CN114567481A - Data transmission method and device, electronic equipment and storage medium - Google Patents
- Publication number: CN114567481A (application CN202210191805.3A)
- Authority: CN (China)
- Prior art keywords: data packet, micro, virtual machine, isolation, flow table
- Legal status: Granted (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- H—ELECTRICITY > H04—ELECTRIC COMMUNICATION TECHNIQUE > H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
  - H04L63/00—Network architectures or network communication protocols for network security > H04L63/02—for separating internal from external traffic, e.g. firewalls > H04L63/0272—Virtual private networks
  - H04L63/00—Network architectures or network communication protocols for network security > H04L63/02—for separating internal from external traffic, e.g. firewalls > H04L63/0227—Filtering policies
  - H04L49/00—Packet switching elements > H04L49/70—Virtual switches
Abstract
The invention discloses a data transmission method, a data transmission device, electronic equipment and a storage medium. The method comprises the following steps: a virtual switch sends a received data packet from a source service virtual machine to a micro-isolation virtual machine according to a first flow table; the micro-isolation virtual machine matches the forwarding information of the data packet against an access control policy and, according to the matching result, either returns the data packet to the virtual switch or discards it; after receiving the data packet returned by the micro-isolation virtual machine, the virtual switch sends it to the target service virtual machine according to a second flow table. The first flow table and the second flow table are issued by an SDN controller triggered by a micro-isolation policy server, and the access control policy is issued by the micro-isolation policy server. Because the micro-isolation virtual machine matches the forwarding information carried in each received data packet against the access control policy issued by the micro-isolation policy server and processes the packet according to the matching result, the micro-isolation virtual machine does not need to be adapted to different cloud computing underlying environments.
Description
Technical Field
The present invention relates to the field of network security technologies, and in particular, to a data transmission method and apparatus, an electronic device, and a storage medium.
Background
In the field of information security, micro-isolation (micro-segmentation) is a scheme for fine-grained network access control. Micro-isolation technology analyzes traffic dynamically and in real time through a unified policy center and performs session-level alerting and blocking of anomalous access, whereas a conventional firewall mostly blocks traffic according to statically configured access control rules; micro-isolation is therefore also called Software Defined Isolation.
Micro-isolation is generally applied in cloud computing environments and usually adopts a lightweight agent mode to solve two problems: a network firewall cannot see east-west traffic, and a host firewall consumes a large amount of system resources. However, the lightweight agent must be installed on each virtual machine, it must be adapted to a large number of operating systems, and some users may refuse to install the agent on their virtual machines. An agentless solution is therefore needed, but an agentless solution requires the underlying virtualization hypervisor to provide Application Programming Interface (API) support, which raises the problem that it must be adapted to each different cloud computing underlying environment.
Disclosure of Invention
The invention provides a data transmission method, a data transmission device, electronic equipment and a storage medium, which are used to solve the problem that the agentless micro-isolation scheme in the prior art cannot be adapted to different cloud computing underlying environments.
In a first aspect, an embodiment of the present invention provides a data transmission method, where the method includes:
the virtual switch sends a received data packet from the source service virtual machine to a micro-isolation virtual machine according to a first flow table, so that the micro-isolation virtual machine matches the forwarding information carried in the data packet against an access control policy and, according to the matching result, sends the data packet back to the virtual switch or discards it;
after receiving the data packet returned by the micro-isolation virtual machine, the virtual switch sends the data packet to a target service virtual machine according to a second flow table;
wherein the first flow table and the second flow table are issued by an SDN controller triggered by a micro-isolation policy server, and the access control policy is issued by the micro-isolation policy server.
In a possible implementation, the virtual switch sending the received data packet from the source service virtual machine to the micro-isolation virtual machine according to the first flow table includes:
if the virtual switch determines that the port on which the data packet was received matches the first receiving port in the first flow table, obtaining the target port of the virtual switch from the first flow table;
and the virtual switch sending the data packet to the micro-isolation virtual machine through that target port.
In a possible implementation, the virtual switch sending the data packet to the target service virtual machine according to the second flow table includes:
if the virtual switch determines that the port on which the data packet was received matches the second receiving port in the second flow table, determining that the data packet is normal;
and the virtual switch sending the data packet to the target service virtual machine through the target port of the target service virtual machine carried in the data packet.
In a second aspect, an embodiment of the present invention provides a data transmission method, where the method includes:
the micro-isolation virtual machine receives a data packet sent by the virtual switch;
the micro-isolation virtual machine matches the forwarding information carried in the data packet against an access control policy and, according to the matching result, sends the data packet back to the virtual switch or discards it;
wherein the access control policy is issued by the micro-isolation policy server, and the forwarding information includes the address of the source service virtual machine that sends the data packet, the address of the target service virtual machine that receives the data packet, and the target port of the target service virtual machine that receives the data packet.
In a possible implementation, the micro-isolation virtual machine matching the forwarding information carried in the data packet against the access control policy and, according to the matching result, sending the data packet to the virtual switch or discarding it includes:
if the micro-isolation virtual machine successfully matches the forwarding information against any one of the access control policies, sending the data packet to the virtual switch;
otherwise, discarding the data packet.
In one possible embodiment, the method further comprises:
the micro-isolation virtual machine matches the forwarding information carried in each data packet against the access control policy and calculates a behaviour baseline from the matching results obtained within a preset time length;
the micro-isolation virtual machine compares the behaviour baseline with a preset behaviour statistic anomaly baseline threshold and determines, according to the comparison result, whether the micro-isolation virtual machine's behaviour is abnormal;
wherein the behaviour statistic anomaly baseline threshold is issued by the micro-isolation policy server.
In a possible implementation, the micro-isolation virtual machine matching the forwarding information carried in the data packet against the access control policy and calculating the behaviour baseline from the matching results within the preset time length includes:
if the micro-isolation virtual machine successfully matches the forwarding information against any one of the access control policies, determining the matching result as a normal access;
the micro-isolation virtual machine calculating the behaviour baseline from the number of received data packets and the number of accesses determined to be normal.
In one possible embodiment, the method further comprises:
if the micro-isolation virtual machine discards a data packet or determines that its behaviour is abnormal, the micro-isolation policy server sends alarm information.
In a third aspect, an embodiment of the present invention provides a data transmission apparatus, where the apparatus includes:
a first sending module, configured to send a received data packet from the source service virtual machine to the micro-isolation virtual machine according to a first flow table, so that the micro-isolation virtual machine matches the forwarding information carried in the data packet against an access control policy and, according to the matching result, sends the data packet back to the virtual switch or discards it;
a second sending module, configured to send the data packet to the target service virtual machine according to a second flow table after the data packet returned by the micro-isolation virtual machine is received;
wherein the first flow table and the second flow table are issued by an SDN controller triggered by a micro-isolation policy server, and the access control policy is issued by the micro-isolation policy server.
In a possible implementation, the first sending module is specifically configured to:
if the port on which the data packet was received is determined to match the first receiving port in the first flow table, obtain the target port of the virtual switch from the first flow table;
and send the data packet to the micro-isolation virtual machine through that target port.
In a possible implementation, the second sending module is specifically configured to:
if the port on which the data packet was received is determined to match the second receiving port in the second flow table, determine that the data packet is normal;
and send the data packet to the target service virtual machine through the target port of the target service virtual machine carried in the data packet.
In a fourth aspect, an embodiment of the present invention provides a data transmission apparatus, where the apparatus includes:
a receiving module, configured to receive a data packet sent by the virtual switch;
a first matching module, configured to match the forwarding information carried in the data packet against an access control policy and, according to the matching result, send the data packet back to the virtual switch or discard it;
wherein the access control policy is issued by the micro-isolation policy server, and the forwarding information includes the address of the source service virtual machine that sends the data packet, the address of the target service virtual machine that receives the data packet, and the target port of the target service virtual machine that receives the data packet.
In a possible implementation, the first matching module is specifically configured to:
if the forwarding information is successfully matched against any one of the access control policies, send the data packet to the virtual switch;
otherwise, discard the data packet.
In one possible embodiment, the apparatus further comprises:
a second matching module, configured to match the forwarding information carried in each data packet against the access control policy and calculate a behaviour baseline from the matching results obtained within a preset time length;
a determining module, configured to compare the behaviour baseline with a preset behaviour statistic anomaly baseline threshold and determine, according to the comparison result, whether the micro-isolation virtual machine's behaviour is abnormal;
wherein the behaviour statistic anomaly baseline threshold is issued by the micro-isolation policy server.
In a possible implementation, the second matching module is specifically configured to:
if the forwarding information is successfully matched against any one of the access control policies, determine the matching result as a normal access;
calculate the behaviour baseline from the number of received data packets and the number of accesses determined to be normal.
In one possible embodiment, the apparatus further comprises:
an alarm module, configured to have the micro-isolation policy server send alarm information if a data packet is discarded or the micro-isolation virtual machine's behaviour is determined to be abnormal.
In a fifth aspect, an embodiment of the present invention provides an electronic device, including at least one processor and a memory communicatively coupled to the at least one processor, wherein:
the memory stores a computer program executable by the at least one processor, which enables the at least one processor to perform the method of any one of the first or second aspects.
In a sixth aspect, an embodiment of the present invention provides a storage medium; when a computer program in the storage medium is executed by a processor of an electronic device, the electronic device is able to execute the method according to any one of the first or second aspects.
The invention has the following beneficial effects:
the invention discloses a data transmission method, a data transmission device, electronic equipment and a storage medium. In the method, the virtual switch sends a received data packet from the source service virtual machine to the micro-isolation virtual machine according to a first flow table, so that the micro-isolation virtual machine matches the forwarding information carried in the data packet against an access control policy and, according to the matching result, sends the data packet back to the virtual switch or discards it; after receiving the data packet returned by the micro-isolation virtual machine, the virtual switch sends it to the target service virtual machine according to a second flow table. The first flow table and the second flow table are issued by an SDN controller triggered by a micro-isolation policy server, the access control policy is issued by the micro-isolation policy server, and the forwarding information comprises the address of the source service virtual machine sending the data packet, the address of the target service virtual machine receiving the data packet and the target port of the target service virtual machine receiving the data packet. Because the micro-isolation virtual machine matches the forwarding information carried in each received data packet against the access control policy issued by the micro-isolation policy server and processes the packet according to the matching result, the micro-isolation policy server does not need to adapt to different cloud computing underlying environments, and system performance is improved.
Drawings
In order to illustrate the technical solutions in the embodiments of the present invention more clearly, the drawings used in the description of the embodiments are briefly introduced below. The drawings in the following description show only some embodiments of the present invention, and a person skilled in the art can obtain other drawings from them without inventive effort.
Fig. 1 is a schematic structural diagram of a data transmission system according to an embodiment of the present invention;
Fig. 2 is a schematic flowchart of a data transmission method according to an embodiment of the present invention;
Fig. 3 is a schematic flowchart of a data transmission method according to an embodiment of the present invention;
Fig. 4 is a schematic flowchart of another data transmission method according to an embodiment of the present invention;
Fig. 5 is a schematic structural diagram of a data transmission apparatus according to an embodiment of the present invention;
Fig. 6 is a schematic structural diagram of another data transmission apparatus according to an embodiment of the present invention;
Fig. 7 is a schematic structural diagram of an electronic device according to an embodiment of the present invention.
Detailed Description
To make the objects, technical solutions and advantages of the present invention more apparent, the present invention is described in further detail below with reference to the accompanying drawings. All other embodiments that a person skilled in the art can obtain from the embodiments of the present invention without creative effort fall within the protection scope of the present invention.
Micro-isolation is a scheme for fine-grained network access control: micro-isolation technology analyzes traffic dynamically and in real time through a unified policy center and performs session-level alerting and blocking of anomalous access. Software Defined Network (SDN) technology can control east-west traffic in a network dynamically and at fine granularity, but the number of flow table entries supported by the protocols commonly used with SDN is limited; too many flow table entries reduce switching efficiency and greatly increase the complexity of flow table management. Micro-isolation usually adopts a lightweight agent mode to solve the problems that a network firewall cannot see east-west traffic and a host firewall consumes a large amount of system resources.
Based on the above problems, embodiments of the present invention provide a data transmission method, an apparatus, an electronic device and a storage medium, so as to solve the problem that the agentless micro-isolation scheme in the prior art cannot adapt to different cloud computing underlying environments.
The data transmission method provided by the exemplary embodiments of the present application is described below with reference to the accompanying drawings and the application scenarios described above. It should be noted that these application scenarios are shown only to aid understanding of the spirit and principles of the present application, and the embodiments of the present application are not limited in this respect.
As shown in Fig. 1, the system for the data transmission method provided by an embodiment of the present invention includes a virtual switch 10 and a micro-isolation virtual machine 20.
The virtual switch 10 is configured to send a received data packet from the source service virtual machine to the micro-isolation virtual machine according to a first flow table, so that the micro-isolation virtual machine matches the forwarding information carried in the data packet against an access control policy and, according to the matching result, sends the data packet back to the virtual switch or discards it; and, after receiving the data packet returned by the micro-isolation virtual machine, to send the data packet to the target service virtual machine according to a second flow table.
The micro-isolation virtual machine 20 is configured to receive the data packet sent by the virtual switch, match the forwarding information carried in the data packet against the access control policy and, according to the matching result, send the data packet back to the virtual switch or discard it.
The first flow table and the second flow table are issued by an SDN controller triggered by a micro-isolation policy server, the access control policy is issued by the micro-isolation policy server, and the forwarding information includes the address of the source service virtual machine sending the data packet, the address of the target service virtual machine receiving the data packet, and the target port of the target service virtual machine receiving the data packet.
The invention discloses a data transmission method. A virtual switch sends a received data packet from a source service virtual machine to a micro-isolation virtual machine according to a first flow table; the micro-isolation virtual machine matches the forwarding information carried in the received data packet against an access control policy and, according to the matching result, sends the data packet back to the virtual switch or discards it; after receiving the data packet returned by the micro-isolation virtual machine, the virtual switch sends it to the target service virtual machine according to a second flow table. The first flow table and the second flow table are issued by an SDN controller triggered by a micro-isolation policy server, the access control policy is issued by the micro-isolation policy server, and the forwarding information comprises the address of the source service virtual machine sending the data packet, the address of the target service virtual machine receiving the data packet and the target port of the target service virtual machine receiving the data packet. Because the micro-isolation virtual machine matches the forwarding information carried in each received data packet against the access control policy issued by the micro-isolation policy server and processes the packet according to the matching result, the micro-isolation policy server does not need to adapt to different cloud computing underlying environments, and system performance is improved.
In addition, SDN technology allows full capture of east-west traffic, the traffic steering function is realized with only a simple flow table, the flow table explosion caused by frequent changes of network topology or user services is avoided, and the method adapts automatically to virtual machine migration ("drifting") in the cloud computing environment.
As shown in Fig. 2, the detailed flow of a data transmission method provided by an embodiment of the present invention includes:
Step 201: the micro-isolation policy server calls the SDN controller to add a first flow table and a second flow table to the virtual switch, and step 202 is executed.
In a specific implementation, the micro-isolation policy server invokes the SDN controller to add the first flow table to the virtual switch as follows: the match field is the ingress port being a first interface, such as the virtual network card ports of all service virtual machines or any port of the virtual switch including the uplink (Any); the action forwards the data packet to the target port of the micro-isolation virtual machine, such as its virtual network card port; and the entry is given the base priority.
The micro-isolation policy server invokes the SDN controller to add the second flow table to the virtual switch as follows: the match field is the ingress port being the port that corresponds to the virtual network card of the micro-isolation virtual machine, the action is Normal forwarding based on the packet's layer-2 address, and the priority is set higher than that of the entry in the first flow table.
In this way the traffic steering function is realized with only a simple flow table, the flow table explosion caused by frequent changes of network topology or user services is avoided, and the method and apparatus adapt to virtual machine migration ("drifting") in the cloud computing environment.
Step 202: the micro-isolation policy server issues the micro-isolation policy and the behaviour statistic anomaly baseline threshold to the micro-isolation virtual machine, and step 203 is executed.
Step 203: the source service virtual machine sends a data packet to the virtual switch.
Step 204: if the virtual switch determines that the port on which the data packet was received matches the first receiving port in the first flow table, the virtual switch obtains the target port from the first flow table and sends the data packet to the target port of the micro-isolation virtual machine.
In a specific implementation, a data packet sent by the source service virtual machine hits the first flow table and is forwarded to the target port of the micro-isolation virtual machine; the port of the source service virtual machine that outputs the data packet is set to promiscuous mode, so that data packets addressed to any layer-2 address can be received.
Step 205: the micro-isolation virtual machine receives the data packet sent by the virtual switch and matches the forwarding information carried in the data packet against the access control policy; if the forwarding information successfully matches any one of the access control policies, step 206 is executed, otherwise step 207 is executed.
In a specific implementation, the micro-isolation virtual machine performs session-level filtering of the received data packet according to the micro-isolation access control policy: the policy is matched against the five-tuple information of the data packet, a packet that may be released is released, and a packet that must be blocked is blocked.
Step 206: the micro-isolation virtual machine determines the matching result as a normal access and sends the data packet to the virtual switch.
Step 207: the micro-isolation virtual machine determines the matching result as an abnormal access and discards the data packet.
It should be noted that the micro-isolation virtual machine may collect access relationship data during the system warm-up stage and send it to the micro-isolation policy management module; the access relationship data comprises the normal access data and the abnormal access data.
Step 208: if the virtual switch determines that the port on which the data packet was received matches the second receiving port in the second flow table, it determines that the data packet is normal and sends it to the target service virtual machine according to the target port of the target service virtual machine carried in the data packet.
Step 209: the micro-isolation virtual machine calculates a behaviour baseline from the number of received data packets and the number of accesses determined to be normal, determines whether behaviour is abnormal by comparing the behaviour baseline with the behaviour statistic anomaly baseline threshold, and executes step 210.
It should be noted that the micro-isolation virtual machine may collect the access behaviour statistics during the system warm-up stage.
Step 210: the micro-isolation virtual machine reports the access relationship data and the behaviour baseline data to the micro-isolation policy server.
Step 211: the micro-isolation virtual machine sends alarm information to the micro-isolation policy server for the discarded data packets and the behaviour anomalies.
In a specific implementation, the micro-isolation virtual machine encapsulates the alarms generated in the access control process and in the behaviour statistics process in a unified alarm format and reports them to the micro-isolation policy server.
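The behaviour-baseline computation of step 209 and the unified alarm reporting of step 211 are shown below as an added example; this is illustration code, not the patent's own implementation. The patent only says the baseline is calculated from the number of received packets and the number of normal accesses within a preset time length, so the concrete definition here (baseline = share of normal accesses in a sliding window, anomaly when the baseline is below the threshold issued by the policy server) and the alarm dictionary format are this example's assumptions; the warm-up stage collection of steps 165 and 169 is not modelled.

```python
"""Behaviour baseline (step 209) and unified alarm encapsulation (step 211).
Added example, not the patent's code. Assumptions: baseline = normal accesses /
received packets within the preset window; a window whose baseline is below the
threshold is reported as a behaviour anomaly; alarms use a fixed dict layout."""
from collections import deque


def make_alarm(kind: str, ts: float, **detail):
    """Uniform alarm format shared by the access-control path (dropped packet)
    and the behaviour-statistics path (baseline below threshold)."""
    return {"type": kind, "timestamp": ts,
            "source": "micro-isolation-vm", "detail": detail}


class BehaviourMonitor:
    def __init__(self, window_seconds: float, anomaly_threshold: float):
        self.window = window_seconds        # preset time length
        self.threshold = anomaly_threshold  # issued by the policy server (step 202)
        self.events = deque()               # (timestamp, matched) per received packet
        self.alarms = []                    # alarms to report to the policy server

    def record(self, ts: float, matched: bool, src=None, dst=None, port=None):
        """One received packet and its policy match result. A miss is a
        discarded packet (step 207) and raises an access-control alarm."""
        self.events.append((ts, matched))
        if not matched:
            self.alarms.append(make_alarm("access_denied", ts,
                                          src=src, dst=dst, port=port))

    def baseline(self, now: float):
        """Normal accesses divided by received packets inside the window, or
        None when nothing was received in the window."""
        while self.events and self.events[0][0] <= now - self.window:
            self.events.popleft()
        received = len(self.events)
        if received == 0:
            return None
        normal = sum(1 for _, matched in self.events if matched)
        return normal / received

    def check(self, now: float):
        """Step 209: compare the baseline with the threshold; a baseline below
        the threshold is flagged as abnormal behaviour and reported (step 211)."""
        b = self.baseline(now)
        abnormal = b is not None and b < self.threshold
        if abnormal:
            self.alarms.append(make_alarm("behavior_anomaly", now,
                                          baseline=b, threshold=self.threshold))
        return b, abnormal


def run_example():
    # Constructed event stream: ten packets with a single policy miss, followed
    # by a burst of five misses that pushes the window baseline below 0.8.
    mon = BehaviourMonitor(window_seconds=10, anomaly_threshold=0.8)
    for ts in range(10):
        mon.record(ts, matched=(ts != 3), src="192.168.0.2",
                   dst="192.168.0.4", port=443)
    quiet = mon.check(now=9)        # (0.9, False)
    for ts in range(10, 15):
        mon.record(ts, matched=False, src="192.168.0.2",
                   dst="192.168.0.4", port=443)
    noisy = mon.check(now=14)       # (0.5, True)
    anomaly_alarms = [a for a in mon.alarms if a["type"] == "behavior_anomaly"]
    return quiet, noisy, anomaly_alarms


if __name__ == "__main__":
    print(run_example())
```

The window is pruned on every check rather than on every record, so a quiet period with no packets simply yields `None` instead of a stale baseline; whether a silent window should itself count as an anomaly is a policy decision the patent leaves open.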
For the convenience of understanding, the present invention will be described below by taking specific examples as examples.
Taking an example that a source service virtual machine vm1(192.168.0.2) sends a data packet to a target service virtual machine vm2(192.168.0.3) and a non-target service virtual machine vm3(192.168.0.4), a port where the source service virtual machine vm1 is connected to a virtual switch is p1, a port where the target service virtual machine vm2 is connected to the virtual switch is p2, a port where the non-target service virtual machine vm3 is connected to the virtual switch is p3, a port where the micro-isolation virtual machine vm4 is connected to the virtual switch is p4, a micro-isolation rule vm1 is set to send data to an 80 port of vm2, and vm1 cannot send data to a 443 port of vm3, the specific implementation process is as follows:
the micro-isolation policy center calls an SDN controller to issue a flow table to the virtual switch:
a first flow chart: priority is 1, in _ port is Any, action is output p 4;
a second flow table: priority is 2, in _ port is p4, action is Normal.
Wherein, priority is priority, in _ port is the first receiving port, action is execution action;
the micro-isolation strategy server issues a micro-isolation strategy to the micro-isolation virtual machine, namely srcIP is 192.168.0.2, dstIP is 192.168.0.3, port is 80, and action is pass;
wherein, srcIP is the source address, and dstIP is the destination address.
At this time, if vm1 sends a packet to port 80 of vm2, the packet arrives at the virtual switch and hits the flow entry with priority 1, so it is forwarded to port p4 of the virtual switch, that is, the port to which the micro-isolation virtual machine is connected;
the micro-isolation access control engine of the micro-isolation virtual machine allows the packet to pass based on the micro-isolation policy, and the packet is sent back to the virtual switch through port p4;
when the packet arrives at the virtual switch again, it hits the flow entry with priority 2 (which takes precedence over the priority-1 entry that would otherwise match any port) and is therefore forwarded according to its layer-2 (MAC) address, that is, to the port where vm2 is located.
If vm1 sends a packet to port 443 of vm3, the packet arrives at the virtual switch and hits the flow entry with priority 1, so it is forwarded to port p4 of the virtual switch, the port to which the micro-isolation virtual machine is connected;
the micro-isolation virtual machine does not allow this packet to pass based on the micro-isolation policy, so it discards the packet, generates alarm information, and reports the alarm information to the micro-isolation policy server.
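The steering and access-control behaviour of the example above, as an added simulation in Python (not code from the patent): the virtual switch evaluates the two flow entries in descending priority order, hands packets arriving on any port to the micro-isolation virtual machine, and forwards packets returned on p4 by destination MAC; the micro-isolation engine passes only packets that match a pass rule and records an alarm for the rest. The MAC addresses, the layer-2 table and the alarm text are constructed for illustration; the IPs, ports and rules are those of the example.

```python
"""Simulation of two-flow-table steering plus micro-isolation access control.
Added example, not the patent's own code. MAC addresses, the L2 table and
alarm wording are constructed; IPs, ports and the single rule follow the text."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    dst_port: int
    src_mac: str
    dst_mac: str


@dataclass(frozen=True)
class FlowEntry:
    priority: int
    in_port: Optional[str]  # None means "Any"
    action: str             # "output:<port>" or "NORMAL"


@dataclass(frozen=True)
class PolicyRule:
    src_ip: str
    dst_ip: str
    port: int
    action: str = "pass"


class MicroIsolationVM:
    """Access control engine: a packet passes only if some 'pass' rule matches
    (srcIP, dstIP, dstPort); otherwise it is dropped and an alarm is recorded
    for reporting to the policy server."""

    def __init__(self, rules: List[PolicyRule]) -> None:
        self.rules = rules
        self.alarms: List[str] = []

    def inspect(self, pkt: Packet) -> bool:
        key = (pkt.src_ip, pkt.dst_ip, pkt.dst_port)
        for rule in self.rules:
            if rule.action == "pass" and (rule.src_ip, rule.dst_ip, rule.port) == key:
                return True
        self.alarms.append(f"drop {pkt.src_ip}->{pkt.dst_ip}:{pkt.dst_port}")
        return False


class VirtualSwitch:
    """Flow lookup in descending priority order, as an OpenFlow switch does.
    'NORMAL' forwards by destination MAC using a constructed L2 table."""

    def __init__(self, flows: List[FlowEntry], mac_table: Dict[str, str],
                 isolation_port: str, isolation_vm: MicroIsolationVM) -> None:
        self.flows = sorted(flows, key=lambda f: f.priority, reverse=True)
        self.mac_table = mac_table
        self.isolation_port = isolation_port
        self.isolation_vm = isolation_vm

    def lookup(self, in_port: str) -> Optional[FlowEntry]:
        for entry in self.flows:
            if entry.in_port is None or entry.in_port == in_port:
                return entry
        return None

    def receive(self, pkt: Packet, in_port: str) -> Optional[str]:
        """Return the egress port the packet is delivered to, or None if dropped."""
        entry = self.lookup(in_port)
        if entry is None:
            return None  # table miss: drop
        if entry.action == "NORMAL":
            return self.mac_table.get(pkt.dst_mac)  # unknown MAC would flood in a real switch
        if entry.action.startswith("output:"):
            out_port = entry.action.split(":", 1)[1]
            if out_port == self.isolation_port:
                # The micro-isolation VM inspects the packet; if allowed, it sends
                # it back on p4 and the switch runs the lookup again.
                if self.isolation_vm.inspect(pkt):
                    return self.receive(pkt, self.isolation_port)
                return None
            return out_port
        return None


def build_example() -> Tuple[VirtualSwitch, MicroIsolationVM]:
    vm = MicroIsolationVM([PolicyRule("192.168.0.2", "192.168.0.3", 80)])
    flows = [
        FlowEntry(priority=1, in_port=None, action="output:p4"),
        FlowEntry(priority=2, in_port="p4", action="NORMAL"),
    ]
    mac_table = {"02:00:00:00:00:02": "p1",   # vm1 (constructed MACs)
                 "02:00:00:00:00:03": "p2",   # vm2
                 "02:00:00:00:00:04": "p3"}   # vm3
    return VirtualSwitch(flows, mac_table, "p4", vm), vm


def run_example() -> Tuple[Optional[str], Optional[str], List[str]]:
    switch, vm = build_example()
    to_vm2 = Packet("192.168.0.2", "192.168.0.3", 80, "02:00:00:00:00:02", "02:00:00:00:00:03")
    to_vm3 = Packet("192.168.0.2", "192.168.0.4", 443, "02:00:00:00:00:02", "02:00:00:00:00:04")
    return switch.receive(to_vm2, "p1"), switch.receive(to_vm3, "p1"), vm.alarms


if __name__ == "__main__":
    print(run_example())  # ('p2', None, ['drop 192.168.0.2->192.168.0.4:443'])
```

One property of this design worth checking in a deployment: the priority-2 entry trusts anything that arrives on p4, so p4 must be reachable only by the micro-isolation virtual machine; a service virtual machine that could inject frames on that port would bypass the access control engine.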
Based on the same inventive concept, an embodiment of the present invention further provides a data transmission method. Since the device corresponding to the method is the virtual switch in the data transmission system of the embodiment, and the principle by which the method solves the problem is similar to that of the device, the implementation of the method may refer to the implementation of the system; repeated details are not described again.
Fig. 3 is a schematic flow chart of a data transmission method provided in an embodiment of the present invention; the method includes:
the first flow table and the second flow table are sent by a micro-isolation policy server triggering an SDN controller, and the access control policy is sent by the micro-isolation policy server.
Optionally, the sending, by the virtual switch, the received data packet sent by the source service virtual machine to the micro-isolation virtual machine according to the first flow table includes:
if the virtual switch determines that the port for receiving the data packet is matched with the first receiving port in the first flow table, acquiring a target port of the virtual switch from the first flow table;
and the virtual switch sends the data packet to the micro-isolation virtual machine through the target port.
Optionally, the sending, by the virtual switch, of the data packet to the target service virtual machine according to the second flow table includes:
if the virtual switch determines that the port for receiving the data packet is matched with a second receiving port in the second flow table, determining that the data packet is normal;
and the virtual switch sends the data packet to the target service virtual machine through a target port of the target service virtual machine carried in the data packet.
Based on the same inventive concept, an embodiment of the present invention further provides a data transmission method. Since the device corresponding to the method is the micro-isolation virtual machine in the data transmission system of the embodiment, and the principle by which the method solves the problem is similar to that of the device, the implementation of the method may refer to the implementation of the system; repeated parts are not described again.
Fig. 4 is a schematic flow chart of a data transmission method provided in an embodiment of the present invention; the method includes:
wherein the access control policy is sent by the micro-isolation policy server; the forwarding information includes an address of a source service virtual machine that sends the data packet, an address of a target service virtual machine that receives the data packet, and a target port of the target service virtual machine that receives the data packet.
Optionally, the matching, by the micro-isolation virtual machine, forwarding information carried in the data packet with an access control policy, and sending the data packet to the virtual switch according to a matching result, or discarding the data packet, includes:
if the micro-isolation virtual machine successfully matches the forwarding information with any one of the access control policies, the micro-isolation virtual machine sends the data packet to the virtual switch;
otherwise, the data packet is discarded.
Optionally, the method further includes:
the micro-isolation virtual machine matches the forwarding information carried in the data packet with the access control policy, and calculates a behavior baseline from the matching results within a preset duration;
the micro-isolation virtual machine compares the behavior baseline with a preset behavior statistics anomaly baseline threshold, and determines from the comparison result that the behavior of the micro-isolation virtual machine is abnormal;
wherein the behavior statistics anomaly baseline threshold is sent by the micro-isolation policy server.
Optionally, the matching, by the micro-isolation virtual machine, of the forwarding information carried in the data packet with the access control policy, and calculating a behavior baseline from the matching results within a preset duration, includes:
if the micro-isolation virtual machine successfully matches the forwarding information with any one of the access control policies, determining the matching result to be normal access;
the micro-isolation virtual machine calculates the behavior baseline from the number of received data packets and the determined number of normal accesses.
Optionally, the method further includes:
if the micro-isolation virtual machine discards the data packet or determines that the behavior of the micro-isolation virtual machine is abnormal, it sends alarm information to the micro-isolation policy server.
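The behavior-baseline step described above, as an added example in Python (not the patent's own code). The description only says the baseline is computed from the number of received packets and the number of normal accesses within a preset duration and compared against a threshold issued by the policy server; the concrete formula used here (share of received packets that matched a policy), the sliding-window eviction, the direction of the comparison (abnormal when the share falls below the threshold) and all sample values are assumptions for illustration. The per-packet match results would come from the access control engine; here they are fed in as constructed booleans.

```python
"""Behavior-baseline statistics over a preset window. Added example, not the
patent's code. Assumed: baseline = normal accesses / received packets within the
window, abnormal when baseline < threshold; timestamps are constructed seconds."""
from collections import deque
from typing import Deque, List, Tuple


class BehaviorMonitor:
    def __init__(self, window_seconds: float, anomaly_threshold: float) -> None:
        self.window = window_seconds
        self.threshold = anomaly_threshold     # value issued by the policy server (assumed here)
        self.events: Deque[Tuple[float, bool]] = deque()  # (timestamp, matched_policy)
        self.alarms: List[str] = []

    def _evict(self, now: float) -> None:
        """Drop match results older than the preset duration."""
        cutoff = now - self.window
        while self.events and self.events[0][0] < cutoff:
            self.events.popleft()

    def record(self, ts: float, matched_policy: bool) -> None:
        """Called once per received packet with the access-control match result."""
        self.events.append((ts, matched_policy))
        self._evict(ts)

    def baseline(self, now: float) -> float:
        """Share of packets in the window that were determined to be normal access."""
        self._evict(now)
        received = len(self.events)
        if received == 0:
            return 1.0  # no traffic in the window: nothing to judge
        normal = sum(1 for _, ok in self.events if ok)
        return normal / received

    def check(self, now: float) -> bool:
        """True when behavior is abnormal; records alarm text for the policy server."""
        value = self.baseline(now)
        abnormal = value < self.threshold
        if abnormal:
            self.alarms.append(
                f"t={now:.0f}s baseline={value:.2f} below threshold {self.threshold:.2f}")
        return abnormal


def run_baseline_example() -> Tuple[float, bool, float, bool]:
    # Constructed sequence: 10 allowed packets, then 5 packets no policy allows
    # (each of which the engine would also have dropped), then traffic resumes
    # much later so the earlier results have aged out of the window.
    mon = BehaviorMonitor(window_seconds=60, anomaly_threshold=0.8)
    for t in range(10):
        mon.record(t, True)
    for t in range(10, 15):
        mon.record(t, False)
    b1, a1 = mon.baseline(14), mon.check(14)      # 10/15 = 0.67 -> abnormal
    for t in (100, 101, 102):
        mon.record(t, True)
    b2, a2 = mon.baseline(102), mon.check(102)    # old events evicted -> 1.0
    return b1, a1, b2, a2


if __name__ == "__main__":
    print(run_baseline_example())
```

The threshold does the real work: a value close to 1.0 alarms on a handful of blocked packets (noisy if services probe unused ports during startup), while a low value only catches sustained scanning. Since the blocked packets themselves already raise per-packet alarms in this design, the baseline check is mainly useful for spotting a change in the proportion of blocked traffic rather than individual drops.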
Based on the same inventive concept, the embodiment of the present invention further provides a data transmission apparatus, and the embodiment of the apparatus may refer to the implementation of the system, and repeated details are not described herein.
As shown in fig. 5, which is a schematic structural diagram of a data transmission apparatus according to an embodiment of the present invention, the apparatus 501 includes:
the first sending module 5011 is configured to send a received data packet sent by the source service virtual machine to the micro-isolation virtual machine according to the first flow table, so that the micro-isolation virtual machine matches forwarding information carried in the data packet with an access control policy, and sends the data packet to the virtual switch according to a matching result, or discards the data packet.
The second sending module 5012 is configured to send the data packet to the target service virtual machine according to the second flow table after receiving the data packet returned by the micro-isolation virtual machine;
the first flow table and the second flow table are sent by a micro-isolation policy server triggering an SDN controller, and the access control policy is sent by the micro-isolation policy server.
Optionally, the first sending module is specifically configured to:
if the port for receiving the data packet is determined to be matched with the first receiving port in the first flow table, acquiring a target port of the virtual switch from the first flow table;
and sending the data packet to the micro-isolation virtual machine through the target port.
Optionally, the second sending module is specifically configured to:
if the port for receiving the data packet is determined to be matched with a second receiving port in the second flow table, determining that the data packet is normal;
and sending the data packet to the target service virtual machine through a target port of the target service virtual machine carried in the data packet.
As shown in fig. 6, which is a schematic structural diagram of a data transmission apparatus according to an embodiment of the present invention, the apparatus 601 includes:
a receiving module 6011, configured to receive a data packet sent by the virtual switch;
a first matching module 6012, configured to match forwarding information carried in the data packet with an access control policy, and send the data packet to a virtual switch according to a matching result, or discard the data packet;
wherein the access control policy is sent by a micro-isolation policy server; the forwarding information includes an address of a source service virtual machine that sends the data packet, an address of a target service virtual machine that receives the data packet, and a target port of the target service virtual machine that receives the data packet.
Optionally, the first matching module is specifically configured to:
if the forwarding information is successfully matched with any one of the access control policies, the data packet is sent to the virtual switch;
otherwise, the data packet is discarded.
Optionally, the apparatus further comprises:
a second matching module 6013, configured to match the forwarding information carried in the data packet with the access control policy, and calculate a behavior baseline from the matching results within a preset duration;
a determining module 6014, configured to compare the behavior baseline with a preset behavior statistics anomaly baseline threshold, and determine from the comparison result that the behavior of the micro-isolation virtual machine is abnormal;
wherein the behavior statistics anomaly baseline threshold is sent by the micro-isolation policy server.
Optionally, the second matching module is specifically configured to:
if the forwarding information is successfully matched with any one of the access control policies, determine the matching result to be normal access;
calculate the behavior baseline from the number of received data packets and the determined number of normal accesses.
Optionally, the apparatus further comprises:
an alarm module 6015, configured to send alarm information to the micro-isolation policy server if the data packet is discarded or the behavior of the micro-isolation virtual machine is determined to be abnormal.
Based on the same inventive concept, an embodiment of the present invention further provides an electronic device; the implementation of the electronic device may refer to the implementation of the method, and repeated parts are not described again. Fig. 7 is a schematic structural diagram of the electronic device provided in the embodiment of the present invention; the electronic device includes: at least one processor 701, and a memory 702 communicatively coupled to the at least one processor, wherein:
the memory stores a computer program executable by the at least one processor, the computer program being executable by the at least one processor to enable the at least one processor to perform the above-described data transmission method.
The invention discloses a data transmission method, a data transmission device, an electronic device and a storage medium. The method comprises the following steps: first, the micro-isolation policy server calls the SDN controller to add a first flow table and a second flow table to the virtual switch, and issues a micro-isolation policy and a behavior statistics anomaly baseline threshold to the micro-isolation virtual machine; then a source service virtual machine sends a data packet to the virtual switch. If the virtual switch determines that the port on which the data packet was received matches the first receiving port in the first flow table, it obtains the target port of the virtual switch from the first flow table and sends the data packet through that port to the micro-isolation virtual machine. The micro-isolation virtual machine receives the data packet from the virtual switch, matches the forwarding information carried in the data packet with the access control policy, treats packets that may be released as normal access and releases them, and treats packets that must be blocked as abnormal access and blocks them. If the virtual switch then determines that the port on which the data packet was received matches the second receiving port in the second flow table, it determines that the data packet is normal and sends it to the target service virtual machine according to the target port of the target service virtual machine carried in the data packet.
In addition, the micro-isolation virtual machine can also calculate a behavior baseline from the number of received data packets and the determined number of normal accesses, determine a behavior anomaly from the behavior baseline and the behavior statistics anomaly baseline threshold, report access relation data and behavior baseline data to the micro-isolation policy server, and send alarm information for discarded data packets and behavior anomalies. The invention uses SDN technology to capture the full east-west traffic and steer it to a micro-isolation virtual machine running out of band. Because the traffic steering needs only a simple flow table, the flow table explosion caused by frequent changes of network topology or user services is avoided. At the same time, the invention adapts to virtual machine migration in a cloud computing environment: only the micro-isolation virtual machine needs to change, while the virtual switch and SDN network controller provided by the computing service provider need no additional modification, which greatly reduces the agent-side development and management difficulty of agent-based micro-isolation technology. After the core flow of micro-isolation access control and behavior statistics judgment has run in the micro-isolation virtual machine, the data packets that are allowed to pass are forwarded back to the network, and the SDN (software defined network) finally forwards the traffic to its correct destination, which solves the problem that agent-free micro-isolation schemes depend on the underlying cloud computing environment.
It should be noted that the virtual switch is a traffic forwarding device supporting SDN that is provided by the cloud computing service provider, and the SDN controller is the SDN network controller provided by the cloud computing service provider. The invention does not require any software or application program to be installed on the user's service hosts, which greatly reduces the work of adapting an agent program to the user's service operating systems, provides the user with a micro-isolation capability that is non-intrusive and imperceptible and therefore easily accepted, reduces the complexity of managing terminal agent programs across many user services, and greatly reduces the agent-side development and management difficulty of agent-based micro-isolation technology.
In addition, the micro-isolation policy server is the management center that implements unified management, policy generation, policy issuance and visual display of micro-isolation policies, and the micro-isolation policy center can issue an initial basic flow table to the virtual switch by calling the SDN controller. The user's service hosts do not need to connect to the micro-isolation policy center for statistics reporting or policy issuance, which reduces the difficulty of network management, the consumption of computing resources on the user's service hosts, and the security risk.
The micro-isolation virtual machine in the invention is the core component of agent-free micro-isolation; it runs on each physical server and is connected to each virtual switch. Because the micro-isolation virtual machine is deployed independently, the bypass function can conveniently be used to avoid faults, giving higher availability than micro-isolation in the form of terminal software.
The present application is described above with reference to block diagrams and/or flowchart illustrations of methods, apparatus (systems) and/or computer program products according to embodiments of the application. It will be understood that one block of the block diagrams and/or flowchart illustrations, and combinations of blocks in the block diagrams and/or flowchart illustrations, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, and/or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer and/or other programmable data processing apparatus, create means for implementing the functions/acts specified in the block diagrams and/or flowchart block or blocks.
Accordingly, the present application may also be embodied in hardware and/or in software (including firmware, resident software, micro-code, etc.). Furthermore, the present application may take the form of a computer program product on a computer-usable or computer-readable storage medium having computer-usable or computer-readable program code embodied in the medium for use by or in connection with an instruction execution system. In the context of this application, a computer-usable or computer-readable medium may be any medium that can contain, store, communicate, propagate, or transport the program for use by or in connection with the instruction execution system, apparatus, or device.
It will be apparent to those skilled in the art that various changes and modifications may be made in the present invention without departing from the spirit and scope of the invention. Thus, if such modifications and variations of the present invention fall within the scope of the claims of the present invention and their equivalents, the present invention is also intended to include such modifications and variations.
Claims (18)
1. A method of data transmission, the method comprising:
the virtual switch sends a received data packet sent by the source service virtual machine to a micro-isolation virtual machine according to the first flow table, so that the micro-isolation virtual machine matches forwarding information carried in the data packet with an access control policy, and sends the data packet to the virtual switch according to a matching result or discards the data packet;
after receiving the data packet returned by the micro-isolation virtual machine, the virtual switch sends the data packet to a target service virtual machine according to a second flow table;
the first flow table and the second flow table are sent by a micro-isolation policy server triggering an SDN controller, and the access control policy is sent by the micro-isolation policy server.
2. The method of claim 1, wherein the virtual switch sending the received packets sent by the source service virtual machine to the micro-isolated virtual machine according to the first flow table comprises:
if the virtual switch determines that the port for receiving the data packet is matched with the first receiving port in the first flow table, acquiring a target port of the virtual switch from the first flow table;
and the virtual switch sends the data packet to the micro-isolation virtual machine through the target port.
3. The method of claim 1, wherein the virtual switch sends the data packet to a target service virtual machine according to a second flow table, comprising:
if the virtual switch determines that the port for receiving the data packet is matched with a second receiving port in the second flow table, determining that the data packet is normal;
and the virtual switch sends the data packet to the target service virtual machine through a target port of the target service virtual machine carried in the data packet.
4. A method of data transmission, the method comprising:
the micro-isolation virtual machine receives a data packet sent by the virtual switch;
the micro-isolation virtual machine matches forwarding information carried in the data packet with an access control policy, and sends the data packet to the virtual switch according to a matching result or discards the data packet;
wherein the access control policy is sent by the micro-isolation policy server; the forwarding information includes an address of a source service virtual machine that sends the data packet, an address of a target service virtual machine that receives the data packet, and a target port of the target service virtual machine that receives the data packet.
5. The method of claim 4, wherein the micro-isolation virtual machine matching forwarding information carried in the data packet with an access control policy, and sending the data packet to the virtual switch or discarding the data packet according to a matching result, comprises:
if the micro-isolation virtual machine successfully matches the forwarding information with any one of the access control policies, the micro-isolation virtual machine sends the data packet to the virtual switch;
otherwise, the data packet is discarded.
6. The method of claim 5, further comprising:
the micro-isolation virtual machine matches the forwarding information carried in the data packet with the access control policy, and calculates a behavior baseline from the matching results within a preset duration;
the micro-isolation virtual machine compares the behavior baseline with a preset behavior statistics anomaly baseline threshold, and determines from the comparison result that the behavior of the micro-isolation virtual machine is abnormal;
wherein the behavior statistics anomaly baseline threshold is sent by the micro-isolation policy server.
7. The method of claim 6, wherein the micro-isolation virtual machine matches forwarding information carried in the data packet with the access control policy, and calculates a behavior baseline according to a matching result within a preset duration, comprising:
if the micro-isolation virtual machine successfully matches the forwarding information with any one of the access control policies, determining the matching result to be normal access;
the micro-isolation virtual machine calculates the behavior baseline from the number of received data packets and the determined number of normal accesses.
8. The method of claim 7, further comprising:
and if the micro-isolation virtual machine discards the data packet or determines that the micro-isolation virtual machine is abnormal in behavior, sending alarm information to the micro-isolation policy server.
9. A data transmission apparatus, characterized in that the apparatus comprises:
the first sending module is configured to send a received data packet sent by a source service virtual machine to a micro-isolation virtual machine according to a first flow table, so that the micro-isolation virtual machine matches forwarding information carried in the data packet with an access control policy, and sends the data packet to the virtual switch according to a matching result or discards the data packet;
the second sending module is used for sending the data packet to the target service virtual machine according to a second flow table after receiving the data packet returned by the micro-isolation virtual machine;
the first flow table and the second flow table are sent by a micro-isolation policy server triggering an SDN controller, and the access control policy is sent by the micro-isolation policy server.
10. The apparatus of claim 9, wherein the first sending module is specifically configured to:
if the port for receiving the data packet is determined to be matched with the first receiving port in the first flow table, acquiring a target port of the virtual switch from the first flow table;
and sending the data packet to the micro-isolation virtual machine through the target port.
11. The apparatus of claim 9, wherein the second sending module is specifically configured to:
if the port for receiving the data packet is determined to be matched with a second receiving port in the second flow table, determining that the data packet is normal;
and sending the data packet to the target service virtual machine through a target port of the target service virtual machine carried in the data packet.
12. A data transmission apparatus, characterized in that the apparatus comprises:
the receiving module is used for receiving the data packet sent by the virtual switch;
the first matching module is configured to match forwarding information carried in the data packet with an access control policy, and send the data packet to the virtual switch according to a matching result or discard the data packet;
wherein the access control policy is sent by the micro-isolation policy server; the forwarding information includes an address of a source service virtual machine that sends the data packet, an address of a target service virtual machine that receives the data packet, and a target port of the target service virtual machine that receives the data packet.
13. The apparatus of claim 12, wherein the first matching module is specifically configured to:
if the forwarding information is successfully matched with any one of the access control policies, the data packet is sent to the virtual switch;
otherwise, the data packet is discarded.
14. The apparatus of claim 12, further comprising:
the second matching module is configured to match the forwarding information carried in the data packet with the access control policy, and calculate a behavior baseline from the matching results within a preset duration;
the determining module is configured to compare the behavior baseline with a preset behavior statistics anomaly baseline threshold, and determine from the comparison result that the behavior of the micro-isolation virtual machine is abnormal;
wherein the behavior statistics anomaly baseline threshold is sent by the micro-isolation policy server.
15. The apparatus of claim 14, wherein the second matching module is specifically configured to:
if the forwarding information is successfully matched with any one of the access control policies, determine the matching result to be normal access;
calculate the behavior baseline from the number of received data packets and the determined number of normal accesses.
16. The apparatus of claim 15, further comprising:
the alarm module is configured to send alarm information to the micro-isolation policy server if the data packet is discarded or the behavior of the micro-isolation virtual machine is determined to be abnormal.
17. An electronic device, comprising: at least one processor, and a memory communicatively coupled to the at least one processor, wherein:
the memory stores a computer program executable by the at least one processor to enable the at least one processor to perform the method of any one of claims 1-8.
18. A storage medium, characterized in that, when the computer program in the storage medium is executed by a processor of an electronic device, the electronic device is capable of performing the method according to any one of claims 1-8.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202210191805.3A CN114567481B (en) | 2022-02-28 | 2022-02-28 | Data transmission method and device, electronic equipment and storage medium |
Publications (2)
Publication Number | Publication Date |
---|---|
CN114567481A true CN114567481A (en) | 2022-05-31 |
CN114567481B CN114567481B (en) | 2024-03-12 |
Family
ID=81716030
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202210191805.3A Active CN114567481B (en) | 2022-02-28 | 2022-02-28 | Data transmission method and device, electronic equipment and storage medium |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN114567481B (en) |
Citations (11)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN104601432A (en) * | 2014-12-31 | 2015-05-06 | 杭州华三通信技术有限公司 | Method and device for transmitting message |
CN105100026A (en) * | 2014-05-22 | 2015-11-25 | 杭州华三通信技术有限公司 | Safe message forwarding method and safe message forwarding device |
CN105262753A (en) * | 2015-10-28 | 2016-01-20 | 广州西麦科技股份有限公司 | System and method for achieving security policy based on SDN virtual switch |
CN105471662A (en) * | 2015-12-30 | 2016-04-06 | 中电长城网际***应用有限公司 | Cloud server and virtual network strategy centralized control system and method |
CN105681313A (en) * | 2016-01-29 | 2016-06-15 | 博雅网信(北京)科技有限公司 | Flow detection system and method for virtualization environment |
US20170206701A1 (en) * | 2016-01-15 | 2017-07-20 | Cisco Technology, Inc. | Approach to visualize current and historical access policy of a group based policy |
CN108123919A (en) * | 2016-11-29 | 2018-06-05 | 上海有云信息技术有限公司 | The monitoring guard system and method for network |
CN109495440A (en) * | 2018-09-06 | 2019-03-19 | 国家电网有限公司 | A kind of random device of Intranet dynamic security |
CN110855651A (en) * | 2019-11-05 | 2020-02-28 | 中盈优创资讯科技有限公司 | Automatic generation method and system of access control strategy based on traffic driving |
CN110933043A (en) * | 2019-11-07 | 2020-03-27 | 广州市品高软件股份有限公司 | Virtual firewall optimization method and system based on software defined network |
CN111953661A (en) * | 2020-07-23 | 2020-11-17 | 深圳供电局有限公司 | SDN-based east-west flow security protection method and system |
Non-Patent Citations (3)
Title |
---|
张征: "Security Isolation and Protection of Virtual Machines Based on a Cloud Platform", 信息与电脑(理论版), no. 23 * |
王刚: "Research on a Multi-Zone Secure Cloud Computing Architecture Based on SDN Technology", 信息网络安全, no. 09 * |
魏伟; 秦华; 刘文懋: "A Software-Defined Access Control Framework for Cloud Environments", 计算机工程与设计, no. 12, 16 December 2018 (2018-12-16) * |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN115118466A (en) * | 2022-06-14 | 2022-09-27 | 深信服科技股份有限公司 | Strategy generation method and device, electronic equipment and storage medium |
CN115118466B (en) * | 2022-06-14 | 2024-04-12 | 深信服科技股份有限公司 | Policy generation method and device, electronic equipment and storage medium |
Also Published As
Publication number | Publication date |
---|---|
CN114567481B (en) | 2024-03-12 |
Similar Documents
Publication | Title |
---|---|
US9882776B2 (en) | Methods and apparatus for configuring a virtual network switch |
US9596159B2 (en) | Finding latency through a physical network in a virtualized network |
WO2016107152A1 (en) | Virtual machine instance deployment method and apparatus and device |
WO2019055101A1 (en) | Network traffic rate limiting in computing systems |
US9559968B2 (en) | Technique for achieving low latency in data center network environments |
CN111181850B (en) | Data packet flooding suppression method, device and equipment and computer storage medium |
US11055159B2 (en) | System and method for self-healing of application centric infrastructure fabric memory |
Hong et al. | Design and implementation of eBPF-based virtual TAP for inter-VM traffic monitoring |
Lee et al. | High-performance software load balancer for cloud-native architecture |
WO2024021495A1 (en) | Method and apparatus for identifying flooding attack in cloud platform, and device and storage medium |
CN114567481B (en) | Data transmission method and device, electronic equipment and storage medium |
Park et al. | Dpx: Data-plane extensions for SDN security service instantiation |
Deri et al. | Wire-speed hardware-assisted traffic filtering with mainstream network adapters |
US20190205776A1 (en) | Techniques for policy-controlled analytic data collection in large-scale systems |
CN112968879B (en) | Method and equipment for realizing firewall management |
WO2022204676A1 (en) | Systems and methods for low latency stateful threat detection and mitigation |
Ahmad et al. | Protection of centralized SDN control plane from high-rate Packet-In messages |
CN115550200B (en) | Method and device for associating server IP (Internet protocol) with service identifier |
CN109450794A (en) | Communication method and device based on an SDN network |
CN115190077B (en) | Control method, control device and computing equipment |
US11283823B1 (en) | Systems and methods for dynamic zone protection of networks |
CN114944996B (en) | Data acquisition method and device and computer readable medium |
Huang et al. | An Improved Light Weight Countermeasure Scheme to Efficiently Mitigate TCP Attacks in SDN |
Fan et al. | Software-Defined Networking Integrated with Cloud Native and Proxy Mechanism: Detection and Mitigation System for TCP SYN Flooding Attack |
CN117632535A (en) | Application program interface interception method and system |
Legal Events
Code | Title |
---|---|
PB01 | Publication |
SE01 | Entry into force of request for substantive examination |
GR01 | Patent grant |