CN106357628B - The defence method and device of attack - Google Patents
- Publication number
- CN106357628B
- Authority
- CN
- China
- Prior art keywords
- address
- suspicious user
- attack
- preset
- user
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1441—Countermeasures against malicious traffic
- H04L63/1466—Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/01—Protocols
- H04L67/02—Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
- Computer And Data Communications (AREA)
Abstract
The invention discloses an attack defence method and device, relating to the technical field of network security and intended to improve the accuracy of attack defence. The main technical scheme of the invention is: identifying suspicious user Internet Protocol (IP) addresses in session information by means of a preset threshold, the session information containing IP addresses; filtering attack IP addresses out of the suspicious user IP addresses according to a preset attack IP address library, to obtain first remaining suspicious user IP addresses; filtering attack IP addresses out of the first remaining suspicious user IP addresses using the service request information in the session information, to obtain second remaining suspicious user IP addresses; filtering attack IP addresses out of the second remaining suspicious user IP addresses according to a preset script program, the preset script program being used to determine the attack IP addresses contained in the second remaining suspicious user IP addresses; and refusing service requests sent from the attack IP addresses. The invention is mainly used to defend against attacks.
Description
Technical field
The present invention relates to the technical field of network security, and in particular to an attack defence method and device.
Background
The essential attributes of network security are confidentiality, integrity, legitimacy and availability, and attackers use a variety of ways and means to undermine these attributes. The purpose of a distributed denial of service (DDoS) attack is to destroy the availability of a network. HTTP Flood (request flooding attack) is currently a common form of DDoS attack. It is an attack launched against WEB services at the application layer: the attacker imitates the browsing behaviour of normal users and sends a large number of service requests to the WEB server that is the target of the attack. Once the target WEB server is attacked, the attacked WEB front end responds slowly, and the processing load on the back-end business logic layers such as Java, and on the database further behind them, increases.
At present, HTTP Flood attacks are defended against using the number of HTTP (Hypertext Transfer Protocol) requests a user issues; that is, access by any user whose number of HTTP requests in a unit of time exceeds a threshold is forbidden. In practice, however, some normal users also send more HTTP requests than the threshold, and this approach blocks their access as well. Its false-kill rate (normal users blocked by mistake) is therefore high, and the defence accuracy of existing attack defence methods is low.
Summary of the invention
In view of this, the present invention provides an attack defence method and device, the main purpose of which is to improve the accuracy of attack defence.
According to one aspect of the present invention, an attack defence method is provided, comprising:
identifying suspicious user Internet Protocol (IP) addresses in session information by means of a preset threshold, the session information containing IP addresses;
filtering attack IP addresses out of the suspicious user IP addresses according to a preset attack IP address library, to obtain first remaining suspicious user IP addresses;
filtering attack IP addresses out of the first remaining suspicious user IP addresses using the service request information in the session information, to obtain second remaining suspicious user IP addresses;
filtering attack IP addresses out of the second remaining suspicious user IP addresses according to a preset script program, the preset script program being used to determine the attack IP addresses contained in the second remaining suspicious user IP addresses;
refusing service requests sent from the attack IP addresses.
Specifically, identifying the suspicious user IP addresses in the session information by means of a preset threshold comprises:
obtaining from the session information the number of service requests sent from each user IP address in a unit of time;
determining the user IP addresses whose number of service requests sent in the unit of time is greater than a first preset threshold to be the suspicious user IP addresses.
Further, after the user IP addresses whose number of service requests sent in the unit of time is greater than the first preset threshold have been determined to be the suspicious user IP addresses, the method further comprises:
obtaining the user IP addresses whose number of service requests sent in the unit of time is less than or equal to the first preset threshold;
counting, among the obtained user IP addresses, the number of service requests of each identical user IP address;
determining the user IP addresses whose service request count is greater than a second preset threshold to be the suspicious user IP addresses.
Specifically, filtering attack IP addresses out of the first remaining suspicious user IP addresses using the service request information in the session information, to obtain the second remaining suspicious user IP addresses, comprises:
filtering the attack IP addresses out of the first remaining suspicious user IP addresses according to a preset request URL quantity threshold, and taking the filtered first remaining suspicious user IP addresses as first suspicious user IP addresses;
filtering out, according to a preset URL path, the suspicious user IP addresses among the first suspicious user IP addresses whose request URL is incorrect, and taking the filtered first suspicious user IP addresses as second suspicious user IP addresses;
filtering out, according to a preset URL jump relationship, the suspicious user IP addresses among the second suspicious user IP addresses whose request URL jump relationship is incorrect, and taking the filtered second suspicious user IP addresses as third suspicious user IP addresses;
filtering out, according to a preset server host field, the suspicious user IP addresses among the third suspicious user IP addresses whose requested host field is incorrect, and taking the filtered third suspicious user IP addresses as fourth suspicious user IP addresses;
filtering out, according to a preset URL length, the suspicious user IP addresses among the fourth suspicious user IP addresses whose request URL length is incorrect.
Specifically, filtering attack IP addresses out of the second remaining suspicious user IP addresses according to the preset script program comprises:
sending the preset script program to the clients corresponding to the second remaining suspicious user IP addresses, so that the clients execute the preset script program;
if there is a client that executes the preset script program incorrectly, determining the suspicious user IP address corresponding to that client to be an attack IP address.
Further, after the suspicious user IP address corresponding to a client that executes the preset script program incorrectly has been determined to be an attack IP address, the method further comprises:
if there is a client that executes the preset script program correctly, sending verification information to that client, so that the client receives a verification code entered according to the verification information;
if the verification code does not correspond to the verification information, determining the suspicious user IP address corresponding to the client that executed the preset script program correctly to be an attack IP address;
if the verification code corresponds to the verification information, determining the suspicious user IP address corresponding to the client that executed the preset script program correctly to be a trusted user IP.
Further, the method further comprises:
storing the suspicious user IP addresses determined to be attack IP addresses in the preset attack IP address library.
According to another aspect of the present invention, an attack defence device is provided, comprising:
a recognition unit, for identifying suspicious user Internet Protocol (IP) addresses in session information by means of a preset threshold, the session information containing IP addresses;
a first filter unit, for filtering attack IP addresses out of the suspicious user IP addresses according to a preset attack IP address library, to obtain first remaining suspicious user IP addresses;
a second filter unit, for filtering attack IP addresses out of the first remaining suspicious user IP addresses using the service request information in the session information, to obtain second remaining suspicious user IP addresses;
a third filter unit, for filtering attack IP addresses out of the second remaining suspicious user IP addresses according to a preset script program, the preset script program being used to determine the attack IP addresses contained in the second remaining suspicious user IP addresses;
a refusing unit, for refusing service requests sent from the attack IP addresses.
Specifically, the recognition unit comprises:
an obtaining module, for obtaining from the session information the number of service requests sent from each user IP address in a unit of time;
a determining module, for determining the user IP addresses whose number of service requests sent in the unit of time is greater than a first preset threshold to be the suspicious user IP addresses.
Further, the recognition unit further comprises the following:
the obtaining module is also used to obtain the user IP addresses whose number of service requests sent in the unit of time is less than or equal to the first preset threshold;
a statistics module, for counting, among the obtained user IP addresses, the number of service requests of each identical user IP address;
the determining module is also used to determine the user IP addresses whose service request count is greater than a second preset threshold to be the suspicious user IP addresses.
Specifically, the second filter unit comprises:
a first filtering module, for filtering the attack IP addresses out of the first remaining suspicious user IP addresses according to a preset request URL quantity threshold, and taking the filtered first remaining suspicious user IP addresses as first suspicious user IP addresses;
a second filtering module, for filtering out, according to a preset URL path, the suspicious user IP addresses among the first suspicious user IP addresses whose request URL is incorrect, and taking the filtered first suspicious user IP addresses as second suspicious user IP addresses;
a third filtering module, for filtering out, according to a preset URL jump relationship, the suspicious user IP addresses among the second suspicious user IP addresses whose request URL jump relationship is incorrect, and taking the filtered second suspicious user IP addresses as third suspicious user IP addresses;
a fourth filtering module, for filtering out, according to a preset server host field, the suspicious user IP addresses among the third suspicious user IP addresses whose requested host field is incorrect, and taking the filtered third suspicious user IP addresses as fourth suspicious user IP addresses;
a fifth filtering module, for filtering out, according to a preset URL length, the suspicious user IP addresses among the fourth suspicious user IP addresses whose request URL length is incorrect.
Specifically, the third filter unit comprises:
a sending module, for sending the preset script program to the clients corresponding to the second remaining suspicious user IP addresses, so that the clients execute the preset script program;
a determining module, for determining, if there is a client that executes the preset script program incorrectly, the suspicious user IP address corresponding to that client to be an attack IP address.
The sending module is also used, if there is a client that executes the preset script program correctly, to send verification information to that client, so that the client receives a verification code entered according to the verification information;
the determining module is also used, if the verification code does not correspond to the verification information, to determine the suspicious user IP address corresponding to the client that executed the preset script program correctly to be an attack IP address;
the determining module is also used, if the verification code corresponds to the verification information, to determine the suspicious user IP address corresponding to the client that executed the preset script program correctly to be a trusted user IP.
Further, the device further comprises:
a storage unit, for storing the suspicious user IP addresses determined to be attack IP addresses in the preset attack IP address library.
With the above technical scheme, the technical solution provided by the embodiments of the present invention has at least the following advantages:
The attack defence method and device provided by the embodiments of the present invention first identify suspicious user IP addresses in session information by means of a preset threshold, the session information containing IP addresses; then filter attack IP addresses out of the suspicious user IP addresses according to a preset attack IP address library, obtaining first remaining suspicious user IP addresses; then filter attack IP addresses out of the first remaining suspicious user IP addresses using the service request information in the session information, obtaining second remaining suspicious user IP addresses; then filter attack IP addresses out of the second remaining suspicious user IP addresses according to a preset script program; and finally refuse the service requests sent from the attack IP addresses. Compared with the current practice of defending against HTTP Flood attacks according to the number of requests issued in a unit of time, the embodiments of the present invention defend against HTTP Flood attacks in layers: suspicious user IP addresses in the session information are first identified by means of a preset threshold, attack IP addresses are then filtered out of the suspicious user IP addresses layer by layer according to the preset attack IP address library, the service request information and the preset script program in turn, and attack defence is achieved by refusing the service requests sent from the attack IP addresses. The embodiments of the present invention can thereby improve the accuracy of attack defence.
The above is only an overview of the technical scheme of the present invention. So that the technical means of the present invention can be understood more clearly and implemented in accordance with the contents of the specification, and so that the above and other objects, features and advantages of the present invention are easier to understand, specific embodiments of the present invention are set out below.
Brief description of the drawings
Various other advantages and benefits will become clear to those of ordinary skill in the art on reading the following detailed description of the preferred embodiments. The drawings serve only to illustrate the preferred embodiments and are not to be regarded as limiting the present invention. Throughout the drawings, the same reference numbers refer to the same parts. In the drawings:
Fig. 1 shows a flow chart of an attack defence method provided by an embodiment of the present invention;
Fig. 2 shows a structural block diagram of an attack defence device provided by an embodiment of the present invention;
Fig. 3 shows a structural block diagram of another attack defence device provided by an embodiment of the present invention.
Detailed description of the embodiments
Exemplary embodiments of the present disclosure are described in more detail below with reference to the accompanying drawings. Although the drawings show exemplary embodiments of the disclosure, it should be understood that the disclosure may be implemented in various forms and should not be limited by the embodiments set forth here. Rather, these embodiments are provided so that the present invention can be understood more thoroughly and so that the scope of the disclosure can be fully conveyed to those skilled in the art.
An embodiment of the present invention provides an attack defence method. As shown in Fig. 1, the method comprises:
101. Identify suspicious user Internet Protocol (IP) addresses in session information by means of a preset threshold.
The session information contains IP addresses. Session information is the information exchanged between a user and a WEB (World Wide Web) server, and is related information based on a data stream connection. A suspicious user IP address may be the IP address of a trusted user or of an attacking user.
It should be noted that the number of service requests a normal user sends in a unit of time stays within some threshold. If the number of service requests a user sends in a unit of time does not conform to this threshold, that user may be an attacking user, so the IP address corresponding to that user needs to be determined to be a suspicious user IP address. The embodiment of the present invention therefore identifies suspicious user IP addresses in the session information by means of a preset threshold. The preset threshold can be determined according to the characteristics of the WEB server and the browsing behaviour of normal users; specifically, its size can be determined according to the number of requests a normal user sends to the destination IP address in a unit of time. If a normal user sends 5 or fewer requests to the destination IP address in 1 minute, the preset threshold can be set to 5, and if a user sends more than 5 service requests to the destination IP address in 1 minute, the IP address corresponding to that user can be determined to be a suspicious user IP address.
102. Filter attack IP addresses out of the suspicious user IP addresses according to a preset attack IP address library, to obtain first remaining suspicious user IP addresses.
The preset attack IP address library is configured in advance and contains all attack IP addresses that have already been determined. If a suspicious user IP address appears in the preset attack IP address library, that suspicious user IP address is determined to be an attack IP address, the attack IP addresses are filtered out of the suspicious user IP addresses, and the suspicious user IP addresses that remain after filtering are determined to be the first remaining suspicious user IP addresses. If a suspicious user IP address does not appear in the preset attack IP address library, the first remaining suspicious user IP addresses are filtered further using the service request information in step 103, so as to filter out the attack IP addresses determined from the service request information.
103. Filter attack IP addresses out of the first remaining suspicious user IP addresses using the service request information in the session information, to obtain second remaining suspicious user IP addresses.
The service request information may specifically be information such as the URL (Uniform Resource Locator) requested by the user and the host field; the embodiment of the present invention does not specifically limit it. In the embodiment of the present invention, attack IP addresses can be filtered out of the first remaining suspicious user IP addresses according to information such as a preset request URL quantity threshold, a preset URL path, a preset URL jump relationship, a preset server host field and a preset URL length. That is, among the first remaining suspicious user IP addresses, those for which the number of URL requests does not conform to the preset request URL quantity threshold, the requested URL is not a preset URL path, the jump relationship of the request URL does not conform to the preset URL jump relationship, the requested server host field does not conform to the preset server host field, or the length of the request URL does not conform to the preset URL length are determined to be attack IP addresses. The IP addresses determined to be attack IP addresses are filtered out of the first remaining suspicious user IP addresses, and the first remaining suspicious user IP addresses that are left after filtering are determined to be the second remaining suspicious user IP addresses.
104. Filter attack IP addresses out of the second remaining suspicious user IP addresses according to a preset script program.
The preset script program is used to determine the attack IP addresses contained in the second remaining suspicious user IP addresses. The preset script program is a JavaScript script program, and whether a suspicious user IP address is an attack IP address is determined by having the client execute the preset script program. If the client executes the preset script program incorrectly, the suspicious user IP address corresponding to the client is an attack IP address. If the client executes the preset script program correctly, a human-computer interaction verification code is used to judge further whether the suspicious user IP address is an attack IP address: if the verification code entered at the client is wrong, the suspicious user IP address corresponding to the client is determined to be an attack IP address, and if the verification code entered at the client is correct, the suspicious user IP address corresponding to the client is determined to be a trusted user IP address.
105. Refuse the service requests sent from the attack IP addresses.
The attack defence method provided by the embodiment of the present invention defends against HTTP Flood attacks in layers: suspicious user IP addresses in the session information are first identified by means of a preset threshold, attack IP addresses are then filtered out of the suspicious user IP addresses layer by layer according to the preset attack IP address library, the service request information and the preset script program in turn, and attack defence is achieved by refusing the service requests sent from the attack IP addresses. Because the preset threshold allows the suspicious user IP addresses in the session information to be identified quickly, and because the preset attack IP address library, the service request information and the preset script program are applied in order of filtering speed to filter the attack IP addresses out of the suspicious user IP addresses, the efficiency of determining attack IPs can be improved, so the embodiment of the present invention can improve both the accuracy and the efficiency of attack defence.
To better explain the attack defence method provided by the embodiment of the present invention, the following embodiments refine and extend each of the above steps.
Specifically, identifying the suspicious user IP addresses in the session information by means of a preset threshold in step 101 comprises: obtaining from the session information the number of service requests sent from each user IP address in a unit of time; and determining the user IP addresses whose number of service requests sent in the unit of time is greater than a first preset threshold to be the suspicious user IP addresses. The first preset threshold is determined according to the number of service requests a normal user sends in a unit of time. If a normal user sends 10 service requests in 1 minute, the first preset threshold can be set to 10, and if a user sends more than 10 service requests in 1 minute, the IP address corresponding to that user can be determined to be a suspicious user IP address.
Further, after the user IP addresses whose number of service requests sent in the unit of time is greater than the first preset threshold have been determined to be the suspicious user IP addresses, the method further comprises: obtaining the user IP addresses whose number of service requests sent in the unit of time is less than or equal to the first preset threshold; counting, among the obtained user IP addresses, the number of service requests of each identical user IP address; and determining the user IP addresses whose service request count is greater than a second preset threshold to be the suspicious user IP addresses.
It should be noted that users in the same local area network have the same IP address but different session information. To prevent an attacker from using several terminal devices in a local area network to attack the WEB server, the service requests of each identical user IP address therefore need to be counted among the user IP addresses, and the user IP addresses whose service request count is greater than the second preset threshold are then determined to be suspicious user IP addresses. The second preset threshold is determined according to the number of service requests normally sent from a local area network in a unit of time. For example, if three identical user IP addresses are obtained from the session information within the unit of time, and the numbers of service requests they sent to the WEB server are 10, 15 and 20 respectively, the number of service requests sent from that user IP address totals 45; if the second preset threshold is 30, the user IP address can be determined to be a suspicious user IP address.
Specifically, filtering attack IP addresses out of the first remaining suspicious user IP addresses using the service request information in the session information in step 103, to obtain the second remaining suspicious user IP addresses, comprises: filtering the attack IP addresses out of the first remaining suspicious user IP addresses according to a preset request URL quantity threshold, and taking the filtered first remaining suspicious user IP addresses as first suspicious user IP addresses; filtering out, according to a preset URL path, the suspicious user IP addresses among the first suspicious user IP addresses whose request URL is incorrect, and taking the filtered first suspicious user IP addresses as second suspicious user IP addresses; filtering out, according to a preset URL jump relationship, the suspicious user IP addresses among the second suspicious user IP addresses whose request URL jump relationship is incorrect, and taking the filtered second suspicious user IP addresses as third suspicious user IP addresses; filtering out, according to a preset server host field, the suspicious user IP addresses among the third suspicious user IP addresses whose requested host field is incorrect, and taking the filtered third suspicious user IP addresses as fourth suspicious user IP addresses; and filtering out, according to a preset URL length, the suspicious user IP addresses among the fourth suspicious user IP addresses whose request URL length is incorrect.
The request URL quantity threshold is determined according to the number of times a normal user requests the same URL in a unit of time. If user A requests the same URL more times in the unit of time than the preset request URL quantity threshold, the IP address corresponding to user A is determined to be an attack IP address, and the determined attack IP address is filtered out of the first remaining suspicious user IP addresses. The preset URL path is set in advance in the WEB server. If the URL a user requests is not a URL path set in the WEB server, the IP address corresponding to that user is determined to be an attack IP address, and the determined attack IP address is filtered out of the first suspicious user IP addresses. The preset URL jump relationship is also set in advance in the WEB server, and the jump relationship of a URL can specifically be expressed through the Reference. If a user requests webpage B by jumping from webpage A, while the jump relationship set in the WEB server allows webpage B to be requested only through webpage C, the jump relationship of that user's request URL is incorrect, so the IP address corresponding to that user is determined to be an attack IP address, and the determined attack IP address is filtered out of the second suspicious user IP addresses. The preset server host field is the host field of the WEB server. If the host field a user requests is not the host field of the server, the IP address corresponding to that user is determined to be an attack IP address, and the determined attack IP address is filtered out of the third suspicious user IP addresses. The preset URL length is configured according to actual needs; the URL length may specifically be 20, 30, 40 and so on, and the embodiment of the present invention does not specifically limit it. If the length of the URL a user requests exceeds the preset URL length, the IP address corresponding to that user is determined to be an attack IP address, and the determined attack IP address is filtered out of the fourth suspicious user IP addresses.
It should be noted that because the attack IP addresses among the first remaining suspicious user IP addresses are filtered in order of filtering speed, according to the preset request URL quantity threshold, the preset URL path, the preset URL jump relationship, the preset server host field and the preset URL length in turn, the efficiency of determining attack IPs can be improved, so the embodiment of the present invention can improve the efficiency of attack defence.
Specifically, in step 104, filtering attack IP addresses from the second remaining suspicious user IP addresses according to the preset script program includes: sending the preset script program to the clients corresponding to the second remaining suspicious user IP addresses, so that the clients execute the preset script program; and, if there is a client that executes the preset script program incorrectly, determining the suspicious user IP address corresponding to that client to be the attack IP address. The preset script program is a JavaScript script program, and whether a suspicious user IP address is an attack IP address is determined by having the client execute the preset script program.
Further, after the suspicious user IP address corresponding to the client that executes the preset script program incorrectly is determined to be the attack IP address, the method also includes: if there is a client that executes the preset script program correctly, sending verification information to that client, so that the client receives a verification code entered according to the verification information; if the verification code does not correspond to the verification information, determining the suspicious user IP address corresponding to the client that executed the preset script program correctly to be an attack IP address; and if the verification code corresponds to the verification information, determining the suspicious user IP address corresponding to the client that executed the preset script program correctly to be a trusted user IP.
Further, the method also includes: storing the suspicious user IP addresses determined to be attack IP addresses in the preset attack IP address library, thereby updating the attack IP addresses in the preset attack IP address library. It should be noted that when an attack IP address in the preset attack IP address library is reassigned to a normal user, that user, in order to be able to send service requests, needs to send a user identity verification request to the WEB server. After the WEB server's verification passes, the corresponding attack IP address is deleted from the preset attack IP address library, so that the user's normal service requests can be served.
Further, an embodiment of the present invention provides an attack defence device. As shown in Fig. 2, the device includes: a recognition unit 21, a first filter unit 22, a second filter unit 23, a third filter unit 24, and a refusal unit 25.
The recognition unit 21 is configured to identify suspicious user Internet Protocol (IP) addresses in session information by a preset threshold, the session information containing IP addresses.
The session information, i.e. Session information, is the interaction information between a user and the WEB server, that is, information related to a data stream connection. A suspicious user IP address may be the IP address of a trusted user or of an attacking user.
It should be noted that the number of service requests a normal user sends per unit time has a threshold. If the number of service requests some user sends within the unit time does not conform to this threshold, the user may be an attacking user, so the IP address corresponding to that user needs to be determined to be a suspicious user IP address. The embodiment of the present invention therefore identifies the suspicious user IP addresses in the session information by a preset threshold. The preset threshold can be determined according to the characteristics of the WEB server and the internet behaviour of normal users; specifically, its size can be determined according to the number of requests a normal user sends to the destination IP address per unit time. If the number of requests a normal user sends to the destination IP address in 1 minute is less than or equal to 5, the preset threshold can be set to 5; if a user sends more than 5 service requests to the destination IP address in 1 minute, the IP address corresponding to that user can be determined to be a suspicious user IP address.
The first filter unit 22 is configured to filter attack IP addresses out of the suspicious user IP addresses according to a preset attack IP address library, obtaining the first remaining suspicious user IP addresses.
The preset attack IP address library is configured in advance and contains all attack IP addresses that have already been determined. If a suspicious user IP address appears in the preset attack IP address library, it is determined to be an attack IP address and is filtered out of the suspicious user IP addresses; the suspicious user IP addresses left after filtering are determined to be the first remaining suspicious user IP addresses. If a suspicious user IP address does not appear in the preset attack IP address library, the first remaining suspicious user IP addresses are further filtered by the service request information in step 103, so as to filter out the attack IP addresses determined by the service request information.
The second filter unit 23 is configured to filter attack IP addresses out of the first remaining suspicious user IP addresses by the service request information in the session information, obtaining the second remaining suspicious user IP addresses.
The service request information may specifically be information such as the URL (Uniform Resource Locator) requested by the user and the host field, which the embodiment of the present invention does not specifically limit. In the embodiment of the present invention, attack IP addresses can be filtered out of the first remaining suspicious user IP addresses according to information such as the preset request URL quantity threshold, the preset URL path, the preset URL jump relationship, the preset server host field, and the preset URL length. That is, among the first remaining suspicious user IP addresses, those whose number of URL requests does not conform to the preset request URL quantity threshold, whose requested URL is not a preset URL path, whose request URL jump relationship does not conform to the preset URL jump relationship, whose requested server host field does not conform to the preset server host field, or whose request URL length does not conform to the preset URL length are determined to be attack IP addresses. The IP addresses determined to be attack IP addresses are filtered out of the first remaining suspicious user IP addresses, and the first remaining suspicious user IP addresses left after filtering are determined to be the second remaining suspicious user IP addresses.
The third filter unit 24 is configured to filter attack IP addresses out of the second remaining suspicious user IP addresses according to a preset script program, the preset script program being used to determine the attack IP addresses contained in the second remaining suspicious user IP addresses.
The preset script program is a JavaScript script program, and whether a suspicious user IP address is an attack IP address is determined by having the client execute the preset script program. If the client executes the preset script program incorrectly, the suspicious user IP address corresponding to the client is determined to be an attack IP address. If the client executes the preset script program correctly, whether the suspicious user IP address is an attack IP address is further judged by means of a human-computer interaction verification code: if the verification code entered at the client is wrong, the suspicious user IP address corresponding to the client is determined to be an attack IP address; if the verification code entered at the client is correct, the suspicious user IP address corresponding to the client is determined to be a trusted IP address.
The refusal unit 25 is configured to refuse the service requests sent from the attack IP addresses.
Further, as shown in Fig. 3, the recognition unit 21 includes:
An obtaining module 211, configured to obtain from the session information the number of service requests sent from the IP address within the unit time;
A determining module 212, configured to determine an IP address whose number of service requests sent within the unit time is greater than a first preset threshold to be the suspicious user IP address. The first preset threshold is determined according to the number of service requests a normal user sends per unit time. If a normal user sends 10 service requests in 1 minute, the first preset threshold can be set to 10; if a user sends more than 10 service requests in 1 minute, the IP address corresponding to that user can be determined to be a suspicious user IP address.
Further, the recognition unit 21 also includes:
The obtaining module 211, further configured to obtain the IP addresses whose number of service requests sent within the unit time is less than or equal to the first preset threshold;
A statistical module 213, configured to count, among the obtained IP addresses, the number of service requests of the same user IP address;
The determining module 212, further configured to determine an IP address whose number of service requests is greater than a second preset threshold to be the suspicious user IP address.
It should be noted that users in the same local area network correspond to the same IP address but to different session information. Therefore, in order to prevent an attacker from attacking the WEB server through multiple terminal devices in a local area network, the number of service requests of the same user IP address needs to be counted among the IP addresses, and an IP address whose number of service requests is greater than the second preset threshold is then determined to be a suspicious user IP address. The second preset threshold is determined according to the number of service requests normally sent within a local area network per unit time. For example, suppose three identical user IP addresses are obtained from the session information within the unit time, and they send 10, 15, and 20 service requests to the WEB server respectively, so that the number of service requests sent from that IP address adds up to 45; if the second preset threshold is 30, the IP address can be determined to be a suspicious user IP address.
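The two-threshold identification described above, followed by the lookup in the preset attack IP address library, can be sketched as follows. This is an added example, not code from the patent; the function names, the session tuples, the threshold values 20 and 30, and the sample addresses are constructed for illustration.

```python
from collections import defaultdict


def identify_suspicious(sessions, first_threshold, second_threshold):
    """Return {ip: reason} for one unit of time.

    sessions: iterable of (session_id, ip, request_count). Several sessions
    may share one IP address (terminals behind the same local area network).
    """
    suspicious = {}
    at_or_below = defaultdict(int)
    for _session_id, ip, count in sessions:
        if count > first_threshold:
            # A single session already exceeds the per-user threshold.
            suspicious[ip] = "first threshold"
        else:
            # Kept for the per-IP total checked against the second threshold.
            at_or_below[ip] += count
    for ip, total in at_or_below.items():
        if ip not in suspicious and total > second_threshold:
            suspicious[ip] = "second threshold"
    return suspicious


def first_filter(suspicious_ips, attack_library):
    """Split suspicious IPs into known attack IPs and the first remaining set."""
    attack = [ip for ip in suspicious_ips if ip in attack_library]
    remaining = [ip for ip in suspicious_ips if ip not in attack_library]
    return attack, remaining


# Constructed sample data (documentation address ranges).
SESSIONS = [
    ("s1", "203.0.113.7", 10),   # three sessions behind one address:
    ("s2", "203.0.113.7", 15),   # each is within the first threshold,
    ("s3", "203.0.113.7", 20),   # together they send 45 requests
    ("s4", "198.51.100.4", 64),  # one session far above the first threshold
    ("s5", "198.51.100.9", 3),   # ordinary user
    ("s6", "192.0.2.50", 41),    # above the threshold and already in the library
]
ATTACK_LIBRARY = {"192.0.2.50"}


def demo():
    suspicious = identify_suspicious(SESSIONS, first_threshold=20, second_threshold=30)
    attack, remaining = first_filter(sorted(suspicious), ATTACK_LIBRARY)
    return suspicious, attack, remaining


if __name__ == "__main__":
    print(demo())
```
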
Specifically, the second filter unit 23 includes:
A first filtering module 231, configured to filter the attack IP addresses out of the first remaining suspicious user IP addresses according to the preset request URL quantity threshold, and to take the filtered first remaining suspicious user IP addresses as the first suspicious user IP addresses;
A second filtering module 232, configured to filter out, according to the preset URL path, the suspicious user IP addresses in the first suspicious user IP addresses whose request URL is incorrect, and to take the filtered first suspicious user IP addresses as the second suspicious user IP addresses;
A third filtering module 233, configured to filter out, according to the preset URL jump relationship, the suspicious user IP addresses in the second suspicious user IP addresses whose request URL jump relationship is incorrect, and to take the filtered second suspicious user IP addresses as the third suspicious user IP addresses;
A fourth filtering module 234, configured to filter out, according to the preset server host field, the suspicious user IP addresses in the third suspicious user IP addresses whose requested host field is incorrect, and to take the filtered third suspicious user IP addresses as the fourth suspicious user IP addresses;
A fifth filtering module 235, configured to filter out, according to the preset URL length, the suspicious user IP addresses in the fourth suspicious user IP addresses whose request URL length is incorrect.
The request URL quantity threshold is determined according to the number of times a normal user requests the same URL per unit time. If the number of times user A requests the same URL within the unit time exceeds the preset request URL quantity threshold, the IP address corresponding to user A is determined to be an attack IP address, and the determined attack IP address is filtered out of the first remaining suspicious user IP addresses. The preset URL path is set in advance in the WEB server; if the URL requested by a user is not a URL path set in the WEB server, the IP address corresponding to that user is determined to be an attack IP address, and the determined attack IP address is filtered out of the first suspicious user IP addresses. The preset URL jump relationship is likewise set in advance in the WEB server, and the jump relationship of a URL can specifically be indicated by Reference. If a user requests webpage B by jumping from webpage A, while the jump relationship set in the WEB server only allows webpage B to be requested through webpage C, the jump relationship of that user's request URL is incorrect; the IP address corresponding to the user is therefore determined to be an attack IP address, and the determined attack IP address is filtered out of the second suspicious user IP addresses. The preset server host field is the host field of the WEB server; if the host field requested by a user is not the host field of the server, the IP address corresponding to the user is determined to be an attack IP address, and the determined attack IP address is filtered out of the third suspicious user IP addresses. The preset URL length is configured according to actual needs and may specifically be 20, 30, 40, and so on, which the embodiment of the present invention does not specifically limit; if the length of the URL requested by a user exceeds the preset URL length, the IP address corresponding to the user is determined to be an attack IP address, and the determined attack IP address is filtered out of the fourth suspicious user IP addresses.
It should be noted that the attack IP addresses in the first remaining suspicious user IP addresses are filtered in order of filtering speed, successively according to the preset request URL quantity threshold, the preset URL path, the preset URL jump relationship, the preset server host field, and the preset URL length. This improves the efficiency of determining attack IP addresses, so the embodiment of the present invention can improve the efficiency of attack defence.
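The five successive checks on the service request information, described both for the method and for filtering modules 231 to 235, can be sketched as an ordered pipeline in which each stage only examines the addresses that survived the previous one. This is an added example, not code from the patent; the configuration keys, the request tuples, the use of the HTTP Referer value to express the jump relationship, and all sample values are assumptions made for illustration.

```python
from collections import Counter
from urllib.parse import urlsplit

# Constructed server-side presets (assumed names and values).
CFG = {
    "url_count_threshold": 5,                 # same URL per unit time
    "url_paths": {"/a", "/b", "/c", "/index"},
    "jumps": {"/b": {"/c"}},                  # page B may only be reached from page C
    "server_host": "www.example.com",
    "max_url_length": 30,
}


def url_count_ok(reqs, cfg):
    counts = Counter(url for url, _ref, _host in reqs)
    return max(counts.values(), default=0) <= cfg["url_count_threshold"]


def url_path_ok(reqs, cfg):
    return all(urlsplit(url).path in cfg["url_paths"] for url, _ref, _host in reqs)


def jump_ok(reqs, cfg):
    for url, referer, _host in reqs:
        allowed = cfg["jumps"].get(urlsplit(url).path)
        if allowed is not None and referer not in allowed:
            return False
    return True


def host_ok(reqs, cfg):
    return all(host == cfg["server_host"] for _url, _ref, host in reqs)


def url_length_ok(reqs, cfg):
    return all(len(url) <= cfg["max_url_length"] for url, _ref, _host in reqs)


# Order follows the text: quantity threshold, path, jump relationship, host, length.
STAGES = [
    ("url_count", url_count_ok),
    ("url_path", url_path_ok),
    ("jump", jump_ok),
    ("host", host_ok),
    ("url_length", url_length_ok),
]


def filter_by_request_info(first_remaining, requests_by_ip, cfg):
    """Return (attack {ip: failed stage}, second remaining IPs, IPs examined per stage)."""
    remaining, attack, examined = list(first_remaining), {}, {}
    for name, check in STAGES:
        examined[name] = len(remaining)
        survivors = []
        for ip in remaining:
            if check(requests_by_ip.get(ip, []), cfg):
                survivors.append(ip)
            else:
                attack[ip] = name
        remaining = survivors
    return attack, remaining, examined


H = CFG["server_host"]
# Constructed requests: (url, referer path or None, host field).
REQUESTS = {
    "192.0.2.10": [("/index", None, H)] * 8,
    "192.0.2.11": [("/admin.php", None, H)],
    "192.0.2.12": [("/a", None, H), ("/b", "/a", H)],
    "192.0.2.13": [("/index", None, "other.example")],
    "192.0.2.14": [("/index?q=" + "x" * 40, None, H)],
    "192.0.2.15": [("/c", None, H), ("/b", "/c", H)],
}

if __name__ == "__main__":
    print(filter_by_request_info(sorted(REQUESTS), REQUESTS, CFG))
```
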
Specifically, the third filter unit 24 includes:
A sending module 241, configured to send the preset script program to the clients corresponding to the second remaining suspicious user IP addresses, so that the clients execute the preset script program;
A determining module 242, configured to, if there is a client that executes the preset script program incorrectly, determine the suspicious user IP address corresponding to that client to be the attack IP address.
The sending module 241 is further configured to, if there is a client that executes the preset script program correctly, send verification information to that client, so that the client that executed the preset script program correctly receives a verification code entered according to the verification information;
The determining module 242 is further configured to, if the verification code does not correspond to the verification information, determine the suspicious user IP address corresponding to the client that executed the preset script program correctly to be an attack IP address;
The determining module 242 is further configured to, if the verification code corresponds to the verification information, determine the suspicious user IP address corresponding to the client that executed the preset script program correctly to be a trusted user IP.
Further, the device also includes:
A storage unit 26, configured to store the suspicious user IP addresses determined to be attack IP addresses in the preset attack IP address library.
It should be noted that when an attack IP address in the preset attack IP address library is reassigned to a normal user, that user, in order to be able to send service requests, needs to send a user identity verification request to the WEB server. After the WEB server's verification passes, the corresponding attack IP address is deleted from the preset attack IP address library, so that the user's normal service requests can be served.
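The script stage, the verification-code stage, the update of the attack IP address library, and the removal of a reassigned address can be sketched as below. This is an added example, not code from the patent: the clients are simulated in Python, the arithmetic in `script_answer` stands in for whatever the preset JavaScript computes, and binding each challenge to the client IP with an HMAC tag is an assumption about how a server could verify answers without keeping per-client state.

```python
import hashlib
import hmac
import secrets

SECRET = secrets.token_bytes(32)  # server-side key (assumption, not in the patent)


def tag(*parts):
    msg = "|".join(str(p) for p in parts).encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def issue_script(ip):
    a, b = secrets.randbelow(10**6), secrets.randbelow(10**6)
    return {"a": a, "b": b, "tag": tag("script", ip, a, b)}


def script_answer(a, b):
    # Hypothetical computation a real browser would perform in the preset script.
    return (a * 31 + b) % 65521


def script_correct(ip, challenge, answer):
    genuine = hmac.compare_digest(
        challenge["tag"], tag("script", ip, challenge["a"], challenge["b"]))
    return bool(genuine and answer == script_answer(challenge["a"], challenge["b"]))


def issue_code(ip):
    code = f"{secrets.randbelow(10**4):04d}"  # shown to the user, e.g. as an image
    return code, tag("code", ip, code)


def code_correct(ip, code_tag, typed):
    return hmac.compare_digest(code_tag, tag("code", ip, str(typed)))


def third_filter(second_remaining, clients, attack_library):
    """Return (trusted IPs, attack IPs) and store the attack IPs in the library."""
    trusted, attack = [], []
    for ip in second_remaining:
        client = clients[ip]
        challenge = issue_script(ip)
        answer = client.run_script(challenge["a"], challenge["b"])
        if not script_correct(ip, challenge, answer):
            attack.append(ip)          # script executed incorrectly
            continue
        code, code_tag = issue_code(ip)
        if code_correct(ip, code_tag, client.enter_code(code)):
            trusted.append(ip)         # verification code corresponds
        else:
            attack.append(ip)          # verification code does not correspond
    attack_library.update(attack)
    return trusted, attack


def readmit(ip, identity_verified, attack_library):
    """Delete a reassigned address from the library once identity verification passes."""
    if identity_verified:
        attack_library.discard(ip)
    return ip not in attack_library


class Browser:                         # simulated person using a real browser
    def run_script(self, a, b): return script_answer(a, b)
    def enter_code(self, shown): return shown


class FloodTool:                       # simulated client that cannot run the script
    def run_script(self, a, b): return None
    def enter_code(self, shown): return ""


class ScriptedBot:                     # runs the script but cannot read the code
    def run_script(self, a, b): return script_answer(a, b)
    def enter_code(self, shown): return "guess"


def demo():
    library = {"192.0.2.50"}
    clients = {"198.51.100.4": Browser(), "203.0.113.7": FloodTool(),
               "203.0.113.8": ScriptedBot()}
    trusted, attack = third_filter(sorted(clients), clients, library)
    return trusted, attack, library


if __name__ == "__main__":
    print(demo())
```
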
Another attack defence device provided by an embodiment of the present invention defends against HTTP Flood attacks in a layered manner: the suspicious user IP addresses in the session information are first identified by a preset threshold; attack IP addresses are then filtered out of the suspicious user IP addresses layer by layer, successively according to the preset attack IP address library, the service request information, and the preset script program; and attack defence is achieved by refusing the service requests sent from the attack IP addresses. Because the suspicious user IP addresses in the session information can be identified quickly by the preset threshold, and the attack IP addresses among the suspicious user IP addresses are filtered in order of filtering speed by the preset attack IP address library, the service request information, and the preset script program in turn, the efficiency of determining attack IP addresses is improved, so the embodiment of the present invention can improve the accuracy and efficiency of attack defence.
In the above embodiments, the description of each embodiment has its own emphasis; for parts not described in detail in one embodiment, refer to the related descriptions of the other embodiments.
It can be understood that the related features of the above method and device may be referred to each other. In addition, "first", "second", and so on in the above embodiments are used to distinguish the embodiments and do not represent the relative merits of the embodiments.
It is apparent to those skilled in the art that, for convenience and brevity of description, the specific working processes of the system, device, and units described above can refer to the corresponding processes in the foregoing method embodiments, and are not repeated here.
The algorithms and displays provided herein are not inherently related to any particular computer, virtual system, or other device. Various general-purpose systems can also be used with the teachings herein. From the description above, the structure required to construct such a system is apparent. In addition, the present invention is not directed at any particular programming language. It should be understood that the content of the invention described herein can be implemented in various programming languages, and the description given above for a specific language is intended to disclose the best mode of the invention.
Numerous specific details are set forth in the description provided here. It is to be understood, however, that embodiments of the invention can be practised without these specific details. In some instances, well-known methods, structures, and techniques are not shown in detail so as not to obscure the understanding of this description.
Similarly, it should be understood that, in order to streamline the disclosure and aid the understanding of one or more of the various inventive aspects, in the above description of exemplary embodiments of the present invention the features of the invention are sometimes grouped together into a single embodiment, figure, or description thereof. However, the disclosed method should not be interpreted as reflecting an intention that the claimed invention requires more features than are expressly recited in each claim. Rather, as the following claims reflect, the inventive aspects lie in fewer than all features of a single embodiment disclosed above. The claims following the detailed description are therefore expressly incorporated into the detailed description, with each claim standing on its own as a separate embodiment of the invention.
Those skilled in the art will understand that the modules in the device of an embodiment can be adaptively changed and arranged in one or more devices different from that embodiment. The modules or units or components of the embodiments can be combined into one module or unit or component, and they can furthermore be divided into multiple sub-modules or sub-units or sub-components. Except where at least some of such features and/or processes or units are mutually exclusive, all features disclosed in this specification (including the accompanying claims, abstract, and drawings) and all processes or units of any method or device so disclosed can be combined in any combination. Unless expressly stated otherwise, each feature disclosed in this specification (including the accompanying claims, abstract, and drawings) can be replaced by an alternative feature serving the same, an equivalent, or a similar purpose.
In addition, those skilled in the art will understand that although some embodiments described herein include certain features that are included in other embodiments and not other features, combinations of features of different embodiments are meant to be within the scope of the invention and to form different embodiments. For example, in the following claims, any one of the claimed embodiments can be used in any combination.
The various component embodiments of the invention can be implemented in hardware, or as software modules running on one or more processors, or in a combination thereof. Those skilled in the art will understand that a microprocessor or digital signal processor (DSP) can be used in practice to implement some or all of the functions of some or all of the components of the attack defence method and device according to embodiments of the present invention. The present invention can also be implemented as a device or apparatus program (for example, a computer program and a computer program product) for executing part or all of the method described herein. Such a program implementing the invention can be stored on a computer-readable medium, or can take the form of one or more signals. Such signals can be downloaded from an Internet website, provided on a carrier signal, or provided in any other form.
It should be noted that the above embodiments illustrate rather than limit the invention, and that those skilled in the art can design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference sign placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The invention can be implemented by means of hardware comprising several distinct elements and by means of a suitably programmed computer. In a unit claim enumerating several devices, several of these devices can be embodied by one and the same item of hardware. The use of the words first, second, and third does not indicate any order. These words can be interpreted as names.
Claims (10)
1. A defence method against an attack, characterized by comprising:
identifying suspicious user Internet Protocol (IP) addresses in session information by a preset threshold, the session information containing user IP addresses, the preset threshold being determined according to the number of requests a normal user sends to a destination IP address per unit time;
filtering attack IP addresses out of the suspicious user IP addresses according to a preset attack IP address library, to obtain first remaining suspicious user IP addresses;
filtering attack IP addresses out of the first remaining suspicious user IP addresses by the service request information in the session information, to obtain second remaining suspicious user IP addresses;
filtering attack IP addresses out of the second remaining suspicious user IP addresses according to a preset script program, the preset script program being used to determine the attack IP addresses contained in the second remaining suspicious user IP addresses;
refusing the service requests sent from the attack IP addresses.
2. The method according to claim 1, characterized in that identifying the suspicious user IP addresses in the session information by the preset threshold comprises:
obtaining from the session information the number of service requests sent from the IP address within the unit time;
determining an IP address whose number of service requests sent within the unit time is greater than a first preset threshold to be the suspicious user IP address.
3. The method according to claim 2, characterized in that, after the IP address whose number of service requests sent within the unit time is greater than the first preset threshold is determined to be the suspicious user IP address, the method further comprises:
obtaining the IP addresses whose number of service requests sent within the unit time is less than or equal to the first preset threshold;
counting, among the obtained IP addresses, the number of service requests of the same user IP address;
determining an IP address whose number of service requests is greater than a second preset threshold to be the suspicious user IP address.
4. The method according to claim 1, characterized in that filtering attack IP addresses out of the first remaining suspicious user IP addresses by the service request information in the session information, to obtain the second remaining suspicious user IP addresses, comprises:
filtering the attack IP addresses out of the first remaining suspicious user IP addresses according to a preset request URL quantity threshold, and taking the filtered first remaining suspicious user IP addresses as first suspicious user IP addresses;
filtering out, according to a preset URL path, the suspicious user IP addresses in the first suspicious user IP addresses whose request URL is incorrect, and taking the filtered first suspicious user IP addresses as second suspicious user IP addresses;
filtering out, according to a preset URL jump relationship, the suspicious user IP addresses in the second suspicious user IP addresses whose request URL jump relationship is incorrect, and taking the filtered second suspicious user IP addresses as third suspicious user IP addresses;
filtering out, according to a preset server host field, the suspicious user IP addresses in the third suspicious user IP addresses whose requested host field is incorrect, and taking the filtered third suspicious user IP addresses as fourth suspicious user IP addresses;
filtering out, according to a preset URL length, the suspicious user IP addresses in the fourth suspicious user IP addresses whose request URL length is incorrect.
5. The method according to claim 1, characterized in that filtering attack IP addresses out of the second remaining suspicious user IP addresses according to the preset script program comprises:
sending the preset script program to the clients corresponding to the second remaining suspicious user IP addresses, so that the clients execute the preset script program;
if there is a client that executes the preset script program incorrectly, determining the suspicious user IP address corresponding to the client that executed the preset script program incorrectly to be the attack IP address.
6. The method according to claim 5, characterized in that, after the suspicious user IP address corresponding to the client that executed the preset script program incorrectly is determined to be the attack IP address, the method further comprises:
if there is a client that executes the preset script program correctly, sending verification information to the client that executed the preset script program correctly, so that the client that executed the preset script program correctly receives a verification code entered according to the verification information;
if the verification code does not correspond to the verification information, determining the suspicious user IP address corresponding to the client that executed the preset script program correctly to be an attack IP address;
if the verification code corresponds to the verification information, determining the suspicious user IP address corresponding to the client that executed the preset script program correctly to be a trusted user IP.
7. The method according to any one of claims 1 to 6, characterized in that the method further comprises:
storing the suspicious user IP addresses determined to be attack IP addresses in the preset attack IP address library.
8. A defence device against an attack, characterized by comprising:
a recognition unit, configured to identify suspicious user Internet Protocol (IP) addresses in session information by a preset threshold, the session information containing IP addresses, the preset threshold being determined according to the number of requests a normal user sends to a destination IP address per unit time;
a first filter unit, configured to filter attack IP addresses out of the suspicious user IP addresses according to a preset attack IP address library, to obtain first remaining suspicious user IP addresses;
a second filter unit, configured to filter attack IP addresses out of the first remaining suspicious user IP addresses by the service request information in the session information, to obtain second remaining suspicious user IP addresses;
a third filter unit, configured to filter attack IP addresses out of the second remaining suspicious user IP addresses according to a preset script program, the preset script program being used to determine the attack IP addresses contained in the second remaining suspicious user IP addresses;
a refusal unit, configured to refuse the service requests sent from the attack IP addresses.
9. The device according to claim 8, characterized in that the recognition unit comprises:
an obtaining module, configured to obtain from the session information the number of service requests sent from the IP address within the unit time;
a determining module, configured to determine a user IP address whose number of service requests sent within the unit time is greater than a first preset threshold to be the suspicious user IP address.
10. The device according to claim 9, characterized in that the recognition unit further comprises:
the obtaining module, further configured to obtain the IP addresses whose number of service requests sent within the unit time is less than or equal to the first preset threshold;
a statistical module, configured to count, among the obtained IP addresses, the number of service requests of the same user IP address;
the determining module, further configured to determine an IP address whose number of service requests is greater than a second preset threshold to be the suspicious user IP address.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610783731.7A CN106357628B (en) | 2016-08-31 | 2016-08-31 | The defence method and device of attack |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610783731.7A CN106357628B (en) | 2016-08-31 | 2016-08-31 | The defence method and device of attack |
Publications (2)
Publication Number | Publication Date |
---|---|
CN106357628A (en) | 2017-01-25 |
CN106357628B (en) | 2019-09-06 |
Family
ID=57858274
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201610783731.7A Active CN106357628B (en) | 2016-08-31 | 2016-08-31 | The defence method and device of attack |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN106357628B (en) |
Families Citing this family (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN110166408B (en) * | 2018-02-13 | 2022-09-06 | 北京京东尚科信息技术有限公司 | Method, device and system for defending flood attack |
CN108833450B (en) * | 2018-08-22 | 2020-07-10 | 网宿科技股份有限公司 | Method and device for preventing server from being attacked |
CN110532753A (en) * | 2019-07-01 | 2019-12-03 | 武汉船舶通信研究所(中国船舶重工集团公司第七二二研究所) | The safety protecting method and equipment of train operation monitoring and recording device business data flow |
CN111241543B (en) * | 2020-01-07 | 2021-03-02 | 中国搜索信息科技股份有限公司 | Method and system for intelligently resisting DDoS attack by application layer |
CN113452647B (en) * | 2020-03-24 | 2022-11-29 | 百度在线网络技术(北京)有限公司 | Feature identification method, feature identification device, electronic equipment and computer-readable storage medium |
CN113810486B (en) * | 2021-09-13 | 2022-12-20 | 珠海格力电器股份有限公司 | Internet of things platform docking method and device, electronic equipment and storage medium |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102891829A (en) * | 2011-07-18 | 2013-01-23 | 航天信息股份有限公司 | Method and system for detecting and defending distributed denial of service attack |
CN103685294A (en) * | 2013-12-20 | 2014-03-26 | 北京奇虎科技有限公司 | Method and device for identifying attack sources of denial of service attack |
CN103856470A (en) * | 2012-12-06 | 2014-06-11 | 腾讯科技(深圳)有限公司 | Distributed denial of service attack detection method and device |
CN104935609A (en) * | 2015-07-17 | 2015-09-23 | 北京京东尚科信息技术有限公司 | Network attack detection method and detection apparatus |
US9392019B2 (en) * | 2014-07-28 | 2016-07-12 | Lenovo Enterprise (Singapore) Pte. Ltd. | Managing cyber attacks through change of network address |
Family Cites Families (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US8533821B2 (en) * | 2007-05-25 | 2013-09-10 | International Business Machines Corporation | Detecting and defending against man-in-the-middle attacks |
Non-Patent Citations (1)
Title |
---|
An efficient defense model against SIP flooding attacks; Li Hongbin et al.; Computer Engineering; 20130215; full text |
Also Published As
Publication number | Publication date |
---|---|
CN106357628A (en) | 2017-01-25 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN106357628B (en) | The defence method and device of attack | |
US9773109B2 (en) | Alternate files returned for suspicious processes in a compromised computer network | |
CN106161451B (en) | Defend the method, apparatus and system of CC attack | |
CN103701795B (en) | The recognition methods of the attack source of Denial of Service attack and device | |
CN102932329B (en) | A kind of method, device and client device that the behavior of program is tackled | |
CN109951500A (en) | Network attack detecting method and device | |
CN104333529B (en) | The detection method and system of HTTP dos attacks under a kind of cloud computing environment | |
CN107888546A (en) | network attack defence method, device and system | |
CN107645478B (en) | Network attack defense system, method and device | |
CN107743118B (en) | Hierarchical network security protection method and device | |
CN103973635B (en) | Page access control method and relevant apparatus and system | |
US20140157415A1 (en) | Information security analysis using game theory and simulation | |
CN106603555A (en) | Method and device for preventing library-hit attacks | |
AU2010258278A1 (en) | Identifying bots | |
CN106549980A (en) | A kind of malice C&C server determines method and device | |
CN110365712A (en) | A kind of defence method and system of distributed denial of service attack | |
CN107426243A (en) | A kind of network safety protection method and device | |
CN108632634A (en) | A kind of providing method and device of direct broadcast service | |
CN110166420A (en) | Rebound shell blocking-up method and device | |
CN108512805B (en) | Network security defense method and network security defense device | |
CN108282443B (en) | Crawler behavior identification method and device | |
Ismail et al. | New framework to detect and prevent denial of service attack in cloud computing environment | |
CN106888192A (en) | The method and device that a kind of resistance DNS is attacked | |
CN109413022A (en) | A kind of method and apparatus based on user behavior detection HTTP FLOOD attack | |
KR101042226B1 (en) | The method of counteracting distributed denial of service attack using network filter monitoring white list and dummy web server |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||