CN117319025A - Abnormal behavior detection method and device for network traffic and electronic equipment - Google Patents


Info

Publication number
CN117319025A
Authority
CN
China
Prior art keywords
information
configuration information
login
detection configuration
abnormal
Prior art date
Legal status
Pending
Application number
CN202311245593.3A
Other languages
Chinese (zh)
Inventor
李永健
桂子霖
Current Assignee
DBAPPSecurity Co Ltd
Original Assignee
DBAPPSecurity Co Ltd
Priority date
Filing date
Publication date
Application filed by DBAPPSecurity Co Ltd
Priority to CN202311245593.3A
Publication of CN117319025A
Legal status: Pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/1396 Protocols specially adapted for monitoring users' activity
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/50 Network services
    • H04L67/535 Tracking the activity of the user

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Computing Systems (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention provides a method, a device and an electronic device for detecting abnormal behavior in network traffic. The method comprises the following steps: generating detection configuration information corresponding to the abnormal behavior to be detected, based on pre-acquired quantization indexes configured for that abnormal behavior; loading the detection configuration information into a detection platform and collecting traffic data packets in the network environment; and detecting the traffic data packets against the detection configuration information, generating alarm information corresponding to the abnormal behavior to be detected if target traffic data matching the detection configuration information exists in the packets. Detecting abnormal behavior in network traffic in this way lets the user flexibly detect whichever abnormal behavior they want to find in the network by configuring its quantization indexes in a user-defined manner, which improves detection flexibility and thereby detection efficiency.

Description

Abnormal behavior detection method and device for network traffic and electronic equipment
Technical Field
The present invention relates to the field of network management technologies, and in particular, to a method and an apparatus for detecting abnormal behavior of network traffic, and an electronic device.
Background
In the prior art, abnormal behaviors in traffic are detected mainly through IDS (Intrusion Detection System) rules. The rules must be updated in real time, are relatively fixed, offer poor flexibility and practicability, and the rule set is huge and bloated; checking afterwards whether the detection result is correct consumes additional time, so efficiency is low.
Disclosure of Invention
In view of the above, the present invention aims to provide a method, an apparatus and an electronic device for detecting abnormal behavior of network traffic, so as to improve detection flexibility and thus detection efficiency.
In a first aspect, an embodiment of the present invention provides a method for detecting abnormal behavior of network traffic, where the method includes: generating detection configuration information corresponding to the abnormal behavior to be detected, based on pre-acquired quantization indexes configured for that abnormal behavior;
loading the detection configuration information into a detection platform and collecting traffic data packets in the network environment;
and detecting the traffic data packets against the detection configuration information, generating alarm information corresponding to the abnormal behavior to be detected if target traffic data matching the detection configuration information exists in the traffic data packets.
Further, the abnormal behavior includes mail sensitive information transmission, and the step of generating, based on pre-acquired quantization indexes configured for the abnormal behavior to be detected, the detection configuration information corresponding to that abnormal behavior comprises:
acquiring first quantization indexes configured by the user for mail sensitive information transmission and the first provided information corresponding to each first quantization index, where the first quantization indexes comprise: secure login location, abnormal communication time, controlled sender mailbox and controlled sensitive keywords;
and generating first detection configuration information corresponding to mail sensitive information transmission from each first provided information and each first quantization index.
Further, the abnormal behavior includes abnormal login, and the step of generating, based on pre-acquired quantization indexes configured for the abnormal behavior to be detected, the detection configuration information corresponding to that abnormal behavior comprises:
acquiring second quantization indexes configured by the user for abnormal login and the second provided information corresponding to each second quantization index, where the second quantization indexes comprise: secure login location, abnormal communication time, login protocol, controlled login account and login target server IP;
and generating second detection configuration information corresponding to abnormal login from each second provided information and each second quantization index.
Further, the abnormal behavior includes illegal connection, and the step of generating, based on pre-acquired quantization indexes configured for the abnormal behavior to be detected, the detection configuration information corresponding to that abnormal behavior comprises:
acquiring third quantization indexes configured by the user for illegal connection and the third provided information corresponding to each third quantization index, where the third quantization indexes comprise: secure login location, abnormal communication time and controlled internal IP;
and generating third detection configuration information corresponding to illegal connection from each third provided information and each third quantization index.
Further, the traffic data packet includes: the current IP address, current login account, current login location, current communication time, current keyword, current login protocol, current server IP and current mailbox account. The first detection configuration information includes: secure login location information, abnormal communication time information, controlled sender mailbox information and controlled sensitive keyword information; the second detection configuration information includes: secure login location information, abnormal communication time information, login protocol information, controlled login account information and login target server IP information; the third detection configuration information includes: secure login location information, abnormal communication time information and controlled internal IP information.
The step of detecting the traffic data packet based on the detection configuration information and generating alarm information corresponding to the abnormal behavior to be detected if traffic data matching the detection configuration information exists in the packet comprises:
comparing the first detection configuration information with the traffic data packet to obtain a first comparison result, and generating first alarm information corresponding to mail sensitive information transmission if the first comparison result indicates that the current mailbox account is the same as the controlled sender mailbox information, the current communication time matches the abnormal communication time information, the current keyword is the same as the controlled sensitive keyword information, and the current login location differs from the secure login location information;
comparing the second detection configuration information with the traffic data packet to obtain a second comparison result, and generating second alarm information corresponding to abnormal login if the second comparison result indicates that the current server IP is the same as the login target server IP information, the current communication time matches the abnormal communication time information, the current login protocol is the same as the login protocol information, and the current login location differs from the secure login location information;
and comparing the third detection configuration information with the traffic data packet to obtain a third comparison result, and generating third alarm information corresponding to illegal connection if the third comparison result indicates that the current IP address is the same as the controlled internal IP information, the current communication time matches the abnormal communication time information, and the current login location differs from the secure login location information.
Further, the method further comprises:
if no target traffic data matching the detection configuration information exists in the traffic data packets, judging whether the detection configuration information is correct;
if the detection configuration information is incorrect, repeating the step of generating detection configuration information corresponding to the abnormal behavior to be detected, based on the pre-acquired quantization indexes configured for that abnormal behavior, until target traffic data matching the detection configuration information exists in the traffic data packets;
and if the detection configuration information is correct, repeating the step of detecting the traffic data packets based on the detection configuration information until target traffic data matching the detection configuration information exists in the traffic data packets.
Further, the method further comprises:
judging whether the alarm information indicates a threat;
if the alarm information indicates a threat, judging whether the alarm information is a false alarm;
if the alarm information is a false alarm, repeating the step of judging whether the configuration information is correct until the alarm information is no longer a false alarm;
and if the alarm information is not a false alarm, resolving the abnormal behavior corresponding to the alarm information.
In a second aspect, an embodiment of the present invention provides an apparatus for detecting abnormal behavior of network traffic, where the apparatus includes:
a configuration module, used to generate detection configuration information corresponding to the abnormal behavior to be detected, based on pre-acquired quantization indexes configured for that abnormal behavior;
an acquisition module, used to load the detection configuration information into the detection platform and collect traffic data packets in the network environment;
and a detection module, used to detect the traffic data packets against the detection configuration information and generate alarm information corresponding to the abnormal behavior to be detected if target traffic data matching the detection configuration information exists in the traffic data packets.
In a third aspect, an embodiment of the present invention provides an electronic device, including a memory, a processor, where the memory stores a computer program executable on the processor, and where the processor implements the steps of any of the methods described above when the processor executes the computer program.
In a fourth aspect, embodiments of the present invention provide a computer-readable storage medium having a computer program stored thereon, which when executed by a processor performs the steps of the method of any of the above.
The invention provides a method, a device and an electronic device for detecting abnormal behavior in network traffic. The method comprises the following steps: generating detection configuration information corresponding to the abnormal behavior to be detected, based on pre-acquired quantization indexes configured for that abnormal behavior; loading the detection configuration information into a detection platform and collecting traffic data packets in the network environment; and detecting the traffic data packets against the detection configuration information, generating alarm information corresponding to the abnormal behavior to be detected if target traffic data matching the detection configuration information exists in the packets. Detecting abnormal behavior in network traffic in this way lets the user flexibly detect whichever abnormal behavior they want to find in the network by configuring its quantization indexes in a user-defined manner, which improves detection flexibility and thereby detection efficiency.
Additional features and advantages of the invention will be set forth in the description which follows, and in part will be obvious from the description, or may be learned by practice of the invention. The objectives and other advantages of the invention will be realized and attained by the structure particularly pointed out in the written description and claims hereof as well as the appended drawings.
In order to make the above objects, features and advantages of the present invention more comprehensible, preferred embodiments accompanied with figures are described in detail below.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings that are needed in the description of the embodiments or the prior art will be briefly described, and it is obvious that the drawings in the description below are some embodiments of the present invention, and other drawings can be obtained according to the drawings without inventive effort for a person skilled in the art.
Fig. 1 is a flowchart of a method for detecting abnormal behavior of network traffic according to an embodiment of the present invention;
Fig. 2 is a flowchart of another method for detecting abnormal behavior of network traffic according to an embodiment of the present invention;
Fig. 3 is a schematic diagram of the operation flow of network traffic detection according to an embodiment of the present invention;
Fig. 4 is a schematic structural diagram of an abnormal behavior detection device for network traffic according to an embodiment of the present invention;
Fig. 5 is a schematic structural diagram of an electronic device according to an embodiment of the present invention.
Detailed Description
The technical solutions of the present invention will be clearly and completely described in connection with the embodiments, and it is apparent that the described embodiments are some embodiments of the present invention, but not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
Some abnormal behaviors in network traffic carry no attack characteristics and cannot be detected by conventional detection methods and tools; if such behaviors go unresolved, a real attack may be missed, system accounts may be stolen, and serious security problems or economic losses may follow. In the prior art, abnormal behaviors in traffic are detected mainly through IDS rules; the rules must be updated in real time, are relatively fixed, offer poor flexibility and practicability, and the rule set is huge and bloated. Checking afterwards whether the detection result is correct consumes additional time, so efficiency is low.
Based on the above, the embodiment of the invention provides a method, a device and an electronic device for detecting abnormal behavior of network traffic, and the technology can be applied to applications needing to detect abnormal behavior in the network traffic.
For the convenience of understanding the present embodiment, first, a method for detecting abnormal behavior of network traffic disclosed in the present embodiment will be described in detail, as shown in fig. 1, where the method includes the following steps:
Step S102, based on pre-acquired quantization indexes configured for the abnormal behavior to be detected, generating detection configuration information corresponding to that abnormal behavior.
The abnormal behavior to be detected is usually a highly covert risk behavior: it is not an attack, it can initiate a network session connection normally, but it does not fit normal usage and needs further investigation.
In actual implementation, the abnormal behavior to be detected (for example mail sensitive information transmission, abnormal login or illegal connection) can be determined according to the user's actual requirements. Quantization indexes (that is, detection items, such as secure login location and abnormal communication time) are then configured for that abnormal behavior, and detection configuration information corresponding to it is generated from the information the user provides for each quantization index, such as secure login location information (which may be the address of the office network) and abnormal communication time information (which may be between 0:00 and 6:00 am). The specific quantization indexes and detection configuration information can be configured in a user-defined manner according to the user's actual requirements and application scenario.
Step S104, loading the detection configuration information into the detection platform and collecting traffic data packets in the network environment.
The detection platform can generally be understood as a traffic detection platform (traffic probe) that collects traffic data packets in a network environment and generates alarm data according to the characteristics of the packets. In this embodiment an APT (Advanced Persistent Threat) attack early-warning platform may be used; through it, network traffic is detected, the risk behaviors in it are found, and alarm information is generated.
A traffic data packet may be understood as a TCP/IP traffic data packet, and generally carries traffic data (that is, packet characteristics) such as the current login location and current communication time of the packet in the currently collected network environment.
Step S106, detecting the traffic data packets against the detection configuration information, and generating alarm information corresponding to the abnormal behavior to be detected if target traffic data matching the detection configuration information exists in the packets.
In actual implementation, after the traffic detection platform has loaded the detection configuration information, it can judge whether message characteristics (target traffic data) consistent with the detection configuration information exist in the traffic (the collected traffic data packets). Specifically, a traffic playback tool can replay packets (for example with the Linux packet replay command tcpreplay, which can simulate the effect of real network traffic), or switch mirror traffic can be configured according to the theoretical throughput, and the traffic packets are checked against the detection configuration information corresponding to the attack-feature-free abnormal behavior to be detected; if they match, an abnormal behavior alarm is generated, so that the user can flexibly monitor attack-feature-free abnormal behavior in the network traffic. Assume that the secure login location information corresponding to the attack-feature-free abnormal behavior to be detected is the address of the office network, that the abnormal communication time information is between 0:00 and 6:00 am, and that the traffic data packet carries traffic data such as the current login location and current communication time. If the IP address corresponding to the current login location differs from the address of the office network, and the current communication time matches the abnormal communication time information (for example, the current communication time is 3 am, which lies between 0:00 and 6:00 am and is therefore considered to match), then the traffic data in the packet (the current login location and current communication time) is considered to be target traffic data matching the detection configuration information; that is, the traffic data packet matches the attack-feature-free abnormal behavior to be detected, so an abnormal behavior alarm (alarm information corresponding to the abnormal behavior to be detected) can be generated.
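The comparison rules for the first, second and third detection configuration information (the alarm conditions for mail sensitive information transmission, abnormal login and illegal connection) and the worked scenario of step S106, written out as runnable Python. This is an added example, not code from the patent or from DBAPPSecurity: the Policy and Record field names, the constructed packet records and the alarm dictionary format are assumptions of this example, while the configuration values repeat those given in the description (office network 192.168.100.1-192.168.100.80, abnormal time 0 to 6 am, sender mailbox 123456@qq.com, target server 192.168.100.10, internal IP 192.168.100.20).

```python
"""Added example (not the patent's code): a rule engine for the three
attack-feature-free behaviours described above, implementing the comparison
rules for the first, second and third detection configuration information.
Policy values reuse the description's examples; the records, field names and
alarm format are constructed for this example."""
from dataclasses import dataclass, field
from datetime import time
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, Iterable, List, Optional


def ip_in_ranges(ip: str, ranges: Iterable[str]) -> bool:
    """True if ip lies in any 'a.b.c.d-a.b.c.e' range or CIDR block in ranges."""
    addr = IPv4Address(ip)
    for r in ranges:
        if "-" in r:
            lo, hi = (IPv4Address(p.strip()) for p in r.split("-", 1))
            if lo <= addr <= hi:
                return True
        elif addr in IPv4Network(r, strict=False):
            return True
    return False


def in_window(t: time, start: time, end: time) -> bool:
    """Half-open window [start, end); a window such as 22:00-06:00 wraps midnight."""
    if start <= end:
        return start <= t < end
    return t >= start or t < end


@dataclass
class Policy:
    behavior: str                       # "mail", "login" or "connection"
    name: str                           # policy name
    enabled: bool = True                # switch state
    safe_login_locations: List[str] = field(default_factory=list)
    abnormal_start: time = time(0, 0)   # abnormal communication time: 0 to 6 am
    abnormal_end: time = time(6, 0)
    sender_mailbox: Optional[str] = None       # mail: controlled sender mailbox
    keywords: List[str] = field(default_factory=list)  # mail: controlled keywords
    login_protocol: Optional[str] = None       # login: login protocol
    target_server_ip: Optional[str] = None     # login: login target server IP
    internal_ip: Optional[str] = None          # connection: controlled internal IP


@dataclass
class Record:
    """Features of one traffic packet, named as in the description."""
    ip: str
    login_location: str   # address the session was initiated from
    comm_time: time
    mailbox: str = ""
    keyword: str = ""
    protocol: str = ""
    server_ip: str = ""


def matches(p: Policy, r: Record) -> bool:
    """Apply the comparison rule of the policy's behaviour type to one record."""
    if not p.enabled:
        return False
    # shared by all three rules: login location outside the secure location,
    # communication time inside the abnormal window
    if ip_in_ranges(r.login_location, p.safe_login_locations):
        return False
    if not in_window(r.comm_time, p.abnormal_start, p.abnormal_end):
        return False
    if p.behavior == "mail":
        return r.mailbox == p.sender_mailbox and r.keyword in p.keywords
    if p.behavior == "login":
        return (r.server_ip == p.target_server_ip
                and r.protocol.upper() == (p.login_protocol or "").upper())
    if p.behavior == "connection":
        return r.ip == p.internal_ip
    raise ValueError("unknown behaviour type: %s" % p.behavior)


def detect(policies: List[Policy], records: Iterable[Record]) -> List[Dict[str, str]]:
    """One alarm per (record, policy) pair whose rule fires."""
    return [{"policy": p.name, "behavior": p.behavior, "ip": r.ip,
             "time": r.comm_time.isoformat()}
            for r in records for p in policies if matches(p, r)]


SAFE = ["192.168.100.1-192.168.100.80"]
POLICIES = [
    Policy("mail", "custom mail sensitive information transmission",
           safe_login_locations=SAFE, sender_mailbox="123456@qq.com",
           keywords=["amount of money"]),
    Policy("login", "custom abnormal login", safe_login_locations=SAFE,
           login_protocol="HTTP", target_server_ip="192.168.100.10"),
    Policy("connection", "custom illegal connection", safe_login_locations=SAFE,
           internal_ip="192.168.100.20"),
]
# constructed packet features: only records 1, 3 and 4 should raise an alarm
RECORDS = [
    Record("10.0.0.5", "10.0.0.5", time(3, 0), mailbox="123456@qq.com",
           keyword="amount of money"),
    Record("192.168.100.50", "192.168.100.50", time(3, 0),  # inside office network
           mailbox="123456@qq.com", keyword="amount of money"),
    Record("203.0.113.7", "203.0.113.7", time(2, 30), protocol="http",
           server_ip="192.168.100.10"),
    Record("192.168.100.20", "198.51.100.9", time(5, 59)),  # controlled internal IP
    Record("203.0.113.7", "203.0.113.7", time(9, 0), protocol="http",  # daytime
           server_ip="192.168.100.10"),
]


def run_example() -> List[Dict[str, str]]:
    return detect(POLICIES, RECORDS)
```

Two points worth noticing when reading this against the description: the abnormal-login rule as stated compares server IP, time, protocol and login location but not the controlled login account, and the example follows the stated rule rather than adding a condition; and in_window accepts windows that cross midnight (22:00 to 06:00), which the description's 0 to 6 am example does not need but a practitioner configuring off-hours detection usually does.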
The embodiment of the invention provides a method for detecting abnormal behavior of network traffic, which comprises the following steps: generating detection configuration information corresponding to the abnormal behavior to be detected, based on pre-acquired quantization indexes configured for that abnormal behavior; loading the detection configuration information into a detection platform and collecting traffic data packets in the network environment; and detecting the traffic data packets against the detection configuration information, generating alarm information corresponding to the abnormal behavior to be detected if target traffic data matching the detection configuration information exists in the packets. Detecting abnormal behavior in network traffic in this way lets the user flexibly detect whichever abnormal behavior they want to find in the network by configuring its quantization indexes in a user-defined manner, which improves detection flexibility and thereby detection efficiency.
The embodiment of the invention also provides another method for detecting abnormal behavior of network traffic, implemented on the basis of the method of the above embodiment; it mainly describes the process of generating the detection configuration information corresponding to the abnormal behavior to be detected and the process of detecting the traffic data packets. As shown in Fig. 2, the method comprises the following steps:
Step S202, acquiring first quantization indexes configured by the user for mail sensitive information transmission and the first provided information corresponding to each first quantization index; the first quantization indexes comprise: secure login location, abnormal communication time, controlled sender mailbox and controlled sensitive keywords.
Step S204, generating first detection configuration information corresponding to mail sensitive information transmission from each first provided information and each first quantization index.
In actual implementation, the attack-feature-free abnormal behavior to be detected in the network traffic may include mail sensitive information transmission; to detect it, configuration information for mail sensitive information transmission usually needs to be generated according to the user's requirements.
Specifically, the first quantization indexes (the detection items for mail sensitive information transmission) configured by the user may be obtained first, such as switch state, abnormal behavior type, policy name, secure login location, abnormal communication time, controlled sender mailbox and controlled sensitive keywords. Then, according to the user's actual application situation, the first provided information corresponding to each first quantization index is obtained. For example: the first provided information for the switch state may be on or off; for the abnormal behavior type, mail sensitive information transmission; for the policy name, a user-defined name such as "custom mail sensitive information transmission"; for the secure login location, the IP address range of the office network used by the user, for example 192.168.100.1-192.168.100.80 (note that an IP address is mapped to and bound with a geographic location, so the actual geographic location can be obtained from the IP address; selecting the IP addresses of the user's office network therefore also selects the safe geographic location corresponding to the login IP address); for the abnormal communication time, a period between 0:00 and 24:00 (for example between 0:00 and 6:00 am); for the controlled sender mailbox, the monitored sender mailbox (for example 123456@qq.com); and for the controlled sensitive keywords, the monitored keywords (for example "amount of money").
In summary, the first detection configuration information (the configuration fields) corresponding to mail sensitive information transmission may look like the following example:
switch state: on;
abnormal behavior type: mail sensitive information transmission;
policy name: custom mail sensitive information transmission;
secure login location: 192.168.100.1-192.168.100.80;
abnormal communication time: 0 to 6 am;
controlled sender mailbox: 123456@qq.com;
controlled sensitive keywords: amount of money.
Step S206, acquiring second quantization indexes configured by the user for abnormal login and the second provided information corresponding to each second quantization index; the second quantization indexes comprise: secure login location, abnormal communication time, login protocol, controlled login account and login target server IP.
Step S208, generating second detection configuration information corresponding to abnormal login from each second provided information and each second quantization index.
In actual implementation, the attack-feature-free abnormal behavior to be detected in the network traffic may also include abnormal login; to detect it, configuration information for abnormal login needs to be generated according to the user's requirements.
Specifically, the second quantization indexes (the detection items for abnormal login) configured by the user may be obtained first, such as switch state, abnormal behavior type, policy name, secure login location, abnormal communication time, login protocol, controlled login account and login target server IP. Then, according to the user's actual application situation, the second provided information corresponding to each second quantization index is obtained. For example: the second provided information for the switch state may be on or off; for the abnormal behavior type, abnormal login; for the policy name, a user-defined name such as "custom abnormal login"; for the secure login location, the IP address range of the office network used by the user (for example 192.168.100.1-192.168.100.80); for the abnormal communication time, a period between 0:00 and 24:00 (for example between 0:00 and 6:00 am); for the login protocol, the protocol used to log in (for example HTTP or FTP); for the controlled login account, a monitored account (for example an important company mailbox, "123456@qq.com"); and for the login target server IP, a monitored server IP address (for example 192.168.100.10).
In summary, the second detection configuration information (the configuration fields) corresponding to abnormal login may look like the following example:
switch state: on;
abnormal behavior type: abnormal login;
policy name: custom abnormal login;
secure login location: 192.168.100.1-192.168.100.80;
abnormal communication time: 0 to 6 am;
login protocol: HTTP;
controlled login account: 123456@qq.com;
login target server IP: 192.168.100.10.
Step S210, obtaining third quantization indexes configured by the user for illegal connection, and third provided information corresponding to each third quantization index; wherein the third quantization indexes comprise: secure login location, abnormal communication time, controlled internal IP.
Step S212, generating third detection configuration information corresponding to illegal connection according to each piece of third provided information and each third quantization index.
Specifically, the third quantization indexes (i.e., the illegal connection detection items) configured by the user for illegal connection may be obtained first, such as a switch state, an abnormal behavior type, a policy name, a secure login location, an abnormal communication time and a controlled internal IP; then, according to the user's actual application situation, the third provided information corresponding to each third quantization index is obtained. For example, the third provided information corresponding to the switch state may be on or off, that corresponding to the abnormal behavior type may be illegal connection, that corresponding to the policy name may be custom illegal connection, that corresponding to the secure login location may be the IP address range of the office network used by the user (for example, 192.168.100.1-192.168.100.80), that corresponding to the abnormal communication time may be a time period within the 24 hours of a day (for example, between 0:00 and 6:00 a.m.), and that corresponding to the controlled internal IP may be a monitored internal IP address or IP segment (for example, 192.168.100.20).
In summary, the third detection configuration information (i.e., the configuration fields) corresponding to illegal connection may be as in the following example:
switch state: on;
abnormal behavior type: illegal connection;
policy name: custom illegal connection;
secure login location: 192.168.100.1-192.168.100.80;
abnormal communication time: 0:00 to 6:00 a.m.;
controlled internal IP: 192.168.100.20.
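The configuration fields listed above for the three behavior types are plain "name: value" lines that a user fills in before the policy is loaded. As an added example (not code from the patent or from DBAPPSecurity), the following Python parses such text into a validated rule structure and rejects a configuration that is missing a required quantization index or carries a malformed value, which is the kind of check a detection platform should run before loading. The field names follow the examples on this page; the "first-last" IP range syntax, the "start-end" hour syntax, the DetectionConfig structure and the two sample configurations are assumptions of this example.

```python
"""Parse plain-text detection configuration fields into a validated rule object.
Added example; the IP-range and hour-window syntaxes are assumptions."""
import ipaddress
import re
from dataclasses import dataclass

# Quantization indexes every policy needs, plus the extra ones each behavior type needs (S206-S212).
COMMON = ("switch state", "abnormal behavior type", "policy name",
          "secure login location", "abnormal communication time")
REQUIRED = {
    "mail sensitive information transmission": ("controlled sender mailbox", "controlled sensitive keywords"),
    "abnormal login": ("login protocol", "controlled login account", "login target server ip"),
    "illegal connection": ("controlled internal ip",),
}


@dataclass
class DetectionConfig:
    enabled: bool            # switch state
    behavior: str            # abnormal behavior type
    policy_name: str
    secure_range: tuple      # (first_ip, last_ip), inclusive
    abnormal_hours: tuple    # (start_hour, end_hour), end exclusive
    extra: dict              # behavior-specific indexes, as entered


def parse_fields(text: str) -> dict:
    """One 'name: value' per line; names are case-insensitive, a trailing ';' or '.' is tolerated."""
    fields = {}
    for line in text.strip().splitlines():
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"not a 'name: value' line: {line!r}")
        fields[name.strip().lower()] = value.strip().rstrip(";.").strip()
    return fields


def parse_ip_range(value: str) -> tuple:
    """'first-last' (inclusive) or a single address; both ends must be valid and ordered."""
    first, _, last = value.partition("-")
    a = ipaddress.ip_address(first.strip())
    b = ipaddress.ip_address(last.strip()) if last else a
    if b < a:
        raise ValueError(f"secure login location range is reversed: {value}")
    return (str(a), str(b))


def parse_hours(value: str) -> tuple:
    """'0-6' or '0 to 6 am' -> (0, 6); both hours must lie within 0..24."""
    m = re.fullmatch(r"\s*(\d{1,2})\s*(?:-|to)\s*(\d{1,2})\s*(?:am)?\s*", value.lower())
    if not m:
        raise ValueError(f"abnormal communication time must look like '0-6': {value!r}")
    start, end = int(m.group(1)), int(m.group(2))
    if not (0 <= start <= 24 and 0 <= end <= 24):
        raise ValueError(f"hours must lie within 0..24: {value!r}")
    return (start, end)


def load_config(text: str) -> DetectionConfig:
    """Check that every required quantization index is present and well-formed, then build the rule."""
    f = parse_fields(text)
    behavior = f.get("abnormal behavior type", "").lower()
    if behavior not in REQUIRED:
        raise ValueError(f"unknown abnormal behavior type: {behavior!r}")
    missing = [k for k in COMMON + REQUIRED[behavior] if k not in f]
    if missing:
        raise ValueError(f"missing quantization indexes for {behavior}: {missing}")
    switch = f["switch state"].lower()
    if switch not in ("on", "off"):
        raise ValueError(f"switch state must be on or off: {f['switch state']!r}")
    for k in REQUIRED[behavior]:
        if k.endswith(" ip"):
            ipaddress.ip_address(f[k])      # raises ValueError on a malformed address
        elif not f[k]:
            raise ValueError(f"empty value for {k}")
    return DetectionConfig(enabled=(switch == "on"), behavior=behavior, policy_name=f["policy name"],
                           secure_range=parse_ip_range(f["secure login location"]),
                           abnormal_hours=parse_hours(f["abnormal communication time"]),
                           extra={k: f[k] for k in REQUIRED[behavior]})


def validate(text: str):
    """None if the configuration loads, otherwise the reason it must be corrected before loading."""
    try:
        load_config(text)
    except ValueError as e:
        return str(e)
    return None


# Constructed input, transcribed from the configuration field examples on this page.
ABNORMAL_LOGIN = """
switch state: on;
abnormal behavior type: abnormal login;
policy name: custom abnormal login;
secure login location: 192.168.100.1-192.168.100.80;
abnormal communication time: 0-6;
login protocol: HTTP;
controlled login account: 123456@qq.com;
login target server IP: 192.168.100.10.
"""
ILLEGAL_CONNECTION = """
switch state: on;
abnormal behavior type: illegal connection;
policy name: custom illegal connection;
secure login location: 192.168.100.1-192.168.100.80;
abnormal communication time: 0 to 6 am;
controlled internal IP: 192.168.100.20.
"""
```

`validate(ABNORMAL_LOGIN)` returns `None`; deleting the `login protocol` line, reversing the secure login location range, or entering `192.168.100.999` as the target server IP each return a message naming the defective index, so a bad configuration item can be corrected before the policy is loaded rather than discovered later as missing alarms.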
Step S214, comparing the first detection configuration information with the traffic data packet to obtain a first comparison result, and, if the first comparison result indicates that the current mailbox account is the same as the controlled sender mailbox information, the current communication time falls within the abnormal communication time information, the current keyword is the same as the controlled sensitive keyword information, and the current login location is different from the secure login location information, generating first alarm information corresponding to mail sensitive information transmission.
The traffic data packet may include: the current IP address, current login account, current login location, current communication time, current keyword, current login protocol, current server IP and current mailbox account; the first detection configuration information may include: secure login location information, abnormal communication time information, controlled sender mailbox information and controlled sensitive keyword information.
In actual implementation, after the first detection configuration information is loaded, it can be compared with the currently collected traffic data packet to obtain a first comparison result, and whether to generate first alarm information corresponding to mail sensitive information transmission is judged according to that result. Specifically, if after comparison the current login location of the data packet is different from the secure login location information, but the current mailbox account is the same as the controlled sender mailbox information, the current communication time falls within the abnormal communication time information, and the current keyword is the same as the controlled sensitive keyword information, for example, the current login location is 192.168.100.89 while the secure login location information is "192.168.100.1-192.168.100.80" (that is, the current login location is not within the secure login location), but the current mailbox account and the controlled sender mailbox information are both "123456@qq.com", the current communication time and the abnormal communication time information are both "between 0:00 and 6:00 a.m.", and the current keyword and the controlled sensitive keyword information are both "amount", then the first alarm information corresponding to mail sensitive information transmission can be generated. This is equivalent to: once the first detection configuration information is completed, if the important account logs in from an unsafe address and sends a mail containing a sensitive-information keyword during the abnormal communication time, an abnormal-behavior alarm for mail sensitive information transmission is generated. Mail sensitive information transmission is not in itself an attack behavior; mail can be sent and received normally, but the behavior does not conform to the normal use scenario and therefore needs to be investigated.
Step S216, comparing the second detection configuration information with the traffic data packet to obtain a second comparison result, and, if the second comparison result indicates that the current server IP is the same as the login target server IP information, the current communication time falls within the abnormal communication time information, the current login protocol is the same as the login protocol information, and the current login location is different from the secure login location information, generating second alarm information corresponding to abnormal login.
The second detection configuration information may include: secure login location information, abnormal communication time information, login protocol information, controlled login account information, and login target server IP information.
In actual implementation, after the second detection configuration information is loaded, it can be compared with the currently collected traffic data packet to obtain a second comparison result, and whether to generate second alarm information corresponding to abnormal login is judged according to that result. Specifically, if after comparison the current login location of the data packet is different from the secure login location information, but the current server IP is the same as the login target server IP information, the current communication time falls within the abnormal communication time information, the current login account is the same as the controlled login account information, and the current login protocol is the same as the login protocol information, for example, the current login location is 192.168.100.89 while the secure login location information is "192.168.100.1-192.168.100.80" (that is, the current login location is not within the secure login location), but the current server IP and the login target server IP information are both 192.168.100.10, the current login account and the controlled login account information are both "123456@qq.com", the current communication time and the abnormal communication time information are both "between 0:00 and 6:00 a.m.", and the current login protocol and the login protocol information are both HTTP, then the second alarm information corresponding to abnormal login can be generated. This is equivalent to: once the second detection configuration information is completed, if the important account logs in to the monitored server from an address outside the configured secure location, over the configured protocol and during the abnormal communication time, an abnormal-behavior alarm for abnormal login is generated. Abnormal login is not in itself an attack behavior; the login itself may proceed normally, but the behavior does not conform to the normal use scenario and therefore needs to be investigated.
Step S218, comparing the third detection configuration information with the traffic data packet to obtain a third comparison result, and, if the third comparison result indicates that the current IP address is the same as the controlled internal IP information, the current communication time falls within the abnormal communication time information, and the current login location is different from the secure login location information, generating third alarm information corresponding to illegal connection.
The third detection configuration information may include: secure login location information, abnormal communication time information, controlled internal IP information.
In actual implementation, after the third detection configuration information is loaded, it can be compared with the currently collected traffic data packet to obtain a third comparison result, and whether to generate third alarm information corresponding to illegal connection is judged according to that result. Specifically, if after comparison the current login location of the data packet is different from the secure login location information, but the current communication time falls within the abnormal communication time information and the current IP address is the same as the controlled internal IP information, for example, the current login location is 192.168.100.89 while the secure login location information is "192.168.100.1-192.168.100.80" (that is, the current login location is not within the secure login location), but the current communication time and the abnormal communication time information are both "between 0:00 and 6:00 a.m.", and the current IP address and the controlled internal IP information are both 192.168.100.20, then the third alarm information corresponding to illegal connection can be generated. This is equivalent to: once the third detection configuration information is completed, if the monitored internal IP or IP segment initiates a network connection from outside the configured address range during the abnormal time, an abnormal-behavior alarm for illegal connection is generated. Illegal connection is not in itself an attack behavior; a network session can be established normally, but the behavior does not conform to the normal use scenario and therefore needs to be investigated.
Step S220, if no target traffic data matching the detection configuration information exists in the traffic data packet, judging whether the detection configuration information is correct.
Step S222, if the detection configuration information is incorrect, repeating the step of generating the detection configuration information corresponding to the abnormal behavior to be detected based on the pre-acquired quantization indexes configured for the abnormal behavior to be detected, until target traffic data matching the detection configuration information exists in the traffic data packet.
Step S224, if the detection configuration information is correct, repeating the step of detecting the traffic data packet based on the detection configuration information, until target traffic data matching the detection configuration information exists in the traffic data packet.
Specifically, after the APT attack early-warning platform has loaded the configuration information of the above steps, the traffic collection and analysis function is started and abnormal behavior detection is performed on real network traffic. If no traffic matching the detection configuration information is detected, whether the detection configuration information is configured correctly can be judged: if the configuration is correct, the steps of loading the configuration information and detecting the information in the traffic are generally repeated until target traffic data matching the detection configuration information exists in the traffic data packet (that is, traffic matching the configuration is detected); if the configuration is incorrect, individual configuration items can be modified and the detection configuration information corresponding to the abnormal behavior to be detected regenerated, until target traffic data matching the detection configuration information exists in the traffic data packet.
Furthermore, when the detection configuration information is generated, a configuration item can generally be modified so that the traffic respectively meets and does not meet the conditions corresponding to the abnormal behavior to be detected, and the network traffic is then detected to see whether risk alarm data are generated. If alarm data are generated when the conditions are met and no alarm data are generated when they are not, the configuration item functions normally; otherwise, the configuration item functions abnormally.
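The three comparisons of steps S214 to S218 and the positive/negative self-check of a configuration item described in the paragraph above, as an added Python example that is not part of the patent or of DBAPPSecurity's platform: every rule requires the current login location to lie outside the secure login location and the current communication time to fall inside the abnormal communication time, and then adds its own equalities (sender mailbox and keyword; target server, protocol and account; controlled internal IP). `self_check()` runs one matching record against the configuration as given, then again after the secure login location has been modified to cover that record's login location, and reports whether an alarm appears in the first case only. The dictionary layout of the configuration, the record field names and the sample records are constructed for this example; the configuration values are taken from the examples on this page.

```python
"""Rule evaluation for mail sensitive information transmission, abnormal login and illegal
connection, plus the self-check of a configuration item. Added example; field names and
record layout are assumptions, not the patent's data model."""
import ipaddress
from datetime import datetime


def ip_in_range(ip: str, first: str, last: str) -> bool:
    """True if ip is inside the inclusive range first..last (secure login location format)."""
    a = ipaddress.ip_address(ip)
    return ipaddress.ip_address(first) <= a <= ipaddress.ip_address(last)


def in_window(ts: datetime, start_hour: int, end_hour: int) -> bool:
    """True if ts.hour is in [start_hour, end_hour); start > end means the window wraps midnight."""
    h = ts.hour
    if start_hour <= end_hour:
        return start_hour <= h < end_hour
    return h >= start_hour or h < end_hour


def _common(cfg: dict, rec: dict) -> bool:
    """Conditions shared by all three rules: outside the secure location, inside the abnormal time."""
    return (not ip_in_range(rec["login_location"], *cfg["secure_login_location"])
            and in_window(rec["time"], *cfg["abnormal_time"]))


def match_mail(cfg: dict, rec: dict) -> bool:  # step S214
    return (_common(cfg, rec) and rec["mailbox"] == cfg["controlled_sender_mailbox"]
            and any(k in rec["keywords"] for k in cfg["controlled_keywords"]))


def match_login(cfg: dict, rec: dict) -> bool:  # step S216
    return (_common(cfg, rec) and rec["server_ip"] == cfg["login_target_server_ip"]
            and rec["login_protocol"] == cfg["login_protocol"]
            and rec["login_account"] == cfg["controlled_login_account"])


def match_connection(cfg: dict, rec: dict) -> bool:  # step S218
    return _common(cfg, rec) and rec["ip"] == cfg["controlled_internal_ip"]


RULES = {"mail sensitive information transmission": match_mail,
         "abnormal login": match_login,
         "illegal connection": match_connection}


def detect(configs: list, records: list) -> list:
    """One alarm per (enabled configuration, record) pair whose comparison succeeds."""
    alarms = []
    for cfg in configs:
        if not cfg["switch"]:          # switch state off: the policy is loaded but inactive
            continue
        matcher = RULES[cfg["type"]]
        for rec in records:
            if matcher(cfg, rec):
                alarms.append({"policy": cfg["policy_name"], "type": cfg["type"],
                               "ip": rec["ip"], "time": rec["time"].isoformat()})
    return alarms


def self_check(cfg: dict, rec: dict) -> bool:
    """Positive/negative check of one configuration item: rec must alarm under cfg, and must not
    alarm once the secure login location is modified so that rec's login location lies inside it."""
    positive = detect([cfg], [rec])
    loc = rec["login_location"]
    negative = detect([dict(cfg, secure_login_location=(loc, loc))], [rec])
    return len(positive) == 1 and len(negative) == 0


COMMON = {"switch": True, "secure_login_location": ("192.168.100.1", "192.168.100.80"),
          "abnormal_time": (0, 6)}   # values from the configuration examples on this page
CONFIGS = [
    dict(COMMON, type="mail sensitive information transmission",
         policy_name="custom mail sensitive information transmission",   # assumed policy name
         controlled_sender_mailbox="123456@qq.com", controlled_keywords=("amount",)),
    dict(COMMON, type="abnormal login", policy_name="custom abnormal login", login_protocol="HTTP",
         controlled_login_account="123456@qq.com", login_target_server_ip="192.168.100.10"),
    dict(COMMON, type="illegal connection", policy_name="custom illegal connection",
         controlled_internal_ip="192.168.100.20"),
]


def make_record(ip: str, location: str, hour: int, **fields) -> dict:
    """Constructed traffic record carrying the fields of the traffic data packet; unset ones are empty."""
    base = {"ip": ip, "login_location": location, "time": datetime(2024, 1, 15, hour, 0),
            "login_account": "", "keywords": (), "login_protocol": "", "server_ip": "", "mailbox": ""}
    base.update(fields)
    return base


RECORDS = [  # constructed sample traffic, not captured data
    make_record("192.168.100.89", "192.168.100.89", 3, login_account="123456@qq.com",
                login_protocol="HTTP", server_ip="192.168.100.10"),        # abnormal login
    make_record("192.168.100.89", "192.168.100.89", 2, mailbox="123456@qq.com",
                keywords=("amount", "invoice"), login_protocol="SMTP"),    # mail sensitive information
    make_record("192.168.100.20", "10.0.0.5", 1),                           # illegal connection
    make_record("192.168.100.50", "192.168.100.50", 3, login_account="123456@qq.com",
                login_protocol="HTTP", server_ip="192.168.100.10"),        # inside office range: no alarm
    make_record("192.168.100.89", "192.168.100.89", 10, login_account="123456@qq.com",
                login_protocol="HTTP", server_ip="192.168.100.10"),        # outside abnormal time: no alarm
]
```

`detect(CONFIGS, RECORDS)` yields exactly three alarms, one per behavior type, and the last two records stay silent because they fail the shared location or time condition. `self_check(CONFIGS[1], RECORDS[0])` returns `True`, which is the "alarm when the conditions are met, no alarm when they are not" test the description prescribes; a configuration item whose comparison never fires, or fires regardless of the secure login location, returns `False` and should be corrected before it is loaded.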
Step S226, judging whether the alarm information indicates a threat.
Step S228, if the alarm information indicates a threat, judging whether the alarm information is a false alarm.
In actual implementation, once traffic conforming to the configuration is detected and alarm information is generated, the user can analyze and judge the alarm information to determine whether a threat exists. Specifically, the IP of the host and the user that generated the abnormal behavior can be acquired through the risk data acquisition interface of the probe platform, and the risk behavior (i.e., the abnormal behavior corresponding to the alarm information) is judged to determine whether it is a false alarm.
Step S230, if the alarm information is a false alarm, repeating the step of judging whether the detection configuration information is correct, until the alarm information is no longer a false alarm.
Step S232, if the alarm information is not a false alarm, resolving the abnormal behavior corresponding to the alarm information.
For a better understanding of the above embodiment, reference may be made to the schematic flow diagram of the network traffic detection operation shown in fig. 3.
When the detection flow starts, the detection requirement (i.e., the abnormal behavior to be detected) can be determined first and the detection configuration (i.e., the detection configuration information corresponding to the abnormal behavior to be detected) generated; the detection configuration is then loaded, traffic detection is performed, and whether alarm information has been generated is judged. If no alarm information has been generated, whether the detection configuration is correct is judged further: if it is correct, the steps of loading the detection configuration and performing traffic detection are continued, and if not, the step of generating the detection configuration is repeated, until alarm information is generated. If alarm information has been generated, the alarm is analyzed and judged to determine whether it is a false alarm: if it is a false alarm, the step of judging whether the detection configuration is correct is executed again, and if it is not a false alarm, the risk (the abnormal behavior corresponding to the alarm information) is resolved and the whole detection flow ends.
According to the method for detecting abnormal behavior of network traffic provided by this embodiment, the quantization indexes and detection configuration information of abnormal behavior are flexible and configurable, and the user can flexibly detect the abnormal behavior to be found in the network through user-defined configuration; in addition, features in the traffic such as the current IP address, current login account, current login location, current communication time, current keyword, current login protocol, current server IP and current mailbox account can be matched against the user-defined configuration information, which improves the detection efficiency and detection accuracy of abnormal behavior.
The embodiment of the invention provides a structural schematic diagram of a device for detecting abnormal behavior of network traffic, as shown in fig. 4. The device comprises: a configuration module 40, configured to generate detection configuration information corresponding to the abnormal behavior to be detected based on pre-acquired quantization indexes configured for the abnormal behavior to be detected; an acquisition module 41, configured to load the detection configuration information through the detection platform and collect traffic data packets in the network environment; and a detection module 42, configured to detect the traffic data packets based on the detection configuration information and, if target traffic data matching the detection configuration information exists in the traffic data packets, generate alarm information corresponding to the abnormal behavior to be detected.
The device for detecting abnormal behavior of network traffic provided by the embodiment of the invention generates detection configuration information corresponding to the abnormal behavior to be detected based on pre-acquired quantization indexes configured for the abnormal behavior to be detected; loads the detection configuration information through a detection platform and collects traffic data packets in the network environment; and detects the traffic data packets based on the detection configuration information, generating alarm information corresponding to the abnormal behavior to be detected if target traffic data matching the detection configuration information exists in the traffic data packets. When the device detects abnormal behavior in network traffic, the user can flexibly detect the abnormal behavior to be found in the network by configuring the quantization indexes of the abnormal behavior in a user-defined manner, which improves the flexibility and therefore the efficiency of detection.
Further, the abnormal behavior includes: mail sensitive information transmission; the configuration module is also configured to acquire first quantization indexes configured by a user for mail sensitive information transmission and first provided information corresponding to each first quantization index, wherein the first quantization indexes comprise: secure login location, abnormal communication time, controlled sender mailbox and controlled sensitive keywords; and to generate first detection configuration information corresponding to mail sensitive information transmission according to each piece of first provided information and each first quantization index.
Further, the abnormal behavior includes: abnormal login; the configuration module is also configured to acquire second quantization indexes configured by the user for abnormal login and second provided information corresponding to each second quantization index, wherein the second quantization indexes comprise: secure login location, abnormal communication time, login protocol, controlled login account, login target server IP; and to generate second detection configuration information corresponding to abnormal login according to each piece of second provided information and each second quantization index.
Further, the abnormal behavior includes: illegal connection; the configuration module is also configured to acquire third quantization indexes configured by the user for illegal connection and third provided information corresponding to each third quantization index, wherein the third quantization indexes comprise: secure login location, abnormal communication time, controlled internal IP; and to generate third detection configuration information corresponding to illegal connection according to each piece of third provided information and each third quantization index.
Further, the traffic data packet includes: a current IP address, current login account, current login location, current communication time, current keyword, current login protocol, current server IP and current mailbox account; the first detection configuration information includes: secure login location information, abnormal communication time information, controlled sender mailbox information and controlled sensitive keyword information; the second detection configuration information includes: secure login location information, abnormal communication time information, login protocol information, controlled login account information and login target server IP information; the third detection configuration information includes: secure login location information, abnormal communication time information and controlled internal IP information. The detection module is further configured to compare the first detection configuration information with the traffic data packet to obtain a first comparison result, and generate first alarm information corresponding to mail sensitive information transmission if the first comparison result indicates that the current mailbox account is the same as the controlled sender mailbox information, the current communication time falls within the abnormal communication time information, the current keyword is the same as the controlled sensitive keyword information, and the current login location is different from the secure login location information; compare the second detection configuration information with the traffic data packet to obtain a second comparison result, and generate second alarm information corresponding to abnormal login if the second comparison result indicates that the current server IP is the same as the login target server IP information, the current communication time falls within the abnormal communication time information, the current login protocol is the same as the login protocol information, and the current login location is different from the secure login location information; and compare the third detection configuration information with the traffic data packet to obtain a third comparison result, and generate third alarm information corresponding to illegal connection if the third comparison result indicates that the current IP address is the same as the controlled internal IP information, the current communication time falls within the abnormal communication time information, and the current login location is different from the secure login location information.
Further, the device is also configured to: if no target traffic data matching the detection configuration information exists in the traffic data packet, judge whether the detection configuration information is correct; if the detection configuration information is incorrect, repeat the step of generating detection configuration information corresponding to the abnormal behavior to be detected based on the pre-acquired quantization indexes configured for the abnormal behavior to be detected, until target traffic data matching the detection configuration information exists in the traffic data packet; and if the detection configuration information is correct, repeat the step of detecting the traffic data packet based on the detection configuration information, until target traffic data matching the detection configuration information exists in the traffic data packet.
Further, the device is also configured to: judge whether the alarm information indicates a threat; if the alarm information indicates a threat, judge whether the alarm information is a false alarm; if the alarm information is a false alarm, repeat the step of judging whether the detection configuration information is correct, until the alarm information is no longer a false alarm; and if the alarm information is not a false alarm, resolve the abnormal behavior corresponding to the alarm information.
The device for detecting the abnormal behavior of the network traffic provided by the embodiment of the invention has the same implementation principle and technical effects as those of the embodiment of the method for detecting the abnormal behavior of the network traffic, and the embodiment part of the device for detecting the abnormal behavior of the network traffic can refer to the corresponding content in the embodiment of the method for detecting the abnormal behavior of the network traffic.
The embodiment of the present invention further provides an electronic device, as shown in fig. 5, where the electronic device includes a processor 130 and a memory 131, where the memory 131 stores machine executable instructions that can be executed by the processor 130, and the processor 130 executes the machine executable instructions to implement the method for detecting abnormal behavior of network traffic.
Further, the electronic device shown in fig. 5 further includes a bus 132 and a communication interface 133, and the processor 130, the communication interface 133, and the memory 131 are connected through the bus 132.
The memory 131 may include a high-speed random access memory (RAM), and may further include a non-volatile memory, such as at least one magnetic disk memory. The communication connection between the system network element and at least one other network element is implemented via at least one communication interface 133 (which may be wired or wireless), and may use the Internet, a wide area network, a local area network, a metropolitan area network, etc. Bus 132 may be an ISA bus, a PCI bus, an EISA bus, or the like, and may be divided into an address bus, a data bus, a control bus, etc. For ease of illustration, only one bidirectional arrow is shown in FIG. 5, but this does not mean that there is only one bus or only one type of bus.
The processor 130 may be an integrated circuit chip with signal processing capabilities. In implementation, the steps of the above method may be performed by integrated logic circuitry in hardware or instructions in software in processor 130. The processor 130 may be a general-purpose processor, including a central processing unit (Central Processing Unit, CPU for short), a network processor (Network Processor, NP for short), etc.; but also digital signal processors (Digital Signal Processor, DSP for short), application specific integrated circuits (Application Specific Integrated Circuit, ASIC for short), field-programmable gate arrays (Field-Programmable Gate Array, FPGA for short) or other programmable logic devices, discrete gate or transistor logic devices, discrete hardware components. The disclosed methods, steps, and logic blocks in the embodiments of the present invention may be implemented or performed. A general purpose processor may be a microprocessor or the processor may be any conventional processor or the like. The steps of the method disclosed in connection with the embodiments of the present invention may be embodied directly in the execution of a hardware decoding processor, or in the execution of a combination of hardware and software modules in a decoding processor. The software modules may be located in a random access memory, flash memory, read only memory, programmable read only memory, or electrically erasable programmable memory, registers, etc. as well known in the art. The storage medium is located in the memory 131, and the processor 130 reads the information in the memory 131, and in combination with its hardware, performs the steps of the method of the foregoing embodiment.
The embodiment of the invention also provides a computer readable storage medium, which stores computer executable instructions that, when being called and executed by a processor, cause the processor to implement the method for detecting abnormal behavior of network traffic, and specific implementation can be seen in the method embodiment and will not be described herein.
The method, the device and the electronic equipment for detecting the abnormal behavior of the network traffic provided by the embodiment of the invention comprise a computer readable storage medium storing program codes, and the instructions included in the program codes can be used for executing the method described in the method embodiment, and specific implementation can be referred to the method embodiment and will not be repeated here.
If the functions are implemented in the form of software functional units and sold or used as a stand-alone product, they may be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the present invention, in essence or in the part contributing to the prior art, or a part of the technical solution, may be embodied in the form of a software product stored in a storage medium, comprising several instructions for causing a computer device (which may be a personal computer, a server, a network device, etc.) to perform all or part of the steps of the method according to the embodiments of the present invention. The aforementioned storage medium includes: a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, an optical disk, or other media capable of storing program code.
Finally, it should be noted that: the above examples are only specific embodiments of the present invention for illustrating the technical solution of the present invention, but not for limiting the scope of the present invention, and although the present invention has been described in detail with reference to the foregoing examples, it will be understood by those skilled in the art that the present invention is not limited thereto: any person skilled in the art may modify or easily conceive of the technical solution described in the foregoing embodiments, or perform equivalent substitution of some of the technical features, while remaining within the technical scope of the present disclosure; such modifications, changes or substitutions do not depart from the spirit and scope of the technical solutions of the embodiments of the present invention, and are intended to be included in the scope of the present invention. Therefore, the protection scope of the invention is subject to the protection scope of the claims.

Claims (10)

1. A method for detecting abnormal behavior of network traffic, the method comprising: generating detection configuration information corresponding to the abnormal behavior to be detected based on pre-acquired quantization indexes configured for the abnormal behavior to be detected;
loading the detection configuration information through a detection platform, and collecting traffic data packets in a network environment;
and detecting the traffic data packets based on the detection configuration information, and generating alarm information corresponding to the abnormal behavior to be detected if target traffic data matching the detection configuration information exists in the traffic data packets.
2. The method of claim 1, wherein the abnormal behavior comprises: mail sensitive information transmission; and the step of generating detection configuration information corresponding to the abnormal behavior to be detected based on pre-acquired quantization indexes configured for the abnormal behavior to be detected comprises:
acquiring first quantization indexes configured by a user for mail sensitive information transmission, and first provided information corresponding to each first quantization index; wherein the first quantization indexes include: secure login location, abnormal communication time, controlled sender mailbox and controlled sensitive keywords;
and generating first detection configuration information corresponding to mail sensitive information transmission according to each piece of first provided information and each first quantization index.
3. The method of claim 2, wherein the abnormal behavior comprises: abnormal login; and the step of generating detection configuration information corresponding to the abnormal behavior to be detected based on pre-acquired quantization indexes configured for the abnormal behavior to be detected comprises:
acquiring second quantization indexes configured by a user for abnormal login, and second provided information corresponding to each second quantization index; wherein the second quantization indexes include: secure login location, abnormal communication time, login protocol, controlled login account, login target server IP;
and generating second detection configuration information corresponding to abnormal login according to each piece of second provided information and each second quantization index.
4. The method of claim 3, wherein the abnormal behavior comprises: illegal connection; and the step of generating detection configuration information corresponding to the abnormal behavior to be detected based on pre-acquired quantization indexes configured for the abnormal behavior to be detected comprises:
acquiring third quantization indexes configured by a user for illegal connection, and third provided information corresponding to each third quantization index; wherein the third quantization indexes include: secure login location, abnormal communication time, controlled internal IP;
and generating third detection configuration information corresponding to illegal connection according to each piece of third provided information and each third quantization index.
5. The method of claim 4, wherein the traffic data packet comprises: the method comprises the steps of current IP address, current login account number, current login position, current communication time, current keyword, current login protocol, current server IP and current mailbox account number; the first detection configuration information includes: safe login position information, abnormal communication time information, controlled sender mailbox information and controlled sensitive keyword information; the second detection configuration information includes: secure login location information, abnormal communication time information, login protocol information, controlled login account information, login target server IP information; the third detection configuration information includes: safety login position information, abnormal communication time information and controlled internal IP information;
Detecting the flow data packet based on the detection configuration information, and if the flow data packet has flow data matched with the detection configuration information, generating alarm information corresponding to the abnormal behavior to be detected comprises the following steps:
comparing the first detection configuration information with the flow data packet to obtain a first comparison result, and generating first alarm information corresponding to the mail sensitive information transmission if the first comparison result indicates that the current mail account number is the same as the controlled sender mail information, the current communication time is the same as the abnormal communication time information, the current keyword is the same as the controlled sensitive keyword information, and the current login position is different from the safe login position information;
comparing the second detection configuration information with the flow data packet to obtain a second comparison result, and generating second alarm information corresponding to the abnormal login if the second comparison result indicates that the current server IP is identical to the login target server IP information, the current communication time is identical to the abnormal communication time information, the current login protocol is identical to the login protocol information, and the current login position is different from the safe login position information;
Comparing the third detection configuration information with the flow data packet to obtain a third comparison result, and generating third alarm information corresponding to the illegal connection if the third comparison result indicates that the IP address is the same as the controlled internal IP information, the current communication time is the same as the abnormal communication time information, and the current login position is different from the safe login position information.
6. The method according to claim 1, wherein the method further comprises:
if the target flow data matched with the detection configuration information does not exist in the flow data packet, judging whether the detection configuration information is correct or not;
if the detection configuration information is incorrect, repeating the step of generating detection configuration information corresponding to the abnormal behavior to be detected based on a pre-acquired quantization index configured for the abnormal behavior to be detected until target flow data matched with the detection configuration information exists in the flow data packet;
and if the detection configuration information is correct, repeating the step of detecting the flow data packet based on the detection configuration information until target flow data matched with the detection configuration information exists in the flow data packet.
7. The method of claim 6, wherein the method further comprises:
judging whether the alarm information has threat or not;
if the alarm information has threat, judging whether the alarm information has false alarm or not;
if false alarm exists in the alarm information, repeating the step of judging whether the detection configuration information is correct or not until false alarm does not exist in the alarm information;
if the alarm information does not have false alarm, solving the abnormal behavior corresponding to the alarm information.
8. An abnormal behavior detection apparatus for network traffic, the apparatus comprising:
the configuration module is used for generating detection configuration information corresponding to the abnormal behavior to be detected based on a pre-acquired quantization index configured for the abnormal behavior to be detected;
the acquisition module is used for loading the detection configuration information through the detection platform and acquiring a flow data packet in a network environment;
the detection module is used for detecting the flow data packet based on the detection configuration information, and generating alarm information corresponding to the abnormal behavior to be detected if target flow data matched with the detection configuration information exists in the flow data packet.
9. An electronic device comprising a memory, a processor, the memory having stored thereon a computer program executable on the processor, characterized in that the processor, when executing the computer program, implements the steps of the method of any of the preceding claims 1-7.
10. A computer-readable storage medium, characterized in that it has stored thereon a computer program which, when executed by a processor, performs the steps of the method according to any of the preceding claims 1-7.
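The three matching rules of claim 5, run over a handful of constructed traffic records, as an added Python example that is not the patent's own code. It keeps the structure of claims 1 to 5 (one detection configuration per behavior, loaded into a detector, compared field by field against every record, one alarm per match) but departs from the literal claim in one assumed way: each indicator is a set or a time window rather than a single value, so "secure login location" behaves as an allow-list and "abnormal communication time" as a window that may cross midnight. The monitored login account of claim 3 is not among the claim 5 match conditions and is left out. All record field names, configuration values and sample traffic are assumptions.

```python
from dataclasses import dataclass
from datetime import time

@dataclass(frozen=True)
class TrafficRecord:
    """One flattened traffic record with the claim 5 fields (names assumed)."""
    ip: str
    login_account: str
    login_location: str
    comm_time: time
    keywords: tuple
    login_protocol: str
    server_ip: str
    mailbox: str

@dataclass(frozen=True)
class DetectionConfig:
    """Configuration built from the user-configured indicators of claims 2-4.
    Assumed beyond the claims: indicators are sets and (start, end) windows."""
    behavior: str
    secure_locations: frozenset
    abnormal_windows: tuple
    sender_mailboxes: frozenset = frozenset()
    sensitive_keywords: frozenset = frozenset()
    login_protocols: frozenset = frozenset()
    target_server_ips: frozenset = frozenset()
    internal_ips: frozenset = frozenset()

def in_abnormal_window(t, windows):
    """True if t lies in any window; start later than end means it crosses midnight."""
    for start, end in windows:
        if start <= end:
            if start <= t <= end:
                return True
        elif t >= start or t <= end:
            return True
    return False

def _baseline(rec, cfg):
    # Shared by all three rules of claim 5: abnormal time, non-secure location.
    return (in_abnormal_window(rec.comm_time, cfg.abnormal_windows)
            and rec.login_location not in cfg.secure_locations)

def match_mail_sensitive(rec, cfg):
    return (_baseline(rec, cfg) and rec.mailbox in cfg.sender_mailboxes
            and any(k in cfg.sensitive_keywords for k in rec.keywords))

def match_abnormal_login(rec, cfg):
    return (_baseline(rec, cfg) and rec.server_ip in cfg.target_server_ips
            and rec.login_protocol in cfg.login_protocols)

def match_illegal_connection(rec, cfg):
    return _baseline(rec, cfg) and rec.ip in cfg.internal_ips

RULES = {"mail_sensitive_transmission": match_mail_sensitive,
         "abnormal_login": match_abnormal_login,
         "illegal_connection": match_illegal_connection}

def detect(records, configs):
    """Apply every loaded configuration to every record; one alert per match."""
    alerts = []
    for rec in records:
        for cfg in configs:
            if RULES[cfg.behavior](rec, cfg):
                alerts.append({"behavior": cfg.behavior, "ip": rec.ip,
                               "account": rec.login_account,
                               "location": rec.login_location})
    return alerts

# Constructed sample configuration and traffic, not taken from the patent.
NIGHT = ((time(22, 0), time(6, 0)),)
CONFIGS = (
    DetectionConfig("mail_sensitive_transmission", frozenset({"HQ"}), NIGHT,
                    sender_mailboxes=frozenset({"finance@example.com"}),
                    sensitive_keywords=frozenset({"salary", "contract"})),
    DetectionConfig("abnormal_login", frozenset({"HQ"}), NIGHT,
                    login_protocols=frozenset({"ssh", "rdp"}),
                    target_server_ips=frozenset({"10.0.0.5"})),
    DetectionConfig("illegal_connection", frozenset({"HQ"}), NIGHT,
                    internal_ips=frozenset({"10.0.1.20"})),
)
SAMPLE = [
    TrafficRecord("203.0.113.7", "bob", "remote", time(2, 15), ("salary",),
                  "smtp", "10.0.0.9", "finance@example.com"),  # night, off-site -> alert
    TrafficRecord("10.0.1.3", "bob", "HQ", time(10, 0), ("salary",),
                  "smtp", "10.0.0.9", "finance@example.com"),  # HQ, daytime -> none
    TrafficRecord("198.51.100.4", "root", "remote", time(23, 30), (),
                  "ssh", "10.0.0.5", ""),  # ssh to monitored server at night -> alert
    TrafficRecord("10.0.1.20", "svc", "branch-x", time(3, 0), (),
                  "https", "93.184.216.34", ""),  # monitored host out at night -> alert
]

if __name__ == "__main__":
    for alert in detect(SAMPLE, CONFIGS):
        print(alert)
```

The rules are pure conjunctions, so a record that satisfies three of the four conditions produces nothing; that is the situation claim 6 addresses, where the absence of any match sends the operator back to check the configuration before the detector is re-run. Note also that comparing the current login location against the secure set is only as trustworthy as the source of that field: if it is derived from the client IP, a VPN or proxy egress that sits inside the secure set silences all three rules.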

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311245593.3A CN117319025A (en) 2023-09-25 2023-09-25 Abnormal behavior detection method and device for network traffic and electronic equipment

Publications (1)

Publication Number Publication Date
CN117319025A true CN117319025A (en) 2023-12-29

Family

ID=89286029

Country Status (1)

Country Link
CN (1) CN117319025A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination