CN115118500A - Attack behavior rule obtaining method and device and electronic equipment - Google Patents

Info

Publication number
CN115118500A
Authority
CN
China
Prior art keywords
behavior
behavior data
attack
rule
ioa
Prior art date
Legal status
Granted
Application number
CN202210743014.7A
Other languages
Chinese (zh)
Other versions
CN115118500B (en)
Inventor
陈之望
Current Assignee
Sangfor Technologies Co Ltd
Original Assignee
Sangfor Technologies Co Ltd
Priority date
Filing date
Publication date
Application filed by Sangfor Technologies Co Ltd
Priority to CN202210743014.7A
Publication of CN115118500A
Application granted
Publication of CN115118500B
Legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1491 Countermeasures against malicious traffic using deception as countermeasure, e.g. honeypots, honeynets, decoys or entrapment

Abstract

The application relates to an attack behavior rule obtaining method and device and electronic equipment. The method comprises the following steps: acquiring initial attack behavior data; the initial attack behavior data comprises behavior data associated with known attack events, and the known attack events are obtained by detection according to known attack rules; removing behavior data matched with the known IOA behavior rule and the white behavior rule from the initial attack behavior data to obtain target attack behavior data; and generating a target IOA behavior rule according to the target attack behavior data. The scheme provided by the application can discover and obtain the unknown target IOA attack behavior rule in time, and effectively improves the early warning capability of network security.

Description

Attack behavior rule obtaining method and device and electronic equipment
Technical Field
The present application relates to the field of network security technologies, and in particular, to a method and an apparatus for acquiring attack behavior rules, and an electronic device.
Background
In an attack coping strategy for network security, IOAs (Indicators of Attack) represent an active defense posture: a defender actively searches, monitors, collects and analyzes behaviors occurring on the network and raises early warnings from signals of possible attacks, such as code execution, persistence, concealment, C&C (command and control) communication and lateral movement within the network, so as to prevent impending or ongoing attacks.
In the related art, daily network security maintenance generally performs analysis and early warning based on known IOA attack methods and the behavior rules corresponding to those techniques. The IOA attack behavior rules commonly used at present come from the MITRE ATT&CK attack knowledge base, from sample behaviors observed by running samples in honeypots and sandboxes, and from trending attack events. However, the known IOA behavior rules have limitations and lag behind new attacks: based on these historical rules alone, unknown IOA attack behavior rules cannot be identified and acquired, so an early-warning strategy that relies only on known IOA attack behavior rules has a potential security hazard.
Disclosure of Invention
In order to solve or partially solve the problems in the related art, the application provides an attack behavior rule obtaining method, an attack behavior rule obtaining device and electronic equipment, which can find and obtain unknown target IOA attack behavior rules in time and effectively improve the early warning capability of network security.
A first aspect of the present application provides an attack behavior rule obtaining method, including:
acquiring initial attack behavior data; the initial attack behavior data comprises behavior data associated with known attack events, and the known attack events are obtained by detection according to known attack rules;
removing behavior data matched with the known IOA behavior rule and the white behavior rule from the initial attack behavior data to obtain target attack behavior data;
and generating a target IOA behavior rule according to the target attack behavior data.
In an embodiment, the initial attack behavior data includes behavior data associated with known attack events that match the known IOA rules.
In an embodiment, after the step of obtaining the initial attack behavior data, the method further includes: and extracting the initial attack behavior data by adopting a known IOC rule, and acquiring the processed initial attack behavior data matched with the known IOC rule. Correspondingly, the removing the behavior data matched with the known IOA behavior rule and the white behavior rule in the initial attack behavior data to obtain target attack behavior data includes: and eliminating the behavior data matched with the known IOA behavior rule and the white behavior rule in the processed initial attack behavior data to obtain target attack behavior data.
In one embodiment, the attack behavior rule obtaining method is applied to a cloud server; accordingly, the obtaining of the initial attack behavior data includes: and acquiring initial attack behavior data respectively sent by each agent.
Generating the target IOA behavior rule according to the target attack behavior data includes: acquiring the occurrence counts of the behaviors contained in the target attack behavior data, where the occurrence counts are obtained by a statistical analysis operation over the initial attack behavior data sent by each agent; and generating the target IOA behavior rule based on the occurrence counts of the behaviors.
In one embodiment, the method for determining the occurrence count of the behavior includes: respectively constructing a tracing directed graph based on the initial attack behavior data respectively sent by each agent; and clustering each tracing directed graph to obtain the occurrence count of similar behaviors.
In one embodiment, generating the target IOA behavior rule based on the occurrence counts of the behaviors includes: displaying the extracted candidate IOA behavior rules sorted by priority according to the occurrence counts of the behaviors; and generating the final target IOA behavior rule based on the user's operation result.
In an embodiment, before removing the behavior data matched with the known IOA behavior rule and the white behavior rule from the initial attack behavior data to obtain the target attack behavior data, the method includes: and constructing a tracing directed graph according to the initial attack behavior data.
Correspondingly, removing the behavior data matched with the known IOA behavior rule and the white behavior rule from the initial attack behavior data to obtain the target attack behavior data includes: pruning the tracing directed graph to remove the behavior data that matches the known IOA behavior rules and the white behavior rules.
A second aspect of the present application provides an attack behavior rule obtaining apparatus, including:
the data acquisition module is used for acquiring initial attack behavior data; the initial attack behavior data comprises behavior data associated with known attack events, and the known attack events are obtained by detection according to known attack rules;
the data processing module is used for removing behavior data matched with the known IOA behavior rule and the white behavior rule in the initial attack behavior data to obtain target attack behavior data;
and the rule generating module is used for generating a target IOA behavior rule according to the target attack behavior data.
A third aspect of the present application provides an electronic device comprising:
a processor; and
a memory having executable code stored thereon, which when executed by the processor, causes the processor to perform the method as described above.
A fourth aspect of the present application provides a computer-readable storage medium having stored thereon executable code, which, when executed by a processor of an electronic device, causes the processor to perform the method as described above.
The technical scheme provided by the application can comprise the following beneficial effects:
According to the technical scheme, the known attack events detected by the known attack rules are obtained, so that initial attack behavior data can be derived from the behavior data and/or associated data of those known attack events; interference data in the initial attack behavior data is removed according to the known IOA behavior rules and the white behavior rules, the target attack behavior data is determined from the remaining data, and the target IOA behavior rule can then be generated. By this design, unknown target IOA behavior rules can be obtained during daily network security maintenance, so that maintainers can prepare response strategies in advance, raise early warnings in time, update the record of known IOA behavior rules in time, and reduce the potential security hazards of daily maintenance. This method of actively extracting unknown IOA behavior rules therefore avoids passively relying on the MITRE ATT&CK attack knowledge base, and avoids the reporting errors caused by behavior rules that the MITRE ATT&CK knowledge base has not yet incorporated. In addition, the method is completely different from active extraction with honeypots and sandboxes: some malicious samples carry honeypot or sandbox escape techniques, so the honeypot or sandbox cannot elicit the attack behavior, and as fileless attacks become more prevalent there is no sample file to collect at all, so the attack behavior of that attack type cannot be elicited in a honeypot or sandbox either.
During research and development it was found that the attack methods involved in a single attack event are rarely all completely new; usually known and unknown attack methods are used together, which provides theoretical feasibility for discovering unknown attack threats starting from partly known attack threats, and hence the technical scheme of the present application.
It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the application.
Drawings
The foregoing and other objects, features and advantages of the application will be apparent from the following more particular descriptions of exemplary embodiments of the application as illustrated in the accompanying drawings wherein like reference numbers generally represent like parts throughout the exemplary embodiments of the application.
Fig. 1 is a schematic flowchart of an attack behavior rule obtaining method shown in an embodiment of the present application;
fig. 2 is another schematic flow chart of an attack behavior rule obtaining method shown in the embodiment of the present application;
fig. 3 is another schematic flow chart of an attack behavior rule obtaining method shown in the embodiment of the present application;
fig. 4 is a schematic structural diagram of an attack behavior rule obtaining apparatus shown in the embodiment of the present application;
fig. 5 is another schematic structural diagram of an attack behavior rule obtaining apparatus shown in the embodiment of the present application;
fig. 6 is a schematic structural diagram of an electronic device shown in an embodiment of the present application.
Detailed Description
Embodiments of the present application will be described in more detail below with reference to the accompanying drawings. While embodiments of the present application are illustrated in the accompanying drawings, it should be understood that the present application may be embodied in various forms and should not be limited to the embodiments set forth herein. Rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the disclosure to those skilled in the art.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the application. As used in this application and the appended claims, the singular forms "a", "an", and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It should also be understood that the term "and/or" as used herein refers to and encompasses any and all possible combinations of one or more of the associated listed items.
It should be understood that although the terms "first," "second," "third," etc. may be used herein to describe various information, these information should not be limited to these terms. These terms are only used to distinguish one type of information from another. For example, first information may also be referred to as second information, and similarly, second information may also be referred to as first information, without departing from the scope of the present application. Thus, a feature defined as "first" or "second" may explicitly or implicitly include one or more of that feature. In the description of the present application, "a plurality" means two or more unless specifically limited otherwise.
Because the known IOA behavior rules have limitations and lag behind new attacks, early-warning strategies that rely on these historical rules in daily network security maintenance cannot identify and acquire unknown IOA attack behavior rules, so a strategy for early warning based only on known IOA attack behavior rules has potential security hazards. In view of this problem, embodiments of the present application provide an attack behavior rule obtaining method that can discover and obtain unknown IOA attack behavior rules in time and effectively improve the early warning capability of network security.
The technical solutions of the embodiments of the present application are described in detail below with reference to the accompanying drawings.
Fig. 1 is a flowchart illustrating an attack behavior rule obtaining method according to an embodiment of the present application.
Referring to fig. 1, the present embodiment provides an attack behavior rule obtaining method, which includes:
S110, acquiring initial attack behavior data; the initial attack behavior data comprises behavior data associated with known attack events, and the known attack events are detected according to known attack rules.
In this step, the execution main body may be a terminal device or a server, and the terminal device may obtain initial attack behavior data generated on the body; or the cloud server may acquire the initial attack behavior data from different terminal devices in real time or periodically.
The known attack rule may be a known IOA (Indicators of Attack) behavior rule, or a known IOC (Indicators of Compromise) rule. Detection is performed according to the known IOA behavior rule and/or the known IOC rule, so that behavior data associated with the known attack rule is found in the collected data and the occurrence of an attack event is determined from the known attack rule; this is the known attack event. The "associated behavior data" in step S110 specifically refers to behavior data associated with, but not itself hit by, a known attack event. For example, if a known attack event consists of behaviors matching the known IOA behavior rule X, the behavior data associated with that attack event may be the corresponding behavior data before, during and/or after the occurrence of the attack event.
Of course, in the embodiment of the present application, the initial attack behavior data may or may not include behavior data in a known attack event (i.e., behavior data matching a known attack rule).
S120, eliminating the behavior data matched with the known IOA behavior rule and the white behavior rule in the initial attack behavior data to obtain target attack behavior data.
It will be appreciated that the initial attack behavior data may contain not only behavior data matching unknown IOA behavior rules, but also other data, such as behavior data matching white behavior rules and behavior data matching known IOA behavior rules. In order to find unknown behavior rules from the initial attack behavior data and reduce the interference of the known rules, the initial attack behavior data can be screened according to the known IOA behavior rules and the white behavior rules, the behavior data matched with the known IOA behavior rules and the white behavior rules are eliminated, and then the residual data with the unknown behavior rules, namely the target attack behavior data, is obtained.
S130, generating a target IOA behavior rule according to the target attack behavior data.
In this step, the target attack behavior data may be processed according to a preset format or an empirical rule, such as TTPs (i.e., Tactics, Techniques, and Procedures), to generate a target IOA behavior rule. It is understood that the obtained target IOA behavior rule can be regarded as a known IOA behavior rule, and is used in the loop execution of steps S110 and S120.
Of course, in order to make the target IOA behavior rule more accurate, a step of manual feedback may be added in this step S130.
In step S130, the target attack behavior data may be all output as target IOA behavior rules to be determined manually, and then final target IOA behavior rules are generated according to manual feedback of security personnel.
In addition, the target attack behavior data can be processed, similar behaviors are aggregated, the similar behaviors are aggregated into a target IOA behavior rule to be determined manually, and then the target IOA behavior rule is generated through manual feedback.
As can be seen from this example, in the attack behavior rule obtaining method of the present application, the known attack event detected according to the known attack rule is obtained, so that the known attack event is used as an entry point to obtain associated initial attack behavior data, interference data in the initial attack behavior data is removed according to the known IOA behavior rule and the white behavior rule, and target attack behavior data is determined in remaining data, so that the target IOA behavior rule can be generated. By the design, unknown target IOA behavior rules can be obtained in daily network security maintenance, so that maintainers can conveniently make response strategies in advance, find early warning in time, update records of the known IOA behavior rules in time, and reduce potential safety hazards of daily network security maintenance.
Fig. 2 is another flowchart schematic diagram of an attack behavior rule obtaining method shown in the embodiment of the present application.
Referring to fig. 2, the present embodiment provides an attack behavior rule obtaining method, which includes:
S210, initial attack behavior data is obtained, wherein the initial attack behavior data comprises behavior data associated with a known attack event matched with the known IOA rule.
In this embodiment of the application, the execution subject is taken to be a cloud server for the purpose of description. However, some of the technical features discussed in relation to the cloud server are not bound to the cloud server, which a person skilled in the art should keep in mind.
The known attack rule may specifically be a known IOA rule.
Choosing known IOA rules rather than IOC rules as the known attack rules has a definite benefit: the probability of extracting an unknown IOA rule is higher. This is because attack-related behaviors are usually correlated, which may show up in time, although the degree of correlation differs between attacks: in some attacks the individual attack behaviors are dispersed in time, in others they are concentrated.
Unknown IOA behavior rules are therefore more likely to be contained in the data when we select the behavior data associated with behaviors that match known IOA rules. When we select an IOC rule instead, the behaviors associated with the IOC rule are so numerous that the initial attack behavior data we collect may not contain the unknown attack behavior rules at all.
Therefore, to include the unknown attack behavior data with as high a probability as possible, we choose IOA behavior rules rather than IOC rules as the known attack rules.
The choice of IOA rules as the known attack rules here is not a technical means bound to the cloud server.
In the embodiment of the application, the agent performs IOA rule matching on the acquired data, and according to a matching result, initial attack behavior data is acquired from the acquired data and is sent to the cloud server. For example, the initial attack behavior data may include behavior data that matches known IOA rules and associated ambient behavior data, or the initial attack behavior data may include only associated ambient behavior data.
In this embodiment, the execution subject is a cloud server, and in this case, the initial attack behavior data sent by each agent is acquired. Wherein each agent may be a proxy client, a proxy server, a network proxy device, a security agent, etc., for example only. The cloud server may obtain the initial attack behavior data from different sources, so as to expand the data base for obtaining the target attack behavior data, and may perform priority ranking on the extracted target IOA behavior rules, which will be explained in detail in the subsequent step S240.
S220, extracting the initial attack behavior data by adopting the known IOC rule, and acquiring the processed attack behavior data matched with the known IOC rule.
It can be understood that, because the initial attack behavior data is collected from a wide range of sources, the amount of collected behavior data multiplies. Among it there may be false-positive events, i.e. the initial attack behavior data may contain regular events, or rare events that are not attack events. IOC (Indicators of Compromise) is a way of recording the characteristics and evidence of an event in a structured manner. An IOC covers everything observable from the host and network perspective, not just malware: it may be a working directory name, an output file name, a login event, a persistence mechanism, an IP address, a domain name, or even a malware network protocol signature. IOC features may be file SHA1 or SHA2 hashes, DNS addresses or IP addresses with unique identification. Based on this, when the initial attack behavior data contains data matching a known IOC rule carrying such IOC features, the initial attack behavior data can be screened using the accurate, strong-feature IOC information, effective attack behavior data is obtained by filtering, and the processed attack behavior data matched with the known IOC rule is obtained. For example, if the initial attack behavior data involves many file-creation behaviors, a file behavior is selected when the file's SHA1 hits a malicious-file IOC; behaviors that hit no IOC malicious indicator are not selected at first.
S230, eliminating the behavior data matched with the known IOA behavior rule and the white behavior rule from the processed initial attack behavior data to obtain target attack behavior data.
In the step, in the initial attack behavior data obtained after the screening according to the IOC characteristics, the matching can be more efficiently carried out in the remaining initial attack behavior data according to the known IOA behavior rules and the white behavior rules, so as to remove the behavior data of the known attack rules and the behavior data of the white behavior rules.
In order to improve the elimination efficiency, in an embodiment, a tracing directed graph is constructed from the initial attack behavior data, and more specifically from the processed initial attack behavior data. Further, a tracing directed graph is constructed separately from the processed initial attack behavior data sent by each agent. The tracing directed graph may be a tree structure or a general graph data structure, as the actual situation requires.
In one embodiment, pruning removes the behavior data in the tracing directed graph that matches the known IOA behavior rules and the white behavior rules. The target attack behavior data may be obtained by pruning each tracing directed graph separately, or by pruning the graphs obtained after similar clustering of the tracing directed graphs (similar clustering is mainly used for counting in the subsequent step S240).
It can be understood that the tracing directed graph consists of nodes and the edges between them; through these nodes and edges the graph represents the data-flow and control-flow relationships between system objects and thereby connects nodes that have a causal connection. That is, by presenting the initial attack behavior data as a tracing directed graph, the process behaviors associated with known IOA behavior rules and those associated with white behavior rules become explicit, which makes culling this redundant data clearer and more efficient.
S240, acquiring occurrence counts of behaviors contained in the target attack behavior data; based on the occurrence count of the behavior, target IOA behavior rules are generated.
When the execution end is a cloud server, it obtains the initial attack behavior data sent from each agent, so the behaviors contained in the target attack behavior data can be counted. A relatively high occurrence frequency indicates a relatively high degree of threat, so whether a behavior with a high count is a target IOA behavior rule should be determined as soon as possible; alternatively, a behavior with a relatively high occurrence count may be determined directly to be a target IOA behavior rule. Of course, for accuracy, human validation should be added to this step wherever possible.
In a specific implementation, occurrence counts of similar behaviors can be obtained through a similarity clustering algorithm over the tracing directed graphs, and the target IOA behavior rule is then determined according to the counts. The similarity clustering of the tracing directed graphs may be executed while pruning in step S230, or it may be performed after pruning, in step S240.
The occurrence count is obtained by performing statistical analysis operation according to the initial attack behavior data respectively sent by each agent. Of course, the meaning of directly calculating the count from the initial attack behavior data is not limited herein, that is, the count may be based on the target attack behavior data, and in this case, the count is indirectly calculated from the initial attack behavior data, and these are all within the scope of the present application. In order to improve the statistical efficiency, the occurrence count is obtained by performing a statistical analysis operation according to target attack behavior data in the initial attack behavior data sent by each agent. That is, the occurrence counts of the same or similar behaviors contained in the target attack behavior data of the same agent source or different agent sources may be counted, that is, the occurrence counts of only the behaviors having unknown IOA behavior rules may be counted without counting the occurrence counts of the behavior data matching the known IOA behavior rules and the white behavior rules.
In order to improve statistical efficiency, in an embodiment, the tracing directed graphs are clustered to obtain the occurrence counts of similar behaviors. That is, in one feasible implementation, after the corresponding tracing directed graphs are constructed and pruned based on the processed initial attack behavior data sent by each agent, the pruned tracing directed graphs can be clustered to obtain the occurrence counts of similar behaviors; as stated in step S230, similar clustering can also be performed before pruning, and these operations can be adjusted according to the actual situation.
In one embodiment, based on the occurrence counts of similar behaviors, the extracted candidate IOA behavior rules are displayed sorted by priority, and the final target IOA behavior rule is generated based on the user's operation result.
In the target attack behavior data, different behaviors respectively have corresponding IOA behavior rules, and the priorities of the candidate IOA behavior rules are determined by extracting corresponding candidate IOA behavior rules from the target attack behavior data and sequencing the candidate IOA behavior rules according to corresponding occurrence counts respectively. The larger the occurrence count, the wider the influence range, and the higher the priority to be handled. Based on this, through displaying the sorted candidate IOA behavior rules, the user can select the candidate IOA behavior rules with larger occurrence count and higher priority as the final target IOA behavior rules, so that the security experts can analyze and confirm preferentially and extract a coping strategy.
As can be seen from this example, according to the attack behavior rule obtaining method of the present application, after initial attack behavior data is obtained by performing matching according to a known IOA rule, further confirmation is performed according to a known IOC rule, false-alarm data is excluded, robustness of a processing result is improved, and further elimination is performed based on the processed initial attack behavior data, so that purer target attack behavior data is obtained; and finally, counting the occurrence counts of all behaviors in the target attack behavior data, thereby screening and obtaining the target IOA behavior rule. By the design, more threatening unknown IOA behavior rules can be screened from a large amount of initial attack behavior data more efficiently, so that timely discovery and early warning can be realized.
Fig. 3 is another flowchart schematic diagram of an attack behavior rule obtaining method shown in the embodiment of the present application.
Referring to fig. 3, the present embodiment provides an attack behavior rule obtaining method, which includes:
S310, acquiring the initial attack behavior data sent by each agent.
The execution subject of this embodiment may be a cloud server, which receives the initial attack behavior data sent by each agent.
S320, extracting the initial attack behavior data using the known IOC rules, and obtaining the processed attack behavior data that matches the known IOC rules.
This step is the same as step S220 described above and is not repeated here.
S330, constructing a tracing directed graph from the initial attack behavior data sent by each agent, and clustering the tracing directed graphs to obtain the occurrence counts of similar behaviors.
Preferably, after the initial attack behavior data sent by each agent has been processed in step S320, the tracing directed graph is constructed from the processed attack behavior data, so that the tracing directed graph is more accurate and more compact.
Each tracing directed graph is clustered according to a correlation algorithm, and the occurrence counts of the various similar behaviors are obtained by statistics.
S340, pruning the tracing directed graph to remove the behavior data matching the known IOA behavior rules and the white behavior rules, so as to obtain the target attack behavior data.
The tracing directed graph contains behavior data matching the known IOA behavior rules and the white behavior rules; this behavior data can be pruned in batches according to the occurrence counts of the similar behaviors, yielding the target attack behavior data.
S350, acquiring the occurrence counts of the behaviors contained in the target attack behavior data; displaying the extracted candidate IOA behavior rules sorted by priority based on those occurrence counts; and generating the final target IOA behavior rule based on the result of the user's operation.
It will be appreciated that the occurrence counts of different behaviors may be the same or different; by ordering them by size, the behaviors with higher counts and therefore higher priority can be determined. By taking the behavior rules corresponding to these behaviors as candidate IOA behavior rules and screening them by the occurrence counts of the corresponding behaviors, the user can conveniently and intuitively select the final target IOA behavior rule from the candidates.
As this example shows, the attack behavior rule obtaining method can more efficiently screen out the more threatening target IOA behavior rules from a large amount of initial attack behavior data collected by different agents, so that they are discovered and warned of in time.
Corresponding to the embodiments of the method described above, the present application also provides an attack behavior rule obtaining apparatus and corresponding embodiments.
Fig. 4 is a schematic structural diagram of an attack behavior rule obtaining apparatus according to an embodiment of the present application.
Referring to fig. 4, the present embodiment provides an attack behavior rule obtaining apparatus, which includes a data obtaining module 410, a data processing module 420, and a rule generating module 430. Wherein:
The data obtaining module 410 is configured to obtain initial attack behavior data, which comprises behavior data associated with known attack events, the known attack events being detected according to known attack rules.
The data processing module 420 is configured to remove behavior data that matches the known IOA behavior rule and the white behavior rule from the initial attack behavior data to obtain target attack behavior data.
The rule generating module 430 is configured to generate a target IOA behavior rule according to the target attack behavior data.
In a specific embodiment, the attack behavior rule obtaining device is applied to a cloud server, and the data obtaining module 410 is configured to obtain initial attack behavior data sent by each agent respectively. Optionally, the initial attack behavior data includes behavior data associated with "known attack events that match the known IOA rules".
Referring to fig. 5, fig. 5 is another schematic structural diagram of an attack behavior rule obtaining apparatus shown in the embodiment of the present application.
Further, the data processing module 420 includes a filtering module 421, configured to extract the initial attack behavior data using the known IOC rules and obtain the processed initial attack behavior data that matches the known IOC rules. By this design, false-alarm attack data acquired by the data obtaining module can be filtered out.
Further, the data processing module 420 includes a composition module 422, configured to construct a tracing directed graph from the initial attack behavior data. Preferably, the composition module 422 is configured to construct a tracing directed graph for the initial attack behavior data sent by each agent respectively.
Further, the data processing module 420 includes a clustering module 423, configured to obtain the occurrence counts of the behaviors contained in the target attack behavior data, the occurrence counts being obtained by performing a statistical analysis operation on the initial attack behavior data sent by each agent. Preferably, the clustering module 423 is configured to cluster the tracing directed graphs to obtain the occurrence counts of similar behaviors.
Further, the data processing module 420 includes a removing module 424, configured to remove from the processed initial attack behavior data the behavior data that matches the known IOA behavior rules and the white behavior rules, so as to obtain the target attack behavior data. Preferably, the removing module 424 is configured to prune the behavior data in the tracing directed graph that matches the known IOA behavior rules and the white behavior rules.
Further, the rule generating module 430 is configured to generate the target IOA behavior rule based on the occurrence counts of the behaviors. Preferably, the rule generating module 430 is configured to rank and display the extracted candidate IOA behavior rules by priority based on the occurrence counts of the behaviors, and to generate the final target IOA behavior rule based on the result of the user's operation.
In summary, the attack behavior rule obtaining apparatus solves the problem of automatically extracting unknown IOA attack behavior rules: it can discover unknown target IOA attack behavior rules from the known attack behavior rules in a timely manner, and effectively improves the early-warning capability of network security.
With regard to the apparatus in the above-described embodiment, the specific manner in which each module performs the operation has been described in detail in the embodiment related to the method, and will not be elaborated here.
The attack behavior rule obtaining apparatus may be packaged as an image file, which is executed and then run as a container or a virtual machine so as to implement the attack behavior rule obtaining method. It is of course not limited to the form of an image file: any software form capable of implementing the attack behavior rule obtaining method described in the present application is within its scope of protection; for example, it may also be a software module implemented in a hypervisor (virtual machine monitor) of a cloud computing platform.
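As an added illustration of the S310 to S350 flow of Fig. 3 and of the modules 410 to 430 of Figs. 4 and 5 (example code written for this page, not the patent's or the assignee's implementation), the following Python runs the pipeline over constructed agent data. The behavior record schema, the (process, action, target substring) rule format and the digit-generalising clustering key are assumptions the patent does not specify.

```python
import re
from collections import Counter
from dataclasses import dataclass

@dataclass(frozen=True)
class Behavior:        # one behavior record reported by an agent (assumed schema)
    agent: str         # agent that reported it
    event: str         # known attack event it was collected under (a known-IOA hit)
    parent: str        # parent process: the edge parent -> proc in the tracing graph
    proc: str          # process that performed the action
    action: str        # exec / write / netconn ...
    target: str        # command line, file path or destination
    ioc: str = ""      # indicator observed with the behavior, "" if none

# A rule is (process, action, substring of target): an assumed format, not the patent's.
Rule = tuple[str, str, str]

def matches(b: Behavior, rule: Rule) -> bool:
    proc, action, needle = rule
    return b.proc == proc and b.action == action and needle in b.target

def s310_collect(batches: dict[str, list[Behavior]]) -> list[Behavior]:
    """S310: the cloud server gathers the initial attack behavior data of every agent."""
    return [b for agent in sorted(batches) for b in batches[agent]]

def s320_confirm_with_ioc(data: list[Behavior], known_iocs: set[str]) -> list[Behavior]:
    """S320: keep only events in which some behavior carries a known IOC;
    an event with no IOC hit is treated as a false alarm and dropped."""
    confirmed = {(b.agent, b.event) for b in data if b.ioc in known_iocs}
    return [b for b in data if (b.agent, b.event) in confirmed]

def behavior_key(b: Behavior) -> Rule:
    """Clustering key: digit runs in the target are generalised so the same behavior
    on different hosts (other temp names, PIDs, ports) counts as 'similar'."""
    return (b.proc, b.action, re.sub(r"\d+", "#", b.target))

def s330_graphs_and_counts(data: list[Behavior]):
    """S330: one tracing directed graph per agent (parent -> child behaviors), then
    cluster similar behaviors across all graphs and count their occurrences."""
    graphs: dict[str, dict[str, list[Behavior]]] = {}
    for b in data:
        graphs.setdefault(b.agent, {}).setdefault(b.parent, []).append(b)
    counts = Counter(behavior_key(b) for g in graphs.values()
                     for kids in g.values() for b in kids)
    return graphs, counts

def s340_prune(data: list[Behavior], known_ioa: list[Rule], white: list[Rule]) -> list[Behavior]:
    """S340: prune behaviors matching a known IOA rule or a white rule; the rest is
    the target attack behavior data."""
    return [b for b in data if not any(matches(b, r) for r in known_ioa + white)]

def s350_rank_candidates(target: list[Behavior], counts: Counter) -> list[tuple[Rule, int]]:
    """S350: each remaining behavior pattern is a candidate IOA rule, listed in
    descending order of occurrence count (wider impact, higher priority)."""
    candidates = {behavior_key(b) for b in target}
    return sorted(((k, counts[k]) for k in candidates), key=lambda kc: (-kc[1], kc[0]))

def s350_confirm(ranked: list[tuple[Rule, int]], chosen: list[int]) -> list[Rule]:
    """The user's operation result: indices of the candidates the analyst confirmed."""
    return [ranked[i][0] for i in chosen]

def run_pipeline(batches, known_iocs, known_ioa, white) -> list[tuple[Rule, int]]:
    data = s310_collect(batches)                         # data obtaining module 410
    processed = s320_confirm_with_ioc(data, known_iocs)  # filtering module 421
    _graphs, counts = s330_graphs_and_counts(processed)  # composition 422 + clustering 423
    target = s340_prune(processed, known_ioa, white)     # removing module 424
    return s350_rank_candidates(target, counts)          # rule generating module 430

# Constructed sample input (not from the patent): three agents each report one event
# raised by the known IOA rule below; agent "c" never touches a known IOC, so its
# event is a false alarm and must not contribute to the candidates.
KNOWN_IOCS = {"bad-c2.example"}                          # placeholder indicator
KNOWN_IOA = [("cmd.exe", "exec", "whoami")]              # the rule that raised the events
WHITE = [("svchost.exe", "netconn", "updates.example")]  # benign, white-listed traffic

def _event(agent: str, n: int, dest: str, ioc: str) -> list[Behavior]:
    return [
        Behavior(agent, "ev1", "explorer.exe", "cmd.exe", "exec", "whoami /all"),
        Behavior(agent, "ev1", "cmd.exe", "powershell.exe", "exec", f"-w hidden -enc <blob{n}>"),
        Behavior(agent, "ev1", "powershell.exe", "powershell.exe", "write",
                 f"C:\\Users\\u{n}\\AppData\\Local\\Temp\\{n}.tmp"),
        Behavior(agent, "ev1", "powershell.exe", "powershell.exe", "netconn", dest, ioc),
        Behavior(agent, "ev1", "services.exe", "svchost.exe", "netconn", "updates.example:443"),
    ]

SAMPLE = {
    "a": _event("a", 1, "bad-c2.example:443", "bad-c2.example"),
    "b": _event("b", 2, "bad-c2.example:443", "bad-c2.example")
         + [Behavior("b", "ev1", "cmd.exe", "powershell.exe", "exec", "-w hidden -enc <blob9>")],
    "c": _event("c", 3, "203.0.113.5:443", ""),
}

if __name__ == "__main__":
    for rule, count in run_pipeline(SAMPLE, KNOWN_IOCS, KNOWN_IOA, WHITE):
        print(count, rule)
```

On the constructed input the known-IOA hit (cmd.exe whoami) and the white-listed svchost traffic are pruned, agent "c" is dropped as a false alarm, and the three surviving PowerShell patterns are ranked with the encoded-command execution first because it was seen three times across two agents.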
Fig. 6 is a schematic structural diagram of an electronic device shown in an embodiment of the present application.
Referring to fig. 6, the electronic device 10 includes a memory 1010 and a processor 1020.
The processor 1020 may be a central processing unit (CPU), another general-purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, discrete gate or transistor logic, discrete hardware components, etc. A general-purpose processor may be a microprocessor or any conventional processor.
The electronic device 10 of the present application may be a single hardware device, or may be a cluster formed by multiple hardware devices, for example, a cloud computing platform.
The cloud computing platform is a cluster that organizes the physical hardware resources of a number of independent servers into pooled resources using compute, network and storage virtualization technologies, and provides services externally.
Current cloud computing platforms support several service modes:
SaaS (Software as a Service): the cloud computing platform user does not purchase software but rents software deployed on the cloud computing platform; the user does not need to maintain the software, and the software service provider manages and maintains it with full authority;
PaaS (Platform as a Service): a cloud computing platform user (usually a software developer in this case) can build a new application on the framework provided by the cloud computing platform, or extend an existing application, without purchasing development, quality control or production servers;
IaaS (Infrastructure as a Service): the cloud computing platform provides data centers, infrastructure hardware and software resources through the internet, and the cloud computing platform in the IaaS mode can provide servers, operating systems, disk storage, databases and/or information resources.
The memory 1010 may include various types of storage units, such as system memory, read-only memory (ROM) and permanent storage. The ROM may store static data or instructions for the processor 1020 or other modules of the computer. The permanent storage device may be a read-write storage device, and may be a non-volatile storage device that does not lose stored instructions and data even after the computer is powered off. In some embodiments, a mass storage device (e.g., a magnetic or optical disk, or flash memory) is used as the permanent storage device; in other embodiments, the permanent storage may be a removable storage device (e.g., a floppy disk or optical drive). The system memory may be a read-write memory device or a volatile read-write memory device, such as dynamic random access memory, and may store the instructions and data that some or all of the processors require at runtime. Further, the memory 1010 may comprise any combination of computer-readable storage media, including various types of semiconductor memory chips (e.g., DRAM, SRAM, SDRAM, flash memory, programmable read-only memory), magnetic and/or optical disks, among others. In some embodiments, the memory 1010 may include a readable and/or writable removable storage device, such as a compact disc (CD), a read-only digital versatile disc (e.g., DVD-ROM, dual-layer DVD-ROM), a read-only Blu-ray disc, an ultra-density optical disc, a flash memory card (e.g., SD card, mini SD card, Micro-SD card, etc.), a magnetic floppy disk, or the like. Computer-readable storage media do not contain carrier waves or transitory electronic signals transmitted by wireless or wired means.
The memory 1010 has stored thereon executable code that, when processed by the processor 1020, may cause the processor 1020 to perform some or all of the methods described above.
Furthermore, the method according to the present application may also be implemented as a computer program or computer program product comprising computer program code instructions for performing some or all of the steps of the above-described method of the present application.
Alternatively, the present application may also be embodied as a computer-readable storage medium (or non-transitory machine-readable storage medium or machine-readable storage medium) having executable code (or a computer program or computer instruction code) stored thereon, which, when executed by a processor of an electronic device, causes the processor to perform part or all of the steps of the above-described methods according to the present application.
Having described embodiments of the present application, the foregoing description is intended to be exemplary, not exhaustive, and not limited to the disclosed embodiments. Many modifications and variations will be apparent to those of ordinary skill in the art without departing from the scope and spirit of the described embodiments. The terminology used herein is chosen in order to best explain the principles of the embodiments, the practical application, or improvements made to the technology in the marketplace, or to enable others of ordinary skill in the art to understand the embodiments disclosed herein.

Claims (10)

1. An attack behavior rule obtaining method is characterized by comprising the following steps:
acquiring initial attack behavior data; the initial attack behavior data comprises behavior data associated with known attack events, and the known attack events are obtained by detection according to known attack rules;
removing behavior data matched with the known IOA behavior rule and the white behavior rule from the initial attack behavior data to obtain target attack behavior data;
and generating a target IOA behavior rule according to the target attack behavior data.
2. The method according to claim 1, wherein the initial attack behavior data includes behavior data associated with "known attack events that match the known IOA rules".
3. The attack behavior rule obtaining method according to claim 2, further comprising, after the step of acquiring the initial attack behavior data:
extracting the initial attack behavior data by adopting a known IOC rule to obtain processed initial attack behavior data matched with the known IOC rule;
correspondingly, the removing the behavior data matched with the known IOA behavior rule and the white behavior rule in the initial attack behavior data to obtain target attack behavior data includes:
and eliminating the behavior data matched with the known IOA behavior rule and the white behavior rule in the processed initial attack behavior data to obtain target attack behavior data.
4. The method for acquiring the attack behavior rule according to claim 1, applied to a cloud server;
accordingly, the obtaining of the initial attack behavior data includes:
acquiring initial attack behavior data respectively sent by each agent;
and the generating a target IOA behavior rule according to the target attack behavior data comprises:
acquiring occurrence counts of behaviors contained in the target attack behavior data, wherein the occurrence counts are obtained by executing statistical analysis operations according to initial attack behavior data respectively sent by each agent;
generating a target IOA behavior rule based on the occurrence count of the behavior.
5. The method according to claim 4, wherein the occurrence count of the behavior is determined by:
respectively constructing a tracing directed graph based on the initial attack behavior data respectively sent by each agent;
and clustering each tracing directed graph to obtain the occurrence count of the similar behaviors.
6. The method according to claim 4, wherein generating the target IOA behavior rule based on the occurrence count of the behavior comprises:
based on the occurrence count of the behaviors, performing sequencing display on the extracted candidate IOA behavior rules according to the priority;
and generating a final target IOA behavior rule based on the operation result of the user.
7. The method according to any one of claims 1 to 6, wherein before removing, from the initial attack behavior data, behavior data that matches known IOA behavior rules and white behavior rules to obtain target attack behavior data, the method includes:
constructing a tracing directed graph according to the initial attack behavior data;
correspondingly, the removing the behavior data matched with the known IOA behavior rule and the white behavior rule in the initial attack behavior data to obtain target attack behavior data includes:
pruning the tracing directed graph to remove the behavior data that matches the known IOA behavior rules and the white behavior rules.
8. An attack behavior rule acquisition apparatus, comprising:
the data acquisition module is used for acquiring initial attack behavior data; the initial attack behavior data comprises behavior data associated with known attack events, and the known attack events are obtained by detection according to known attack rules;
the data processing module is used for removing behavior data matched with the known IOA behavior rule and the white behavior rule in the initial attack behavior data to obtain target attack behavior data;
and the rule generating module is used for generating a target IOA behavior rule according to the target attack behavior data.
9. An electronic device, comprising:
a processor; and
a memory having executable code stored thereon, which when executed by the processor, causes the processor to perform the method of any one of claims 1-7.
10. A computer-readable storage medium having stored thereon executable code, which when executed by a processor of an electronic device, causes the processor to perform the method of any one of claims 1-7.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210743014.7A CN115118500B (en) 2022-06-28 2022-06-28 Attack behavior rule acquisition method and device and electronic equipment

Publications (2)

Publication Number Publication Date
CN115118500A true CN115118500A (en) 2022-09-27
CN115118500B CN115118500B (en) 2023-11-07

Family

ID=83330905

Country Status (1)

Country Link
CN (1) CN115118500B (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116781396A (en) * 2023-07-20 2023-09-19 北京火山引擎科技有限公司 Method, apparatus, device and storage medium for attack behavior detection

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant