EP1698144A1 - Method for detecting and preventing illicit uses of certain network protocols without altering their lawful uses - Google Patents
- Publication number
- EP1698144A1
- Authority
- EP
- European Patent Office
- Prior art keywords
- flow
- counter
- protocol
- authentication
- delay
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Withdrawn
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1416—Event detection, e.g. attack signature detection
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1441—Countermeasures against malicious traffic
- H04L63/145—Countermeasures against malicious traffic the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms
Definitions
- the present invention relates to a method for detecting and preventing illicit uses of certain network protocols without altering their lawful uses. It finds application in particular in the security of IP networks. It provides an effective response to different types of attacks which are characterized by a sudden increase in the throughput of the corrupted protocol, denial of service attacks and hidden channels in particular. It finds a particularly effective use on public wireless networks with paid access (hot spot).
- the invention has in particular two aspects. The throughput of the protocols concerned is a criterion for detection and a means of eradicating the attack.
- the invention is based on the use of a delay function which causes any packet received by the system to be retransmitted with a delay. This is negligible when there is no attack and becomes significant when an attack is detected, to the point of rendering the network unusable for the attacker.
- the method of the invention is independent of the technique on which the IP network is built: Ethernet, IEEE 802.11, GPRS, etc.
- the method of the invention provides, among other things, an effective solution to fraud known as firewall piercing (or hidden channels). These fraud techniques allow information flows normally prohibited to be passed through filtering equipment by encapsulating them in authorized flows.
- the invention makes it possible to solve this problem in difficult cases which hitherto were without solution.
- the method of the invention has the advantage of preventing fraud without having any significant negative influence on lawful uses of the network. More generally, any attack or fraud based on an unusual exchange of data with the outside of a local network is easily treatable by the present invention, provided that it causes a significant increase in the throughput normally consumed by the corrupted protocol. Thus, certain denial of service attacks (attacks consisting in rendering a service unusable for other users by pure intention to harm) can also be treated. This applies particularly well to networks, called networks
- hot spot being a radio frequency coverage area on which a suitably equipped terminal can connect and obtain access to the Internet network, subject to the payment of a sum paid in advance or deducted from the subscription invoice to a provider of access to a communication network such as the customer's GSM network.
- the invention preferably applies to "signaling" protocols such as DNS, ICMP or EAP (which carries an authentication method), that is, protocols that are used only to operate other Internet protocols, but do not directly transport useful data belonging to users.
- These “signaling” protocols are very different from data transport protocols in that they operate at normally low and known rates. If these signaling protocols were to be used during an attack as transport protocols, this would result in an abnormally high number of requests and responses.
- the invention also applies to transport protocols. It applies in particular to the protection of low speed transport protocols, totally or partially. In particular, the invention makes it possible to treat protocols like DNS (so-called signaling protocol).
- the "http" protocol is a protocol with a highly asymmetrical throughput: a low rate from the terminal to the server, which corresponds to requests, and a high rate in the other direction, which corresponds to the html pages served in response. If a hidden channel fraud on http breaks this characteristic of an http connection, that is to say if the upstream rate suddenly became abnormally high, then the invention would be able to block this traffic.
- the present invention relates to a method of protecting network protocols without altering their lawful uses which consists, for an input data packet flow, in applying a delay function for each packet, insufficient to hinder lawful use, but sufficient to hinder illicit use.
- Figure 1 represents a sequence according to a protocol to be protected;
- Figure 2 represents a time graph of the throughput of flows monitored according to another protocol to be protected, in the event of an unblocked attack and in the event of an attack blocked by the method of the invention;
- Figure 3 is a block diagram of a flow processing equipment to be monitored in the method of the invention;
- Figure 4 is a flow diagram of a particular embodiment of the method of the invention;
- Figure 5 is a diagram explaining the various scenarios in a first example of application of the invention;
- Figure 6 is a time graph explaining a scenario in a second example of application of the invention.
- the first attack technique can be used on IP-type networks. Such networks can be company networks, the Internet or "hot spots".
- the second attack technique is specific to "hot spot" networks, and particularly targets the GSM authentication server interconnected to a "hot spot" network.
- terminals connected to an IP network operated by a company, by a telecommunications operator or by an Internet service provider are not free to make any type of connection. There are three main reasons for this. A first reason is that the network is a production network and we do not want users to make indirect use of it for entertainment, personal enrichment or nuisance to others. A second reason is that the network is paid for and it is advisable to authorize only the flows for which the user has paid a fee. A third reason is that authorizing more connections than is necessary for the proper functioning of the organization owning the network can only be an occasion for illicit use.
- a filtering operation for flows entering and leaving the network is generally performed on equipment at the network border such as filtering routers or firewalls (in the following, this type of equipment is collectively referred to as "firewalls").
- this equipment must allow unrestricted passage of other essential protocols such as the ICMP protocol (RFC 792) or the DNS protocol (RFC 1034).
- Hot spot type networks which use the SIM card authentication method are based on a communication protocol called "EAP-SIM" which is defined in published standards.
- This protocol allows GSM authentication between a customer of a hot spot service, and a GSM mobile operator.
- GSM authentication requires some resources (system load). A large number of authentication requests can cause a loss of quality of service, both for customers of conventional GSM services, and for customers of services on Wi-Fi networks.
- Figure 1 shows an authentication scheme using the EAP-SIM method.
- a requester 1 on the communications network sends an authentication request 2 according to an 802.11 protocol to an authentication resource 3.
- the authentication resource performs an authentication operation and produces an authentication response 4 according to an AAA protocol to an authentication server 5.
- the authentication server 5 produces in response an authentication message 6 which is transmitted according to the SS7 protocol to an authentication center 7.
- the operating mode is as follows: The attacker signals to the access point that he is ready to authenticate (EAPOL_Start); The access point then asks the attacker to give his identity (EAP-Request/Identity); The attacker therefore responds with an identity (Network Access Identifier (RFC 2486), or NAI) contained in EAP-Response/Identity; The access point relays the attacker's response to the proxy-RADIUS; The proxy-RADIUS analyzes the content of the NAI identity and relays the response to the operator's RADIUS server using the content of the NAI (after the @ symbol); The operator's RADIUS server analyzes the request containing the NAI identity (in particular the IMSI code); The operator's RADIUS server then requests the attacker to authenticate with GSM authentication (EAP- Request
- Firewalls are the systems usually used to control flows on a network. They are generally placed between two subnets and analyze the packets which pass through them.
- IP / ICMP: the system analyzes the content of the header fields (source / destination IP address, ICMP type and code);
- IP / TCP, UDP: the system analyzes the content of the header fields (source / destination IP address, TCP / UDP port);
- Session: the system performs a complete analysis of a session initialization to establish a communication on a particular protocol and thus ensures that the incoming packets actually correspond to outgoing packets.
- the method of the invention offers self-adaptive filtering of suspicious traffic which makes it possible: - to quickly block suspicious flows; - to automatically release the blocking once the situation has returned to normal; - to offer each type of attack a suitable response in terms of blocking speed, rate limit and speed of blocking release, as will be described below for the function f(); - to avoid completely blocking a legitimate but overly abundant flow, by only slowing it down, as will be described later for the "sub-normal" operating mode. Traffic therefore continues to pass, even if the service is slightly degraded. A conventional firewall would completely block it.
- the flow control systems make it possible to allocate part of the total bandwidth available to a type of flow, in particular to avoid situations of congestion. e quality of service management.
- FIG. 2 shows the response in terms of throughput to a hidden channel attack on DNS.
- shown on the same time graph are: the throughput 12 characteristic of a protocol protected by the method of the invention when an attack occurs; the throughput 8 characteristic of a protocol protected by a flow control system during the same attack; the throughput 9 characteristic of a protocol without any protection during the same attack as that provided for the throughputs 8 and 12.
- the throughput increases relatively rapidly along a slope 10, then the traffic remains substantially constant with random oscillations around a flow rate value of established speed.
- a flow control a flow control system of the state of the art
- the attacker's flow rises more slowly than in the previous case and then remains constant, blocked at a threshold value which corresponds at least to the flow 8 of a signaling protocol most demanding in terms of speed.
- the attacker's throughput passes through a maximum 13 then decreases until it is canceled out more or less quickly as will be described later. It can be seen in FIG. 2 that the rate control system cannot do better than limit the bandwidth available for attack.
- the method of the invention makes it possible to make the flow rate tend towards zero with a configurable convergence speed. From this point of view, the invention is much more effective than flow control systems in preventing hidden channel attacks.
- the intrusion detection systems operate by analyzing the flows circulating on the arteries by means of a probe. This sends the collected data to an "intelligent" system which interprets it and possibly sends an alarm if something suspicious occurs. These systems can also possibly order a firewall to cut traffic.
- IPS intrusion prevention system
- the IDS system is directly coupled with a firewall, the analyzed flow passing through this equipment.
- IDS systems are known to have serious drawbacks: - they are very expensive because of the technology of the probe which must be able to analyze a large amount of traffic; - they are not very reliable because, like any automatic recognition system, they issue unjustified alarms (false positive) and vice versa allow attacks to pass (false negative); - they only try to detect known attacks. The response they provide to an attack is not satisfactory. In the case of an IDS system, an alarm is sent to a human operator who must react accordingly.
- the permanent presence of an operator is also unthinkable on a small network.
- the response is no better than that of a firewall and we will refer above for the analysis.
- the method of the invention can be implemented either in specific equipment, or as an additional function in flow processing equipment already present - such as for example a router, a firewall or a DNS server. In all cases, it is essential that all of the traffic to be controlled passes through this equipment.
- Such flow processing equipment, shown diagrammatically in FIG. 3, comprises an input interface 15 and an output interface 17; the traffic arriving on the input interface is re-emitted on the output interface according to a logic defined by the method of the invention.
- the flow Fie is retransmitted on the output interface as flow Fjs with a delay of variable length: either too short to be noticeable by "honest" users, or too long to allow a dishonest user to pass unauthorized data. From a physical point of view, both interfaces can be implemented on the same network card. The distinction between entry and exit is valid for traffic going in one direction. If the invention also treats traffic in the other direction, the roles of the interfaces are reversed.
- the designation of the classes of flows to be monitored is first carried out. The designation of the stream classes to be monitored can be based on the value of certain fields of the IP packet such as this.
- IPsec gateways RFC 2401
- firewalls For example, we can retain a designation of the stream classes by a combination of the following values: a source IP address or range, a destination IP address or range, a higher level protocol (UDP, TCP, ICMP ...), a port number, a value of a field in the higher level protocol part.
- any protocol field readable and interpretable by the equipment can be retained as a selection criterion, whatever its level in the protocol stack.
- the implementation of a complete stream class designation system is not necessarily necessary.
- the clamping mechanism for the flows to be monitored is then armed.
- a flow Fj is detected on the input interface 15 of the flow processing equipment
- a counter associated with this flow is dynamically created.
- CPTN the associated counter.
- the processor 16 for processing the flows implements a mechanism for clamping the unauthorized flows.
- a surveillance test is executed on each arriving packet: if it does not belong to a flow under surveillance, it is immediately retransmitted on the output interface 17 during a step 23.
- in a test 24, it is checked whether the arriving packet belongs to a stream under surveillance.
- the function f () is called the delay function.
- the counter CPTN is decremented by one step, for example by one unit, during a step 26.
- the method of the invention then includes a mechanism for relaxing the monitoring of a flow.
- when the CPTN counter reaches a sufficiently low value, this means that there is no longer any attempt to transmit illegal traffic.
- the CPTN counter can then be deleted and the traffic is no longer under surveillance. This property is not essential, however: traffic can remain under surveillance indefinitely.
- a new counter CPTN is assigned to its stream and step 25 is performed.
- the delay function f is not necessarily unique for all stream classes. Thus we can delay a DNS stream with a function f1 and an ICMP stream with a function f2. The delay function f must be at least increasing so that the more traffic the attacker sends, the more his traffic is delayed.
- a delay function f with a positive second derivative will quickly block the attacker's flow.
- f(CPTN) = exp(⁇ * CPTN + ⁇) with ⁇ > _0.
- a counter CPTMAXN can also be used: if the number of packets awaiting transmission exceeds the value CPTMAXN configured by the administrator, then the pending packets are destroyed according to an algorithm to be chosen. The purpose of this functionality is to avoid saturation of the resources of the invention.
- a DNS server local to the network to be protected. We will now describe the attack developing without the intervention of the method of the invention.
- a local network 30 with flow control is often built according to a plan presented in the diagram of FIG. 5.
- the local network contains terminals, a copy of which is represented at 34, a DNS server, called local DNS 31 and a router / firewall 32 which interconnects the local network 30 with another network 33 such as the Internet.
- the router / firewall 32 is configured to prohibit certain flows, for example “ftp” flows.
- the terminal 34 will encapsulate the “ip” packets which transport the “ftp” stream in DNS packets on DNS stream paths 37, for example, by coding information in specific fields of the packet.
- the DNS request can only be processed by the pirate DNS server 38 under the control of the pirate outside the local network, by judiciously choosing the domain names of the request.
- the pirate DNS machine 38 can then transfer the packets to the “ftp” server 39 requested by the terminal. Traffic in the opposite direction takes exactly the opposite direction.
- hidden channel attacks on DNS will be completely blocked. 1) In the specific case described in FIG. 5, there is no need to implement management of the stream classes and of the streams under surveillance. In fact, only DNS flows pass through this machine. 2) Furthermore, we can monitor all DNS flows by associating each terminal with a flow to be monitored, that is to say by creating a counter CPTN for each terminal and never erasing it.
- the fields used for the control mechanism will be contained in the data of the EAP-SIM authentication mechanism. Indeed, it is possible to know to which operator EAP-SIM authentication is requested (in the form user@operatorGSM). It is therefore possible to implement the invention at the hot spot, to protect all GSM operators from this type of attack by denial of service. Then, the control mechanism is executed within the normal framework of the invention (see FIG. 3), which makes it possible to limit the number of authentication requests thanks to a behavioral analysis on the transport of the authentication. It is noted that the present invention also includes a use for detecting illicit uses. In fact, the protocol in one embodiment of the invention also includes a step for detecting a change in the bit rate associated with a monitored stream characteristic of illicit use.
- the method of the invention makes it possible to produce an alarm of such illicit use.
- Such an alarm signal is transmitted to a network administrator who can take any measure, in particular by keeping an incident history, by seeking the identity of the authors of such illicit uses and by applying any subsequent measure to reduce access to such authors.
- GSM Global System for Mobile Communications
- ICMP Internet Control Message Protocol
- IP Internet Protocol
- NAI Network Access Identifier
- TCP Transport Control Protocol
- UDP User Datagram Protocol
- IDS Intrusion Detection System
- HTTP Hyper Text Transfer Protocol (hypertext file transfer protocol)
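
The per-flow counter CPTN, the delay function f() and the CPTMAXN limit described above, as an added simulation that is not part of the patent text. The exponential form follows the page; the coefficient names and values (`ALPHA`, `BETA`), counting a packet on arrival, and dropping the newest packet on overflow are assumptions.

```python
import heapq
import math

# Assumed parameters (not from the patent): an idle delay f(1) of 20 ms,
# growth coefficient 0.5, and at most 20 packets awaiting transmission.
ALPHA = 0.5
BETA = math.log(0.020) - ALPHA
CPT_MAX = 20


class DelayShaper:
    """Per-flow counter CPTN and exponential delay function f(CPTN)."""

    def __init__(self, alpha=ALPHA, beta=BETA, cpt_max=CPT_MAX):
        self.alpha, self.beta, self.cpt_max = alpha, beta, cpt_max
        # flow id -> min-heap of release times; its length is the counter CPTN
        self.pending = {}

    def delay(self, cpt):
        return math.exp(self.alpha * cpt + self.beta)

    def _release_due(self, flow, now):
        heap = self.pending.get(flow)
        if heap is None:
            return
        while heap and heap[0] <= now:
            heapq.heappop(heap)        # packet retransmitted: CPTN decremented
        if not heap:
            del self.pending[flow]     # relaxation: counter deleted at zero

    def on_packet(self, flow, now):
        """Return the retransmission time of the packet, or None if dropped."""
        self._release_due(flow, now)
        heap = self.pending.setdefault(flow, [])   # create counter if needed
        if len(heap) >= self.cpt_max:
            return None                # assumed overflow policy: drop newest
        release = now + self.delay(len(heap) + 1)  # assumed: count on arrival
        heapq.heappush(heap, release)
        return release


def run(shaper, flow, rate_pps, duration_s):
    """Send a constant-rate flow through the shaper and summarize the outcome."""
    sent = int(rate_pps * duration_s)
    delays, dropped, delivered = [], 0, 0
    for i in range(sent):
        now = i / rate_pps
        release = shaper.on_packet(flow, now)
        if release is None:
            dropped += 1
            continue
        delays.append(release - now)
        if release <= duration_s:
            delivered += 1
    return {"sent": sent, "dropped": dropped, "delivered": delivered,
            "max_delay": max(delays, default=0.0)}


if __name__ == "__main__":
    shaper = DelayShaper()
    # Constructed traffic: a resolver-like client at 2 packets/s and a
    # tunnel-like sender at 200 packets/s, both observed for 10 seconds.
    for name, rate in (("10.0.0.5", 2), ("10.0.0.66", 200)):
        print(name, run(shaper, name, rate, 10))
```
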
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Health & Medical Sciences (AREA)
- General Health & Medical Sciences (AREA)
- Virology (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
- Computer And Data Communications (AREA)
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
FR0350929A FR2863128A1 (fr) | 2003-11-28 | 2003-11-28 | Method for detecting and preventing illicit uses of certain network protocols without altering their lawful uses |
PCT/FR2004/002872 WO2005064886A1 (fr) | 2003-11-28 | 2004-11-08 | Method for detecting and preventing illicit uses of certain network protocols without altering their lawful uses |
Publications (1)
Publication Number | Publication Date |
---|---|
EP1698144A1 (fr) | 2006-09-06 |
Family
ID=34566377
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
EP04805415A Withdrawn EP1698144A1 (fr) | Method for detecting and preventing illicit uses of certain network protocols without altering their lawful uses | 2003-11-28 | 2004-11-08 |
Country Status (5)
Country | Link |
---|---|
EP (1) | EP1698144A1 (fr) |
JP (1) | JP2007512745A (fr) |
CN (1) | CN1906911A (fr) |
FR (1) | FR2863128A1 (fr) |
WO (1) | WO2005064886A1 (fr) |
-
2003
- 2003-11-28 FR FR0350929A patent/FR2863128A1/fr active Pending
-
2004
- 2004-11-08 CN CNA2004800404993A patent/CN1906911A/zh active Pending
- 2004-11-08 WO PCT/FR2004/002872 patent/WO2005064886A1/fr active Application Filing
- 2004-11-08 EP EP04805415A patent/EP1698144A1/fr not_active Withdrawn
- 2004-11-08 JP JP2006540506A patent/JP2007512745A/ja active Pending
Also Published As
Publication number | Publication date |
---|---|
WO2005064886A1 (fr) | 2005-07-14 |
JP2007512745A (ja) | 2007-05-17 |
CN1906911A (zh) | 2007-01-31 |
FR2863128A1 (fr) | 2005-06-03 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PUAI | Public reference made under article 153(3) epc to a published international application that has entered the european phase |
Free format text: ORIGINAL CODE: 0009012 |
|
17P | Request for examination filed |
Effective date: 20060626 |
|
AK | Designated contracting states |
Kind code of ref document: A1 Designated state(s): AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HU IE IS IT LI LU MC NL PL PT RO SE SI SK TR |
|
RIN1 | Information on inventor provided before grant (corrected) |
Inventor name: CHARLES, OLIVIER Inventor name: VEYSSET, FRANCK Inventor name: BUTTI, LAURENT |
|
RIN1 | Information on inventor provided before grant (corrected) |
Inventor name: CHARLES, OLIVIER Inventor name: VEYSSET, FRANCK Inventor name: BUTTI, LAURENT |
|
DAX | Request for extension of the european patent (deleted) | ||
RAP1 | Party data changed (applicant data changed or rights of an application transferred) |
Owner name: FRANCE TELECOM |
|
STAA | Information on the status of an ep patent application or granted ep patent |
Free format text: STATUS: THE APPLICATION IS DEEMED TO BE WITHDRAWN |
|
18D | Application deemed to be withdrawn |
Effective date: 20100601 |