a data acquisition method, a data analysis method, a data acquisition device, a data analysis device, equipment and a storage medium. The data acquisition method comprises the following steps: obtaining crawler data and domain name system DNS domain name data; updating a target domain name basic database according to the crawler data and the DNS domain name data; the target domain name basic database is used for intelligently analyzing the original network data of the internet. The technical scheme of the embodiment of the invention can greatly improve the acquisition amount of domain name data and improve the real-time performance and reliability of intelligent analysis on the premise of not adding external equipment.

Description

Data acquisition method, data analysis method, data acquisition device, data analysis device, equipment and storage medium
Technical Field
The embodiment of the invention relates to the technical field of network security, in particular to a method, a device, equipment and a storage medium for data acquisition and data analysis.
Background
With the increasing popularization and complication of network application, the internet information shows explosive growth and has penetrated the aspects of daily life. However, while the internet brings convenience to people in work and life, network security events of the internet also continuously appear, and means for acquiring information of the network security events are gradually renovated, so that network and information security become more and more important for people to pay attention to. How to quickly, accurately and comprehensively search websites and pages with potential safety hazards is of great significance for improving the network safety level and purifying the network environment.
Currently, security monitoring for websites is mainly implemented by deployment on hardware by means of a third-party gateway probe, and the following defects mainly exist in this way: by adopting a network packet capturing mode, the method can only detect the IP (Internet Protocol, interconnected Protocol between networks) in an IDC (Internet Data Center) machine room, belongs to passive detection and can only detect the IP when a website is accessed; the method can only be deployed at an IDC gateway outlet, and the hardware cost is high; it is impossible to detect a private Line Subscriber and a website of a dynamic ADSL (Asymmetric Digital Subscriber Line).
Disclosure of Invention
Embodiments of the present invention provide a method, an apparatus, a device and a storage medium for data acquisition and data analysis, which greatly increase the acquisition amount of domain name data and improve the real-time performance and reliability of intelligent analysis without adding external devices.
In a first aspect, an embodiment of the present invention provides a data acquisition method, including:
obtaining crawler data and DNS domain name data;
updating a target domain name basic database according to the crawler data and the DNS domain name data;
the target domain name basic database is used for intelligently analyzing the original network data of the internet.
In a second aspect, an embodiment of the present invention provides a data analysis method, including:
acquiring original network data of the internet;
intelligently analyzing original network data of the internet according to a target domain name basic database to obtain normal network data and abnormal network data;
and inputting the normal network data into the normal network database, and inputting the abnormal network data into the abnormal network database.
In a third aspect, an embodiment of the present invention further provides a data acquisition apparatus, including:
the data acquisition module is used for acquiring crawler data and DNS domain name data;
the target domain name basic database updating module is used for updating the target domain name basic database according to the crawler data and the DNS domain name data;
the target domain name basic database is used for intelligently analyzing the original network data of the internet.
In a fourth aspect, an embodiment of the present invention further provides a data analysis apparatus, including:
the original network data acquisition module is used for acquiring original network data of the Internet;
the normal network data and abnormal network data acquisition module intelligently analyzes the original network data of the internet according to the target domain name basic database to obtain normal network data and abnormal network data;
and the data input module is used for inputting the normal network data into the normal network database and inputting the abnormal network data into the abnormal network database.
In a fifth aspect, an embodiment of the present invention further provides an electronic device, where the electronic device includes:
one or more processors;
storage means for storing one or more programs;
when the one or more programs are executed by the one or more processors, the one or more processors implement the data acquisition method or the data analysis method provided by any embodiment of the present invention.
In a sixth aspect, an embodiment of the present invention further provides a computer storage medium, on which a computer program is stored, where the computer program, when executed by a processor, implements the data acquisition method or the data analysis method provided in any embodiment of the present invention.
The technical scheme of the embodiment updates the target domain name basic database according to the acquired crawler data and domain name system DNS domain name data, further intelligently analyzes the original network data of the internet through the updated target domain name basic database, the scheme can supplement the data which is not crawled by the crawler data through domain name system DNS domain name data, the updated target domain name basic database has complete domain name data, solves the problems of high monitoring cost, limited detection time and incapability of implementing dynamic detection of the prior website, can greatly improve the acquisition amount of the domain name data on the premise of not adding external equipment, because the target domain name basic database is continuously updated, the updated target domain name basic database is used for intelligently analyzing the original network data of the Internet, so that the real-time performance and the reliability of intelligent analysis can be improved.
Drawings
Fig. 1 is a flowchart of a data acquisition method according to an embodiment of the present invention;
fig. 2 is a flow chart of DNS log analysis according to an embodiment of the present invention;
FIG. 3 is a block diagram of an Internet fraud website route-finding system according to an embodiment of the present invention;
FIG. 4 is a flowchart of a data analysis method according to a second embodiment of the present invention;
fig. 5 is a schematic diagram of a data acquisition apparatus according to a third embodiment of the present invention;
fig. 6 is a schematic diagram of a data analysis apparatus according to a fourth embodiment of the present invention;
fig. 7 is a schematic structural diagram of an electronic device according to a fifth embodiment of the present invention.
Detailed Description
The present invention will be described in further detail with reference to the accompanying drawings and examples. It is to be understood that the specific embodiments described herein are merely illustrative of the invention and are not limiting of the invention.
It should be further noted that, for the convenience of description, only some but not all of the relevant aspects of the present invention are shown in the drawings. Before discussing exemplary embodiments in more detail, it should be noted that some exemplary embodiments are described as processes or methods depicted as flowcharts. Although a flowchart may describe the operations (or steps) as a sequential process, many of the operations can be performed in parallel, concurrently or simultaneously. In addition, the order of the operations may be re-arranged. The process may be terminated when its operations are completed, but may have additional steps not included in the figure. The processes may correspond to methods, functions, procedures, subroutines, and the like.
Example one
Fig. 1 is a flowchart of a data obtaining method according to an embodiment of the present invention, where the embodiment is applicable to a case of updating a target domain name base database in real time, and the method may be executed by a data obtaining apparatus, which may be implemented by software and/or hardware, and may be generally integrated in an electronic device. Accordingly, as shown in fig. 1, the method comprises the following operations:
and S110, acquiring crawler data and DNS domain name data.
The crawler data may be a web page program or a script acquired by a crawler technology. The DNS (Domain Name System) Domain Name data may be data obtained by a DNS server. For example, the DNS domain name data may include, but is not limited to, data such as domain name data, IP (Internet Protocol) address, and access log.
Specifically, a crawler technology may be used to crawl a web page program or script in the network data, the crawled data may be used as crawler data, and the network data obtained by using the DNS server may be used as DNS domain name data.
In an alternative embodiment of the present invention, obtaining crawler data may include: creating an IP agent pool; using a parallel crawler technology to crawl target network data according to the IP proxy pool as crawler data; the target network data comprises target website data, target webpage data and target APP data.
The IP proxy pool may be a database storing a large amount of IP address resources. The target network data may be network data crawled according to an IP address by using a crawler technology, that is, crawler data, and for example, the target network data may include target website data, target webpage data, and target APP data. The target website data may be website data that requires data analysis. The target web page data may be web page data that requires data analysis. The target APP data may be APP data for which data analysis is required.
The number of web pages accessed by internet users is huge, and the traditional internet crawler technology cannot meet the requirements of accuracy, comprehensiveness and instantaneity of current web page information acquisition. Therefore, in the embodiment, a parallel crawler technology and an IP pool proxy technology are adopted, so that the quality, coverage rate, crawling efficiency and other performances of the crawler are comprehensively improved.
Specifically, an IP proxy pool may be established by using an existing IP address, an IP address may be further randomly selected from the IP proxy pool, and the target network data may be crawled according to the determined IP address by using a parallel crawler technology, for example, the target website data, the target webpage data, the target APP data, and the like may be crawled according to the determined IP address by using the parallel crawler technology. And further using the crawled target network data as crawler data. The embodiment of the invention does not limit the specific data content of the target network data.
Illustratively, a spider crawler technology and an IP pool proxy technology can be used to crawl internet fraud websites continuously for 24 hours, a crawl dynamic result can be displayed in a webpage crawling process, and URL (Uniform Resource Locator) number statistics and page information data volume calculation are performed in a multithread crawling process, so that the working efficiency of the parallel crawler technology in the operation process can be mastered in time, and corresponding adjustment can be made.
At present, most domain names on a network can be accurately crawled by acquiring domain name and website data through a parallel crawler technology, but the domain name data collected only through the crawler technology is still partially insufficient. Because, when a domain name has no external links, it will not be crawled to the domain name in the normal way using crawler technology. In addition, when the website domain name is less out-linked or hidden, the probability of crawling the domain name data by using the crawler technology is reduced. Aiming at the problem that the crawler technology can not completely acquire all domain name data, the domain name data which is not crawled can be completed by extracting the DNS log.
In an optional embodiment of the present invention, acquiring DNS domain name data may include: acquiring DNS query log data from a DNS log analysis server in real time; performing domain name extraction processing according to DNS query log data to obtain domain name extraction data; and carrying out re-arranging and filtering processing on the domain name extraction data to obtain DNS domain name data.
The DNS log analyzing server may be a server capable of analyzing the DNS log. The DNS query log data may be all or part of the log data of the DNS log. The DNS query log data may include, but is not limited to, DNS query time, DNS query type, DNS query rank, and DNS query data, among others. The DNS log may be a log file created and maintained by a DNS server. The DNS server is a domain name server that performs conversion between a domain name and an IP address corresponding to the domain name. The domain name extraction data may be DNS domain name data corresponding to a DNS query log. The domain name extraction process may be an operation of performing domain name extraction on DNS query log data. The re-elimination filtering process may be an operation of comparing and filtering the repeated data.
In the embodiment of the present invention, DNS query log data can be obtained from a DNS log analysis server in real time, and data analysis and domain name extraction processing can be performed on the obtained DNS query log data, for example, domain name extraction processing can be performed on DNS query data in the DNS query log data. And further taking the domain name extraction processing result, namely DNS domain name data corresponding to the DNS query data as domain name extraction data. And finally, filtering repeated DNS domain name data in the domain name extraction data through re-arranging filtering processing, so that the domain name data in the obtained DNS domain name data has uniqueness.
And S120, updating a target domain name basic database according to the crawler data and the DNS domain name data.
The target domain name base database may be a database in which domain name data and other associated data under the domain name are stored. The domain name data may be a character string composed of letters and symbols for identifying the computer at the time of data transmission. The association data may be other network data associated with the domain name data, such as access data generated by accessing the domain name. And the target domain name basic database is used for intelligently analyzing the original network data of the Internet. The internet raw network data may be the most raw data generated by the internet without any data processing. The intelligent analysis may include, but is not limited to, location analysis of internet raw network data, access behavior backtracking, and monitoring model creation. The location analysis may be used to locate an IP address that generates raw network data for the internet. The access behavior tracing can be used for tracing the network access behavior according to the original network data of the internet. The creation of the monitoring model can be used for monitoring and analyzing the behavior of accessing a specific domain name according to the original network data of the internet.
Specifically, data analysis can be performed on the crawler data to obtain domain name data corresponding to the crawler data, data processing can be performed on the analyzed domain name data and the DNS domain name data to ensure that the obtained DNS domain name data has uniqueness, and the DNS domain name data which does not exist in the target domain name basic database and the crawler data corresponding to the domain name are stored in the target domain name basic database to realize data updating of the target domain name basic database. Updating the target domain name base database according to the crawler data and the DNS domain name data can ensure the completeness of the domain name data.
Fig. 2 is a flow chart of DNS log analysis according to an embodiment of the present invention, and in a specific example, as shown in fig. 2, a DNS server sends DNS log data to a DNS log analysis server, and the DNS log analysis server analyzes DNS query log data from the DNS log data and performs data analysis and storage processing. Specifically, the DNS domain name data analyzed from the DNS query log data is subjected to domain name extraction processing and re-filtering processing, and finally the data-processed DNS domain name data is stored in the target domain name base database.
In an optional embodiment of the present invention, before acquiring the crawler data and the DNS domain name data, the method may further include: acquiring original reference network data; and constructing a target domain name basic database according to the original reference network data.
The original reference network data may be network data that is already known and needs to be used as a data basis for analyzing the network data to be analyzed. The network data can be traffic data and internet access data generated by the user on the internet. For example, the original reference network data may include the relevant real data of the fraud websites already held and the relevant real data of the fraud APPs (applications). The embodiment of the invention does not limit the specific data content included in the original reference network data.
Specifically, the communication data that has been subjected to data screening in the internet or the telecommunication network may be analyzed to obtain the original reference network data. For example, the related network data of the fraud-related event acquired from the department of industry and trust or the operator may be used as the original reference network data. After the original reference network data are obtained, data processing is carried out on the original reference network data to obtain each domain name data corresponding to the original reference network data, and a target domain name basic database is further constructed according to each domain name data and associated data under each domain name. The target domain name basic database can be used for comparing and analyzing crawler data and DNS domain name data, supplementing data which does not appear in the target domain name basic database, and updating the target domain name basic database.
