CN1968280A - System and method for detecting and filtering invalid header field - Google Patents


Info

Publication number
CN1968280A
Authority
CN
China
Prior art keywords
header field
invalid
tabulation
legal
specific
Legal status
Granted
Application number
CNA2006101456604A
Other languages
Chinese (zh)
Other versions
CN100550912C (en
Inventor
张喆
吴平
王胤宗
吴明
孔涛
纪涛
Current Assignee
Huawei Technologies Co Ltd
Original Assignee
Huawei Technologies Co Ltd
Application filed by Huawei Technologies Co Ltd
Priority to CNB2006101456604A
Publication of CN1968280A
Application granted
Publication of CN100550912C
Legal status: Expired - Fee Related


Abstract

The invention relates to a system for detecting and filtering illegal header fields, and to a related method. The system comprises a policy server and a policy enforcement component. The method comprises: configuring lists of legal and illegal header fields; generating, from those lists, a filtering policy for illegal header fields; and, according to that policy, filtering packets that carry an illegal header field. The invention can detect and filter illegal header fields in SIP (Session Initiation Protocol) messages in an IMS (IP Multimedia Subsystem).

Description

System and method for detecting and filtering invalid header fields
Technical field
The present invention relates to the communications field, and in particular to a system and method for detecting and filtering invalid header fields.
Background technology
IMS is a core network subsystem supporting IP multimedia services that 3GPP (Third Generation Partnership Project) proposed in the Release 5 standard. IMS is built on a set of protocols that includes SIP and merges services such as data, voice and multimedia. Because it is based on IP technology and adapts widely to access technologies, IMS lets clients of all types set up end-to-end IP communication and obtain the required quality of service.
IMS supports not only 2G and 3G mobile access but also fixed-network access, and may later develop into a converged core network that supports access from existing public networks such as the Internet. The IMS system conforms to the NGN (Next Generation Network) concept: it is a complete mobile telecommunications IP multimedia system, carries the authentication, security and charging mechanisms a real operator network needs, and can serve as the basis on which diverse services converge.
Judging by the present state and development trend of IDS (Intrusion Detection System) technology, intrusion detection for general-purpose networks is relatively mature and widely deployed, but there is as yet no mature intrusion detection technology for the signaling plane of telecom operators' networks. Conventional telecommunication networks use highly specialised equipment and protocols, so signaling-plane attacks against them were hard to carry out; as communication networks move to IP, the cost of signaling-plane attacks falls sharply. Telecommunication equipment vendors therefore need to implement effective signaling-plane intrusion detection and protection in their solutions.
The SIP proxy entity routes SIP requests to the UAS (User Agent Server) and routes response messages back to the corresponding UAC (User Agent Client); before forwarding a SIP message to the next hop it selects routing information according to the actual conditions and makes certain modifications to the message. On receiving a SIP message, the SIP proxy entity first performs steps such as syntax checking, URI format checking, Max-Forwards checking and loop detection. In the syntax-check step, RFC 3261 requires validity checking of SIP requests and syntax checking of the header fields related to the request and to forwarding it, but the remaining parts of the SIP message, whether legal or not, are not processed by the signaling proxy entity and pass through the forwarding process unchanged.
RFC 3261's definition of the signaling proxy syntax check lets the SIP protocol be extended easily, but the mechanism of transparently forwarding header fields unrelated to routing also brings certain security threats to SIP-based applications, in two respects:
1. Transparent forwarding of arbitrary custom extension header fields lets a terminal use messages such as call requests, which the IMS network transmits end to end, to implement services such as short messaging and chat that effectively evade charging.
2. Malicious attack data can be encapsulated in an illegal extension header field; a call request carrying such a header field passes through the IMS network unhindered and may damage the terminal and every node on the message path to the correspondent node.
One prior-art mobile network security architecture proposes configuring state detection, NIDS sniffers and online intrusion prevention in a DMZ (Demilitarized Zone) of the core network. This architecture is general and heterogeneous and can adapt to different platforms and protocols.
The drawback of this prior-art mobile security framework is that centralised intrusion signature analysis is hard to achieve. The framework requires every node to decide on local information and to devote more resources to analysing data, and then judges from each single node's analysis whether attack traffic has appeared in the whole network. Because modern communication networks are distributed, such a decision scheme is inaccurate.
Summary of the invention
The purpose of the invention is to provide a system and method for detecting and filtering invalid header fields that realises centrally managed, extensible detection and filtering of invalid header fields.
This purpose is achieved through the following technical solutions:
A system for detecting and filtering invalid header fields comprises a policy server and a policy enforcement component, wherein:
Policy server: configures the lists of legal and invalid header fields, generates a filtering policy for invalid header fields from those lists, and distributes the filtering policy to the policy enforcement component;
Policy enforcement component: executes the filtering policy issued by the policy server, filtering, according to that policy, packets that carry an invalid header field listed in the invalid header field list.
A method for detecting and filtering invalid header fields comprises the steps:
A. configuring lists of legal and invalid header fields, and generating from them a filtering policy for invalid header fields;
B. according to the filtering policy, filtering packets that carry an invalid header field listed in the invalid header field list.
As the above technical solution shows, the invention sets up one central Policy Server and a plurality of distributed Policy Enforcement Points (PEP). The policy server generates the filtering policy for invalid header fields from static and dynamic black/white lists and issues it to the policy enforcement components; the policy enforcement components detect and filter invalid header fields, such as invalid SIP message header fields in the IMS solution, according to that policy. This realises extensible, distributed, centrally managed detection and filtering of invalid header fields. Compared with the prior art it has the following advantages:
1. Where the RFC 3261 proxy mechanism fails to provide effective protection against transparent forwarding of malicious header fields, a scheme and implementation are proposed for a detection and control mechanism for transparent forwarding of invalid SIP header fields in a distributed IMS solution. It can effectively prevent the service theft caused by transparent forwarding of malicious invalid header fields, as well as attacks such as the transparent forwarding of attack data against terminals and other network elements, further strengthening the security of the IMS core network and terminals.
2. The detection and control mechanism for non-standard SIP header fields realises a prototype signaling-plane intrusion prevention system. The static and dynamic black/white lists implement signature-based intrusion detection, guaranteeing effective detection of known signaling header-field attacks. The invention can also realise anomaly-based intrusion detection, learning and dynamically updating the black/white lists for signaling header-field attacks unknown to the system, so that the system responds promptly and effectively to novel signaling header-field attacks.
3. A single policy server provides unified management of a plurality of policy enforcement components, making it easy to update the invalid header field filtering policy uniformly across the whole network. The distributed policy enforcement components report anomaly information, which helps discover novel anomalous header-field information promptly and update the filtering policy dynamically.
Description of drawings
Fig. 1 is a structural diagram of an embodiment of the mobile network security architecture of the invention;
Fig. 2 is a structural diagram of an embodiment of the policy server of the invention;
Fig. 3 is a flow chart of an embodiment of the method for detecting and filtering invalid header fields of the invention;
Fig. 4 shows a deployment of the invention protecting the IMS core against access-layer signaling attacks;
Fig. 5 shows a deployment of the invention protecting the IMS core against inter-carrier interface signaling attacks;
Fig. 6 shows a deployment of the invention protecting an application server.
Embodiment
The invention provides a system and method for detecting and filtering invalid header fields. Its main technical features are: one central policy server and a plurality of distributed policy enforcement components; the policy server defines static and dynamic black/white lists for invalid header fields, generates a filtering policy for invalid header fields from those lists and issues it to the policy enforcement components; the policy enforcement components detect and filter invalid header fields, such as invalid SIP message header fields, according to that policy, and report sampled message packets to the policy server.
Taking the detection and filtering of SIP message packets as an example, the system and method of the invention are described in detail below with reference to the drawings.
As shown in Fig. 1, the embodiment of the mobile network security architecture of the invention comprises: a policy server, policy enforcement components and a log server.
1. Policy server: as shown in Fig. 2, it is mainly responsible for defining static and dynamic black/white lists for invalid SIP header fields, generating a filtering policy for invalid header field information from the static and dynamic black/white list modules, and issuing the generated policy to the policy enforcement components.
The policy server comprises: a static black/white list module, a dynamic black/white list module, a policy distribution module, a policy generation module, an invalid header field detection module and a reported-information buffer module. The static and dynamic black/white list modules, the policy distribution module and the reported-information buffer module are mandatory; the remaining modules may be implemented according to the expected security level and the specific implementation. The operating principle of each module is described below.
(1) Static black/white list module: comprises a static white list and a static black list, generated once at system initialisation. The static white list defines the SIP header fields defined by RFC 3261, the SIP header fields supported by the current IMS system and the expected future extensions; the control mechanism for forwarding non-standard header fields in IMS applies a default allow policy to the static white list. The static black list is defined from the malicious header fields known before the system goes online. The intersection of the header fields in the static black list with those in the static and dynamic white lists is empty. During operation, the system security administrator may add specific header fields to the static black/white lists as actually needed.
(2) Dynamic black/white list module: comprises a dynamic white list and a dynamic black list, both empty at system initialisation. Header fields reported by the policy enforcement components during operation that are not covered by the static black/white lists are identified and judged by the invalid header field detection module; specific header fields identified as legal are added to the dynamic white list and those identified as illegal to the dynamic black list. At the same time, a weight is defined uniformly for every specific header field listed in the dynamic black/white lists; the weight measures how far the behaviour of the header field conforms to the normal behaviour model: the smaller the weight, the better the conformance.
(3) Policy distribution module: obtains the invalid and legal header field lists from the static and dynamic black/white list modules, formats them, generates the filtering policy for invalid header fields and issues it to some or all of the policy enforcement components.
(4) Header field information processing module: when a specific header field output by the invalid header field detection module has a record in the dynamic black/white list module, it recalculates the weight of that header field dynamically from the parameters output by the detection module (such as whether the header field shows malicious features) and the weight recorded in the dynamic black/white list module, then judges from the relation between the weight and the predefined thresholds whether the header field should be moved between the dynamic black and white lists, and moves it accordingly if so.
When the specific header field output by the detection module is recorded in neither the static nor the dynamic black/white list module, an initial weight is generated for it and it is added to the corresponding dynamic black/white list according to the relation between that weight and the predefined thresholds.
When a specific header field exists in the dynamic black/white lists but has not appeared on the network for a long time, its information is aged out.
(5) Invalid header field detection module: detects each specific header field carried in the SIP messages that the policy enforcement components reported and that are held in the buffer, judges whether each such header field contains malicious information, generates a weight increment (or decrement) for each, and reports that increment (or decrement), together with parameter information such as whether the header field contains malicious features, to the header field information processing module.
2. Policy enforcement component: in the mobile network security architecture of the invention, one policy server can manage one or more policy enforcement components. A policy enforcement component comprises a filter processing module and a report processing module.
Filter processing module: periodically downloads the filtering policy from the policy distribution module of the policy server and executes it. That is, according to the obtained filtering policy, it controls the protocol stack of the SIP proxy entity to filter SIP packets that carry invalid header fields listed in the static black list and the dynamic black list. The filtering policy includes, but is not limited to, deleting the invalid header field information or deleting the whole SIP packet.
Report processing module: samples the SIP messages in the protocol stack according to the performance of the SIP proxy entity and the current system load, and reports the sampled SIP messages to the buffer of the policy server for storage.
3. Log server: mainly responsible for keeping statistical records of the malicious SIP message header fields that the policy server detects with a high frequency of occurrence and reporting them to the system administrators. Using these statistics, the system administrator can move high-frequency malicious header fields recorded in the dynamic black list into the static black list, and report the appearance of novel malicious header fields to the higher level.
The policy server and policy enforcement components may be deployed in a distributed manner or integrated in the same node, as circumstances require. Distributed deployment realises management of a plurality of policy enforcement components by a single policy server; integrating the decision module and the PEP execution module on a single node guarantees that the scheme adapts effectively to small-scale systems.
As shown in Fig. 3, the embodiment of the method for detecting and filtering invalid header fields provided by the invention comprises the following steps:
Step 3-1: the policy enforcement component reports the sampled SIP message header fields to the policy server.
In the invention, the policy enforcement component samples the SIP messages in the protocol stack according to the performance of the SIP proxy entity and the current system load.
Because the protocol stack of the SIP proxy entity handles a massive volume of SIP messages, reporting all of them to the policy server would place a heavy burden on system processing, storage and the network. The report processing module therefore samples the SIP messages in the protocol stack within each sampling period according to a set algorithm.
Sampling at the same fixed interval every period could be exploited by an attacker to evade detection, so the policy enforcement component normally uses random sampling within each sampling period. The sampling algorithm includes, but is not limited to, the following implementation:
Let the sampling period be Tp and take s samples in each sampling period:
Time_count = 0;
for (i = 0; i < s; i++) {            /* take the i-th sample of this sampling period */
    t = rand(0, Tp / s);             /* random delay in [0, Tp/s) */
    Time_count = Time_count + t;
    sleep(t);                        /* wait for duration t before sampling */
    SIP_message_pickup_and_cache();  /* take and cache one sample */
}
sleep(Tp - Time_count);              /* wait for the end of the sampling period */
SIP_message_cached_report();         /* report the sampled data */
Then the policy enforcement component reports the sampled SIP messages to the buffer of the policy server for storage.
Step 3-2: the invalid header field detection module examines the SIP messages held in the buffer and reports the characteristic parameter information of the detected SIP messages and their header fields to the header field information processing module.
The invalid header field detection module examines the SIP messages that the policy enforcement component reported into the buffer, determines whether each SIP message and its header fields are anomalous, obtains the corresponding characteristic parameters, and reports the characteristic parameter information of the SIP messages and their header fields to the header field information processing module.
Because a single algorithm may not accurately judge whether each SIP message and its header fields are anomalous, the invalid header field detection module may combine several algorithms to reduce false positives and false negatives; each algorithm is implemented independently and they can be used alone or in combination.
The invalid header field detection module may adopt, but is not limited to, the following three algorithms.
1. Algorithm 1.
Algorithm 1 detects non-standard header fields contained in the header fields of the SIP messages held in the buffer.
Detection algorithm for a specific header field (the slope algorithm: a specific non-standard header field appears in large numbers within a short time)
Non-standard header field = (header field unsupported by the current system) ∪ ¬(standard header field defined in RFC 3261)
Define the structure Nonstandard_field:
struct Nonstandard_field {
    string  field_name;
    integer field_count;
} nf[n];
Define T1 as the threshold of Nonstandard_field.field_count for this system under normal circumstances;
At the end of each sampling period, perform the following check:
for (int i = 0; i < n; i++) {
    if (nf[i].field_count > T1) {   /* occurrences of this specific non-standard header field exceed the threshold */
        nf[i] is determined as attack field;   /* this header field may carry attack information */
        report nf[i].field_name;
        reset nf[i];
    }
}
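As an added example (not the patent's code), the following Python sketches the filter processing module described above together with the algorithm 1 counter: it parses a SIP message, strips or drops it when a header field is on the black list, and flags non-standard header fields whose count in a sampling period exceeds T1. The header names, the sample INVITE, the black list and the threshold are constructed assumptions.

```python
"""Added example: SIP header-field policy enforcement plus the algorithm 1 counter.
Not the patent's code; header names, thresholds and the sample message are assumed."""
from collections import Counter
from dataclasses import dataclass

# Subset of the header fields RFC 3261 defines (assumed static white list content).
RFC3261_HEADERS = {
    "via", "from", "to", "call-id", "cseq", "contact", "max-forwards",
    "content-length", "content-type", "route", "record-route", "supported",
    "require", "allow", "user-agent", "expires",
}

# Constructed INVITE carrying one custom extension header and one black-listed header.
SAMPLE_INVITE = (
    "INVITE sip:bob@example.com SIP/2.0\r\n"
    "Via: SIP/2.0/UDP pc33.example.com;branch=z9hG4bK776asdhds\r\n"
    "Max-Forwards: 70\r\n"
    "From: Alice <sip:alice@example.com>;tag=1928301774\r\n"
    "To: Bob <sip:bob@example.com>\r\n"
    "Call-ID: a84b4c76e66710@pc33.example.com\r\n"
    "CSeq: 314159 INVITE\r\n"
    "P-Custom-Chat: hi bob\r\n"        # constructed non-standard extension header
    "X-Evil-Payload: AAAAAAAA\r\n"     # constructed header assumed to be black-listed
    "Content-Length: 0\r\n"
    "\r\n"
)


@dataclass
class FilterPolicy:
    """Policy as issued by the policy server: merged static+dynamic lists (lower-case)."""
    white_list: set
    black_list: set
    action: str = "strip"   # "strip" deletes the header field, "drop" discards the packet


def parse_headers(raw):
    """Split a SIP message into (start line, [(name, value), ...], body)."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return lines[0], headers, body


def apply_policy(raw, policy):
    """Filter processing module: return (action taken, message to forward or None)."""
    start, headers, body = parse_headers(raw)
    hits = [n for n, _ in headers if n.lower() in policy.black_list]
    if not hits:
        return "forward", raw
    if policy.action == "drop":
        return "drop", None
    kept = [f"{n}: {v}" for n, v in headers if n.lower() not in policy.black_list]
    return "strip", "\r\n".join([start] + kept) + "\r\n\r\n" + body


def is_nonstandard(name, supported):
    """Non-standard = not supported by this system OR not defined in RFC 3261."""
    n = name.lower()
    return n not in supported or n not in RFC3261_HEADERS


class NonstandardFieldCounter:
    """Algorithm 1: count each non-standard header field within a sampling period."""

    def __init__(self, supported, t1):
        self.supported = supported   # header fields the current system supports (assumed)
        self.t1 = t1                 # threshold T1 for field_count under normal load
        self.counts = Counter()      # nf[i].field_name -> nf[i].field_count

    def observe(self, raw):
        _, headers, _ = parse_headers(raw)
        for name, _ in headers:
            if is_nonstandard(name, self.supported):
                self.counts[name.lower()] += 1

    def end_of_period(self):
        """Report fields whose count exceeded T1 and reset those entries, as in the patent's loop."""
        flagged = sorted(n for n, c in self.counts.items() if c > self.t1)
        for n in flagged:
            del self.counts[n]
        return flagged


if __name__ == "__main__":
    policy = FilterPolicy(set(RFC3261_HEADERS), {"x-evil-payload"})
    print(apply_policy(SAMPLE_INVITE, policy)[0])
    counter = NonstandardFieldCounter(RFC3261_HEADERS, t1=3)
    for _ in range(4):
        counter.observe(SAMPLE_INVITE)
    print(counter.end_of_period())
```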
2. Algorithm 2.
This algorithm detects anomalous SIP messages among the SIP messages held in the buffer according to the behaviour of the SIP messages.
Its basic operating principle is: SIP works on the request/response mechanism of the signaling plane. When the network contains no attack, requests and legal responses stand in a certain proportion; when the network contains an attack, anomalous messages destroy the balance of that proportion and cause y[n] to increase, so observing y[n] effectively tells whether an attack is present. The CUSUM algorithm is widely used for network/transport layer DoS attack detection; here it is introduced into the application layer of the IMS solution to realise anomaly-based detection. The specific implementation process is as follows.
First, the user's normal message behaviour and abnormal message behaviour are defined:
Normal message behaviour includes, but is not limited to: request messages from the UAC (User Agent Client) module to the UAS (User Agent Server) module, and response messages from the UAS module to the UAC module, in normal registration and session flows.
Abnormal message behaviour is defined as behaviour in registration and session flows that does not match normal message behaviour, including but not limited to: improper message behaviour in the registration flow; message behaviour that cannot set up a session or is not part of a legitimate session; and anomalous messages that have no legal subsequent response or subsequent response message.
This algorithm models the normal behaviour of the system and detects anomalous SIP messages with abnormal behaviour in the buffer from the deviation between the real behaviour of the running network and the established normal behaviour model.
The normal behaviour model established by the invention is: SIP works with the UAC initiating requests to the UAS and the UAS responding to those requests. Under normal network conditions, legitimate users' requests are served and responded to according to the actual situation, so requests and responses exist in a certain proportion. When the network contains an attack and the attacker fails to adapt fully to this normal behaviour model, this proportional relation can define the normal behaviour model, and anomalous network behaviour can be detected against it. Building the normal behaviour model requires a trial run of the system for a period during which the system is guaranteed to be free of attack.
The concrete process of this algorithm, based on the CUSUM (cumulative sum) algorithm, is as follows:
1. Parameter definitions:
Define SIP_request_sent_to as the total number of request messages, covering registration and session flows, sent by a specific UAC to a specific UAS within the detection period.
Define SIP_request_response_from (written SIP_response_received_from in the formulas below) as the total number of legal response messages, covering registration and session flows, sent by a specific UAS to the UAC within the detection period; this counter must effectively count normal message behaviour and exclude abnormal message behaviour.
Let {delta[n], n = 0, 1, 2, ...} be the difference between SIP_request_sent_to and SIP_response_received_from within one observation period (1).
delta[n] is related to network size: it is affected by the number of hosts in the network and the length of the observation period. To make the algorithm more general and reduce the influence of such dependencies as far as possible, formula (1) is transformed as follows:
delta[n] = SIP_request_sent_to[n] - SIP_response_received_from[n];   // (n = 0, 1, ...)  (1)
smoothed_fn[0] = 0;
smoothed_fn[n] = α * smoothed_fn[n-1] + (1 - α) * SIP_response_received_from[n];   // (n = 1, 2, ...)
X[n] = delta[n] / smoothed_fn[n];   // (2)
From formula (2), {smoothed_fn[i], i = 0, 1, 2, ...} can be obtained by recursive calculation from SIP_response_received_from; in other words, smoothed_fn[i] can be calculated and updated in real time. n in formulas (1) and (2) is the observation sequence number, and the constant α ∈ [0, 1] is predefined. After the transformation of formula (2), X[n] depends only on the current network traffic and not on the network environment or the length of the observation period, so {X[n], n = 0, 1, 2, ...} can be regarded as a stationary random process.
Let max_avg_X be the maximum expectation of X[n] when the network is under no attack; by formula (3) we obtain X2[n].
X2[n] = X[n] - max_avg_X   // (3)
When the network is under no attack, the mean of {X2[n], n = 0, 1, ...} is less than 0;
y[n] = (y[n-1] + X2[n])+   // (4)
y[0] = 0
In formula (4), x+ = x when x > 0 and x+ = 0 when x <= 0. y[n] is the time series indicating whether a signaling-plane DDoS attack is present at this moment. A threshold Threshold is defined according to the network environment and the predefined security level; if y[n] > Threshold, a signaling DoS attack is judged to have occurred.
if (y[n] > Threshold) {
    ......
    this is attack_flow;
    y[n] = β * Threshold;   // (0 < β < 1)  (5)
}
When a signaling DoS attack appears in the network and is detected by this algorithm, y[n] rises quickly within a short time. The improved CUSUM algorithm cuts down y[n] while the attack is ongoing, feeding back on y[n] in real time, so that y[n] does not accumulate for so long that it cannot fall back below Threshold effectively after the attack ends, which would produce false positives. The improved CUSUM algorithm based on the request/response mechanism can thus determine the end time of a DoS attack effectively.
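Formulas (1) to (5) as an added, runnable example (not the patent's code): a detector fed per-period request and response counts for one UAC/UAS pair, with α, max_avg_X, Threshold, β and the traffic sequence all assumed values; it also runs the same sequence without the cut-down of formula (5) to show why that step matters.

```python
"""Added example: the request/response CUSUM detector of algorithm 2, formulas (1)-(5).
Not the patent's code; alpha, max_avg_X, Threshold, beta and the traffic are assumed."""


class SipCusumDetector:
    """Tracks y[n] for one UAC->UAS pair, one observation period per step() call."""

    def __init__(self, alpha=0.5, max_avg_x=0.1, threshold=2.0, beta=0.5, cut_down=True):
        self.alpha = alpha            # smoothing constant, 0 <= alpha <= 1
        self.max_avg_x = max_avg_x    # max expected X[n] measured in an attack-free trial run
        self.threshold = threshold    # Threshold chosen for the security level
        self.beta = beta              # 0 < beta < 1, used by formula (5)
        self.cut_down = cut_down      # False = classic CUSUM without formula (5)
        self.smoothed_fn = 0.0        # smoothed_fn[0] = 0
        self.y = 0.0                  # y[0] = 0

    def step(self, request_sent_to, response_received_from):
        """Feed SIP_request_sent_to[n] and SIP_response_received_from[n]; return (y[n], attack?)."""
        delta = request_sent_to - response_received_from                      # (1)
        self.smoothed_fn = (self.alpha * self.smoothed_fn
                            + (1 - self.alpha) * response_received_from)       # EWMA of responses
        if self.smoothed_fn > 0:
            x = delta / self.smoothed_fn                                      # (2)
        else:
            x = float(delta)   # assumption: no responses seen yet, avoid division by zero
        x2 = x - self.max_avg_x                                               # (3)
        self.y = max(self.y + x2, 0.0)                                        # (4): (.)+ clamps at 0
        y_n = self.y
        attack = y_n > self.threshold
        if attack and self.cut_down:
            self.y = self.beta * self.threshold                               # (5)
        return y_n, attack


# Constructed per-period (requests, responses) counts: four normal periods,
# two flood periods with mostly unanswered requests, then two normal periods.
CONSTRUCTED_PERIODS = [(100, 98)] * 4 + [(400, 100)] * 2 + [(100, 98)] * 2


def run_periods(detector, periods):
    """Return the attack flag for each period."""
    return [detector.step(req, resp)[1] for req, resp in periods]


if __name__ == "__main__":
    # Improved CUSUM: flags only the two flood periods.
    print(run_periods(SipCusumDetector(), CONSTRUCTED_PERIODS))
    # Classic CUSUM: y[n] stays above Threshold after the flood ends (false positives).
    print(run_periods(SipCusumDetector(cut_down=False), CONSTRUCTED_PERIODS))
```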
3, algorithm 3.
This algorithm detects abnormal SIP messages among the SIP messages saved in the buffer by comparing the actual length of each buffered SIP message with the message-length characteristic of SIP messages of the same type under normal conditions.
When the network and the supported terminals are relatively stable, each kind of message has a characteristic length: for example, the length of an INVITE message is generally distributed between 1380 and 1542 bytes, and the length of a 100 Trying message between 287 and 799 bytes. The actual length of each type of SIP message saved in the buffer is therefore compared with the normal length of SIP messages of the same type; if the deviation of the actual length from the normal length range exceeds the configured legal range, the SIP message is determined to be an abnormal message, and its header field is an invalid header field.
The detection accuracy of this algorithm depends to a great extent on whether new services, new terminals or new network equipment that may change the normal SIP message length ranges have been introduced into the current network. If such new services, terminals or equipment have been introduced, alarm reporting by this algorithm should be disabled, and the normal message-length ranges of all SIP message types should be recalculated and updated while the network is not under attack.
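As an added example (not the patent's code), the length check of algorithm 3 can be written as a per-type profile lookup with a configurable deviation tolerance. The INVITE (1380..1542 bytes) and 100 Trying (287..799 bytes) ranges are the figures quoted above; the tolerance, the message-type extraction from the SIP start line, the `build_message` helper and the sample buffer are constructed for this example.

```python
"""Length-based anomaly check for buffered SIP messages (algorithm 3).

Added example, not code from the patent. Normal ranges for INVITE and
100 Trying are the page's figures; everything else is constructed.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class LengthProfile:
    low: int    # bytes
    high: int   # bytes


# Normal length ranges per message type, in bytes (figures from the page).
NORMAL_LENGTHS: Dict[str, LengthProfile] = {
    "INVITE": LengthProfile(1380, 1542),
    "100 Trying": LengthProfile(287, 799),
}


def message_type(raw: bytes) -> str:
    """Classify a SIP message by its start line: requests by method name,
    responses by status code and reason phrase (e.g. '100 Trying')."""
    start = raw.split(b"\r\n", 1)[0].decode("ascii", "replace")
    parts = start.split(" ", 2)
    if parts[0].startswith("SIP/2.0"):
        return " ".join(parts[1:])       # response, e.g. "100 Trying"
    return parts[0]                      # request, e.g. "INVITE"


def is_length_anomalous(raw: bytes, tolerance: float,
                        profiles: Dict[str, LengthProfile] = NORMAL_LENGTHS) -> bool:
    """True if the actual length lies outside the normal range for the
    message type by more than `tolerance` (a fraction of the range width,
    the 'legal range' of deviation). Types without a profile are not
    checked by this algorithm, so they are never flagged here."""
    prof = profiles.get(message_type(raw))
    if prof is None:
        return False
    slack = tolerance * (prof.high - prof.low)
    return not (prof.low - slack <= len(raw) <= prof.high + slack)


def scan_buffer(buffer: List[bytes], tolerance: float = 0.1) -> List[int]:
    """Indices of buffered messages whose length is anomalous."""
    return [i for i, m in enumerate(buffer) if is_length_anomalous(m, tolerance)]


def build_message(start_line: str, total_len: int) -> bytes:
    """Constructed SIP message padded to an exact total length; only the
    length matters for this check, so the body is filler."""
    head = (f"{start_line}\r\n"
            "Via: SIP/2.0/UDP pep.example.net;branch=z9hG4bK-example\r\n"
            "Call-ID: example@pep.example.net\r\n\r\n").encode()
    if total_len < len(head):
        raise ValueError("total_len smaller than the fixed headers")
    return head + b"x" * (total_len - len(head))


# Constructed buffer contents (labelled by what the check should say).
SAMPLE_BUFFER: List[bytes] = [
    build_message("INVITE sip:bob@example.net SIP/2.0", 1450),   # normal INVITE
    build_message("INVITE sip:bob@example.net SIP/2.0", 3000),   # oversized INVITE
    build_message("SIP/2.0 100 Trying", 500),                     # normal 100 Trying
    build_message("SIP/2.0 100 Trying", 1200),                    # oversized 100 Trying
    build_message("INVITE sip:bob@example.net SIP/2.0", 1550),   # just over, inside tolerance
    build_message("SIP/2.0 180 Ringing", 900),                    # no profile: not checked
]

if __name__ == "__main__":
    print("anomalous indices:", scan_buffer(SAMPLE_BUFFER))   # [1, 3]
```

The tolerance is what makes the check usable in practice: a message a few bytes past the learned range is not an anomaly, and when new terminals or services shift the ranges the profiles must be re-learned on clean traffic, as the text requires.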
After the invalid header field detection module has detected abnormal SIP messages among the SIP messages saved in the buffer, or abnormal header fields contained in those SIP messages, it can further determine whether the abnormal SIP message or abnormal header field contains characteristic parameter information such as malicious information, generate a weight increment (or negative increment) for the header field of the abnormal SIP message or for the abnormal header field, and report this weight increment (or negative increment), together with whether each abnormal SIP message or abnormal header field contains characteristic parameter information such as malicious information, to the header field message processing module.
Step 3-3: the header field message processing module dynamically adjusts the weights of the characteristic header fields recorded in the dynamic black/white list module according to the characteristic parameter information of the abnormal SIP messages or abnormal header fields reported by the invalid header field detection module.
The header field message processing module receives the weight increment (or negative increment) of the header field of the abnormal SIP message or of the abnormal header field reported by the invalid header field detection module, together with whether each abnormal SIP message or abnormal header field contains characteristic parameter information such as malicious information, and then checks whether the header field of this abnormal SIP message or the abnormal header field is already recorded in the dynamic black/white list module.
When the header field of the abnormal SIP message or the abnormal header field is recorded in neither the static black/white list module nor the dynamic black/white list module, the header field message processing module generates an initial weight for this specific header field and adds the specific header field to the corresponding dynamic black or white list according to the relationship between this initial weight and the predefined threshold.
When the header field of the abnormal SIP message or the abnormal header field is already recorded in the dynamic black/white list and appears frequently in the network, the header field message processing module dynamically adjusts the weight of that header field according to the received information and the weight information recorded in the dynamic black/white list, and determines, by analysing the relationship between the weight of this specific header field and the predefined threshold, whether the specific header field should be moved between the dynamic black and white lists; if so, it is moved accordingly.
For example, if a specific header field placed on the dynamic blacklist does not continue to show malicious behaviour during a particular period, its weight is reduced until it falls below a certain threshold A1, and it is then moved to the dynamic white list.
If a specific header field on the dynamic white list shows malicious features during a particular period, its weight is increased until it exceeds a certain threshold A2, and the specific header field is then placed on the temporary blacklist.
The above process of dynamically adjusting the weight of a specific header field can be expressed in the following program language:
Let the weight increment (or decrement) reported by the invalid header field detection module for a specific header field be Power_incr; the dynamic black/white list algorithm for the currently observed header field field[i] is as follows:
if (field[i].property == positive) {   /* the invalid header field detection module judged this specific abnormal header field positive in the detection cycle, so its weight is incremented */
    field[i].power += Power_incr;
    if (field[i].power > A2) {   /* if the weight exceeds the legal header field upper limit A2, judge it to be attack information and put it on the blacklist */
        field[i] is set to dynamic-blacklist
    }
}
else if (field[i].property == negative) {   /* the invalid header field detection module judged this specific abnormal header field negative in the detection cycle, so its weight is decremented */
    field[i].power -= Power_incr;
    if (field[i].power < A1) {   /* if the weight falls below the invalid header field lower limit A1, judge that this header field no longer has attack features and put it on the white list */
        field[i] is set to dynamic-whitelist
    }
}
In the above program, A1 == A2 may be configured. This configuration helps a header field that was placed on the dynamic blacklist by misjudgment to recover quickly, but an intermittent attack carrying a particular attack header field would then make that header field jump frequently back and forth between the dynamic black and white lists, which poses a certain threat to system processing resources and network stability.
Alternatively, A1 < A2 may be configured. In this configuration, once a specific header field has been placed on the dynamic blacklist, it remains restricted for a period even if its traffic characteristics are benign for some time, until its behaviour is good enough (i.e. field[i].power < A1 < A2) for it to be moved to the dynamic white list; this may, however, produce a higher false alarm rate. The relationship between A1 and A2 therefore needs to be tuned to actual conditions so as to strike a balance between factors such as system detection accuracy and stability.
When the header field of the abnormal SIP message or the abnormal header field is recorded in the dynamic black/white list but has not appeared in the network for a long time, aging processing is applied to this specific header field information.
The principle of aging is: if a specific header field has not appeared in the network for a long time, the situation concerning this header field is considered no longer to exist, so the resources allocated to this header field are reclaimed, both to conserve network resources and to prevent a hacker from designing a resource-exhaustion attack against this protection system.
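As an added example (not the patent's code), the weight logic above, the A1/A2 hysteresis and the aging rule can be combined into one small structure. Power_incr, A1, A2, the initial weight (placed on the blacklist only if it already exceeds A2), the aging horizon in detection cycles and the intermittent report pattern are all constructed values; the page does not fix them.

```python
"""Weight-driven dynamic black/white list for specific header fields,
with A1/A2 thresholds and aging of entries not seen for a long time.

Added example, not code from the patent. All numeric parameters and the
simulated positive/negative report sequence are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class FieldEntry:
    power: float
    lst: str            # "blacklist" or "whitelist"
    last_seen: int      # detection cycle in which the field last appeared
    moves: int = 0      # number of list changes (a flapping indicator)


class DynamicLists:
    def __init__(self, a1: float, a2: float, power_incr: float,
                 initial_power: float, aging_cycles: int):
        if a1 > a2:
            raise ValueError("A1 must not exceed A2")
        self.a1, self.a2 = a1, a2
        self.power_incr = power_incr
        self.initial_power = initial_power
        self.aging_cycles = aging_cycles
        self.entries: Dict[str, FieldEntry] = {}

    def report(self, name: str, positive: bool, cycle: int) -> str:
        """Apply one detection-cycle report for header field `name`
        (positive = malicious features seen). Returns the list the field
        is on after the update."""
        e = self.entries.get(name)
        if e is None:
            # Not recorded yet: the initial weight decides the initial list
            # (assumed rule: blacklist only if it already exceeds A2).
            initial_list = "blacklist" if self.initial_power > self.a2 else "whitelist"
            e = FieldEntry(self.initial_power, initial_list, cycle)
            self.entries[name] = e
        e.last_seen = cycle
        if positive:
            e.power += self.power_incr
            if e.power > self.a2 and e.lst != "blacklist":
                e.lst, e.moves = "blacklist", e.moves + 1
        else:
            e.power -= self.power_incr
            if e.power < self.a1 and e.lst != "whitelist":
                e.lst, e.moves = "whitelist", e.moves + 1
        # Between A1 and A2 the field keeps its current list (hysteresis).
        return e.lst

    def age(self, cycle: int) -> List[str]:
        """Reclaim entries not seen for `aging_cycles` cycles; returns the
        names removed so the caller can log the reclaimed resources."""
        stale = [n for n, e in self.entries.items()
                 if cycle - e.last_seen >= self.aging_cycles]
        for n in stale:
            del self.entries[n]
        return stale


def simulate(pattern: List[bool], a1: float, a2: float) -> int:
    """Feed an intermittent positive/negative report pattern for one
    constructed header field and return how many list moves it caused."""
    dl = DynamicLists(a1, a2, power_incr=1.0, initial_power=0.0, aging_cycles=10)
    for cycle, positive in enumerate(pattern):
        dl.report("X-Constructed-Header", positive, cycle)
    return dl.entries["X-Constructed-Header"].moves


# Constructed intermittent attack: 4 malicious cycles, then alternating
# 2 benign / 2 malicious cycles.
PATTERN = [True] * 4 + [False, False, True, True] * 4

if __name__ == "__main__":
    print("A1 == A2 == 3 moves:", simulate(PATTERN, 3, 3))   # flaps: 9
    print("A1 = 1, A2 = 3 moves:", simulate(PATTERN, 1, 3))  # stays blacklisted: 1
```

With A1 == A2 the intermittent pattern moves the field between lists on almost every change of behaviour, which is the jolting the text warns about; with A1 < A2 the field stays on the blacklist until its weight has genuinely decayed below A1.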
Step 3-4: the policy distribution module generates the filtering policy and delivers it to the policy enforcement component, and the policy enforcement component filters SIP packets carrying invalid header fields according to the obtained filtering policy.
The policy distribution module in the policy server obtains the complete invalid header field and legal header field lists, together with the corresponding weight information of all invalid and legal header fields, from the static black/white list module and the dynamic black/white list module, formats the obtained invalid and legal header field lists, and generates the corresponding filtering policy.
The policy enforcement component periodically downloads the filtering policy from the policy distribution module and executes it: according to the obtained filtering policy, it controls the protocol stack of the SIP proxy entity to filter SIP packets carrying invalid header fields listed on the static blacklist and the dynamic blacklist. The filtering policy includes, but is not limited to, deleting the specific header field information or deleting the whole SIP packet. The protocol stack of the SIP proxy entity is controlled not to filter SIP packets carrying legal header fields listed on the static white list and the dynamic white list.
Because detection based on abnormal signaling-plane messages may produce a certain degree of false alarms in specific circumstances, in practical applications the reporting module in the policy enforcement component and the invalid header field detection module can be disabled, together with the dynamic black/white list function, in order to guarantee that no false alarms occur. The policy distribution module then generates the filtering policy only from the static black/white list module, and the policy enforcement component filters SIP packets according to this filtering policy. This scheme provides a runnable policy in the initial stage, before the system fully implements dynamic updating of the black/white lists, and can effectively reduce the system's false alarm rate, at the cost of the system no longer being able to detect unknown attack message header fields.
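As an added example (not the patent's or any vendor's code), a policy enforcement component can apply a downloaded policy to SIP packets as follows. The policy format (a header field name with an optional value substring, plus an action of either `strip` or `drop`), the rule that a white-list match on a field exempts it from filtering, and the sample packets are constructed here; the page only states that the policy may delete the specific header field or the whole packet and that white-listed fields are not filtered. The parser does not handle folded (multi-line) header values or compact header names, which a production stack must.

```python
"""Enforcing a header-field filtering policy on SIP packets (Step 3-4).

Added example, not code from the patent. Policy format, precedence of the
white list over the black list, and the sample packets are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class FieldRule:
    name: str                      # header field name, compared case-insensitively
    value_contains: Optional[str]  # None matches any value of that field

    def matches(self, hname: str, hvalue: str) -> bool:
        if hname.lower() != self.name.lower():
            return False
        return self.value_contains is None or self.value_contains in hvalue


@dataclass(frozen=True)
class FilterPolicy:
    invalid: List[FieldRule]   # static blacklist + dynamic blacklist
    legal: List[FieldRule]     # static white list + dynamic white list
    action: str                # "strip" (delete the field) or "drop" (delete the packet)


def split_packet(raw: bytes) -> Tuple[str, List[Tuple[str, str]], bytes]:
    """Split a SIP packet into start line, (name, value) headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("utf-8", "replace").split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return lines[0], headers, body


def enforce(raw: bytes, policy: FilterPolicy) -> Optional[bytes]:
    """Return the packet to forward (possibly with fields stripped), or
    None if the whole packet is to be dropped."""
    start, headers, body = split_packet(raw)
    kept: List[Tuple[str, str]] = []
    hit = False
    for name, value in headers:
        legal = any(r.matches(name, value) for r in policy.legal)
        invalid = (not legal) and any(r.matches(name, value) for r in policy.invalid)
        if invalid:
            hit = True
            continue            # strip this field from the forwarded packet
        kept.append((name, value))
    if hit and policy.action == "drop":
        return None
    head = "\r\n".join([start] + [f"{n}: {v}" for n, v in kept])
    return head.encode() + b"\r\n\r\n" + body


# Constructed policy: a blacklisted custom header, a blacklisted User-Agent
# value, and a white-listed User-Agent value that must never be filtered.
INVALID_RULES = [FieldRule("X-Constructed-Evil", None),
                 FieldRule("User-Agent", "constructed-bad-agent")]
LEGAL_RULES = [FieldRule("User-Agent", "constructed-good-agent")]
STRIP_POLICY = FilterPolicy(INVALID_RULES, LEGAL_RULES, "strip")
DROP_POLICY = FilterPolicy(INVALID_RULES, LEGAL_RULES, "drop")

# Constructed sample packets.
PKT_CLEAN = (b"INVITE sip:bob@example.net SIP/2.0\r\n"
             b"Via: SIP/2.0/UDP pep.example.net;branch=z9hG4bK-c1\r\n"
             b"User-Agent: constructed-good-agent/1.0\r\n"
             b"Call-ID: c1@pep.example.net\r\n\r\n")
PKT_EVIL = (b"INVITE sip:bob@example.net SIP/2.0\r\n"
            b"Via: SIP/2.0/UDP pep.example.net;branch=z9hG4bK-c2\r\n"
            b"X-Constructed-Evil: 1\r\n"
            b"Call-ID: c2@pep.example.net\r\n\r\n")
PKT_BAD_UA = (b"INVITE sip:bob@example.net SIP/2.0\r\n"
              b"Via: SIP/2.0/UDP pep.example.net;branch=z9hG4bK-c3\r\n"
              b"User-Agent: constructed-bad-agent/1.0\r\n"
              b"Call-ID: c3@pep.example.net\r\n\r\n")

if __name__ == "__main__":
    print(enforce(PKT_EVIL, STRIP_POLICY))   # forwarded without X-Constructed-Evil
    print(enforce(PKT_EVIL, DROP_POLICY))    # None: packet dropped
```

The static-only mode described above is simply this enforcer loaded with a policy whose lists come from the static module alone; the enforcement path is unchanged, which is why it can run before the dynamic lists are trusted.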
The distributed computing architecture of the multi-network-element IMS solution is consistent with the distributed detection and filtering, and centralized management, modules of the SIP message invalid header field detection and control proposed in the present invention. The mobile network security architecture described above can be deployed in IMS; based on the idea of layered defence, the optional deployment schemes of the SIP message invalid header field detection and control architecture in IMS are as follows:
The centrally implemented policy server may optionally be implemented on the same physical node as the OMU (Operation and Maintenance System), or may be managed independently by a dedicated server in the local domain; the policy server communicates with the PEP module in a trusted manner over the network management interface. According to the characteristics of the protected network element, the PEP deployment schemes include the following:
Scheme 1: deployment scheme for protecting the IMS core against access-layer signaling-plane attacks (PCSCF (Proxy Call Session Control Function) implemented in the local domain)
Depending on each IMS equipment supplier's specific implementation, there are mainly two deployment modes on the access side of IMS: one is the PCSCF edge deployment mode, in which the SBC and the PCSCF are integrated on the same equipment; the other deploys the SBC on the access side and the PCSCF as a core network element. According to the specific SBC implementation, SBCs are further divided into two modes, signaling NAT and signaling proxy.
For the case where the SBC (Session Border Controller) and the PCSCF are co-located, in order to protect the IMS core at the signaling plane against SIP signaling attacks from the terminal side, the PEP is deployed on all edge PCSCFs of the IMS core.
For the case where the SBC and the PCSCF are deployed separately, the PEP is deployed for the PCSCF. At the same time, based on the idea of defence in depth, attack data flows are detected and filtered as close to the front end of IMS as possible: where the SBC effectively supports an SBC signaling proxy and the SBC version implements the PEP, a PEP enforcement module may be deployed on the SBC signaling proxy module. Where the SBC does not support a signaling proxy, the SBC cannot encode and decode SIP messages, so the PEP enforcement module cannot be implemented on the SBC in that case.
Scheme 2: deployment scheme for protecting the IMS core against access-layer signaling-plane attacks (PCSCF implemented in the visited domain)
A schematic diagram of this scheme is shown in Figure 4. The visited-domain PCSCF may belong to a different operator from the local IMS core, and their network management interfaces cannot be docked directly; in this situation a PEP implemented on the visited-domain PCSCF cannot communicate with the local policy server, so the policy server and the PEP are required to be implemented together on the visited-domain PCSCF. Since the information reported by a single PEP node in this situation may be insufficient for effective decision making, it is suggested that the dynamic black/white list be disabled and only the feature-based static black/white list mechanism be implemented in this situation.
Scheme 3: deployment scheme for protecting the IMS core against inter-operator interface signaling attacks.
A schematic diagram of this scheme is shown in Figure 5. The inter-operator interface must, on the one hand, ensure that the local office is not affected by attack data flows from the peer office, and on the other hand ensure that the local office does not send attack data flows to the peer office. According to the definitions of the relevant 3GPP protocols, the ICSCF (Interrogating Call Session Control Function) is responsible for communication between the local IMS domain and the peer IMS office, and the BGCF is responsible for interworking between the local IMS domain and the peer CS domain.
For the case where the ICSCF provides interworking between the IMS domains of different offices, the sampling and reporting module of the PEP policy enforcement component needs to be divided into an In-Bound part and an Out-Bound part: the Out-Bound part is responsible for sampling and reporting attack data flows from the local IMS core to the peer office, and the In-Bound PEP module is responsible for sampling and reporting attack data flows from the peer office to the local office. The policy enforcement function of the PEP policy enforcement component may optionally not distinguish In-Bound from Out-Bound and execute the filtering policy in a uniform manner.
For the case where the BGCF (Border Gateway Control Function) provides interworking between the local IMS domain and the peer CS domain: given that the CS (circuit switched) domain network is more closed, that traffic from CS domain terminals undergoes multiple protocol conversions between core network elements, and that a large number of special devices are used, attacks from the CS domain against the IMS domain are difficult to carry out. The BGCF therefore only needs to detect and filter in the direction from the IMS domain to the CS domain: a PEP policy enforcement component implemented on the BGCF functional module of the local IMS domain, communicating in a trusted manner with the local policy server, provides detection and filtering of attack data flows from the local IMS domain to the peer CS domain.
Scheme 4: deployment scheme for protecting application servers (AS, Application Server)
A schematic diagram of this scheme is shown in Figure 6. The application server and the local IMS core communicate over a standard SIP interface, and a specific AS and the IMS core may be provided by different operating equipment suppliers. It is assumed here that the SIP protocol stack and application programs of an AS cannot be strictly required to have the same security level as the IMS core under signaling-plane attacks; it is also considered that a specific AS may be used by a hacker as an attack source to launch attacks against the IMS core or other network elements. For the SCSCF (Serving Call Session Control Function), which communicates directly with the AS, a PEP deployment method similar to that of the inter-operator interface ICSCF is used: the same policy enforcement component executes the filtering policy, and sampling and reporting of attack data flows are implemented separately according to whether the attack data flow goes from the IMS core to the AS or originates from the AS and is destined for the IMS core.
The above are only preferred embodiments of the present invention, but the protection scope of the present invention is not limited thereto; any variation or replacement that a person skilled in the art could easily conceive within the technical scope disclosed by the present invention shall be encompassed within the protection scope of the present invention. Therefore, the protection scope of the present invention shall be determined by the protection scope of the claims.

Claims (13)

1. A system for detecting and filtering invalid header fields, characterised in that it comprises a policy server and a policy enforcement component, wherein:
the policy server is used to configure legal and invalid header field lists, generate a filtering policy for invalid header fields according to the legal and invalid header field lists, and deliver the filtering policy to the policy enforcement component;
the policy enforcement component is used to execute the filtering policy delivered by the policy server and, according to the filtering policy, filter packets carrying invalid header fields listed in the invalid header field list.
2. The system according to claim 1, characterised in that the system further comprises:
a log server, used to keep statistical records of the invalid header field information listed in the invalid header field list detected by the policy server and report it to the system administrator.
3. The system according to claim 1, characterised in that the policy enforcement component specifically comprises:
a filtering module, used to periodically download the filtering policy from the policy server and execute it and, according to the filtering policy, filter packets carrying invalid header fields listed in the invalid header field list;
a reporting module, used to sample the packets that need to be detected and filtered and report them to the policy server.
4. The system according to claim 3, characterised in that the policy server specifically comprises:
a static black/white list module, used to configure static legal and invalid header field lists at system initialisation, the intersection of the header fields contained in the static legal header field list and the static invalid header field list being the empty set;
a dynamic black/white list module, used to configure dynamic legal and invalid header field lists during system operation, each specific header field in the dynamic legal and invalid header field lists being configured with a corresponding weight;
a policy distribution module, used to obtain the invalid header field and legal header field lists from the static black/white list module and the dynamic black/white list module, generate the filtering policy for invalid header fields, and deliver this filtering policy to the policy enforcement component.
5. The system according to claim 4, characterised in that the policy server further comprises:
a header field parameter detection module, used to detect each specific header field carried in the packets reported by the policy enforcement component, judge whether each specific header field contains malicious features, obtain the parameter information of each specific header field and pass it to the header field message processing module;
a header field message processing module, used to determine the weight of each specific header field according to the parameter information of each specific header field passed from the header field parameter detection module and the weight information of the corresponding specific header field recorded in the dynamic black/white list module, and to place each specific header field in the corresponding dynamic legal or invalid header field list.
6. The system according to any one of claims 1 to 5, characterised in that the policy server and the policy enforcement component are integrated on the same node, or the policy server and the policy enforcement components are distributed on different nodes, with one policy server corresponding to one or more policy enforcement components.
7. The system according to claim 6, characterised in that the system is deployed in an IP Multimedia Subsystem (IMS) system.
8. The system according to claim 7, characterised in that the packets comprise Session Initiation Protocol (SIP) message packets of the IP Multimedia Subsystem (IMS) solution.
9. A method for detecting and filtering invalid header fields, characterised in that it comprises the steps:
A. configuring legal and invalid header field lists, and generating a filtering policy for invalid header fields according to the legal and invalid header field lists;
B. according to the filtering policy, filtering packets carrying invalid header fields listed in the invalid header field list.
10. The method according to claim 9, characterised in that step A specifically comprises:
A1. configuring static legal and invalid header field lists at system initialisation, the intersection of the header fields contained in the static legal and invalid header field lists being the empty set;
A2. configuring dynamic legal and invalid header field lists during system operation according to the parameter information of the specific header fields of each sampled and cached packet, each specific header field in the dynamic legal and invalid header field lists being configured with a corresponding weight;
A3. obtaining the invalid header field and legal header field lists from the static and dynamic legal and invalid header field lists, and generating the filtering policy for invalid header fields.
11. The method according to claim 10, characterised in that step A2 specifically comprises:
A21. within a set sampling period, sampling the packets of messages that need to be detected and filtered, and caching the sampled packets;
A22. detecting each cached packet, determining whether the specific header field of each packet contains malicious features, and obtaining the parameter information of the specific header field of each packet;
A23. determining the weight of each specific header field according to the parameter information of each specific header field and the weight information of the corresponding specific header field recorded in the dynamic black/white list module, and placing each specific header field in the corresponding dynamic legal or invalid header field list.
12. The method according to claim 11, characterised in that step A23 specifically comprises:
when the specific header field of the cached packet is not recorded in the static or dynamic legal and invalid header field lists, generating an initial weight for the specific header field according to the obtained parameter information of the specific header field, and adding the specific header field to the corresponding dynamic legal or invalid header field list according to the relationship between the initial weight and a predefined threshold;
when the specific header field of the cached packet is recorded in the dynamic legal and invalid header field lists, dynamically adjusting the weight of the specific header field according to the obtained parameter information of the specific header field, and moving the specific header field within the dynamic legal and invalid header field lists accordingly according to the relationship between the adjusted weight of the specific header field and the predefined threshold.
13. The method according to claim 9, 10, 11 or 12, characterised in that step B specifically comprises:
according to the filtering policy, deleting packets carrying invalid header fields listed in the static and dynamic invalid header field lists; or deleting from the packets the invalid header fields listed in the static and dynamic invalid header field lists.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CNB2006101456604A CN100550912C (en) 2006-11-23 2006-11-23 The system and method that invalid header field is detected and filters

Publications (2)

Publication Number Publication Date
CN1968280A true CN1968280A (en) 2007-05-23
CN100550912C CN100550912C (en) 2009-10-14

Family

ID=38076815

Family Applications (1)

Application Number Title Priority Date Filing Date
CNB2006101456604A Expired - Fee Related CN100550912C (en) 2006-11-23 2006-11-23 The system and method that invalid header field is detected and filters

Country Status (1)

Country Link
CN (1) CN100550912C (en)

Cited By (14)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2010054558A1 (en) * 2008-11-13 2010-05-20 华为终端有限公司 Method, device and system for realizing the security mechanism of multimedia ringing tone services
CN101115232B (en) * 2007-08-28 2010-12-08 中国联合网络通信集团有限公司 Roaming control method and system for accessing to IP multimedia subsystem network through SBC
CN101459561B (en) * 2009-01-09 2011-05-04 北京邮电大学 Apparatus and method for detecting SIP message flooding attack based on CUSUM algorithm
CN102075924A (en) * 2010-11-22 2011-05-25 北京邮电大学 Session state based method and system for detecting vulnerability of internet protocol (IP) multimedia subsystem (IMS)
CN102075939A (en) * 2010-12-31 2011-05-25 华为技术有限公司 Method, equipment and system for preventing service embezzlement
CN102148720A (en) * 2010-11-22 2011-08-10 北京邮电大学 Method and system for detecting distributed denial of service (DDoS) vulnerability of internet protocol (IP) multimedia subsystem
CN101459677B (en) * 2009-01-09 2012-02-29 北京邮电大学 Detection method for SIP message flooding attack
CN103927481A (en) * 2013-12-17 2014-07-16 哈尔滨安天科技股份有限公司 Malicious code detecting method and system based on character string weight adjusting
CN104094575A (en) * 2012-02-14 2014-10-08 瑞典爱立信有限公司 Method and apparatus for improved handling of ims node blacklisting
CN105959250A (en) * 2015-10-22 2016-09-21 杭州迪普科技有限公司 Network attack black list management method and device
CN109040126A (en) * 2018-09-18 2018-12-18 中国人民解放军战略支援部队信息工程大学 The detection device and method of IMS network SIP flood attack
CN109040127A (en) * 2018-09-18 2018-12-18 中国人民解放军战略支援部队信息工程大学 The detection device and method of Diameter flood attack
CN110535808A (en) * 2018-05-24 2019-12-03 华为技术有限公司 A kind of monitoring of tools, deregistering method and device
CN111917789A (en) * 2020-08-08 2020-11-10 詹能勇 Data processing method based on big data and Internet of things communication and cloud computing platform

Cited By (23)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101115232B (en) * 2007-08-28 2010-12-08 中国联合网络通信集团有限公司 Roaming control method and system for accessing to IP multimedia subsystem network through SBC
CN102257784B (en) * 2008-11-13 2016-04-06 华为终端有限公司 A kind of method, equipment and system realizing security mechanism of multimedia ringing tone services
WO2010054558A1 (en) * 2008-11-13 2010-05-20 华为终端有限公司 Method, device and system for realizing the security mechanism of multimedia ringing tone services
CN101459677B (en) * 2009-01-09 2012-02-29 北京邮电大学 Detection method for SIP message flooding attack
CN101459561B (en) * 2009-01-09 2011-05-04 北京邮电大学 Apparatus and method for detecting SIP message flooding attack based on CUSUM algorithm
CN102075924A (en) * 2010-11-22 2011-05-25 北京邮电大学 Session state based method and system for detecting vulnerability of internet protocol (IP) multimedia subsystem (IMS)
CN102148720A (en) * 2010-11-22 2011-08-10 北京邮电大学 Method and system for detecting distributed denial of service (DDoS) vulnerability of internet protocol (IP) multimedia subsystem
CN102075924B (en) * 2010-11-22 2013-03-27 北京邮电大学 Session state based method and system for detecting vulnerability of internet protocol (IP) multimedia subsystem (IMS)
CN102148720B (en) * 2010-11-22 2013-10-23 北京邮电大学 Method and system for detecting distributed denial of service (DDoS) vulnerability of internet protocol (IP) multimedia subsystem
CN102075939B (en) * 2010-12-31 2013-04-17 华为技术有限公司 Method, equipment and system for preventing service embezzlement
CN102075939A (en) * 2010-12-31 2011-05-25 华为技术有限公司 Method, equipment and system for preventing service embezzlement
CN104094575A (en) * 2012-02-14 2014-10-08 瑞典爱立信有限公司 Method and apparatus for improved handling of ims node blacklisting
US10063495B2 (en) 2012-02-14 2018-08-28 Telefonaktiebolaget Lm Ericsson (Publ) Method and apparatus for improved handling of IMS node blacklisting
CN103927481A (en) * 2013-12-17 2014-07-16 哈尔滨安天科技股份有限公司 Malicious code detecting method and system based on character string weight adjusting
CN105959250A (en) * 2015-10-22 2016-09-21 杭州迪普科技有限公司 Network attack black list management method and device
CN110535808A (en) * 2018-05-24 2019-12-03 华为技术有限公司 A kind of monitoring of tools, deregistering method and device
US11689565B2 (en) 2018-05-24 2023-06-27 Huawei Technologies Co., Ltd. Device monitoring method and apparatus and deregistration method and apparatus
CN109040126A (en) * 2018-09-18 2018-12-18 中国人民解放军战略支援部队信息工程大学 The detection device and method of IMS network SIP flood attack
CN109040127A (en) * 2018-09-18 2018-12-18 中国人民解放军战略支援部队信息工程大学 The detection device and method of Diameter flood attack
CN109040126B (en) * 2018-09-18 2020-10-30 中国人民解放军战略支援部队信息工程大学 Detection device and method for SIP flooding attack of IMS network
CN109040127B (en) * 2018-09-18 2020-11-03 中国人民解放军战略支援部队信息工程大学 Detection device and method for Diameter flooding attack
CN111917789A (en) * 2020-08-08 2020-11-10 詹能勇 Data processing method based on big data and Internet of things communication and cloud computing platform
CN111917789B (en) * 2020-08-08 2021-05-18 湖南嘉杰信息技术有限公司 Data processing method based on big data and Internet of things communication and cloud computing platform

Also Published As

Publication number Publication date
CN100550912C (en) 2009-10-14

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20091014

Termination date: 20191123