EP1749255A1 - Classement par priorite d'alertes detectees (Prioritizing detected alerts) - Google Patents
- Publication number
- EP1749255A1
- Authority
- EP
- European Patent Office
- Prior art keywords
- importance
- alerts
- risk assessment
- assessment value
- malicious program
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Ceased
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1416—Event detection, e.g. attack signature detection
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/552—Detecting local intrusion or implementing counter-measures involving long-term monitoring or reporting
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/56—Computer malware detection or handling, e.g. anti-virus arrangements
- G06F21/562—Static detection
- G06F21/564—Static detection by virus signature recognition
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1425—Traffic logging, e.g. anomaly detection
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1441—Countermeasures against malicious traffic
- H04L63/145—Countermeasures against malicious traffic the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms
Definitions
- the present disclosure relates to intrusion detection and, more specifically, to prioritizing intrusion detection logs.
- worms may be able to propagate by themselves without having to be executed by users.
- Worms can be a particularly catastrophic form of malicious programs. Worms can infect a computer network and quickly commandeer network resources to aid in the worm's further propagation.
- malicious code for example worms
- a destructive payload can be delivered.
- Destructive payloads can have many harmful consequences. For example, valuable hardware and/or data can be destroyed, sensitive information can be compromised and network security measures can be circumvented.
- businesses may often employ antivirus programs, intrusion detection systems and/or intrusion protection systems.
- Antivirus programs are generally computer programs that can be used to scan computer systems to detect malicious computer code embedded within infected computer files. Malicious code can then be removed from infected files, the infected files may be quarantined or the infected file may be deleted from the computer system.
- Intrusion detection systems and intrusion protection systems are generally systems that can be implemented on a computer network that monitor the computer network to detect anomalous traffic that can be indicative of a potential problem, for example a worm infection. IDSs may be either active or passive. Active IDSs may take affirmative measures to remedy a potential infection when found while passive IDSs may be used to alert a network administrator of the potential problem. The network administrator is a person with responsibilities for the maintenance of computer systems and/or networks.
- IDSs often attempt to identify the presence of network infection by analyzing packets of data that are communicated over the network.
- Antivirus programs often attempt to identify the presence of infection by analyzing files and memory locations of a specific computer. Packets, files and memory locations are generally examined and compared with signatures of known malicious programs. When a signature matches a packet, file or memory location, a malicious program infection may have been detected.
- IDSs and antivirus programs that rely on signatures for the detection of malicious programs will generally keep a database of signatures for known malicious programs. IDSs and antivirus programs should be regularly updated to incorporate new signatures corresponding to newly discovered malicious programs into the signature database. If no signature has been received and installed for a particular malicious program, the IDS or antivirus program might not be able to identify the malicious program.
- signature detection is generally a highly accurate method for detecting malicious programs
- signature detection may be prone to detecting multiple instances of malicious programs that are not necessarily a threat to the computer system or network.
- IDSs and antivirus programs may also rely on heuristics recognition for detecting malicious programs. Heuristic virus scans and IDSs may be able to intelligently estimate whether computer code is a malicious program by examining the behavior and characteristics of the computer code. This technique relies on programmed logic called heuristics to make its determinations. Heuristic recognition of malicious programs may not require the use of signatures to detect a malicious program. Heuristic recognition therefore has the advantage of being effective even against new and unknown malicious programs.
- heuristic recognition can be prone to misjudgment such as generating false negatives and false positives.
- When a scanned malicious program is not recognized as such, the heuristic recognition has generated a false negative.
- When the heuristic recognition has incorrectly categorized a program as malicious, a false positive has been generated.
- Because signature detection may lead to multiple instances of malicious programs that are not necessarily a threat to the computer system or network, and heuristic recognition may lead to false positives, important alerts in the alert log can often be hard to notice when surrounded by a great number of alerts of less significance.
- a method for detecting malicious programs including scanning data to be scanned to detect a malicious program infection, generating an alert when a malicious program infection has been detected and adding the alert to an alert log along with information pertaining to an importance of the detected malicious program infection.
- a method for displaying an alert log including one or more alerts the method including prioritizing the one or more alerts according to an importance of each of the one or more alerts and displaying the one or more alerts according to the priority.
- a system for detecting malicious programs including a scanning unit for scanning data to be scanned to detect a malicious program infection, a generating unit for generating an alert when a malicious program infection has been detected and an adding unit for adding the alert to an alert log along with information pertaining to an importance of the detected malicious program infection.
- a system for displaying an alert log including one or more alerts, the system including a prioritizing unit for prioritizing the one or more alerts according to an importance of each of the one or more alerts and a displaying unit for displaying the one or more alerts according to the priority.
- a computer system including a processor and a program storage device readable by the computer system, embodying a program of instructions executable by the processor to perform method steps for detecting malicious programs, the method including scanning data to be scanned to detect a malicious program infection, generating an alert when a malicious program infection has been detected and adding the alert to an alert log along with information pertaining to an importance of the detected malicious program infection.
- a computer system including a processor and a program storage device readable by the computer system, embodying a program of instructions executable by the processor to perform method steps for displaying an alert log including one or more alerts, the method including prioritizing the one or more alerts according to an importance of each of the one or more alerts and displaying the one or more alerts according to the priority.
- FIG. 1 shows an example of the scanning of data according to embodiments of the present disclosure
- FIG. 2 shows a procedure for displaying an alert log according to embodiments of the present disclosure
- FIG. 3A shows an example of the displaying of an alert log that has been overcrowded
- FIG. 3B shows an example of the displaying of an alert log according to an embodiment of the present disclosure
- FIG. 4 shows an example of a computer system capable of implementing the method and apparatus according to embodiments of the present disclosure.
- FIG. 1 shows an example of how data can be scanned according to embodiments of the present disclosure.
- Data to be scanned may be files located on a computer or server, data stored in memory on a computer or server or packets of data that are communicated across a computer network.
- Data may be periodically scanned as part of a periodic system scan or data can be scanned as files are executed or packets are communicated.
- Data to be scanned may first be sent to a data stack 11.
- the data stack stores data to be scanned so that data can continue to be collected even as the scanner 12 may be engaged in the scanning of other data.
- Data stack 11 stores units of data.
- a unit of data may be a part of a file, an entire file, data packets, etc.
- This data stack 11 can be particularly effective when the data to be scanned is comprised of packets that have been communicated over the network. This is because packets can often arrive much more quickly than data can be scanned by the scanner 12. When data to be scanned is comprised of packets, communication of packets should not be disrupted.
- data to be scanned is comprised of files or memory data collected as part of a system scan
- the system scan can be delayed to collect additional data at the same rate that data is scanned by the scanner 12.
- the scanner 12 compares collected data with signatures stored in the signature database 13.
- a signature is a representation of a malicious program that allows the scanner 12 to identify when data is potentially infected with the malicious program for which the signature has been created.
- a common technique for producing a signature is to compute the hash value of a malicious program.
- a hash value is a very large number that can be used to identify a file.
- the hash value can be determined by performing a mathematical algorithm on the data that makes up the file in question.
- the hash value of a file is not generally affected by changing the file's attributes such as renaming the file, changing the file's creation date and/or changing the file's size. For these reasons, the use of hash values can be well suited for the identification of potentially malicious programs. These and other techniques may be used to generate signatures according to the present disclosure.
- the signature may also include a risk assessment value.
- the risk assessment value need not be used to identify a malicious program. Instead, the risk assessment value can be used to gauge the nature of the threat posed by data that matches a particular signature.
- the risk assessment value may be included with the signature by the signature developer, the person or program that has created the signature.
- the risk assessment value may be based on such factors as the potential for damage to computer systems and networks caused by the malicious program upon which the signature has been developed and/or the likelihood that the potential damage will occur.
- Risk assessment values may be created or modified by the network administrator, for example, where no risk assessment value has been included in the signature by the signature developer or the network administrator otherwise believes modification of the risk assessment values would be appropriate.
- the scanner 12 computes the hash value of the data being scanned and compares it to the hash values within the signature database 13. If using alternative forms of signatures other than hash values, the scanner 12 computes an appropriate signature for the data being scanned and compares it with the signatures in the signature database 13. It can then be determined 14 if the data being scanned corresponds to a signature in the signature database 13. If there is no corresponding signature found, the data stack 11 can supply the scanner 12 with the next unit of data to be scanned. When a match is made, an alert can be generated 35.
- the signature database 13 can include or be replaced by a database of heuristics.
- Heuristics are the logical definitions used by the heuristic scanner to judge whether the data being scanned has been infected by a malicious program. Risk assessment heuristics may be incorporated into the heuristic scanner to gauge the risks posed by an observed infection. If the heuristic scanner determines that a unit of data is not infected with a malicious program, the data stack 11 supplies the scanner 12 with the next unit of data so the next unit of data can be scanned. When the heuristic scanner has determined that the data could be infected by a malicious program, an alert can be generated by the alert generator 15. The alert can then be stored in an alert log 16.
- the heuristic scanner can also pass to the alert generator 15 information pertaining to the confidence level in the match and/or a risk assessment value, for example, calculated by risk assessment heuristics, which can also be stored along with alerts in the alert log 16.
- An alert can be a notification that notifies the network administrator of the detection of a potential malicious program.
- alerts can be automatically sent to the network administrator, for example by email or by pager.
- An alert can report the key attributes that gave rise to the match.
- the alert can contain information pertaining to the time the match was made, the source of the data that was matched, the name of the signature that made the match, etc.
- Alerts according to the present disclosure can also include the risk assessment value supplied by a signature scanner or a heuristic scanner and/or information pertaining to the confidence level in the match, for example, as obtained by a heuristic scanner.
- the alert log 16 can be one or more databases of generated alerts. By storing alerts in the alert log 16, the administrator may periodically review generated alerts when convenient to do so.
- the data stack 11 may supply the scanner 12 with the next unit of data to be scanned so that data may continue to be scanned. The scanning of data may end when there is no data left to scan, as would be the case, for example, upon the completion of a periodic system scan.
- the scanning of data may be a continuing process.
- the displaying of the alert log 16 can be problematic because the alert log 16 has the potential to include significantly more information than can easily be parsed by the network administrator.
- Signature scanning and heuristic scanning techniques can contribute to the overcrowding of the alert log 16.
- not all malicious programs represent the same risks to the computer system or network that the malicious program has been detected on.
- instances of Nmap probes may be detected by signature scanners.
- Nmap is a publicly available utility for probing a network device, for example an application server, to determine what network services may have been made available by the application server.
- While Nmap has practical uses for maintaining a computer network, instances of Nmap probes can also be warning signs of a potential malicious attack by a malicious program or a user with malicious intent. For this reason, signature scanners will often scan for the presence of an Nmap probe signature. However, the presence of an Nmap probe is most likely harmless. Nmap probes are one example of a signature match that might not always be of importance to the network administrator. There may be many other signatures that detect the presence of malicious programs with a low potential for causing damage. However, such signatures may still be added to the signature database 13 because under certain conditions they may indicate a potential threat. The developer can add an indication to the database 13 for each of these signatures showing that they are of low importance. Code red is an example of a particularly harmful malicious program.
- Code red is a computer virus that can force a web server to attempt to contact other web servers, change the appearance of web pages on the web server and send out floods of packets tying up network resources.
- signature or signatures corresponding to code red are added to the signature database 13 by the developer, an indication is also provided that this is a high importance signature.
- an alert identifying a match with a code red signature would indicate it is of high importance.
- Heuristic scanners can contribute to alert log 16 overcrowding. Because heuristic scanners use logic to make judgments on whether data is infected with a malicious program, there may be an opportunity for false positives.
- a false positive is an alert that has been generated indicating a malicious program has been detected even when no such malicious program infection actually exists. It may be possible for the sensitivity of the heuristic scanner to be adjusted to produce fewer false positives, but to do so might increase the probability of a false negative. False negatives are malicious program infections that have been missed by the heuristic scanner. While false positives can contribute to alert log 16 overcrowding, false negatives can allow a malicious program to go undetected and potentially inflict significant damage on computer systems and networks. Therefore adjusting the sensitivity of the heuristic scanner might not always be the best solution for overcrowding of the alert log 16 caused by false positives.
- Because heuristic scanners use logic to make judgments on whether data is infected with a malicious program, it is often possible for the heuristic scanner to pass along information pertaining to the heuristic scanner's confidence in the match. According to embodiments of the present disclosure, confidence information can then be incorporated into the alert for the particular match.
- high importance alerts such as, for example, a code red match
- Fig. 3A shows an example of the displaying of an alert log that has been overcrowded. Alerts 31-40 and 41-48 depict Nmap probe matches of low importance. Alert 41 depicts a code red match of high importance.
- Fig. 2 shows a procedure for displaying an alert log 16 according to embodiments of the present disclosure.
- Alerts within the alert log 16 can be prioritized (Step S21) according to, for example, such values as the potential damage that can be caused by the malicious program detected, the probability that the damage will occur, the confidence information signifying how confident the scanner was in making its determination that a malicious program has been detected, statistical information, risk assessment values associated with signatures and/or supplied by the developer of the signatures, etc.
- Statistical information includes, for example, statistics concerning the frequency of a particular match, wherein commonly matched malicious programs, for example Nmap probes, may be perceived as less of a threat.
- a category can be assigned to each alert within the alert log 16.
- Alert categories may be, for example, high importance and low importance.
- Nmap probe matches would be categorized as low importance and code red matches categorized as high importance.
- Fig. 3B shows an example of an alert display according to an embodiment of the present disclosure. Prioritized alerts can then be displayed (Step S22) according to the determined importance in such a way that greater attention is given to alerts of higher priority. For example, only high importance alerts may be initially displayed along with an option to expand the display to show low importance alerts.
- the alerts may be re-prioritized (Step S21) so that all alerts can be displayed (Step S22).
- the network administrator is given the option of clicking on the Expand button 50 in order to provide the more comprehensive display as shown in Fig. 3A.
- Other methods for potentially displaying alerts can be provided according to the present disclosure.
- the complete list of alerts may be displayed in priority order.
- high importance alerts may be displayed with particular prominence, for example, highlighted, bolded, underlined, set aside, etc.
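The prioritization (Step S21) and display (Step S22) procedure, as an added example in Python that is not the applicant's code. It assumes a 0..1 scale for risk assessment and confidence values, a multiplicative scoring rule (risk times confidence times a frequency discount), and a constructed alert log; the signature names, hosts and threshold are illustrative.

```python
"""Alert-log prioritization modelled on Steps S21/S22 of the disclosure.

Added example, not the applicant's code.  Assumed (not from the page):
a 0..1 scale for risk assessment and confidence values, and the
multiplicative scoring rule  score = risk * confidence * frequency_discount.
"""
from __future__ import annotations

import math
from collections import Counter
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Signature database 13: signature name -> developer-supplied risk
# assessment value (constructed values on the assumed 0..1 scale).
SIGNATURE_DB = {"NMAP_PROBE": 0.2, "CODE_RED": 0.95}


@dataclass
class Alert:
    time: datetime
    source: str
    signature: str
    risk: float              # risk assessment value carried with the alert
    confidence: float = 1.0  # 1.0 for a signature match; heuristic scanners supply their own
    category: str = field(default="", init=False)
    score: float = field(default=0.0, init=False)


def frequency_discount(count: int) -> float:
    """Statistical factor: a commonly matched signature is perceived as less
    of a threat.  Floored at 0.5 so that a flood of a genuinely dangerous
    signature (Code Red sends floods of packets) is never demoted to low."""
    return max(0.5, 1.0 / (1.0 + math.log(count)))


def prioritize(log: list[Alert], overrides: dict[str, float] | None = None,
               high_threshold: float = 0.4) -> list[Alert]:
    """Step S21: score and categorize each alert; return the log sorted by
    descending importance.  `overrides` models the administrator replacing a
    developer-supplied risk assessment value for a signature."""
    overrides = overrides or {}
    counts = Counter(a.signature for a in log)
    for a in log:
        risk = overrides.get(a.signature, a.risk)
        a.score = risk * a.confidence * frequency_discount(counts[a.signature])
        a.category = "high" if a.score >= high_threshold else "low"
    return sorted(log, key=lambda a: a.score, reverse=True)


def display(log: list[Alert], expand: bool = False) -> list[str]:
    """Step S22: render high-importance alerts; low-importance ones stay
    collapsed behind an Expand option (Fig. 3B) unless expand=True (Fig. 3A)."""
    lines = [f"[{a.category.upper():<4}] {a.time:%Y-%m-%d %H:%M:%S} {a.source:<12} "
             f"{a.signature:<22} score={a.score:.2f}"
             for a in log if expand or a.category == "high"]
    hidden = sum(a.category == "low" for a in log)
    if hidden and not expand:
        lines.append(f"... {hidden} low-importance alert(s) hidden  [Expand]")
    return lines


def build_sample_log() -> list[Alert]:
    """Constructed alert log 16: 17 Nmap probe matches crowding out one Code
    Red match and one heuristic match of moderate confidence."""
    t0 = datetime(2004, 4, 22, 9, 0, 0)
    log = [Alert(t0 + timedelta(minutes=i), f"10.0.0.{i + 1}", "NMAP_PROBE",
                 SIGNATURE_DB["NMAP_PROBE"]) for i in range(17)]
    log.append(Alert(t0 + timedelta(minutes=5), "10.0.0.99", "CODE_RED",
                     SIGNATURE_DB["CODE_RED"]))
    # Heuristic scanner verdict: no signature, so the risk comes from risk
    # assessment heuristics and the confidence from the scanner itself.
    log.append(Alert(t0 + timedelta(minutes=11), "10.0.0.42",
                     "HEUR_SELF_REPLICATION", risk=0.7, confidence=0.6))
    return log


if __name__ == "__main__":
    ordered = prioritize(build_sample_log())
    print("\n".join(display(ordered)))                # collapsed view (Fig. 3B)
    print("\n".join(display(ordered, expand=True)))   # after clicking Expand (Fig. 3A)
```

The floor in `frequency_discount` is the defender's caveat: a purely frequency-based discount would otherwise bury a high-risk signature precisely when it is firing most.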
- FIG. 4 shows an example of a computer system which may implement the method and system of the present disclosure.
- the system and method of the present disclosure may be implemented in the form of a software application running on a computer system, for example, a mainframe, personal computer (PC), handheld computer, server, etc.
- the software application may be stored on a recording media locally accessible by the computer system and accessible via a hard wired or wireless connection to a network, for example, a local area network, or the Internet.
- system 100 may include, for example, a central processing unit (CPU) 102, random access memory (RAM) 104, a printer interface 106, a display unit 108, a local area network (LAN) data transmission controller 110, a LAN interface 112, a network controller 114, an internal bus 116, and one or more input devices 118, for example, a keyboard, mouse etc.
- the system 100 may be connected to a data storage device, for example, a hard disk, 120 via a link 122.
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- General Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- Software Systems (AREA)
- Virology (AREA)
- Health & Medical Sciences (AREA)
- Computing Systems (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- General Physics & Mathematics (AREA)
- Physics & Mathematics (AREA)
- General Health & Medical Sciences (AREA)
- Debugging And Monitoring (AREA)
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
PCT/US2004/012628 WO2005114354A1 (fr) | 2004-04-22 | 2004-04-22 | Classement par priorite d'alertes detectees |
Publications (1)
Publication Number | Publication Date |
---|---|
EP1749255A1 true EP1749255A1 (fr) | 2007-02-07 |
Family
ID=34957701
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
EP04822017A Ceased EP1749255A1 (fr) | 2004-04-22 | 2004-04-22 | Classement par priorite d'alertes detectees |
Country Status (2)
Country | Link |
---|---|
EP (1) | EP1749255A1 (fr) |
WO (1) | WO2005114354A1 (fr) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US9392003B2 (en) | 2012-08-23 | 2016-07-12 | Raytheon Foreground Security, Inc. | Internet security cyber threat reporting system and method |
Families Citing this family (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US7574740B1 (en) | 2000-04-28 | 2009-08-11 | International Business Machines Corporation | Method and system for intrusion detection in a computer network |
US9124621B2 (en) * | 2012-09-27 | 2015-09-01 | Hewlett-Packard Development Company, L.P. | Security alert prioritization |
Family Cites Families (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US7228565B2 (en) * | 2001-05-15 | 2007-06-05 | Mcafee, Inc. | Event reporting between a reporting computer and a receiving computer |
ATE374493T1 (de) * | 2002-03-29 | 2007-10-15 | Global Dataguard Inc | Adaptive behaviour-based intrusion detection |
- 2004
  - 2004-04-22 EP EP04822017A patent/EP1749255A1/fr not_active Ceased
  - 2004-04-22 WO PCT/US2004/012628 patent/WO2005114354A1/fr active Application Filing
Non-Patent Citations (1)
Title |
---|
See references of WO2005114354A1 * |
Also Published As
Publication number | Publication date |
---|---|
WO2005114354A1 (fr) | 2005-12-01 |
Similar Documents
Publication | Publication Date | Title
---|---|---
US20050240781A1 (en) | | Prioritizing intrusion detection logs
Beaman et al. | | Ransomware: Recent advances, analysis, challenges and future research directions
US7779468B1 (en) | | Intrusion detection and vulnerability assessment system, method and computer program product
US8141132B2 (en) | | Determining an invalid request
US9888024B2 (en) | | Detection of security incidents with low confidence security events
US8341745B1 (en) | | Inferring file and website reputations by belief propagation leveraging machine reputation
JP5510937B2 (ja) | | Simplified transmission of entity reputation scores
CA2545916C (fr) | | Apparatus, method and medium for detecting payload anomalies using the n-gram distribution of normal data
US7945787B2 (en) | | Method and system for detecting malware using a remote server
US8239944B1 (en) | | Reducing malware signature set size through server-side processing
US9262638B2 (en) | | Hygiene based computer security
JP6104149B2 (ja) | | Log analysis device, log analysis method and log analysis program
US7448084B1 (en) | | System and methods for detecting intrusions in a computer system by monitoring operating system registry accesses
EP1708114B1 (fr) | | Aggregating the knowledge base of computer systems to proactively protect a computer against malicious programs
KR101377014B1 (ko) | | Method and system for diagnosing malicious code based on an immune database
US7231637B1 (en) | | Security and software testing of pre-release anti-virus updates on client and transmitting the results to the server
US8365283B1 (en) | | Detecting mutating malware using fingerprints
US20080134333A1 (en) | | Detecting exploits in electronic objects
CN113282928B (zh) | | Malicious file processing method, apparatus, system, electronic device and storage medium
US11258811B2 (en) | | Email attack detection and forensics
US11372971B2 (en) | | Threat control
Mohata et al. | | Mobile malware detection techniques
WO2005114354A1 (fr) | | Classement par priorite d'alertes detectees (Prioritizing detected alerts)
AU2006203522A1 (en) | | Determining an Invalid Request
Legal Events
Code | Title | Description
---|---|---
PUAI | Public reference made under article 153(3) epc to a published international application that has entered the european phase | Free format text: ORIGINAL CODE: 0009012
17P | Request for examination filed | Effective date: 20061122
AK | Designated contracting states | Kind code of ref document: A1; Designated state(s): AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HU IE IT LI LU MC NL PL PT RO SE SI SK TR
DAX | Request for extension of the european patent (deleted) |
RIC1 | Information provided on ipc code assigned before grant | Ipc: G06F 21/00 20060101ALI20090625BHEP; Ipc: H04L 29/06 20060101AFI20090625BHEP
17Q | First examination report despatched | Effective date: 20090717
APBK | Appeal reference recorded | Free format text: ORIGINAL CODE: EPIDOSNREFNE
APBN | Date of receipt of notice of appeal recorded | Free format text: ORIGINAL CODE: EPIDOSNNOA2E
APBR | Date of receipt of statement of grounds of appeal recorded | Free format text: ORIGINAL CODE: EPIDOSNNOA3E
APBD | Information on interlocutory revision deleted | Free format text: ORIGINAL CODE: EPIDOSDIRAPE
APBV | Interlocutory revision of appeal recorded | Free format text: ORIGINAL CODE: EPIDOSNIRAPE
APBV | Interlocutory revision of appeal recorded | Free format text: ORIGINAL CODE: EPIDOSNIRAPE
REG | Reference to a national code | Ref country code: DE; Ref legal event code: R003
STAA | Information on the status of an ep patent application or granted ep patent | Free format text: STATUS: THE APPLICATION HAS BEEN REFUSED
18R | Application refused | Effective date: 20110528