In an alternative embodiment of the present invention, updating the target domain name base database according to the crawler data and the DNS domain name data may include: constructing domain name data to be researched and judged according to the crawler data and the DNS domain name data; obtaining multi-dimensional line expansion data corresponding to domain name data to be researched and judged according to network line expansion search data; identifying the domain name data to be researched and judged according to a preset list database, the multidimensional line expansion data corresponding to the domain name data to be researched and judged and a target characteristic analysis model to obtain reference network data; and updating the target domain name basic database according to the reference network data.
The domain name data to be researched and judged can be the domain name data which needs to be analyzed and researched and judged and the first target data under the domain name. The first target data may be associated data under the domain name. The network route extension search data can be data obtained by performing route extension search on domain name data to be researched and judged. The route-finding search may be an operation of performing an extended search on the domain name data to be researched to obtain other associated data. The other associated data may be data associated with the first target data. The multidimensional scaling data can be data obtained by searching for network profiles corresponding to domain name data to be researched. For example, the multidimensional scaling data may include, but is not limited to, a user mailbox that accesses the domain name, a home address of the domain name, and the number of accesses to the domain name. The preset list database may be a list database capable of domain name feature differentiation. For example, the preset list database may include a white list and a black list. For example, the normal domain names may be divided into a white list, and the abnormal domain names such as the domain names of the fraud websites may be divided into a black list. The target feature analysis model may be a mathematical model that enables identification and analysis of target features. The target features may be features that need to be analyzed, for example, the target features may include, but are not limited to, behavioral features, domain name features, visual features, and the like. The reference network data may be the result of data processing of domain name data to be judged.
In the embodiment of the invention, the domain name data in the crawler data and the DNS domain name data can be compared and integrated to obtain the domain name data to be judged. The comparison and integration processing process can compare domain name data in the crawler data with DNS domain name data on the basis of the domain name, complete the crawler domain name data under the same domain name through the DNS domain name data, further filter the repeated data, and finally integrate the domain name data under the same domain name so as to ensure the integrity and uniqueness of the obtained domain name data to be researched and judged. And performing route extension search on the obtained domain name data to be researched and judged to obtain network route extension search data, and acquiring multidimensional route expansion data corresponding to the domain name data to be researched and judged according to the network route extension search data, so as to analyze and identify the domain name data to be researched and judged further according to a preset list database, the multidimensional route expansion data corresponding to the domain name data to be researched and judged and a target characteristic analysis model. If the domain name data to be researched and judged is present in the preset list database, the domain name data to be researched and judged and the multidimensional line expansion data corresponding to the domain name data to be researched and judged have relevance, or the domain name data to be researched and judged is input into the target feature analysis model to obtain the target feature, the domain name data to be researched and judged, the list type to which the domain name data to be researched and judged belongs, the multidimensional line expansion data corresponding to the domain name data to be researched and judged and the target feature corresponding to the domain name data to be researched and judged are used as reference network data, and finally the reference network data which does not appear in the target domain name basic database can be updated to the target domain name basic database.
In a specific example, the target domain name base database stores fraud network information as an example, and the monitoring and early warning model can be established based on a line-up search. Firstly, domain name data to be judged is constructed according to acquired crawler data and DNS domain name data, the domain name data to be judged may have internet fraud, telephone fraud, IMS (IP Multimedia Subsystem) fraud, short message fraud and other data, more than 10 dimensional data of a communication address attribution place, a mobile phone number, a website, an IP address, a domain name, a family name, a developer, a communication address, a mailbox and the like of the domain name data to be judged is further acquired, the multidimensional data and known fraud sample data in a target domain name basic database are subjected to correlation analysis and comparison, fraud samples are subjected to more accurate analysis, and characteristics of each family are provided for deep black traceability.
Fig. 3 is a structural diagram of an internet fraud website striping search system according to an embodiment of the present invention, and in a specific example, as shown in fig. 3, data crawling is performed by using crawler technology to obtain fraud webpage data and fraud APP data, and a DNS log analysis server is used to perform log analysis on DNS query log data, such as log extraction, analysis and domain name collection. The phishing websites in the internet can be monitored and blocked through the crawler data, the crawler data and the DNS domain name data are further fused, the fused data are intelligently analyzed in the intelligent analysis system, such as fraud website association analysis, artificial intelligent analysis, fraud website line-expanding analysis, data cleaning and data processing, data output results are obtained, internet fraud website line-expanding search is completed according to the data output results, a target domain name basic database (not shown in fig. 3) in the intelligent analysis system can be updated through the data obtained after the line-expanding search is completed, and the fraud information is updated and accumulated. Accordingly, the intelligent analysis system can identify and analyze fraud information in the network using the target domain name base database.
In the above example, the fraud-related websites can be researched and judged through the DNS query log data, and the associated data of the fraud-related websites, such as the analysis of the fraud-related personnel, the fraud-related websites and the fraud-related APP, can be analyzed. Further, potential victims are searched and mined by line-expansion search, and identification of involved websites and APPs is assisted. The Internet user data can be cleaned and analyzed, and related department organizations are assisted to give early warning to unaffiliated cases according to the currently issued cases, so that fraud crimes are effectively attacked, and user loss is reduced. In addition, the data acquisition method of the embodiment of the invention can be widely applied to various large data centers and basic operators to supervise specific types of network data, thereby greatly improving the network security level in the area, promoting the network supervision and purifying the network environment.
The technical scheme of the embodiment updates the target domain name basic database according to the acquired crawler data and domain name system DNS domain name data, further intelligently analyzes the original network data of the internet through the updated target domain name basic database, the scheme can supplement the data which is not crawled by the crawler data through domain name system DNS domain name data, the updated target domain name basic database has complete domain name data, solves the problems of high monitoring cost, limited detection time and incapability of implementing dynamic detection of the prior website, can greatly improve the acquisition amount of the domain name data on the premise of not adding external equipment, because the target domain name basic database is continuously updated, the updated target domain name basic database is used for intelligently analyzing the original network data of the Internet, so that the real-time performance and the reliability of intelligent analysis can be improved.
Example two
Fig. 4 is a flowchart of a data analysis method according to a second embodiment of the present invention, where this embodiment is applicable to a case of performing intelligent analysis on internet data, and the method may be executed by a data analysis apparatus, and the apparatus may be implemented by software and/or hardware, and may be generally integrated in an electronic device. Accordingly, as shown in fig. 4, the method includes the following operations:
s210, obtaining original network data of the Internet.
Correspondingly, before the intelligent analysis of the original network data of the internet, data acquisition can be performed from the telecommunication network and the internet, for example, user internet traffic data, user call data and user identity information acquired from the operator pipeline data of the telecommunication network can be used as the original network data of the internet, and user access website data, APP data and URLs in the internet can be used as the original network data of the internet. The embodiment of the invention does not limit the specific data content included in the original network data of the internet.
S220, intelligently analyzing the original network data of the Internet according to the target domain name basic database to obtain normal network data and abnormal network data.
The normal network data may be network data generated by a user performing normal internet access. The abnormal network data may be network data generated by the user making an abnormal internet access. For example, the abnormal network data may include, but is not limited to, fraudulent user call data, fraudulent website data, fraudulent APP data, and fraudulent websites.
Specifically, the internet original network data is classified and identified according to the target domain name basic database, for example, normal network data and abnormal network data are identified from the internet original network data.
Illustratively, based on the acquired internet original network data, a preset list database and a target feature analysis model are utilized to identify normal websites, fraud websites and suspected fraud websites, and abnormal network data is further analyzed, researched and trained, and model training is performed. In addition, the method for judging the similarity of domain names, website feature similarity, visual feature similarity, text content similarity and the like can be adopted to identify the fraud-related websites, and the identified fraud-related websites are subjected to intelligent classification, safety level evaluation, feature extraction, public opinion monitoring and the like.
For example, similar fraud websites can be found by identifying and analyzing characteristics such as website interface characteristics, website code characteristics and website mailboxes by using URL route search. Meanwhile, the user access condition can be obtained according to the URL in the DNS query log data, so that the victim information base and the fraudster information base are obtained, accurate early warning on the victim is achieved, and the effect of effectively striking the fraudster is achieved.
And S230, inputting the normal network data into the normal network database, and inputting the abnormal network data into the abnormal network database.
Wherein the normal network database may be a database storing normal network data. The abnormal network data may be a database storing the abnormal network data.
Specifically, the normal network data in the original network data of the internet can be input into the normal network database, and the abnormal network data in the original network data of the internet can be input into the abnormal network database. So as to carry out real-time intelligent analysis on the original network data of the Internet. Optionally, the abnormal network database may be a target domain name basic database, or may also be an independent database, which is not limited in the embodiment of the present invention.
Illustratively, the qualitative determination of website determination results, such as normal websites or fraud websites, can be realized through intelligent analysis of the original network data of the internet. And if the website judgment result is a normal website, inputting the website to a normal website library. And if the website judgment result is a fraud website, inputting the website to a fraud website library. And polling judgment can be carried out on the unknown websites after one round of judgment, and a normal website library or a fraud website library is finally input. So that the normal website library and the fraud website library can form a closed loop.
In an optional embodiment of the present invention, the intelligently analyzing the internet raw network data according to the target domain name basic database may include: generating ticket data according to the original network data of the Internet; obtaining multi-dimensional line expansion data of the call ticket data according to the network line expansion search data; and intelligently analyzing the multidimensional expanded line data of the dialogue single data of the target domain name basic database to determine abnormal network data.
The call ticket data can be user communication data which needs to be subjected to data analysis in the original network data of the internet.
Specifically, as massive communication data, namely call ticket data, is generated every day in a telecommunications network and the internet, and a plurality of call tickets can be generated by each telephone number or APP account, for such a situation, multidimensional line expansion data generated by the same telephone number or APP account can be obtained according to network line expansion search data, and further the multidimensional line expansion data belonging to the same telephone number or APP account is integrated into a whole, because the data stored in the target domain name basic database has a list type and a target characteristic, the multidimensional line expansion data of one account can be compared with the data stored in the target domain name basic database, and if part or all of the multidimensional line expansion data appears in the target domain name basic database, the corresponding data in the target domain name database can be combined for analysis and study.
Illustratively, the method can be used for primarily screening and sorting the original network data of the accessed telecommunication network and the internet, forming call ticket data with analysis value by cleaning the data, fusing the crawler data, the DNS domain name data and the call ticket data to form various data resources, providing service for an application layer, and providing the original data and the associated calculation of the original data for various services. For example, the correlation calculations may include, but are not limited to, streaming calculations, real-time calculations, offline calculations, and the like. In addition, the data resources obtained by fusion can be used for technologies such as creation and operation of various anti-fraud business models, various thematic analyses, artificial intelligence and the like, and discovery, identification, tracking and tracing of fraud behaviors are achieved, so that full-flow service support of processing is further struck.
The information such as the domain name, the IP address and the like of all accessed websites is extracted from DNS query log data, so that a target domain name basic database is completed, and further, the specific physical position of the website is found through an interface, so that whether the website under the domain name is already recorded in industrial and information departments or not is analyzed for being queried by working personnel.
In the embodiment of the invention, the fraud website data or the network access behavior log of the victim in the fraud event time window can be acquired based on the acquired internet original network data, the fraud event is restored and backtraced according to the acquired fraud website data or the network access behavior log of the victim, and further comprehensive analysis work is carried out to support manual research and judgment and event analysis. Meanwhile, data needing to be analyzed in the original reference network data can be used as a sample, so that broad spectrum characteristics can be obtained according to the sample, and for example, the broad spectrum characteristics can include analysis and judgment information such as application program names, signatures, class names, byte codes, authority statement lists, sensitive behavior scanning results, reinforcement, counterfeit application, file sizes, component information, intention information and the like. Relevant statistics after combined clustering is carried out on fraud website data or network access logs of victims, corresponding data which accord with a black-producing application model are established, and analysis, source tracing and evidence obtaining are carried out by combining with an analysis means of big data.
According to the embodiment of the invention, the acquired original network data of the internet is intelligently analyzed according to the target domain name basic database to obtain normal network data and abnormal network data, the normal network data is further input into the normal network database, and the abnormal network data is input into the abnormal network database. According to the scheme, data classification can be carried out on the original network data of the Internet through intelligent analysis, and as the target domain name basic database is continuously updated, normal network data and abnormal network data are also continuously updated, so that the normal network database and the abnormal network database are updated. When the normal network database and the abnormal network database are used for data analysis, the real-time performance of the data analysis can be improved.
It should be noted that any permutation and combination between the technical features in the above embodiments also belong to the scope of the present invention.
EXAMPLE III
Fig. 5 is a schematic diagram of a data acquisition apparatus according to a third embodiment of the present invention, and as shown in fig. 5, the apparatus includes: a data acquisition module 310 and a target domain name base database update module 320, wherein:
a data obtaining module 310, configured to obtain crawler data and domain name system DNS domain name data;
a target domain name base database updating module 320, configured to update the target domain name base database according to the crawler data and the DNS domain name data;
the target domain name basic database is used for intelligently analyzing the original network data of the internet.
Optionally, the data acquiring apparatus further includes: the target domain name basic database construction module is used for acquiring original reference network data; and constructing the target domain name basic database according to the original reference network data.
Optionally, the data obtaining module 310 is specifically configured to: creating an IP agent pool; using a parallel crawler technology to crawl network data according to the IP proxy pool as the crawler data; the target network data comprises target website data, target webpage data and target APP data.
Optionally, the data obtaining module 310 is specifically configured to: acquiring DNS query log data from a DNS log analysis server in real time; performing domain name extraction processing according to the DNS query log data to obtain domain name extraction data; and carrying out rearrangement filtering processing on the domain name extraction data to obtain the DNS domain name data.
Optionally, the target domain name base database updating module 320 is specifically configured to: constructing domain name data to be researched and judged according to the crawler data and the DNS domain name data; obtaining multi-dimensional line expansion data corresponding to the domain name data to be researched and judged according to network line expansion search data; according to a preset list database, multi-dimensional line expansion data corresponding to the domain name data to be researched and judged and a target feature analysis model, identifying the domain name data to be researched and judged to obtain reference network data; and updating the target domain name basic database according to the reference network data.
The technical scheme of the embodiment updates the target domain name basic database according to the acquired crawler data and domain name system DNS domain name data, further intelligently analyzes the original network data of the internet through the updated target domain name basic database, the scheme can supplement the data which is not crawled by the crawler data through domain name system DNS domain name data, the updated target domain name basic database has complete domain name data, solves the problems of high monitoring cost, limited detection time and incapability of implementing dynamic detection of the prior website, can greatly improve the acquisition amount of the domain name data on the premise of not adding external equipment, because the target domain name basic database is continuously updated, the updated target domain name basic database is used for intelligently analyzing the original network data of the Internet, so that the real-time performance and the reliability of intelligent analysis can be improved.
The data acquisition device can execute the data acquisition method provided by any embodiment of the invention, and has corresponding functional modules and beneficial effects of the execution method. For details of the technology that are not described in detail in this embodiment, reference may be made to the data acquisition method provided in any embodiment of the present invention.
Since the data acquisition device described above is a device capable of executing the data acquisition method in the embodiment of the present invention, based on the data acquisition method described in the embodiment of the present invention, a person skilled in the art can understand the specific implementation of the data acquisition device in the embodiment and various variations thereof, and therefore, how the data acquisition device implements the data acquisition method in the embodiment of the present invention is not described in detail herein. The device used by those skilled in the art to implement the data acquisition method in the embodiments of the present invention is within the scope of the present application.
Example four
Fig. 6 is a schematic diagram of a data analysis apparatus according to a fourth embodiment of the present invention, and as shown in fig. 6, the apparatus includes: an original network data acquisition module 410, a normal network data and abnormal network data acquisition module 420, and a data input module 430, wherein:
an original network data obtaining module 410, configured to obtain internet original network data;
a normal network data and abnormal network data obtaining module 420, which intelligently analyzes the original network data of the internet according to the target domain name basic database to obtain normal network data and abnormal network data;
the data input module 430 is configured to input the normal network data into a normal network database, and input the abnormal network data into an abnormal network database.
According to the embodiment of the invention, the acquired original network data of the internet is intelligently analyzed according to the target domain name basic database to obtain normal network data and abnormal network data, the normal network data is further input into the normal network database, and the abnormal network data is input into the abnormal network database. According to the scheme, data classification can be carried out on the original network data of the Internet through intelligent analysis, and as the target domain name basic database is continuously updated, normal network data and abnormal network data are also continuously updated, so that the normal network database and the abnormal network database are updated. When the normal network database and the abnormal network database are used for data analysis, the real-time performance of the data analysis can be improved.
Optionally, the normal network data and abnormal network data obtaining module 420 is specifically configured to: generating ticket data according to the original internet network data; obtaining multi-dimensional line expansion data of the call ticket data according to network line expansion search data; and intelligently analyzing the multidimensional expanded line data of the call ticket data according to the target domain name basic database so as to determine the abnormal network data.
The data analysis device can execute the data analysis method provided by any embodiment of the invention, and has corresponding functional modules and beneficial effects of the execution method. For technical details that are not described in detail in this embodiment, reference may be made to a data analysis method provided in any embodiment of the present invention.
Since the data analysis device described above is a device capable of executing the data analysis method in the embodiment of the present invention, based on the data analysis method described in the embodiment of the present invention, a person skilled in the art can understand the specific implementation of the data analysis device in the embodiment of the present invention and various variations thereof, and therefore, how the data analysis device implements the data analysis method in the embodiment of the present invention is not described in detail herein. The scope of the present application is intended to be covered by the claims so long as those skilled in the art can implement the data analysis method of the present invention.
EXAMPLE five
Fig. 7 is a schematic structural diagram of an electronic device according to a fifth embodiment of the present invention. FIG. 7 illustrates a block diagram of an electronic device 512 that is suitable for use in implementing embodiments of the present invention. The electronic device 512 shown in fig. 7 is only an example and should not bring any limitations to the function and the scope of use of the embodiments of the present invention. The electronic device 512 may be, for example, an electronic device or a server device, etc.
As shown in fig. 7, the electronic device 512 is in the form of a general purpose computing device. Components of the electronic device 512 may include, but are not limited to: one or more processors 516, a storage device 528, and a bus 518 that couples the various system components including the storage device 528 and the processors 516.
Bus 518 represents one or more of any of several types of bus structures, including a memory bus or memory controller, a peripheral bus, an accelerated graphics port, and a processor or local bus using any of a variety of bus architectures. By way of example, such architectures include, but are not limited to, an Industry Standard Architecture (ISA) bus, a Micro Channel Architecture (MCA) bus, an enhanced ISA bus, a Video Electronics Standards Association (VESA) local bus, and a Peripheral Component Interconnect (PCI) bus.
Electronic device 512 typically includes a variety of computer system readable media. Such media can be any available media that is accessible by electronic device 512 and includes both volatile and nonvolatile media, removable and non-removable media.
Storage 528 may include computer system readable media in the form of volatile Memory, such as Random Access Memory (RAM) 530 and/or cache Memory 532. The electronic device 512 may further include other removable/non-removable, volatile/nonvolatile computer system storage media. By way of example only, storage system 534 may be used to read from and write to non-removable, nonvolatile magnetic media (not shown in FIG. 7, and commonly referred to as a "hard drive"). Although not shown in FIG. 7, a magnetic disk drive for reading from and writing to a removable, nonvolatile magnetic disk (e.g., a "floppy disk") and an optical disk drive for reading from or writing to a removable, nonvolatile optical disk (e.g., a Compact disk-Read Only Memory (CD-ROM), a Digital Video disk (DVD-ROM), or other optical media) may be provided. In these cases, each drive may be connected to bus 518 through one or more data media interfaces. Storage 528 may include at least one program product having a set (e.g., at least one) of program modules that are configured to carry out the functions of embodiments of the invention.
Program 536 having a set (at least one) of program modules 526 may be stored, for example, in storage 528, such program modules 526 including, but not limited to, an operating system, one or more application programs, other program modules, and program data, each of which examples or some combination may include an implementation of a network environment. Program modules 526 generally perform the functions and/or methodologies of the described embodiments of the invention.
The electronic device 512 may also communicate with one or more external devices 514 (e.g., keyboard, pointing device, camera, display 524, etc.), with one or more devices that enable a user to interact with the electronic device 512, and/or with any devices (e.g., network card, modem, etc.) that enable the electronic device 512 to communicate with one or more other computing devices. Such communication may be through an Input/Output (I/O) interface 522. Also, the electronic device 512 may communicate with one or more networks (e.g., a Local Area Network (LAN), Wide Area Network (WAN), and/or a public Network such as the internet) via the Network adapter 520. As shown, the network adapter 520 communicates with the other modules of the electronic device 512 via the bus 518. It should be appreciated that although not shown, other hardware and/or software modules may be used in conjunction with the electronic device 512, including but not limited to: microcode, device drivers, Redundant processing units, external disk drive Arrays, disk array (RAID) systems, tape drives, and data backup storage systems, to name a few.
The processor 516 executes various functional applications and data processing by executing programs stored in the storage device 528, for example, implementing the data acquisition method provided by the above-described embodiment of the present invention: obtaining crawler data and domain name system DNS domain name data; updating a target domain name basic database according to the crawler data and the DNS domain name data; the target domain name basic database is used for intelligently analyzing the original network data of the internet. Or, implementing the data analysis method provided by the above embodiment of the present invention: acquiring original network data of the internet; intelligently analyzing original network data of the internet according to a target domain name basic database to obtain normal network data and abnormal network data; and inputting the normal network data into the normal network database, and inputting the abnormal network data into the abnormal network database.
The technical scheme of the embodiment updates the target domain name basic database according to the acquired crawler data and domain name system DNS domain name data, further intelligently analyzes the original network data of the internet through the updated target domain name basic database, the scheme can supplement the data which is not crawled by the crawler data through domain name system DNS domain name data, the updated target domain name basic database has complete domain name data, solves the problems of high monitoring cost, limited detection time and incapability of implementing dynamic detection of the prior website, can greatly improve the acquisition amount of the domain name data on the premise of not adding external equipment, because the target domain name basic database is continuously updated, the updated target domain name basic database is used for intelligently analyzing the original network data of the Internet, so that the real-time performance and the reliability of intelligent analysis can be improved.
EXAMPLE six
An embodiment of the present invention further provides a computer storage medium storing a computer program, where the computer program is used to execute the data acquisition method according to any one of the above embodiments of the present invention when executed by a computer processor: obtaining crawler data and domain name system DNS domain name data; updating a target domain name basic database according to the crawler data and the DNS domain name data; the target domain name basic database is used for intelligently analyzing the original network data of the internet. Or, implementing the data analysis method provided by the above embodiment of the present invention: acquiring original network data of the internet; intelligently analyzing original network data of the internet according to a target domain name basic database to obtain normal network data and abnormal network data; and inputting the normal network data into the normal network database, and inputting the abnormal network data into the abnormal network database.
Computer storage media for embodiments of the invention may employ any combination of one or more computer-readable media. The computer readable medium may be a computer readable signal medium or a computer readable storage medium. A computer readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the foregoing. More specific examples (a non-exhaustive list) of the computer readable storage medium would include the following: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a Read-Only Memory (ROM), an Erasable Programmable Read-Only Memory (EPROM) or flash Memory), an optical fiber, a portable compact disc Read-Only Memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the context of this document, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device.
A computer readable signal medium may include a propagated data signal with computer readable program code embodied therein, for example, in baseband or as part of a carrier wave. Such a propagated data signal may take many forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof. A computer readable signal medium may also be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device.
Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to wireless, wireline, optical fiber cable, Radio Frequency (RF), etc., or any suitable combination of the foregoing.
Computer program code for carrying out operations for aspects of the present invention may be written in any combination of one or more programming languages, including an object oriented programming language such as Java, Smalltalk, C + + or the like and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer or entirely on the remote computer or server. In the case of a remote computer, the remote computer may be connected to the user's computer through any type of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or the connection may be made to an external computer (for example, through the Internet using an Internet service provider).
It is to be noted that the foregoing is only illustrative of the preferred embodiments of the present invention and the technical principles employed. It will be understood by those skilled in the art that the present invention is not limited to the particular embodiments described herein, but is capable of various obvious changes, rearrangements and substitutions as will now become apparent to those skilled in the art without departing from the scope of the invention. Therefore, although the present invention has been described in greater detail by the above embodiments, the present invention is not limited to the above embodiments, and may include other equivalent embodiments without departing from the spirit of the present invention, and the scope of the present invention is determined by the scope of the appended claims.

