CN115278681A - 5G communication network attack graph generation method and system based on regional collaboration - Google Patents


Info

Publication number: CN115278681A
Authority: CN (China)
Prior art keywords: vulnerability, attack, current, communication, communication node
Legal status: Granted, active (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Application number: CN202210735593.0A
Other languages: Chinese (zh)
Other versions: CN115278681B (en)
Inventors: 胡晓娅, 李欣格, 周纯杰, 徐绍辉
Current Assignee: Huazhong University of Science and Technology (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Original Assignee: Huazhong University of Science and Technology
Priority: CN202210735593.0A; published as CN115278681A, granted as CN115278681B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/12 Detection or prevention of fraud
    • H04W 12/121 Wireless intrusion detection systems [WIDS]; Wireless intrusion prevention systems [WIPS]
    • H04W 12/122 Counter-measures against attacks; Protection against rogue devices
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D 30/00 Reducing energy consumption in communication networks
    • Y02D 30/70 Reducing energy consumption in communication networks in wireless communication networks

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a method and a system for generating a 5G communication network attack graph based on regional collaboration. The method comprises the following steps. S1: determine the topology of the 5G communication network and acquire a communication node set and a vulnerability set, where the vulnerability set comprises security vulnerabilities and null (empty) vulnerabilities. S2: migrate the attacker's current information attack authority from the current vulnerability to the next associated security vulnerability in the same communication node. S3: judge whether the current communication node has a further associated security vulnerability; if so, return to S2, and if not, generate the internal attack path of the current partition. S4: according to the attacker's current information attack authority, migrate from the current vulnerability to the associated vulnerability in the next partition, generating a cross-partition attack path between two adjacent partitions. S5: judge whether the target attack node has been reached; if not, return to S2, and if so, output the 5G communication network attack graph. By combining the internal attack path search with the cross-region attack path search, and by introducing null vulnerabilities for path migration, a more comprehensive attack path graph can be obtained.

Description

5G communication network attack graph generation method and system based on regional cooperation
Technical Field
The invention belongs to the technical field of 5G communication network information security, and particularly relates to a method and a system for generating a 5G communication network attack graph based on regional collaboration.
Background
As a new information and communication technology, the 5G communication network is widely applied in fields such as smart grids, smart healthcare and smart manufacturing. However, because of the flexibility of the 5G network topology and the diversity of its communication services, 5G-based application scenarios expose more vulnerabilities. Meanwhile, network attack behaviour is becoming more complex and more intelligent, further aggravating the security threat to communication networks.
At present, when penetrating an information system or network, an attacker usually exploits the correlation between security vulnerabilities to intrude nodes of the system step by step until the attack target is reached. Existing system attack modelling and attack path identification methods are mainly based on attack graph generation: the association between network vulnerabilities is identified by judging whether the attacker's authority is raised after a vulnerability is exploited, the exploited vulnerabilities are those that can directly attack a node, the next attack state is determined from them, and finally a multi-step attack path is formed.
However, the 5G communication network is an open and flexible system, and an attacker can penetrate the network at any position or in any stage of a communication service. Compared with a traditional information system or network, the vulnerabilities of a 5G communication network are independent of one another and the requirements for vulnerability migration differ from those of a traditional information network, so the traditional attack graph generation methods designed for information networks cannot comprehensively identify the attack paths of a 5G communication network.
Disclosure of Invention
In view of the above defects or improvement requirements of the prior art, the present invention provides a method and a system for generating a 5G communication network attack graph based on regional coordination, which aim to comprehensively identify a 5G communication network attack path.
In order to achieve the above object, according to an aspect of the present invention, there is provided a method for generating a 5G communication network attack graph based on regional coordination, including:
step S1: determining a topological structure of a 5G communication network, and acquiring a communication node set and a vulnerability set, wherein the vulnerability set comprises a security vulnerability and an empty vulnerability, the security vulnerability is used for directly attacking communication nodes, and the empty vulnerability is a vulnerability migrated based on a communication relation;
step S2: according to the attacker's current information attack authority, migrating from the current vulnerability to the next associated security vulnerability in the same communication node, taking the newly attacked vulnerability as the current vulnerability, and updating the attacker's current information attack authority according to the information obtained from the newly attacked vulnerability;
step S3: judging whether the current communication node has a further associated security vulnerability; if so, returning to step S2, and if not, generating the attack path inside the current partition;
step S4: taking the last security vulnerability of the attack path in the current partition as the current vulnerability, and migrating from the current vulnerability to the associated vulnerability in the next partition according to the attacker's current information attack authority, so as to generate a cross-partition attack path between two adjacent partitions;
step S5: judging whether the target attack node has been reached; if not, taking the newly attacked vulnerability as the current vulnerability, updating the attacker's current information attack authority according to the information obtained from the newly attacked vulnerability and returning to step S2, and if so, outputting the 5G communication network attack graph.
In one embodiment, in step S2, the current intra-partition attack path is generated by using an intra-partition attack graph model SAG = <Attpri, SAT, SAGsrc, SAGdest, SAGAttpath>, where Attpri represents the attacker's current information attack authority; SAT = <v_i, v_j> represents the state transition of the attacker from the current vulnerability v_i to the next vulnerability v_j, where v_j is the next vulnerability associated with v_i and v_i and v_j are located in the same partition; SAGsrc and SAGdest represent the node positions before and after the state transition; and SAGAttpath represents the intra-partition attack path sequence, which stores the current vulnerability and the associated vulnerabilities found by the search so as to generate the current intra-partition attack path.
In one embodiment, in step S4, a cross-region attack path is generated by using a constructed network cross-region attack graph model CAG = <Compri, CAT, CAGsrc, CAGdest, CAGAttpath>, where Compri represents the attacker's current information attack authority; CAT = <CAGsrc, CAGdest, v_i, v_j> represents the state transition of the attacker from vulnerability v_i on the current partition node CAGsrc to vulnerability v_j on the next partition node CAGdest, where v_j is the next vulnerability associated with v_i; and CAGAttpath represents the cross-region attack path sequence, which stores the current vulnerability and the associated vulnerabilities found by the search so as to generate the cross-region attack path.
In one embodiment, the 5G communication network comprises four partitions: a terminal comprising n communication nodes, an access network comprising m communication nodes, a bearer network comprising k communication nodes and a core network comprising w communication nodes;
in step S1, the topology of the 5G communication network is represented as:
G = <N_E, N_A, N_B, N_R, EA, AB, BR>,
N_E = {e_1, e_2, …, e_n}, N_A = {a_1, a_2, …, a_m}, N_B = {b_1, b_2, …, b_k}, N_R = {r_1, r_2, …, r_w},
[The definitions of EA, AB and BR are given as an image in the original; by the definition of C(X, Y) below and the example of BR in the detailed description, EA = [C(e_i, a_j)] is n×m, AB = [C(a_i, b_j)] is m×k and BR = [C(b_i, r_j)] is k×w.]
where N_E, N_A, N_B and N_R respectively represent the terminal, access network, bearer network and core network communication node sets, e_n denotes the nth communication node of the terminal, a_m the mth communication node of the access network, b_k the kth communication node of the bearer network and r_w the wth communication node of the core network;
EA, AB and BR respectively represent the cross-region connectivity matrix from the terminal to the access network, from the access network to the bearer network and from the bearer network to the core network, where C(X, Y) represents the connectivity between communication node X and communication node Y: C(X, Y) = 1 when X and Y are connected, and C(X, Y) = 0 otherwise.
In one embodiment, a communication link table of a network communication node is first constructed, and the cross-region connectivity matrix is established based on the communication link table.
In one embodiment, the information of each vulnerability comprises a precondition Precon and a postcondition Postcon;
in step S2:
migrating the attacker's current information attack authority from the current vulnerability to the next associated security vulnerability in the same communication node comprises: defining the attacker's current information attack authority as Attpri, and taking the security vulnerabilities in the current communication node that satisfy Attpri ≥ Precon as the next associated vulnerabilities;
updating the attacker's current information attack authority according to the information obtained from the newly attacked vulnerability comprises: taking the newly attacked vulnerability as the current vulnerability and taking its postcondition as the current information attack authority;
in step S4:
migrating the attacker's current information attack authority from the current vulnerability to the associated vulnerability in the next partition comprises: defining the attacker's current information attack authority as Compri, and taking the vulnerabilities in the communication nodes of the next partition that satisfy Compri ≥ Precon as the associated vulnerabilities in the next partition;
updating the attacker's current information attack authority according to the information obtained from the newly attacked vulnerability comprises: taking the newly attacked vulnerability as the current vulnerability and taking the postcondition of the next vulnerability as the current information attack authority.
In one embodiment, step S4 includes:
step S41: judging the type of the current communication node, if the current communication node is a terminal communication node, jumping to step S42, if the current communication node is an access network communication node, jumping to step S45, and if the current communication node is a bearer network communication node, jumping to step S46;
step S42: judging whether the current terminal communication node is unregistered, if not, jumping to a step S43, and if so, jumping to a step S44;
step S43: judging whether Compri is greater than or equal to the precondition of the null vulnerability of the next partition; if so, attacking the vulnerabilities in the next partition whose precondition is less than or equal to Compri as the associated vulnerabilities and jumping to step S5, otherwise jumping to step S47;
step S44: judging whether Compri is greater than or equal to the precondition of the security vulnerability of the next partition; if so, attacking the security vulnerabilities in the next partition whose precondition is less than or equal to Compri as the associated vulnerabilities and jumping to step S5, otherwise jumping to step S47;
step S45: judging whether the current access network communication node is connected to the next partition; if so, jumping to step S43, and if not, jumping to step S47;
step S46: judging whether the current bearer network communication node is connected to the next partition; if so, jumping to step S43, and if not, jumping to step S47;
step S47: ending the search.
In one embodiment, in step S4, when the next related vulnerability cannot be searched, the search is ended.
In one embodiment, an initialization step is further included before step S2, in which the communication network attack graph is cleared, the attacker's initial attack authority is given, and the first attack node and the target attack node are determined.
According to another aspect of the present invention, there is provided a 5G communication network attack graph generation system based on regional coordination, including:
the system comprises an information collection unit and a communication unit, wherein the information collection unit is used for obtaining a topological structure, a communication node set and a vulnerability set of the 5G communication network, and the vulnerability set comprises a security vulnerability and an empty vulnerability, wherein the security vulnerability is used for directly attacking communication nodes, and the empty vulnerability is a vulnerability migrated based on a communication relation;
the intra-partition attack path searching unit is used for migrating from the current vulnerability to the next associated security vulnerability in the same communication node according to the attacker's current information attack authority, taking the newly attacked vulnerability as the current vulnerability and updating the attacker's current information attack authority according to the information obtained from the newly attacked vulnerability;
the first judgment unit is used for judging whether the current communication node has the associated security vulnerability, if so, the internal attack path search unit of the partition is continuously triggered to search for a new vulnerability, and if not, the internal attack path of the current partition is generated;
the cross-region attack path searching unit is used for taking the last security vulnerability of the attack path in the current region as the current vulnerability and generating a cross-region attack path between two adjacent regions according to the current information attack authority of an attacker to migrate from the current vulnerability to the related vulnerability in the next region;
and the second judgment unit is used for judging whether the target attack node is reached, if not, taking the newly attacked vulnerability as the current vulnerability, updating the current information attack authority of the attacker according to the information obtained from the newly attacked vulnerability, then continuing to trigger the intra-partition attack path searching unit to search for the new vulnerability, and if so, outputting a 5G communication network attack graph.
In general, compared with the prior art, the above technical solution contemplated by the present invention can achieve the following beneficial effects:
Considering the particularity of the network architecture, when a network attack migrates across regions the attacker can perform vulnerability migration based on the connectivity of nodes in adjacent partitions. When a node in the next partition is connected to the current node, that node is defined to have a null vulnerability. The null vulnerability is an invalid vulnerability: it indicates that the attacker can migrate from the current node to the next partition through it, but cannot attack the system through it and cannot raise the attacker's authority. In contrast, vulnerability migration in the traditional scheme is based only on effective vulnerabilities, i.e. the security vulnerabilities defined in this application, and whether two vulnerabilities are associated is judged by whether the authority is raised.
Meanwhile, the method divides path generation into two basic processes, the intra-partition attack path and the cross-region attack path, and through the cyclic process of internal search, cross-region search and internal search the search scans the network layer by layer in an orderly and comprehensive manner, so that a more comprehensive attack path graph can be generated quickly.
Drawings
Fig. 1 is a flowchart of the steps of a method for generating a 5G communication network attack graph based on regional coordination according to an embodiment;
Fig. 2 is a topology diagram of a 5G communication network according to an embodiment;
Fig. 3 is a simplified topology diagram of a 5G communication network according to an embodiment;
Fig. 4 is a flowchart of the generation of an attack graph within a network partition according to an embodiment;
Fig. 5 is a flowchart of the generation of a network cross-region attack graph according to an embodiment.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention is further described in detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the invention and do not limit the invention. In addition, the technical features involved in the embodiments of the present invention described below may be combined with each other as long as they do not conflict with each other.
As shown in fig. 1, in an embodiment, the method for generating a 5G communication network attack graph based on regional coordination includes the following steps:
step S100: determining a topological structure of a 5G communication network, and acquiring a communication node set and a vulnerability set, wherein the vulnerability set comprises a security vulnerability and an empty vulnerability, the security vulnerability is used for directly attacking the communication nodes, and the empty vulnerability is a vulnerability migrated based on a communication relation.
As shown in fig. 2, which is a basic structure diagram of a 5G communication network, the environment includes four partitions, i.e., a terminal, an access network, a bearer network, and a core network, each partition has 1 or more communication nodes, and each communication node may have one or more vulnerabilities. Before generating the attack path, the topology of the target communication network needs to be known and vulnerabilities in the network need to be scanned.
In one embodiment, the topology of the 5G communication network may be characterized mathematically. Specifically, when the terminal has n communication nodes, the access network has m communication nodes, the bearer network has k communication nodes and the core network has w communication nodes, the topology of the 5G communication network may be characterized as follows:
G = <N_E, N_A, N_B, N_R, EA, AB, BR>
where N_E is the terminal communication node set; with e_i representing the ith communication node in the terminal partition, the terminal communication node set can be represented as:
N_E = {e_1, e_2, …, e_n}
N_A is the access network communication node set; with a_i representing the ith communication node in the access network partition, the access network communication node set can be represented as:
N_A = {a_1, a_2, …, a_m}
N_B is the bearer network communication node set; with b_i representing the ith communication node in the bearer network partition, the bearer network communication node set can be represented as:
N_B = {b_1, b_2, …, b_k}
N_R is the core network communication node set; with r_i representing the ith communication node in the core network partition, the core network communication node set can be represented as:
N_R = {r_1, r_2, …, r_w}
EA is the cross-region connectivity matrix from the terminal to the access network, where C(X, Y) represents the connectivity between communication node X and communication node Y: C(X, Y) = 1 when X and Y are connected, and C(X, Y) = 0 otherwise. The cross-region connectivity matrix from the terminal to the access network may be represented as
EA = [C(e_i, a_j)], i = 1, …, n, j = 1, …, m (n×m; shown as an image in the original)
AB is the cross-region connectivity matrix from the access network to the bearer network, represented as
AB = [C(a_i, b_j)], i = 1, …, m, j = 1, …, k (m×k; shown as an image in the original)
BR is the cross-region connectivity matrix from the bearer network to the core network, represented as
BR = [C(b_i, r_j)], i = 1, …, k, j = 1, …, w (k×w; shown as an image in the original)
Once the network topology is characterized in this mathematical form, the cross-region connectivity of nodes in adjacent partitions can be judged by calculation, so the null vulnerabilities used for cross-region attack can be identified.
Taking n = 3, m = 3, k = 4, w = 1 as an example, as shown in Fig. 2, the terminal area includes three communication terminals C1, C2 and C3; the access network includes three base stations BS1, BS2 and BS3; the bearer network, acting as the forwarding link, includes four relay nodes LN1, LN2, LN3 and LN4; and the virtual network elements inside the core network are represented by the single node CN.
In one embodiment, the mathematical characterization proceeds as follows:
S1.1: according to the basic topology of the 5G communication network, decompose the network into functional nodes based on the topology and simplify the model.
In the present embodiment, the simplified architecture of the network topology model is shown in Fig. 3.
S1.2: establish the communication link table of the network communication nodes according to the connection relations among the different nodes of the communication network.
In the present embodiment, the communication link table of the network communication nodes is shown in Table 1 below.
Table 1 Communication link table for network communication nodes (the entry in row X, column Y is C(X, Y))
      C1  C2  C3  BS1 BS2 BS3 LN1 LN2 LN3 LN4 CN
C1    1   0   0   1   0   0   0   0   0   0   0
C2    0   1   0   0   1   0   0   0   0   0   0
C3    0   0   1   0   0   1   0   0   0   0   0
BS1   1   0   0   1   0   0   1   0   0   0   0
BS2   0   1   0   0   1   0   0   1   0   0   0
BS3   0   0   1   0   0   1   0   0   1   0   0
LN1   0   0   0   1   0   0   1   0   0   0   1
LN2   0   0   0   0   1   0   0   1   0   0   1
LN3   0   0   0   0   0   1   0   0   1   0   1
LN4   0   0   0   0   0   0   0   0   0   1   1
CN    0   0   0   0   0   0   0   0   0   0   1
S1.3: represent the topology of the 5G communication network mathematically according to the communication link table of the network communication nodes.
In this embodiment, the topology of the 5G communication network is specifically characterized as follows:
G=<NE,NA,NB,NR,EA,AB,BR>
NE={C1,C2,C3}
NA={BS1,BS2,BS3}
NB={LN1,LN2,LN3,LN4}
NR={CN}
EA = [C(C1,BS1) C(C1,BS2) C(C1,BS3); C(C2,BS1) C(C2,BS2) C(C2,BS3); C(C3,BS1) C(C3,BS2) C(C3,BS3)] (3×3; shown as an image in the original; by Table 1 this is the 3×3 identity matrix)
AB = [C(BS1,LN1) C(BS1,LN2) C(BS1,LN3) C(BS1,LN4); C(BS2,LN1) C(BS2,LN2) C(BS2,LN3) C(BS2,LN4); C(BS3,LN1) C(BS3,LN2) C(BS3,LN3) C(BS3,LN4)] (3×4; shown as an image in the original; by Table 1 only C(BS1,LN1), C(BS2,LN2) and C(BS3,LN3) are 1)
BR = [C(LN1,CN) C(LN2,CN) C(LN3,CN) C(LN4,CN)] (4×1; by Table 1 all four entries are 1)
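The characterization in S1.2 and S1.3 can be carried out mechanically from the link table. The following Python program is added here as an example and is not code from the patent: it parses a constructed copy of Table 1, builds G = <N_E, N_A, N_B, N_R, EA, AB, BR> for the embodiment with n = 3, m = 3, k = 4, w = 1, lists the cross-partition node pairs with C(X, Y) = 1 (the pairs for which step S1 assigns a null vulnerability), and adds a symmetry check that is not part of the patent's procedure. The partition membership dictionary and all function names are assumptions of this example.

```python
# Added example (not from the patent): build G = <N_E, N_A, N_B, N_R, EA, AB, BR> from a
# communication link table in the form of Table 1 and list the cross-partition node pairs
# for which step S1 assigns a null vulnerability. Partition membership is an assumption.
from typing import Dict, List, Tuple

# Constructed copy of Table 1: row = node X, column = node Y, entry = C(X, Y).
LINK_TABLE = """\
     C1 C2 C3 BS1 BS2 BS3 LN1 LN2 LN3 LN4 CN
C1    1  0  0   1   0   0   0   0   0   0  0
C2    0  1  0   0   1   0   0   0   0   0  0
C3    0  0  1   0   0   1   0   0   0   0  0
BS1   1  0  0   1   0   0   1   0   0   0  0
BS2   0  1  0   0   1   0   0   1   0   0  0
BS3   0  0  1   0   0   1   0   0   1   0  0
LN1   0  0  0   1   0   0   1   0   0   0  1
LN2   0  0  0   0   1   0   0   1   0   0  1
LN3   0  0  0   0   0   1   0   0   1   0  1
LN4   0  0  0   0   0   0   0   0   0   1  1
CN    0  0  0   0   0   0   0   0   0   0  1
"""

# Partition membership for the embodiment with n = 3, m = 3, k = 4, w = 1 (assumed here).
PARTITIONS: Dict[str, List[str]] = {
    "N_E": ["C1", "C2", "C3"],            # terminal
    "N_A": ["BS1", "BS2", "BS3"],         # access network
    "N_B": ["LN1", "LN2", "LN3", "LN4"],  # bearer network
    "N_R": ["CN"],                        # core network
}
PARTITION_ORDER = ["N_E", "N_A", "N_B", "N_R"]

Connectivity = Dict[Tuple[str, str], int]


def parse_link_table(text: str) -> Connectivity:
    """Step S1.2: read C(X, Y) for every ordered pair from the link table."""
    rows = [line.split() for line in text.strip().splitlines()]
    columns = rows[0]
    conn: Connectivity = {}
    for row in rows[1:]:
        x, values = row[0], row[1:]
        if len(values) != len(columns):
            raise ValueError(f"row {x}: expected {len(columns)} entries, got {len(values)}")
        for y, v in zip(columns, values):
            if v not in ("0", "1"):
                raise ValueError(f"C({x}, {y}) must be 0 or 1, got {v!r}")
            conn[(x, y)] = int(v)
    return conn


def cross_region_matrix(conn: Connectivity, src: List[str], dst: List[str]) -> List[List[int]]:
    """Connectivity matrix [C(x_i, y_j)]: one row per source node, one column per target node."""
    return [[conn[(x, y)] for y in dst] for x in src]


def build_topology(conn: Connectivity) -> Dict[str, object]:
    """Step S1.3: G = <N_E, N_A, N_B, N_R, EA, AB, BR>."""
    e, a, b, r = (PARTITIONS[name] for name in PARTITION_ORDER)
    return {
        "N_E": e, "N_A": a, "N_B": b, "N_R": r,
        "EA": cross_region_matrix(conn, e, a),   # n x m
        "AB": cross_region_matrix(conn, a, b),   # m x k
        "BR": cross_region_matrix(conn, b, r),   # k x w
    }


def null_vulnerabilities(conn: Connectivity) -> List[Tuple[str, str]]:
    """Pairs (X, Y) with Y in the partition after X's and C(X, Y) = 1: the attacker may
    migrate X -> Y through a null vulnerability, gaining no authority."""
    pairs = []
    for cur, nxt in zip(PARTITION_ORDER, PARTITION_ORDER[1:]):
        for x in PARTITIONS[cur]:
            for y in PARTITIONS[nxt]:
                if conn[(x, y)] == 1:
                    pairs.append((x, y))
    return pairs


def asymmetric_links(conn: Connectivity) -> List[Tuple[str, str]]:
    """Consistency check (not in the patent): pairs with C(X, Y) != C(Y, X)."""
    return sorted((x, y) for (x, y), v in conn.items() if x < y and v != conn[(y, x)])


if __name__ == "__main__":
    conn = parse_link_table(LINK_TABLE)
    topology = build_topology(conn)
    for name in ("EA", "AB", "BR"):
        print(name, "=", topology[name])
    print("null vulnerabilities:", null_vulnerabilities(conn))
    print("asymmetric links:", asymmetric_links(conn))
```

Run as a script it prints the three matrices, the ten null-vulnerability pairs and the asymmetric pairs. The last check is worth keeping: in Table 1 as printed the CN row has no entries back to LN1 to LN4 although the LN rows point to CN, and the check reports exactly those four pairs. Whether the table is meant to be directional (the attack only migrates from terminal towards core) or the row is an omission, the discrepancy is visible before the matrices are used.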
Meanwhile, in step S100, the network vulnerability information, including null vulnerabilities and security vulnerabilities, needs to be collected. The information of each vulnerability includes a precondition Precon and a postcondition Postcon: the precondition is the authority required to attack the vulnerability, and the postcondition is the new authority acquired after the vulnerability has been attacked. The knowledge of the network vulnerabilities is expressed uniformly through the vulnerability set V according to the vulnerability attribute information of the different nodes of the network. The communication network vulnerability set represents the vulnerabilities or flaws existing in all communication device nodes of the network. Specifically, the vulnerability set may be defined as V = {v_1, v_2, …, v_z}, and for any vulnerability v_i there is v_i = <Vid, VIn, VTy, Inf, Precon, Postcon>, where Vid is the unique identifier of the vulnerability node, VIn is the standard number of the vulnerability in a public vulnerability database, VTy is the vulnerability exploitation type, and Inf is the specific description of the vulnerability content.
In this method, the precondition of a null vulnerability is that cross-region connectivity with the current node is satisfied, and its postcondition is null: an attacker can migrate along the path through the null vulnerability from the current node to the next node, but cannot substantively attack the next node and cannot acquire any new permission from it. The null vulnerabilities can be identified from the node connection relations introduced above.
Besides determining the null vulnerabilities, the security vulnerabilities of the network need to be scanned and their information obtained. A security vulnerability is one that an attacker can use directly to attack a node; based on it the attacker can actually attack the network and extract useful information, thereby expanding the attacker's authority. Table 2 shows the security vulnerability table of one embodiment; the security vulnerability information about the 5G communication network in the table is a reasonable assumption that does not lose generality.
Table 2 network security vulnerability information table
[Table 2 is provided as an image in the original.]
In one embodiment, the communication nodes of the entire network and their vulnerabilities may be unified through the communication node attribute set Comtrib,
Comtrib = {cb_1, cb_2, …, cb_(n+m+k+w)}
where cb_i is the attribute tuple of communication node i in the network; for any communication node there is
cb_i = <Id, Vuls, Ast, Serv>
where Id is the identifier of communication node i, Vuls is the set of security vulnerabilities existing on the node, Ast is the asset value or importance of the communication node in the network, and Serv is the description of the specific communication service provided by the node.
Step S200: according to the attacker's current information attack authority, migrating from the current vulnerability to the next associated security vulnerability in the same communication node, and updating the attacker's current information attack authority according to the information obtained from the newly attacked vulnerability.
In the initialization phase, an initial attack vulnerability and a target attack node are determined. And after the initial attack vulnerability is determined, searching an attack path in the partition by taking the vulnerability as the current vulnerability. Meanwhile, during the search of the attack path inside the partition, the path migration is carried out only based on the security vulnerability.
In a specific embodiment, an intra-partition attack graph model is established:
SAG=<Attpri,SAT,SAGsrc,SAGdest,SAGAttpath>
where Attpri represents the attacker's current information attack authority, i.e. the authority updated after the attacker attacks the current vulnerability v_i. SAT = <v_i, v_j> represents the state transition of the attacker from the current vulnerability v_i to the next vulnerability v_j, where v_j is the next vulnerability associated with v_i and v_i and v_j are in the same partition; in this model v_j can only be a security vulnerability. SAGsrc and SAGdest respectively represent the node positions before and after the state transition; in this model they denote the same node in the same partition. Once an associated vulnerability is found, it is added to SAGAttpath, it becomes the current vulnerability, and the authority acquired by attacking it becomes the current attack authority.
Step S300: judging whether the current communication node has a further associated vulnerability; if so, returning to step S200, otherwise generating the attack path inside the current partition and proceeding to step S400.
Fig. 4 illustrates the process of generating the intra-partition attack path in an embodiment. If the vulnerability set of SAGsrc is empty, no vulnerability exists on the initial attack node, the network cannot be attacked and the search ends. When all the vulnerabilities of SAGsrc have been visited, the current node has no further associated vulnerability and the search ends. Through steps S200 and S300 the current intra-partition attack path is generated.
Step S400: taking the last security vulnerability of the current intra-partition attack path as the current vulnerability, and migrating the attacker's current information attack authority from the current vulnerability to the associated vulnerability in the next partition, so as to generate a cross-partition attack path between two adjacent partitions.
In this step, the last security vulnerability of the current intra-partition attack path is taken as the current vulnerability and the attack authority acquired from it is taken as the current attack authority; it is then identified whether the next partition has an associated vulnerability. If so, vulnerability migration is carried out; if not, the search ends.
In a specific embodiment, a cross-region attack graph model is established:
CAG = <Compri, CAT, CAGsrc, CAGdest, CAGAttpath>
where Compri represents the attacker's current information attack authority; CAT = <CAGsrc, CAGdest, v_i, v_j> represents the state transition of the attacker migrating from vulnerability v_i on the current partition node CAGsrc to vulnerability v_j on the next partition node CAGdest, where v_j is the next vulnerability associated with v_i and v_i and v_j lie in two adjacent partitions; CAGAttpath represents the cross-region attack path sequence and stores the current vulnerability and the associated vulnerabilities found, from which the cross-region attack path is generated.
In this embodiment, a cross-region attack constraint CAGconstraint may be established, under which the attacker's current information attack authority Compri is migrated from the current security vulnerability to the associated security vulnerability in the next partition. The constraint is given as an image in the original and is not reproduced here; it is spelled out case by case below.
when the current node CAGsrc is at the terminal NEThe next partition CAGdest is the access network NAWhen the method is used:
if the current terminal node is not registered, namely EA AB BR → False, the precondition of the current attack authority and the next associated vulnerability is only required to be satisfied
Figure BDA0003715233520000132
Migration can be carried out, and the security vulnerability with the precondition less than or equal to Compri in the next partition is taken as the associated vulnerability to attack;
if the current terminal node is registered, namely EA AB BR → True, the precondition of the current attack authority and the next associated vulnerability only needs to satisfy Compri ≧ vnull[Precon]Can migrate, vnullAnd taking the vulnerability with the precondition less than or equal to Compri in the next partition as a related vulnerability to attack, wherein the security vulnerability and the null vulnerability which meet the conditions can be taken as related vulnerabilities to generate a plurality of possible cross-region attack paths, so that the attack path search is more comprehensive.
When the current node CAGsrc is in the access network N_A and the next partition CAGdest is the bearer network N_B:
if the current node communicates with the bearer network N_B, i.e. AB → True, migration only requires the current attack authority to satisfy the precondition of the null vulnerability, Compri ≥ v_null[Precon]; any vulnerability in the next partition whose precondition is less than or equal to Compri is taken as an associated vulnerability to attack, and both the security vulnerabilities and the null vulnerability that satisfy the condition can serve as associated vulnerabilities, generating several possible cross-region attack paths.
When the current node CAGsrc is in the bearer network N_B and the next partition CAGdest is the core network N_R:
if the current node communicates with the core network N_R, i.e. BR → True, migration only requires the current attack authority to satisfy the precondition of the null vulnerability, Compri ≥ v_null[Precon]; any vulnerability in the next partition whose precondition is less than or equal to Compri is taken as an associated vulnerability to attack, and both the security vulnerabilities and the null vulnerability that satisfy the condition can serve as associated vulnerabilities, generating several possible cross-region attack paths.
Based on the above analysis, in an embodiment, as shown in fig. 5, the step S400 specifically includes the following sub-steps:
step S410: judging the type of the current communication node, if the current communication node is the terminal communication node, jumping to step S420, if the current communication node is the access network communication node, jumping to step S450, and if the current communication node is the bearer network communication node, jumping to step S460.
It can be understood that before step S410 an attack initiating node CAGsrc and a target attack node CAGdest are determined, where the attack initiating node CAGsrc is the node on which the last security vulnerability of the current intra-partition attack path is located, and the target attack node is the node set initially as the final attack target.
Specifically, as shown in Fig. 5, step S410 may first judge whether CAGsrc is a terminal communication node, and if so jump to step S420;
if not, continue to judge whether it is an access network communication node, and if so jump to step S450;
if not, continue to judge whether it is a bearer network communication node, and if so jump to step S460; if not, the search ends.
Step S420: judging whether the current terminal communication node is unregistered, i.e. whether EA·AB·BR → False holds; if not, jumping to step S430, and if so, jumping to step S440.
Step S430: judging whether Compri is greater than or equal to the precondition of the null vulnerability of the next partition, i.e. whether Compri ≥ v_null[Precon] holds; if so, taking the vulnerabilities in the next partition whose precondition is less than or equal to Compri as the associated vulnerabilities to attack, realizing the state transition <src, dest, v_src, v_dest> → CAT, and jumping to step S500; if not, jumping to step S470.
Step S440: judging whether Compri is greater than or equal to the precondition of a security vulnerability of the next partition (the formula is given as an image in the original); if so, taking the security vulnerabilities in the next partition whose precondition is less than or equal to Compri as the associated vulnerabilities to attack, realizing the state transition <src, dest, v_src, v_dest> → CAT, and jumping to step S500; if not, jumping to step S470.
Step S450: judging whether the current access network communication node communicates with the next partition, i.e. whether AB → True holds; if so, jumping to step S430, and if not, jumping to step S470.
Step S460: judging whether the current bearer network communication node communicates with the next partition, i.e. whether BR → True holds; if so, jumping to step S430, and if not, jumping to step S470.
In short, when the attack initiating node is a terminal area communication node and the node is not registered in the network, i.e. EA·AB·BR → False, a cross-area attack from the terminal into the access network requires an access network vulnerability through which the node intrudes illegally (the attacker's authority must be at least the precondition of that access area vulnerability). If the node is registered in the network, i.e. EA·AB·BR → True, the attacker only needs connectivity between the cross-area communication nodes to penetrate from the terminal into the access network. Likewise, when the initiating node is an access network or bearer network communication node, the vulnerabilities of the next partition can be traversed as long as connectivity between the cross-area communication nodes holds, so the attack penetrates step by step. On the basis of the intra-partition attack path sequences, the target attack node of one area and the initial node of the adjacent area serve as the initial node and the target node of the cross-region attack path sequence, and the cross-region attack path sequence CAGAttpath first takes in the initial node CAGsrc. Taking the terminal area and the access network area as an example, the target node of the terminal area's attack sequence becomes the initial node CAGsrc of the cross-region attack graph, and the initial node of the access network area's attack sequence becomes its target node CAGdest. If the cross-region initial node and target node satisfy the cross-region attack graph constraint CAGconstraint, the cross-region target node CAGdest is added to the cross-region attack path sequence and the search of this attack path ends; otherwise the path search continues.
Step S500: judging whether the target attack node has been reached; if not, taking the newly attacked vulnerability as the current vulnerability, updating the attacker's current information attack authority according to the information obtained from it, and jumping to step S200; if so, outputting the 5G communication network attack graph.
Through steps S100 to S500, a comprehensive 5G communication network attack graph is generated.
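The search procedure of steps S200 to S500, together with the connectivity matrices of claims 4 and 5, carried out in Python as an added example (this is not code from the patent or its authors). It assumes that attack authority is an ordered integer level, that a terminal counts as registered exactly when EA·AB·BR is True for it, that a null vulnerability carries the attacker's current authority across the partition boundary without changing it, and that the node names, link table and vulnerability table are constructed for illustration.

```python
"""Region-collaborative attack graph search over a partitioned 5G network (added example, not
the patent's code; privilege lattice, nodes, links and vulnerabilities below are constructed)."""
from dataclasses import dataclass

NONE, USER, ROOT = 0, 1, 2     # assumption: ordered integers, so "Compri >= Precon" compares
AREAS = ("E", "A", "B", "R")   # terminal -> access -> bearer -> core


@dataclass(frozen=True)
class Vuln:
    vid: str
    node: str               # communication node the vulnerability sits on
    area: str               # partition of that node
    precon: int             # Precon: authority required to exploit it
    postcon: int            # Postcon: authority obtained after exploiting it
    is_null: bool = False   # null vulnerability: migration on connectivity alone


def connectivity_matrix(link_table, src_nodes, dst_nodes):
    """Cross-region connectivity matrix from a link table (claims 4-5): [i][j] = C(src_i, dst_j)."""
    links = set(link_table)
    return [[1 if (x, y) in links else 0 for y in dst_nodes] for x in src_nodes]


class Topology:
    def __init__(self, nodes, link_table):
        self.nodes = nodes  # dict: area -> ordered list of node names
        self.index = {n: i for x in AREAS for i, n in enumerate(nodes[x])}
        self.EA = connectivity_matrix(link_table, nodes["E"], nodes["A"])
        self.AB = connectivity_matrix(link_table, nodes["A"], nodes["B"])
        self.BR = connectivity_matrix(link_table, nodes["B"], nodes["R"])

    def registered(self, terminal):
        """EA*AB*BR -> True for the terminal: some access/bearer/core chain of links reaches it."""
        e = self.index[terminal]
        m, k, w = (len(self.nodes[x]) for x in ("A", "B", "R"))
        return any(self.EA[e][a] and self.AB[a][b] and self.BR[b][r]
                   for a in range(m) for b in range(k) for r in range(w))

    def next_hop_nodes(self, node, area):
        """Nodes of the next partition that `node` communicates with (its row of EA/AB/BR)."""
        matrix = {"E": self.EA, "A": self.AB, "B": self.BR}.get(area)
        if matrix is None:
            return []   # core network is the last partition
        nxt = AREAS[AREAS.index(area) + 1]
        return [n for n, c in zip(self.nodes[nxt], matrix[self.index[node]]) if c]


def intra_partition_successors(vulns, cur, attpri, path):
    """S200/S300: associated security vulnerabilities on the same node with Precon <= Attpri."""
    return [v for v in vulns if v.node == cur.node and not v.is_null
            and v.precon <= attpri and v not in path]


def cross_partition_successors(topo, vulns, cur, compri):
    """S410-S470: associated vulnerabilities in the next partition under CAGconstraint."""
    targets = topo.next_hop_nodes(cur.node, cur.area)
    if not targets:
        return []   # S450/S460: no connectivity to the next partition -> S470, end
    # S420: an unregistered terminal enters the access network only through a security
    # vulnerability (S440); a registered one, or an access/bearer node, may use a null one (S430).
    allow_null = cur.area != "E" or topo.registered(cur.node)
    return [v for v in vulns if v.node in targets and v.precon <= compri
            and (allow_null or not v.is_null)]


def attack_paths(topo, vulns, start, target_node, init_pri):
    """Enumerate every attack path (vulnerability sequence) from `start` to `target_node`."""
    paths = []

    def step(cur, pri, path):
        if cur.node == target_node:        # S500: target attack node reached
            paths.append(tuple(path))
            return
        inner = intra_partition_successors(vulns, cur, pri, path)
        if inner:                          # S300: associated vuln still here -> back to S200
            for v in inner:
                step(v, v.postcon, path + [v])
            return
        for v in cross_partition_successors(topo, vulns, cur, pri):   # S400
            if v not in path:              # assumption: a null vuln grants no new authority
                step(v, pri if v.is_null else v.postcon, path + [v])

    step(start, init_pri, [start])
    return paths


def attack_graph(paths):
    """Union of the state transitions <v_i, v_j> of all paths: the attack graph's edge set."""
    return {edge for p in paths for edge in zip(p, p[1:])}


def build_sample():
    """Constructed sample: e1 has an end-to-end route (registered); e2 reaches only a2, which
    has no onward link, so EA*AB*BR is False for e2 (unregistered)."""
    nodes = {"E": ["e1", "e2"], "A": ["a1", "a2"], "B": ["b1"], "R": ["r1"]}
    link_table = [("e1", "a1"), ("e2", "a2"), ("a1", "b1"), ("b1", "r1")]
    vulns = [
        Vuln("v_e1", "e1", "E", NONE, USER),           # initial foothold on terminal e1
        Vuln("v_e2", "e2", "E", NONE, USER),           # initial foothold on terminal e2
        Vuln("null_a1", "a1", "A", USER, USER, True),  # reach a1 by connectivity alone
        Vuln("v_a1", "a1", "A", USER, ROOT),           # privilege escalation on a1
        Vuln("null_a2", "a2", "A", USER, USER, True),
        Vuln("v_a2", "a2", "A", USER, USER),
        Vuln("null_b1", "b1", "B", USER, USER, True),
        Vuln("v_b1", "b1", "B", ROOT, ROOT),           # needs the root obtained on a1
        Vuln("v_r1", "r1", "R", ROOT, ROOT),
    ]
    return Topology(nodes, link_table), vulns
```

Calling `attack_paths(topo, vulns, v_e1, "r1", USER)` on the sample yields four paths (with or without the null vulnerability on a1, with or without the one on b1), and `attack_graph` of those paths is the edge set of the 5G attack graph. From the unregistered terminal e2 the search enters a2 only through its security vulnerability, and stops there because a2 has no bearer-network link, so no path to r1 exists. Because `step` crosses a partition only when no associated security vulnerability remains on the current node, the intra-partition path is always exhausted before the cross-region migration, as steps S300 and S400 prescribe.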
Correspondingly, the application also relates to a system for generating a 5G communication network attack graph based on regional collaboration, which corresponds to the method above and specifically comprises the following units:
an information collection unit, used for obtaining the topological structure, the communication node set and the vulnerability set of the 5G communication network, where the vulnerability set comprises security vulnerabilities and null vulnerabilities: a security vulnerability is used to attack a communication node directly, and a null vulnerability is a vulnerability migrated to on the basis of a communication relation;
an intra-partition attack path search unit, used for migrating from the current vulnerability to the next associated security vulnerability in the same communication node according to the attacker's current information attack authority, taking the newly attacked vulnerability as the current vulnerability, and updating the attacker's current information attack authority according to the information obtained from it;
a first judgment unit, used for judging whether the current communication node has an associated security vulnerability; if so, the intra-partition attack path search unit is triggered again to search for a new vulnerability, and if not, the current intra-partition attack path is generated;
a cross-region attack path search unit, used for taking the last security vulnerability of the current intra-partition attack path as the current vulnerability, migrating from it to the associated vulnerability in the next partition according to the attacker's current information attack authority, taking the newly attacked vulnerability as the current vulnerability, updating the attacker's current information attack authority according to the information obtained from it, and generating the cross-region attack path between the two adjacent partitions;
and a second judgment unit, used for judging whether the target attack node has been reached; if not, the newly attacked vulnerability is taken as the current vulnerability, the attacker's current information attack authority is updated according to the information obtained from it, and the intra-partition attack path search unit is triggered again to search for a new vulnerability; if so, the 5G communication network attack graph is output.
It should be noted that the system for generating a 5G communication network attack graph based on regional collaboration corresponds to the method for generating a 5G communication network attack graph based on regional collaboration described above; each unit of the system is configured to execute the corresponding step and has the function of implementing it. Specific details refer to the above description and are not repeated here.
In summary, the method and system for generating a 5G communication network attack graph based on regional collaboration identify network attack paths by improving the conventional attack graph generation method and abstracting the network topology, which helps to strengthen the secure deployment of 5G communication networks. For the end-to-end service transmission characteristics and the topological characteristics of the 5G communication network, the invention provides a network partition topology abstraction method based on connectivity matrices: the network is divided into a terminal area, an access network area, a bearer network area and a core network area, and the connectivity matrices give a mathematical description of the connectivity between communication nodes of adjacent areas, providing a unified topological framework for constructing the network attack graph model. Moreover, for the particular attack penetration mechanism of the 5G communication network, the invention provides a region-collaborative attack graph generation method: by defining an intra-partition attack graph model and a cross-region attack graph model and designing the security constraint for cross-domain attacks, it provides corresponding attack path identification methods for the different attack scenarios of the network.
It will be understood by those skilled in the art that the foregoing is only a preferred embodiment of the present invention, and is not intended to limit the invention, and that any modification, equivalent replacement, or improvement made within the spirit and principle of the present invention should be included in the scope of the present invention.

Claims (10)

1. A method for generating a 5G communication network attack graph based on regional collaboration is characterized by comprising the following steps:
step S1: determining the topological structure of the 5G communication network, and acquiring a communication node set and a vulnerability set, wherein the vulnerability set comprises security vulnerabilities and null vulnerabilities, a security vulnerability is used to attack a communication node directly, and a null vulnerability is a vulnerability migrated to on the basis of a communication relation;
step S2: migrating from the current vulnerability to the next associated security vulnerability in the same communication node according to the attacker's current information attack authority, taking the newly attacked vulnerability as the current vulnerability and updating the attacker's current information attack authority according to the information obtained from the newly attacked vulnerability;
and step S3: judging whether the current communication node has an associated security vulnerability, if so, skipping to the step S2, and if not, generating an attack path inside the current partition;
and step S4: taking the last security vulnerability of the attack path in the current partition as the current vulnerability, and migrating the current vulnerability to the related vulnerability in the next partition according to the current information attack authority of an attacker to generate a cross-partition attack path between two adjacent partitions;
step S5: and judging whether the target attack node is reached, if not, taking the newly attacked vulnerability as the current vulnerability, updating the current information attack authority of the attacker according to the information obtained from the newly attacked vulnerability, skipping to the step S2, and if so, outputting a 5G communication network attack graph.
2. The method as claimed in claim 1, wherein in step S2 the current intra-partition attack path is generated using a constructed intra-partition attack graph model SAG = <Attpri, SAT, SAGsrc, SAGdest, SAGAttpath>, where Attpri represents the attacker's current information attack authority; SAT = <v_i, v_j> represents the state transition of the attacker migrating from the current vulnerability v_i to the next vulnerability v_j, where v_j is the next vulnerability associated with v_i and v_i and v_j lie in the same partition; SAGsrc and SAGdest represent the node positions before and after the state migration; and SAGAttpath represents the intra-partition attack path sequence, used to store the current vulnerability and the associated vulnerabilities found, from which the current intra-partition attack path is generated.
3. The method as claimed in claim 1, wherein in step S4 the cross-region attack path is generated using a constructed cross-region attack graph model CAG = <Compri, CAT, CAGsrc, CAGdest, CAGAttpath>, where Compri represents the attacker's current information attack authority; CAT = <CAGsrc, CAGdest, v_i, v_j> represents the state transition of the attacker migrating from vulnerability v_i on the current partition node CAGsrc to vulnerability v_j on the next partition node CAGdest, where v_j is the next vulnerability associated with v_i and v_i and v_j lie in two adjacent partitions; and CAGAttpath represents the cross-region attack path sequence, used to store the current vulnerability and the associated vulnerabilities found, from which the cross-region attack path is generated.
4. The method for generating the attack graph of the 5G communication network according to claim 1, wherein the 5G communication network comprises four partitions, namely a terminal area with n communication nodes, an access network with m communication nodes, a bearer network with k communication nodes and a core network with w communication nodes;
in step S1, the topology of the 5G communication network is represented as:
G = <N_E, N_A, N_B, N_R, EA, AB, BR>,
N_E = {e_1, e_2, …, e_n}, N_A = {a_1, a_2, …, a_m}, N_B = {b_1, b_2, …, b_k}, N_R = {r_1, r_2, …, r_w},
(the matrices EA, AB and BR are given as images in the original and are not reproduced here; their entries are the connectivity values C(X, Y) defined below)
where N_E, N_A, N_B and N_R respectively represent the terminal communication node set, the access network communication node set, the bearer network communication node set and the core network communication node set; e_n denotes the n-th communication node of the terminal area, a_m the m-th communication node of the access network, b_k the k-th communication node of the bearer network, and r_w the w-th communication node of the core network;
EA, AB and BR respectively represent the cross-region connectivity matrix from the terminal to the access network, from the access network to the bearer network, and from the bearer network to the core network; their entries C(X, Y) represent the connectivity between communication node X and communication node Y: C(X, Y) = 1 when X communicates with Y, otherwise C(X, Y) = 0.
5. The method of claim 4, wherein a communication link table of the network communication nodes is first constructed, and the cross-region connectivity matrices are established on the basis of the communication link table.
6. The method for generating the attack graph of the 5G communication network according to claim 1, wherein the information of each vulnerability comprises a precondition Precon and a postcondition Postcon;
in step S2:
migrating from the current vulnerability to the next associated security vulnerability in the same communication node according to the attacker's current information attack authority comprises: defining the attacker's current information attack authority as Attpri, and taking a security vulnerability in the current communication node that satisfies Attpri ≥ Precon as the next associated vulnerability;
updating the attacker's current information attack authority according to the information obtained from the newly attacked vulnerability comprises: taking the newly attacked vulnerability as the current vulnerability and taking its postcondition as the current information attack authority;
in step S4:
migrating from the current vulnerability to the associated vulnerability in the next partition according to the attacker's current information attack authority comprises: defining the attacker's current information attack authority as Compri, and taking a vulnerability in a communication node of the next partition that satisfies Compri ≥ Precon as the associated vulnerability in the next partition;
updating the attacker's current information attack authority according to the information obtained from the newly attacked vulnerability comprises: taking the newly attacked vulnerability as the current vulnerability and taking its postcondition as the current information attack authority.
7. The 5G communication network attack graph generation method according to claim 4, wherein the step S4 includes:
step S41: judging the type of the current communication node, if the current communication node is a terminal communication node, jumping to a step S42, if the current communication node is an access network communication node, jumping to a step S45, and if the current communication node is a bearer network communication node, jumping to a step S46;
step S42: judging whether the current terminal communication node is unregistered, if not, skipping to the step S43, and if so, skipping to the step S44;
step S43: judging whether Compri is greater than or equal to the precondition of the null vulnerability of the next partition; if so, attacking the vulnerabilities in the next partition whose precondition is less than or equal to Compri as the associated vulnerabilities and jumping to step S5, otherwise jumping to step S47;
step S44: judging whether Compri is greater than or equal to the precondition of a security vulnerability of the next partition; if so, attacking the security vulnerabilities in the next partition whose precondition is less than or equal to Compri as the associated vulnerabilities and jumping to step S5, otherwise jumping to step S47;
step S45: judging whether the current access network communication node is communicated with the next partition, if so, jumping to the step S43, and if not, jumping to the step S47;
step S46: judging whether the communication node of the current bearer network is communicated with the next subarea, if so, jumping to the step S43, and if not, jumping to the step S47;
step S47: and (6) ending.
8. The method for generating the attack graph of the 5G communication network as claimed in claim 1, wherein in step S4, when no next associated vulnerability can be found, the search ends.
9. The method for generating the attack graph of the 5G communication network according to claim 1, further comprising an initialization step before step S2, wherein the initialization step comprises clearing the communication network attack graph, assigning the attacker's initial information attack authority, and determining the first attack node and the target attack node.
10. A5G communication network attack graph generation system based on regional coordination is characterized by comprising:
an information collection unit, used for obtaining the topological structure, the communication node set and the vulnerability set of the 5G communication network, wherein the vulnerability set comprises security vulnerabilities and null vulnerabilities, a security vulnerability is used to attack a communication node directly, and a null vulnerability is a vulnerability migrated to on the basis of a connectivity relation;
an intra-partition attack path search unit, used for migrating from the current vulnerability to the next associated security vulnerability in the same communication node according to the attacker's current information attack authority, taking the newly attacked vulnerability as the current vulnerability and updating the attacker's current information attack authority according to the information obtained from the newly attacked vulnerability;
the first judgment unit is used for judging whether the current communication node has the associated security vulnerability, if so, the internal attack path search unit of the partition is continuously triggered to search for a new vulnerability, and if not, the internal attack path of the current partition is generated;
a cross-region attack path search unit, used for taking the last security vulnerability of the current intra-partition attack path as the current vulnerability, migrating from it to the associated vulnerability in the next partition according to the attacker's current information attack authority, and generating the cross-region attack path between the two adjacent partitions;
and the second judgment unit is used for judging whether the target attack node is reached, if not, taking the newly attacked vulnerability as the current vulnerability, updating the current information attack authority of the attacker according to the information obtained from the newly attacked vulnerability, then continuing to trigger the intra-partition attack path searching unit to search for the new vulnerability, and if so, outputting a 5G communication network attack graph.
CN202210735593.0A 2022-06-27 2022-06-27 5G communication network attack graph generation method and system based on regional collaboration Active CN115278681B (en)
Publications (2)

Publication Number Publication Date
CN115278681A true CN115278681A (en) 2022-11-01
CN115278681B CN115278681B (en) 2024-04-19