WO2017028789A1 - Network attack detection method and device - Google Patents
- Publication number
- WO2017028789A1 (PCT/CN2016/095714)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- model
- attack
- probability
- tuple
- word
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1425—Traffic logging, e.g. anomaly detection
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04B—TRANSMISSION
- H04B1/00—Details of transmission systems, not covered by a single one of groups H04B3/00 - H04B13/00; Details of transmission systems not characterised by the medium used for transmission
- H04B1/38—Transceivers, i.e. devices in which transmitter and receiver form a structural unit and in which at least one part is used for functions of transmitting and receiving
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1416—Event detection, e.g. attack signature detection
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1441—Countermeasures against malicious traffic
- H04L63/145—Countermeasures against malicious traffic the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1441—Countermeasures against malicious traffic
- H04L63/1483—Countermeasures against malicious traffic service impersonation, e.g. phishing, pharming or web spoofing
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/01—Protocols
- H04L67/02—Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
Definitions
- the present application relates to the field of network security, and in particular, to a network attack detection method and device.
- Network attacks are an important hidden danger affecting network security.
- In order to ensure the safe operation of the network it is necessary to detect the attack behaviors in the network in time.
- Existing cyber attack detection techniques use regular expressions in the feature library to match network transmission data such as HTTP (HyperText Transfer Protocol) requests to determine whether there is an attack in the transmitted data.
- This method depends on a large feature library of regular expressions, but the library often has blind spots, and its features are often interdependent, which raises the cost of adding new features; a new feature may even interfere with old features and cause them to fail, so the accuracy and reliability of network attack detection cannot be guaranteed.
- the present application provides a network attack detection method and device for improving the accuracy of network attack detection.
- the attack model database stores each model tuple with its probability of occurrence and each model word with its probability of occurrence;
- In the method provided by the embodiment of the present application, to determine whether the to-be-detected character string, that is, network transmission data, contains network attack behavior, word segmentation and tuple composition processing are first performed to obtain the corresponding tuples. Then, in the pre-acquired attack model database, which stores each model tuple with its probability of occurrence and each model word with its probability of occurrence, the model tuple corresponding to each obtained tuple and the model word corresponding to the first word are matched, and the attack probability of the to-be-detected character string is determined from the occurrence probabilities of the corresponding model tuples and the corresponding model word. If the attack probability is greater than a certain threshold, the string is determined to be a string with aggressive behavior.
- the determining, according to the probability of occurrence of each corresponding model tuple and the probability of occurrence of each corresponding model word, determining an attack probability corresponding to the to-be-detected character string including:
- the probability of occurrence of the corresponding attack model tuple and the probability of occurrence of the corresponding model word are summed to obtain an attack probability corresponding to the to-be-detected character string.
- the obtaining the to-be-detected character string and performing word segmentation on the to-be-detected character string to obtain each word included in the to-be-detected character string further includes:
- The probability of occurrence of each model word and model tuple stored in the attack model database is obtained by statistical analysis of a large number of attack samples, so it reflects the statistical characteristics of the attack samples; a detection result for the to-be-detected character string that is based on these statistical features is therefore more accurate.
- the determining the probability of occurrence of each model word included in the attack sample set includes:
- Determining the probability of occurrence of each model word included in the attack sample set according to a ratio of the number of occurrences of each model word included in the attack sample set to the total number of all model words included in the attack sample set.
- the determining the probability of occurrence of each model tuple included in the attack sample set includes:
- $w_1, \dots, w_{n-1}, w_n$ are the n model words contained in any model tuple
- $w_1, \dots, w_{n-1}$) is the probability of occurrence of a model tuple; n is an integer greater than or equal to 2
- $w_n$ is the first model word in the model tuple
- $w_1, \dots, w_{n-1}$ are the n-1 model words located after the first model word
- $\#(w_1, \dots, w_{n-1}, w_n)$ is the number of occurrences of any of the model tuples in all model tuples included in the attack sample set
- $\#(w_1, \dots, w_{n-1})$ is the number of times the model words $w_1, \dots, w_{n-1}$ co-occur in all of the sample strings contained in the attack sample set.
- In the above method, the attack model database is obtained by analyzing the occurrence probability of each word and each tuple in a large number of attack sample strings.
- Although the specific form of attack strings is continuously updated, the characteristics of the attack behavior do not change in nature; that is, a large number of attack sample strings tend to have similar probability and statistical characteristics. Therefore, based on the attack model database, it is possible to accurately determine whether the string to be detected has an attack behavior.
- the embodiment of the present application provides a network attack detection device, including:
- a first acquiring module configured to acquire a character string to be detected, and perform word segmentation processing on the to-be-detected character string to obtain each word included in the to-be-detected character string;
- a first determining module configured to perform a tuple generation process on the words according to a preset tuple composition rule to determine each tuple corresponding to the to-be-detected character string;
- a second determining module configured to determine whether the pre-acquired attack model database contains a model tuple corresponding to each tuple and a model word corresponding to the first word among the words, where the attack model database stores each model tuple with its probability of occurrence and each model word with its probability of occurrence;
- a third determining module configured to acquire, when the second determining module determines that each corresponding model tuple and the corresponding model word exist, the occurrence probability of each corresponding model tuple and of the corresponding model word, and to determine the attack probability corresponding to the to-be-detected character string according to the occurrence probability of each corresponding model tuple and of each corresponding model word;
- a fourth determining module configured to determine, when the attack probability is greater than or equal to a preset probability threshold, that the to-be-detected character string is a character string having an aggressive behavior.
- the third determining module is specifically configured to: add an occurrence probability of the corresponding attack model tuple and an appearance probability of the corresponding model word to obtain an attack probability corresponding to the to-be-detected character string.
- it also includes:
- a second acquiring module configured to acquire an attack sample set, where the attack sample set includes each attack sample string
- a third acquiring module configured to separately perform word segmentation processing on each attack sample string to obtain the model words included in the attack sample set
- a fifth determining module configured to perform a tuple generation process on the model words included in each attack sample string according to the preset tuple composition rule to determine the model tuples included in the attack sample set
- a sixth determining module configured to respectively determine an occurrence probability of the model words included in the attack sample set and an occurrence probability of the model tuples included in the attack sample set;
- a storage module configured to store, in the attack model database, the model words included in the attack sample set in association with the occurrence probability of each model word, and the model tuples included in the attack sample set in association with the occurrence probability of each model tuple.
- the sixth determining module is specifically configured to:
- Determining the probability of occurrence of each model word included in the attack sample set according to a ratio of the number of occurrences of each model word included in the attack sample set to the total number of all model words included in the attack sample set.
- the sixth determining module is further configured to:
- $w_1, \dots, w_{n-1}, w_n$ are the n model words contained in any model tuple
- $w_1, \dots, w_{n-1}$) is the probability of occurrence of a model tuple; n is an integer greater than or equal to 2
- $w_n$ is the first model word in the model tuple
- $w_1, \dots, w_{n-1}$ are the n-1 model words located after the first model word
- $\#(w_1, \dots, w_{n-1}, w_n)$ is the number of occurrences of any of the model tuples in all model tuples included in the attack sample set
- $\#(w_1, \dots, w_{n-1})$ is the number of times the model words $w_1, \dots, w_{n-1}$ co-occur in all of the sample strings contained in the attack sample set.
- the embodiment of the present application provides a network attack detection device, including: a transceiver and a processor;
- the transceiver is configured to acquire a character string to be detected
- the processor is configured to perform word segmentation processing on the to-be-detected character string to obtain each word included in the to-be-detected character string, and to perform tuple generation processing on the words according to a preset tuple composition rule to determine each tuple corresponding to the to-be-detected character string;
- the processor is further configured to determine whether the pre-acquired attack model database contains a model tuple corresponding to each tuple and a model word corresponding to the first word among the words, where the attack model database stores each model tuple with its probability of occurrence and each model word with its probability of occurrence; if they exist, to acquire the occurrence probability of each corresponding model tuple and of the corresponding model word, and to determine the attack probability corresponding to the to-be-detected character string according to the occurrence probability of each corresponding model tuple and of each corresponding model word; and, if the attack probability is greater than or equal to a preset probability threshold, to determine that the to-be-detected character string is a character string with aggressive behavior.
- the processor is specifically configured to:
- the processor is further configured to:
- the transceiver is further configured to: acquire an attack sample set, where the attack sample set includes each attack sample string;
- the processor is further configured to perform word segmentation processing on each attack sample string to obtain the model words included in the attack sample set; to perform a tuple generation process on the model words included in each attack sample string according to the preset tuple composition rule to determine the model tuples included in the attack sample set; and to respectively determine an occurrence probability of the model words included in the attack sample set and an occurrence probability of the model tuples included in the attack sample set;
- the device further includes:
- a memory configured to store, in the attack sample database, the model words included in the attack sample set in association with the occurrence probability of each model word, and to store the model tuples included in the attack sample set in the attack model database in association with the occurrence probability of each model tuple.
- the processor is specifically configured to:
- Determining the probability of occurrence of each model word included in the attack sample set according to a ratio of the number of occurrences of each model word included in the attack sample set to the total number of all model words included in the attack sample set.
- the processor is specifically configured to:
- $w_1, \dots, w_{n-1}, w_n$ are the n model words contained in any model tuple
- $w_1, \dots, w_{n-1}$) is the probability of occurrence of a model tuple; n is an integer greater than or equal to 2
- $w_n$ is the first model word in the model tuple
- $w_1, \dots, w_{n-1}$ are the n-1 model words located after the first model word
- $\#(w_1, \dots, w_{n-1}, w_n)$ is the number of occurrences of any of the model tuples in all model tuples included in the attack sample set
- $\#(w_1, \dots, w_{n-1})$ is the number of times the model words $w_1, \dots, w_{n-1}$ co-occur in all of the sample strings contained in the attack sample set.
- FIG. 1 is a flowchart of Embodiment 1 of a network attack detection method according to the present invention
- FIG. 2 is a flowchart of Embodiment 2 of a network attack detection method according to the present invention
- FIG. 3 is a schematic structural diagram of Embodiment 1 of a network attack detecting device according to the present invention.
- FIG. 4 is a schematic structural diagram of Embodiment 2 of a network attack detecting device according to the present invention.
- FIG. 5 is a schematic structural diagram of Embodiment 3 of a network attack detecting device according to the present invention.
- FIG. 1 is a flowchart of Embodiment 1 of a network attack detection method according to the present invention. As shown in FIG. 1 , the method includes the following steps:
- Step 101 Obtain a character string to be detected, and perform word segmentation processing on the to-be-detected character string to obtain each word included in the to-be-detected character string.
- the to-be-detected character string refers to network transmission data such as an HTTP request message. Based on semantics and character recognition, the character string to be detected is subjected to word segmentation to obtain each word contained therein.
- A character string to be detected is not composed entirely of English words; it also includes components such as numbers and symbols. In this embodiment, these components are collectively referred to as words.
- Step 102 Perform tuple generation processing on each word according to a preset tuple composition rule to determine each tuple corresponding to the to-be-detected character string.
- the above-mentioned preset tuple composition rules for example, specify the tuple size, that is, the number of words contained in each tuple, and the positional relationship of each word in each tuple.
- the word segmentation result of the character string S to be detected includes three words: A, B, and C in order.
- the tuple composition rule stipulates that the size of the tuple is 2, that is, each tuple contains 2 words, and for each word, the corresponding tuple is composed of itself and a word adjacent thereto. Then, the tuple corresponding to the to-be-detected character string S includes two tuples (A, B) and (B, C).
- Step 103 Determine whether the pre-acquired attack model database contains a model tuple corresponding to each tuple and a model word corresponding to the first word among the words; if yes, perform step 104; otherwise, end.
- The attack model database stores each model tuple with its probability of occurrence and each model word with its probability of occurrence.
- Step 104 Obtain the occurrence probability of each corresponding model tuple and of the corresponding model word, and determine the attack probability corresponding to the to-be-detected character string according to the occurrence probability of each corresponding model tuple and of each corresponding model word.
- Step 105 If the attack probability is greater than or equal to a preset probability threshold, determine that the to-be-detected character string is a character string having an aggressive behavior.
- The attack model database is pre-established and is obtained by statistical analysis of a large number of attack sample strings acquired in advance; specifically, the model tuples and model words stored in the attack model database, together with their probabilities of occurrence, are obtained by statistical analysis of a large number of attack sample strings.
- Each model word includes each word obtained by separately segmenting a plurality of attack sample strings; each model tuple includes each tuple obtained by forming a tuple for each model word included in each attack sample string.
- After each word and each tuple included in the to-be-detected character string have been obtained, the attack model database is queried to determine whether it contains a model tuple corresponding to each tuple and a model word corresponding to the first word obtained from word segmentation of the to-be-detected character string. If so, the corresponding occurrence probabilities are obtained.
- The reason for checking whether there is a model word corresponding to the first word obtained from word segmentation lies in the attack probability calculation formula of the to-be-detected character string, which is described below.
- the attack probability corresponding to the character string to be detected can be obtained as follows:
- For example, the first word obtained after word segmentation of the to-be-detected character string S is A.
- Suppose the word A exists in the attack model database, as do the tuple (A, B) and the tuple (B, C), and that the occurrence probability of A is P(A) = p1, the occurrence probability of the tuple (A, B) is p2, and the occurrence probability of the tuple (B, C) is p3.
- The attack probability P(S) of the to-be-detected character string S is then the sum of P(A) and the occurrence probabilities of the tuples (A, B) and (B, C): P(S) = p1 + p2 + p3.
- If (p1 + p2 + p3) is greater than the preset probability threshold p0, the to-be-detected character string S contains many tuples and words with attack characteristics, and S is determined to be a character string with aggressive behavior.
- In this embodiment, to determine whether the to-be-detected character string, that is, network transmission data, contains network attack behavior, word segmentation and tuple composition processing are first performed to obtain the corresponding tuples. Then, in the pre-acquired attack model database, which stores each model tuple with its probability of occurrence and each model word with its probability of occurrence, the model tuple corresponding to each obtained tuple and the model word corresponding to the first word are matched, and the attack probability of the to-be-detected character string is determined from the occurrence probabilities of the corresponding model tuples and the corresponding model word. If the attack probability is greater than a certain threshold, the string is determined to be a string with aggressive behavior.
- FIG. 2 is a flowchart of Embodiment 2 of the network attack detection method of the present invention. As shown in FIG. 2, before step 101, the embodiment further includes the following steps:
- Step 201 Acquire an attack sample set, where the attack sample set includes each attack sample string.
- Each of the above attack sample strings is a pre-acquired string having a network attack behavior.
- Step 202 Perform word segmentation processing on each attack sample string to obtain the model words included in the attack sample set.
- Each attack sample string is subjected to word segmentation processing to obtain the model words it contains; the model words of all attack sample strings are then combined to obtain the model words included in the attack sample set.
- Step 203 Perform tuple generation processing on the model words included in each attack sample string according to the preset tuple composition rule to determine the model tuples included in the attack sample set.
- The model words included in each attack sample string are subjected to tuple generation processing to obtain the model tuples of that string; the model tuples of all attack sample strings are then combined to obtain the model tuples included in the attack sample set.
- Step 204 Determine an occurrence probability of each model word included in the attack sample set and an appearance probability of each model tuple included in the attack sample set.
- For example, the attack sample set contains two attack sample strings S1 and S2.
- The word segmentation result of S1 consists of three model words A, B, and C in order, giving two tuples (A, B) and (B, C); the word segmentation result of S2 consists of three model words A, C, and D in order, giving two tuples (A, C) and (C, D).
- the probability of occurrence of each model word included in the attack sample set is determined as follows:
- the probability of occurrence of each model word contained in the attack sample set is determined based on the ratio of the number of occurrences of each model word contained in the attack sample set to the total number of all model words contained in the attack sample set.
- the number of occurrences is 2, and the total number of all model words contained in the attack sample set is 6, so that the probability of occurrence is 2/6.
- the probability of occurrence of each model tuple contained in the attack sample set is determined according to the following formula:
- $w_1, \dots, w_{n-1}, w_n$ are the n model words contained in any model tuple
- $w_1, \dots, w_{n-1}$) is the probability of occurrence of a model tuple; n is an integer greater than or equal to 2
- $w_n$ is the first model word in the model tuple
- $w_1, \dots, w_{n-1}$ are the n-1 model words located after the first model word
- $\#(w_1, \dots, w_{n-1}, w_n)$ is the number of occurrences of any of the model tuples in all model tuples included in the attack sample set
- $\#(w_1, \dots, w_{n-1})$ is the number of times the model words $w_1, \dots, w_{n-1}$ co-occur in all of the sample strings contained in the attack sample set.
- Step 205 Store the model words included in the attack sample set in the attack model database in association with the occurrence probability of each model word, and store the model tuples included in the attack sample set in the attack model database in association with the occurrence probability of each model tuple.
- In this way, an attack model database is obtained.
- Although the specific form of attack strings is constantly updated, the characteristics of the attack behavior do not change substantially; that is, a large number of attack sample strings often have similar probability and statistical characteristics. Therefore, based on the attack model database, it is possible to accurately determine whether the string to be detected has an attack behavior.
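Training steps 201 to 205 and detection steps 101 to 105, carried through on the page's own sample strings S1 and S2. This is an added example, not code from the patent: the regex segmenter, the function names and the threshold are assumptions, and because the tuple-probability formula itself is missing from the page, the code assumes it is the ratio of the two counts the page defines, #(tuple) divided by #(the n-1 words after the tuple's first word).

```python
import re
from collections import Counter
from fractions import Fraction

# Assumed segmentation rule: a run of letters, a run of digits, or a single
# symbol is one "word" (the page counts numbers and symbols as words too).
TOKEN_RE = re.compile(r"[A-Za-z_]+|\d+|[^\sA-Za-z_\d]")


def segment(text):
    """Steps 101/202: split a string into words."""
    return TOKEN_RE.findall(text)


def make_tuples(words, n):
    """Steps 102/203: tuple composition rule, n adjacent words in order."""
    return [tuple(words[i:i + n]) for i in range(len(words) - n + 1)]


def build_model(samples, n=2):
    """Steps 201-205: build the attack model database from attack samples."""
    word_counts, tuple_counts, rest_counts = Counter(), Counter(), Counter()
    for sample in samples:
        words = segment(sample)
        word_counts.update(words)
        tuple_counts.update(make_tuples(words, n))
        # Occurrences of every run of n-1 adjacent words, used as denominator.
        rest_counts.update(make_tuples(words, n - 1))
    total_words = sum(word_counts.values())
    return {
        "n": n,
        # Word probability: occurrences of the word / total number of words.
        "words": {w: Fraction(c, total_words) for w, c in word_counts.items()},
        # Assumed tuple probability: #(tuple) / #(words after its first word).
        "tuples": {t: Fraction(c, rest_counts[t[1:]])
                   for t, c in tuple_counts.items()},
    }


def attack_probability(text, model):
    """Steps 103-104: return P(S), or None when the lookup in step 103 fails."""
    words = segment(text)
    if not words:
        return None
    tuples = make_tuples(words, model["n"])
    first_known = words[0] in model["words"]
    tuples_known = all(t in model["tuples"] for t in tuples)
    if not (first_known and tuples_known):
        return None  # step 103: no corresponding model entry, processing ends
    # P(S) = P(first word) + sum of the occurrence probabilities of the tuples.
    return model["words"][words[0]] + sum(model["tuples"][t] for t in tuples)


def is_attack(text, model, threshold):
    """Step 105: attack if P(S) is greater than or equal to the threshold p0."""
    p = attack_probability(text, model)
    return p is not None and p >= threshold


# The page's sample set: S1 segments to A, B, C and S2 to A, C, D.
SAMPLES = ["A B C", "A C D"]
MODEL = build_model(SAMPLES)

if __name__ == "__main__":
    p0 = Fraction(3, 2)  # constructed threshold, not a value from the page
    for s in ("A B C", "B C", "A B D"):
        print(s, attack_probability(s, MODEL), is_attack(s, MODEL, p0))
```

Because step 103 ends processing when any tuple or the first word has no model entry, a string containing a single unseen tuple such as (B, D) is never scored, however many known attack tuples it also contains.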
- the terminal device includes: a first obtaining module 11, a first determining module 12, a second determining module 13, a third determining module 14, and a fourth determining module 15.
- the first obtaining module 11 is configured to obtain a character string to be detected, and perform word segmentation processing on the to-be-detected character string to obtain each word included in the to-be-detected character string.
- the first determining module 12 is configured to perform a tuple generation process on the words according to a preset tuple composition rule to determine each tuple corresponding to the to-be-detected character string.
- the second determining module 13 is configured to determine whether the pre-acquired attack model database contains a model tuple corresponding to each tuple and a model word corresponding to the first word among the words, where the attack model database stores each model tuple with its probability of occurrence and each model word with its probability of occurrence.
- the third determining module 14 is configured to: when the second determining module determines that each corresponding model tuple and the corresponding model word exist, acquire the occurrence probability of each corresponding model tuple and of the corresponding model word, and determine the attack probability corresponding to the to-be-detected character string according to the occurrence probability of each corresponding model tuple and of each corresponding model word.
- the fourth determining module 15 is configured to determine that the to-be-detected character string is a character string having an aggressive behavior when the attack probability is greater than or equal to a preset probability threshold.
- the third determining module 14 is specifically configured to: sum the probability of occurrence of each of the corresponding attack model tuples and the probability of occurrence of the corresponding model word to obtain an attack probability corresponding to the to-be-detected character string.
- the device in this embodiment may be used to implement the technical solution of the method embodiment shown in FIG. 1 , and the implementation principle and technical effects are similar, and details are not described herein again.
- FIG. 4 is a schematic structural diagram of Embodiment 2 of the network attack detection device of the present invention. As shown in FIG. 4, on the basis of the embodiment shown in FIG. 3, the device further includes: a second obtaining module 21, a third obtaining module 22, a fifth determining module 23, a sixth determining module 24, and a storage module 25.
- the second obtaining module 21 is configured to acquire an attack sample set, where the attack sample set includes each attack sample string.
- the third obtaining module 22 is configured to perform word segmentation processing on each attack sample string to obtain the model words included in the attack sample set.
- the fifth determining module 23 is configured to perform a tuple generation process on the model words included in each attack sample string according to the preset tuple composition rule to determine the model tuples included in the attack sample set.
- the sixth determining module 24 is configured to respectively determine an occurrence probability of the model words included in the attack sample set and an occurrence probability of the model tuples included in the attack sample set.
- a storage module 25 configured to store, in the attack model database, the model words included in the attack sample set in association with the occurrence probability of each model word, and the model tuples included in the attack sample set in association with the occurrence probability of each model tuple.
- the sixth determining module 24 is specifically configured to:
- Determining the probability of occurrence of each model word included in the attack sample set according to a ratio of the number of occurrences of each model word included in the attack sample set to the total number of all model words included in the attack sample set.
- the sixth determining module 24 is further configured to:
- $w_1, \dots, w_{n-1}, w_n$ are the n model words contained in any model tuple
- $w_1, \dots, w_{n-1}$) is the probability of occurrence of a model tuple; n is an integer greater than or equal to 2
- $w_n$ is the first model word in the model tuple
- $w_1, \dots, w_{n-1}$ are the n-1 model words located after the first model word
- $\#(w_1, \dots, w_{n-1}, w_n)$ is the number of occurrences of any of the model tuples in all model tuples included in the attack sample set
- $\#(w_1, \dots, w_{n-1})$ is the number of times the model words $w_1, \dots, w_{n-1}$ co-occur in all of the sample strings contained in the attack sample set.
- the device in this embodiment may be used to implement the technical solution of the method embodiment shown in FIG. 2, and the implementation principle and the technical effect are similar, and details are not described herein again.
- the embodiment of the present application provides another network attack detecting device.
- FIG. 5 is a schematic structural diagram of Embodiment 3 of a network attack detection device according to the present invention.
- the network attack detection device 400 includes a transceiver 401, a processor 402, a memory 403, and a bus system 404.
- the memory 403 is used to store a program.
- the program can include program code, the program code including computer operating instructions.
- the memory 403 may be a random access memory (RAM) or a non-volatile memory, such as at least one disk storage. Only one memory is shown in the figure; a plurality of memories may be provided as needed. The memory 403 can also be a memory in the processor 402.
- the memory 403 stores the following elements, executable modules or data structures, or a subset thereof, or an extended set thereof:
- Operation instructions: include various operation instructions for implementing various operations.
- Operating system: includes a variety of system programs for implementing various basic services and handling hardware-based tasks.
- the processor 402 controls the operation of the network attack detecting device 400, and the processor 402 may also be referred to as a CPU (Central Processing Unit).
- the components of the network attack detecting device 400 are coupled together by a bus system 404.
- the bus system 404 may include a power bus, a control bus, a status signal bus, and the like in addition to the data bus.
- various buses are labeled as bus system 404 in the figure. For ease of representation, only the schematic drawing is shown in FIG.
- Processor 402 may be an integrated circuit chip with signal processing capabilities. In the implementation process, each step of the foregoing method may be completed by an integrated logic circuit of hardware in the processor 402 or an instruction in a form of software.
- the processor 402 described above may be a general-purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component.
- the processor can implement or execute the methods, steps, and logical block diagrams disclosed in the embodiments of the present application.
- the general-purpose processor may be a microprocessor, or the processor may be any conventional processor or the like.
- the steps of the method disclosed in the embodiments of the present application may be directly implemented by the hardware decoding processor, or may be performed by a combination of hardware and software modules in the decoding processor.
- the software module can be located in a conventional storage medium such as random access memory, flash memory, read only memory, programmable read only memory or electrically erasable programmable memory, registers, and the like.
- the storage medium is located in the memory 403, and the processor 402 reads the information in the memory 403 and performs the following steps in conjunction with its hardware:
- the transceiver 401 is configured to acquire a character string to be detected.
- the processor 402 is configured to perform word segmentation processing on the to-be-detected character string to obtain each word included in the to-be-detected character string, and to perform tuple generation processing on the words according to a preset tuple composition rule to determine each tuple corresponding to the to-be-detected character string;
- the processor 402 is further configured to determine whether the attack model database obtained in advance contains a model tuple corresponding to each tuple and a model word corresponding to the first word among the words, where the attack model database stores each model tuple and the occurrence probability of each model tuple, and each model word and the occurrence probability of each model word;
- if they are present, the processor 402 acquires the occurrence probabilities of the corresponding model tuples and of the corresponding model word, and determines, according to the occurrence probability of each corresponding model tuple and the occurrence probability of each corresponding model word, the attack probability corresponding to the to-be-detected character string; if the attack probability is greater than or equal to a preset probability threshold, it determines that the to-be-detected character string is a character string having attack behavior.
- the processor 402 is specifically configured to sum the occurrence probabilities of the corresponding model tuples and the occurrence probability of the corresponding model word to obtain the attack probability corresponding to the to-be-detected character string.
- the transceiver 401 is further configured to: acquire an attack sample set, where the attack sample set includes each attack sample string;
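- the processor 402 is further configured to: perform word segmentation processing on each attack sample string to obtain the model words included in the attack sample set; perform tuple generation processing on the model words included in each attack sample string according to the preset tuple composition rule to determine the model tuples included in the attack sample set; and respectively determine the occurrence probability of the model words included in the attack sample set and the occurrence probability of the model tuples included in the attack sample set.
- a memory 403 configured to store the model words included in the attack sample set in the attack model database in association with the occurrence probability of each model word, and to store the model tuples included in the attack sample set in the attack model database in association with the occurrence probability of each model tuple.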
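- the processor 402 is specifically configured to determine the occurrence probability of each model word included in the attack sample set according to the ratio of the number of occurrences of each model word included in the attack sample set to the total number of all model words included in the attack sample set.
- the processor 402 is specifically configured to determine the occurrence probability of each model tuple included in the attack sample set according to the following formula:
- $P(w_n \mid w_1,\ldots,w_{n-1}) = \#(w_1,\ldots,w_{n-1},w_n) \,/\, \#(w_1,\ldots,w_{n-1})$
- where $w_1,\ldots,w_{n-1},w_n$ are the n model words contained in any model tuple;
- $P(w_n \mid w_1,\ldots,w_{n-1})$ is the occurrence probability of that model tuple, and n is an integer greater than or equal to 2;
- $w_n$ is the first model word in the model tuple;
- $w_1,\ldots,w_{n-1}$ are the n-1 model words located after the first model word;
- $\#(w_1,\ldots,w_{n-1},w_n)$ is the number of occurrences of that model tuple among all model tuples included in the attack sample set;
- $\#(w_1,\ldots,w_{n-1})$ is the number of times the model words $w_1,\ldots,w_{n-1}$ co-occur in all of the sample strings contained in the attack sample set.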
- the computer program instructions can also be stored in a computer-readable memory that can direct a computer or other programmable data processing device to operate in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture comprising an instruction device, and the instruction device implements the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
- These computer program instructions can also be loaded onto a computer or other programmable data processing device, such that a series of operational steps are performed on the computer or other programmable device to produce computer-implemented processing, and the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
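The training and detection procedure described above (word segmentation, tuple generation, occurrence probabilities stored in an attack model database, summed attack probability compared with a preset threshold), as an added example that is not code from the patent. The tokenizer, the adjacent-word tuple rule with n = 2, the reading of $w_n$ as the word following the other n-1, the zero contribution of unmatched entries, the sample strings and the threshold are all assumptions made for illustration.

```python
import re
from collections import Counter

# Assumed segmentation rule (the page does not fix one): a run of letters,
# digits or "_" is one word, any other non-space character is a word by itself.
TOKEN_RE = re.compile(r"[a-z0-9_]+|[^\sa-z0-9_]")

# Constructed attack sample strings, for illustration only.
ATTACK_SAMPLES = [
    "1' or '1'='1",
    "1' or 1=1 --",
    "admin' or 1=1 --",
    "1 union select null, null --",
]

def segment(s):
    """Word segmentation: lower-case the string and split it into words."""
    return TOKEN_RE.findall(s.lower())

def make_tuples(words, n):
    """Assumed tuple composition rule: every run of n adjacent words."""
    return [tuple(words[i:i + n]) for i in range(len(words) - n + 1)]

def train(samples, n=2):
    """Build the attack model database: word and tuple occurrence probabilities."""
    if n < 2:
        raise ValueError("n must be >= 2")
    word_count, tuple_count, ctx_count = Counter(), Counter(), Counter()
    for s in samples:
        words = segment(s)
        word_count.update(words)
        tuple_count.update(make_tuples(words, n))      # #(w1..wn)
        ctx_count.update(make_tuples(words, n - 1))    # #(w1..w(n-1))
    total = sum(word_count.values())
    return {
        "n": n,
        # occurrences of the word / total number of model words
        "word_p": {w: c / total for w, c in word_count.items()},
        # P(wn | w1..w(n-1)) = #(w1..wn) / #(w1..w(n-1)), with wn read as the
        # word that follows the other n-1 (assumption, usual n-gram reading)
        "tuple_p": {t: c / ctx_count[t[:-1]] for t, c in tuple_count.items()},
    }

def attack_probability(db, s):
    """Sum the stored probabilities of the first word and of every tuple of s.
    Words and tuples absent from the database add nothing (assumption)."""
    words = segment(s)
    if not words:
        return 0.0
    score = db["word_p"].get(words[0], 0.0)
    for t in make_tuples(words, db["n"]):
        score += db["tuple_p"].get(t, 0.0)
    return score

def is_attack(db, s, threshold):
    """Flag s when its attack probability reaches the preset threshold."""
    return attack_probability(db, s) >= threshold

if __name__ == "__main__":
    db = train(ATTACK_SAMPLES)
    for candidate in ["x' or 1=1 --", "name=alice&page=2"]:   # constructed inputs
        print(candidate, round(attack_probability(db, candidate), 3),
              is_attack(db, candidate, threshold=1.0))        # constructed threshold
```

Because the score is a sum, it is not bounded by 1 and grows with the number of matching tuples, so the threshold has to be chosen against benign traffic for the tokenizer in use.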
Claims (15)
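- A network attack detection method, characterized by comprising: acquiring a to-be-detected character string, and performing word segmentation processing on the to-be-detected character string to obtain the words contained in the to-be-detected character string; performing tuple generation processing on the words according to a preset tuple composition rule to determine the tuples corresponding to the to-be-detected character string; determining whether a pre-obtained attack model database contains model tuples corresponding to the tuples and a model word corresponding to the first word among the words, wherein the attack model database stores model tuples and the occurrence probability of each model tuple, and model words and the occurrence probability of each model word; if so, acquiring the occurrence probabilities of the corresponding model tuples and of the corresponding model word, and determining, according to the occurrence probability of each corresponding model tuple and the occurrence probability of each corresponding model word, the attack probability corresponding to the to-be-detected character string; and if the attack probability is greater than or equal to a preset probability threshold, determining that the to-be-detected character string is a character string having attack behavior.
- The method according to claim 1, characterized in that determining the attack probability corresponding to the to-be-detected character string according to the occurrence probability of each corresponding model tuple and the occurrence probability of each corresponding model word comprises: summing the occurrence probabilities of the corresponding attack model tuples and the occurrence probability of the corresponding model word to obtain the attack probability corresponding to the to-be-detected character string.
- The method according to claim 1, characterized in that, before acquiring the to-be-detected character string and performing word segmentation processing on the to-be-detected character string to obtain the words contained in the to-be-detected character string, the method further comprises: acquiring an attack sample set, the attack sample set including attack sample strings; performing word segmentation processing on each attack sample string to obtain the model words contained in the attack sample set; performing tuple generation processing on the model words contained in each attack sample string according to the preset tuple composition rule to determine the model tuples contained in the attack sample set; respectively determining the occurrence probability of the model words contained in the attack sample set and the occurrence probability of the model tuples contained in the attack sample set; and storing the model words contained in the attack sample set in the attack model database in association with the occurrence probabilities of the model words, and storing the model tuples contained in the attack sample set in the attack model database in association with the occurrence probabilities of the model tuples.
- The method according to claim 3, characterized in that determining the occurrence probability of the model words contained in the attack sample set comprises: determining the occurrence probability of each model word contained in the attack sample set according to the ratio of the number of occurrences of each model word contained in the attack sample set to the total number of all model words contained in the attack sample set.
- The method according to claim 3, characterized in that determining the occurrence probability of the model tuples contained in the attack sample set comprises: determining the occurrence probability of the model tuples contained in the attack sample set according to the following formula: $P(w_n \mid w_1,\ldots,w_{n-1}) = \#(w_1,\ldots,w_{n-1},w_n) \,/\, \#(w_1,\ldots,w_{n-1})$, where $w_1,\ldots,w_{n-1},w_n$ are the n model words contained in any model tuple, $P(w_n \mid w_1,\ldots,w_{n-1})$ is the occurrence probability of that model tuple, n is an integer greater than or equal to 2, $w_n$ is the first model word in the model tuple, and $w_1,\ldots,w_{n-1}$ are the n-1 model words located after the first model word; $\#(w_1,\ldots,w_{n-1},w_n)$ is the number of occurrences of that model tuple among all model tuples contained in the attack sample set, and $\#(w_1,\ldots,w_{n-1})$ is the number of times the model words $w_1,\ldots,w_{n-1}$ co-occur in all sample strings contained in the attack sample set.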
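- A network attack detection device, characterized by comprising: a first obtaining module, configured to acquire a to-be-detected character string and perform word segmentation processing on the to-be-detected character string to obtain the words contained in the to-be-detected character string; a first determining module, configured to perform tuple generation processing on the words according to a preset tuple composition rule to determine the tuples corresponding to the to-be-detected character string; a second determining module, configured to determine whether a pre-obtained attack model database contains model tuples corresponding to the tuples and a model word corresponding to the first word among the words, wherein the attack model database stores model tuples and the occurrence probability of each model tuple, and model words and the occurrence probability of each model word; a third determining module, configured to, when the second determining module determines that the corresponding model tuples and the corresponding model word exist, acquire the occurrence probabilities of the corresponding model tuples and of the corresponding model word, and determine, according to the occurrence probability of each corresponding model tuple and the occurrence probability of each corresponding model word, the attack probability corresponding to the to-be-detected character string; and a fourth determining module, configured to determine, when the attack probability is greater than or equal to a preset probability threshold, that the to-be-detected character string is a character string having attack behavior.
- The device according to claim 6, characterized in that the third determining module is specifically configured to: sum the occurrence probabilities of the corresponding attack model tuples and the occurrence probability of the corresponding model word to obtain the attack probability corresponding to the to-be-detected character string.
- The device according to claim 6, characterized by further comprising: a second obtaining module, configured to acquire an attack sample set, the attack sample set including attack sample strings; a third obtaining module, configured to perform word segmentation processing on each attack sample string to obtain the model words contained in the attack sample set; a fifth determining module, configured to perform tuple generation processing on the model words contained in each attack sample string according to the preset tuple composition rule to determine the model tuples contained in the attack sample set; a sixth determining module, configured to respectively determine the occurrence probability of the model words contained in the attack sample set and the occurrence probability of the model tuples contained in the attack sample set; and a storage module, configured to store the model words contained in the attack sample set in the attack model database in association with the occurrence probabilities of the model words, and to store the model tuples contained in the attack sample set in the attack model database in association with the occurrence probabilities of the model tuples.
- The device according to claim 8, characterized in that the sixth determining module is specifically configured to: determine the occurrence probability of each model word contained in the attack sample set according to the ratio of the number of occurrences of each model word contained in the attack sample set to the total number of all model words contained in the attack sample set.
- The device according to claim 8, characterized in that the sixth determining module is further configured to: determine the occurrence probability of the model tuples contained in the attack sample set according to the following formula: $P(w_n \mid w_1,\ldots,w_{n-1}) = \#(w_1,\ldots,w_{n-1},w_n) \,/\, \#(w_1,\ldots,w_{n-1})$, where $w_1,\ldots,w_{n-1},w_n$ are the n model words contained in any model tuple, $P(w_n \mid w_1,\ldots,w_{n-1})$ is the occurrence probability of that model tuple, n is an integer greater than or equal to 2, $w_n$ is the first model word in the model tuple, and $w_1,\ldots,w_{n-1}$ are the n-1 model words located after the first model word; $\#(w_1,\ldots,w_{n-1},w_n)$ is the number of occurrences of that model tuple among all model tuples contained in the attack sample set, and $\#(w_1,\ldots,w_{n-1})$ is the number of times the model words $w_1,\ldots,w_{n-1}$ co-occur in all sample strings contained in the attack sample set.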
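- A network attack detection device, characterized by comprising: a transceiver and a processor; the transceiver is configured to acquire a to-be-detected character string; the processor is configured to perform word segmentation processing on the to-be-detected character string to obtain the words contained in the to-be-detected character string, and to perform tuple generation processing on the words according to a preset tuple composition rule to determine the tuples corresponding to the to-be-detected character string; the processor is further configured to determine whether a pre-obtained attack model database contains model tuples corresponding to the tuples and a model word corresponding to the first word among the words, wherein the attack model database stores model tuples and the occurrence probability of each model tuple, and model words and the occurrence probability of each model word; if so, to acquire the occurrence probabilities of the corresponding model tuples and of the corresponding model word, and to determine, according to the occurrence probability of each corresponding model tuple and the occurrence probability of each corresponding model word, the attack probability corresponding to the to-be-detected character string; and if the attack probability is greater than or equal to a preset probability threshold, to determine that the to-be-detected character string is a character string having attack behavior.
- The device according to claim 11, characterized in that the processor is specifically configured to: sum the occurrence probabilities of the corresponding attack model tuples and the occurrence probability of the corresponding model word to obtain the attack probability corresponding to the to-be-detected character string.
- The device according to claim 11, characterized in that the transceiver is further configured to: acquire an attack sample set, the attack sample set including attack sample strings; the processor is further configured to: perform word segmentation processing on each attack sample string to obtain the model words contained in the attack sample set; perform tuple generation processing on the model words contained in each attack sample string according to the preset tuple composition rule to determine the model tuples contained in the attack sample set; and respectively determine the occurrence probability of the model words contained in the attack sample set and the occurrence probability of the model tuples contained in the attack sample set; the device further comprises: a memory, configured to store the model words contained in the attack sample set in the attack model database in association with the occurrence probabilities of the model words, and to store the model tuples contained in the attack sample set in the attack model database in association with the occurrence probabilities of the model tuples.
- The device according to claim 13, characterized in that the processor is specifically configured to: determine the occurrence probability of each model word contained in the attack sample set according to the ratio of the number of occurrences of each model word contained in the attack sample set to the total number of all model words contained in the attack sample set.
- The device according to claim 13, characterized in that the processor is specifically configured to: determine the occurrence probability of the model tuples contained in the attack sample set according to the following formula: $P(w_n \mid w_1,\ldots,w_{n-1}) = \#(w_1,\ldots,w_{n-1},w_n) \,/\, \#(w_1,\ldots,w_{n-1})$, where $w_1,\ldots,w_{n-1},w_n$ are the n model words contained in any model tuple, $P(w_n \mid w_1,\ldots,w_{n-1})$ is the occurrence probability of that model tuple, n is an integer greater than or equal to 2, $w_n$ is the first model word in the model tuple, and $w_1,\ldots,w_{n-1}$ are the n-1 model words located after the first model word; $\#(w_1,\ldots,w_{n-1},w_n)$ is the number of occurrences of that model tuple among all model tuples contained in the attack sample set, and $\#(w_1,\ldots,w_{n-1})$ is the number of times the model words $w_1,\ldots,w_{n-1}$ co-occur in all sample strings contained in the attack sample set.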
Priority Applications (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US15/745,057 US10645105B2 (en) | 2015-08-17 | 2016-08-17 | Network attack detection method and device |
JP2018508155A JP6567169B2 (ja) | 2015-08-17 | 2016-08-17 | Cyber attack detection method and detection device |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201510505895.9A CN105187408A (zh) | 2015-08-17 | 2015-08-17 | Network attack detection method and device |
CN201510505895.9 | 2015-08-17 |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2017028789A1 (zh) | 2017-02-23 |
Family
ID=54909252
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/CN2016/095714 WO2017028789A1 (zh) | Network attack detection method and device | 2015-08-17 | 2016-08-17 |
Country Status (4)
Country | Link |
---|---|
US (1) | US10645105B2 (zh) |
JP (1) | JP6567169B2 (zh) |
CN (1) | CN105187408A (zh) |
WO (1) | WO2017028789A1 (zh) |
2015
- 2015-08-17 CN CN201510505895.9A patent/CN105187408A/zh active Pending
2016
- 2016-08-17 JP JP2018508155A patent/JP6567169B2/ja active Active
- 2016-08-17 US US15/745,057 patent/US10645105B2/en active Active
- 2016-08-17 WO PCT/CN2016/095714 patent/WO2017028789A1/zh active Application Filing
Also Published As
Publication number | Publication date |
---|---|
JP2018530046A (ja) | 2018-10-11 |
US10645105B2 (en) | 2020-05-05 |
CN105187408A (zh) | 2015-12-23 |
JP6567169B2 (ja) | 2019-08-28 |
US20180212986A1 (en) | 2018-07-26 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 16836653 Country of ref document: EP Kind code of ref document: A1 |
| WWE | Wipo information: entry into national phase | Ref document number: 15745057 Country of ref document: US |
| ENP | Entry into the national phase | Ref document number: 2018508155 Country of ref document: JP Kind code of ref document: A |
| NENP | Non-entry into the national phase | Ref country code: DE |
| 122 | Ep: pct application non-entry in european phase | Ref document number: 16836653 Country of ref document: EP Kind code of ref document: A1 |