Claims (11)

1. A method of data acquisition, comprising:
obtaining crawler data and domain name system DNS domain name data;
updating a target domain name basic database according to the crawler data and the DNS domain name data;
the target domain name basic database is used for intelligently analyzing the original network data of the Internet.
2. The method of claim 1, further comprising, prior to the obtaining crawler data and DNS domain name data:
acquiring original reference network data;
and constructing the target domain name basic database according to the original reference network data.
3. The method of claim 1, wherein the obtaining crawler data comprises:
creating an IP agent pool;
using a parallel crawler technology to crawl network data according to the IP proxy pool as the crawler data;
the target network data comprises target website data, target webpage data and target APP data.
4. The method of claim 1, wherein the obtaining DNS domain name data comprises:
acquiring DNS query log data from a DNS log analysis server in real time;
performing domain name extraction processing according to the DNS query log data to obtain domain name extraction data;
and carrying out rearrangement filtering processing on the domain name extraction data to obtain the DNS domain name data.
5. The method of claim 1, wherein updating a target domain name base database based on the crawler data and the DNS domain name data comprises:
constructing domain name data to be researched and judged according to the crawler data and the DNS domain name data;
obtaining multi-dimensional line expansion data corresponding to the domain name data to be researched and judged according to network line expansion search data;
according to a preset list database, multi-dimensional line expansion data corresponding to the domain name data to be researched and judged and a target feature analysis model, identifying the domain name data to be researched and judged to obtain reference network data;
and updating the target domain name basic database according to the reference network data.
6. A method of data analysis, comprising:
acquiring original network data of the internet;
intelligently analyzing the original network data of the internet according to a target domain name basic database to obtain normal network data and abnormal network data;
and inputting the normal network data into a normal network database, and inputting the abnormal network data into an abnormal network database.
7. The method of claim 6, wherein the intelligently analyzing the internet raw network data according to the target domain name base database comprises:
generating ticket data according to the original internet network data;
obtaining multi-dimensional line expansion data of the call ticket data according to network line expansion search data;
and intelligently analyzing the multidimensional expanded line data of the call ticket data according to the target domain name basic database so as to determine the abnormal network data.
8. A data acquisition apparatus, comprising:
the data acquisition module acquires crawler data and domain name system DNS domain name data;
the target domain name basic database updating module is used for updating the target domain name basic database according to the crawler data and the DNS domain name data;
the target domain name basic database is used for intelligently analyzing the original network data of the Internet.
9. A data analysis apparatus, comprising:
the original network data acquisition module is used for acquiring original network data of the Internet;
the normal network data and abnormal network data acquisition module is used for intelligently analyzing the original network data of the internet according to the target domain name basic database to obtain normal network data and abnormal network data;
and the data input module is used for inputting the normal network data into a normal network database and inputting the abnormal network data into an abnormal network database.
10. An electronic device, characterized in that the electronic device comprises:
one or more processors;
storage means for storing one or more programs;
when executed by the one or more processors, cause the one or more processors to implement a data acquisition method as claimed in any one of claims 1 to 5, or to implement a data analysis method as claimed in any one of claims 6 to 7.
11. A computer storage medium on which a computer program is stored, which program, when being executed by a processor, is adapted to carry out a data acquisition method as claimed in any one of claims 1 to 5, or is adapted to carry out a data analysis method as claimed in any one of claims 6 to 7.
CN202011547288.6A 2020-12-24 2020-12-24 Data acquisition method, data analysis method, data acquisition device, data analysis device, equipment and storage medium Pending CN112667875A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011547288.6A CN112667875A (en) 2020-12-24 2020-12-24 Data acquisition method, data analysis method, data acquisition device, data analysis device, equipment and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202011547288.6A CN112667875A (en) 2020-12-24 2020-12-24 Data acquisition method, data analysis method, data acquisition device, data analysis device, equipment and storage medium

Publications (1)

Publication Number Publication Date
CN112667875A true CN112667875A (en) 2021-04-16

Family

ID=75408234

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202011547288.6A Pending CN112667875A (en) 2020-12-24 2020-12-24 Data acquisition method, data analysis method, data acquisition device, data analysis device, equipment and storage medium

Country Status (1)

Country Link
CN (1) CN112667875A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113746953A (en) * 2021-09-18 2021-12-03 恒安嘉新(北京)科技股份公司 Domain name server DNS processing method, device, equipment and storage medium
CN113890866A (en) * 2021-09-26 2022-01-04 恒安嘉新(北京)科技股份公司 Illegal application software identification method, device, medium and electronic equipment

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102469117A (en) * 2010-11-08 2012-05-23 中国移动通信集团广东有限公司 Method and device for identifying abnormal access action
CN104065532A (en) * 2014-06-26 2014-09-24 国家计算机网络与信息安全管理中心 Unrecorded website search method and system based on multi-channel data access method
CN105491033A (en) * 2015-11-30 2016-04-13 睿峰网云(北京)科技股份有限公司 Phishing website identifying method and device
CN108540490A (en) * 2018-04-26 2018-09-14 四川长虹电器股份有限公司 A kind of detection of fishing website and domain name are put on record storage method
CN108737385A (en) * 2018-04-24 2018-11-02 杭州安恒信息技术股份有限公司 A kind of malice domain name matching method mapping IP based on DNS
CN109510815A (en) * 2018-10-19 2019-03-22 杭州安恒信息技术股份有限公司 A kind of multistage detection method for phishing site and detection system based on supervised learning
CN110401614A (en) * 2018-04-24 2019-11-01 中移(杭州)信息技术有限公司 The source tracing method and device of malice domain name

Patent Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102469117A (en) * 2010-11-08 2012-05-23 中国移动通信集团广东有限公司 Method and device for identifying abnormal access action
CN104065532A (en) * 2014-06-26 2014-09-24 国家计算机网络与信息安全管理中心 Unrecorded website search method and system based on multi-channel data access method
CN105491033A (en) * 2015-11-30 2016-04-13 睿峰网云(北京)科技股份有限公司 Phishing website identifying method and device
CN108737385A (en) * 2018-04-24 2018-11-02 杭州安恒信息技术股份有限公司 A kind of malice domain name matching method mapping IP based on DNS
CN110401614A (en) * 2018-04-24 2019-11-01 中移(杭州)信息技术有限公司 The source tracing method and device of malice domain name
CN108540490A (en) * 2018-04-26 2018-09-14 四川长虹电器股份有限公司 A kind of detection of fishing website and domain name are put on record storage method
CN109510815A (en) * 2018-10-19 2019-03-22 杭州安恒信息技术股份有限公司 A kind of multistage detection method for phishing site and detection system based on supervised learning

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113746953A (en) * 2021-09-18 2021-12-03 恒安嘉新(北京)科技股份公司 Domain name server DNS processing method, device, equipment and storage medium
CN113746953B (en) * 2021-09-18 2024-03-22 恒安嘉新(北京)科技股份公司 Domain Name Server (DNS) processing method, device, equipment and storage medium
CN113890866A (en) * 2021-09-26 2022-01-04 恒安嘉新(北京)科技股份公司 Illegal application software identification method, device, medium and electronic equipment
CN113890866B (en) * 2021-09-26 2024-03-12 恒安嘉新(北京)科技股份公司 Illegal application software identification method, device, medium and electronic equipment

Similar Documents

Publication Publication Date Title
CN103685575B (en) A kind of web portal security monitoring method based on cloud framework
CN104579773B (en) Domain name system analyzes method and device
JP7120350B2 (en) SECURITY INFORMATION ANALYSIS METHOD, SECURITY INFORMATION ANALYSIS SYSTEM AND PROGRAM
CN111104579A (en) Identification method and device for public network assets and storage medium
CN103455758A (en) Method and device for identifying malicious website
CN111400357A (en) Method and device for identifying abnormal login
CN112667875A (en) Data acquisition method, data analysis method, data acquisition device, data analysis device, equipment and storage medium
CN113704328B (en) User behavior big data mining method and system based on artificial intelligence
US20120117034A1 (en) Context-aware apparatus and method
CN112416730A (en) User internet behavior analysis method and device, electronic equipment and storage medium
CN113177205A (en) Malicious application detection system and method
CN111404937B (en) Method and device for detecting server vulnerability
CN112445870A (en) Knowledge graph string parallel case analysis method based on mobile phone evidence obtaining electronic data
KR102124935B1 (en) Disaster Monitoring System, Method Using Crowd Sourcing, and Computer Program therefor
Pretorius et al. Attributing users based on web browser history
Hemdan et al. Spark-based log data analysis for reconstruction of cybercrime events in cloud environment
CN112685255A (en) Interface monitoring method and device, electronic equipment and storage medium
WO2021248707A1 (en) Operation verification method and apparatus
CN110866700A (en) Method and device for determining enterprise employee information disclosure source
CN115314271A (en) Access request detection method, system and computer storage medium
CN114218569A (en) Data analysis method, device, equipment, medium and product
CN114363039A (en) Method, device, equipment and storage medium for identifying fraud websites
CN114189585A (en) Crank call abnormity detection method and device and computing equipment
CN112199573A (en) Active detection method and system for illegal transaction
CN111212039A (en) Host mining behavior detection method based on DNS flow

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination