Technical field
Embodiments of the present invention relate to the technical field of data traffic identification, and in particular to a method and device for identifying abnormal encrypted traffic.
Background art
With the rapid development of network technology, the Internet and its applications have reached every corner of daily life; correspondingly, encrypted traffic on the Internet is growing in both variety and volume. While the Internet has steadily improved the quality of daily life, it has also brought more and more problems: viruses and Trojans spreading on a large scale and causing damage, heavy P2P applications and traffic causing large-scale network congestion and delay, and hostile actors using the Internet to steal secrets from and launch network attacks on important government agencies and research institutes in our country. These problems urgently need to be addressed. One key to solving them is how to accurately and effectively identify each type of encrypted traffic in a complex real-world network environment and detect the abnormal traffic within it.
The prior art identifies abnormal traffic with port-based traffic identification. This method is simple, has low computational overhead, and achieves high accuracy on traditional applications. However, with the introduction and use of port masquerading, port hopping, dynamic ports and tunneling, the method is gradually losing its advantage and its identification accuracy is declining.
Therefore, how to accurately identify abnormal encrypted traffic has become an urgent problem.
Summary of the invention
In view of the problems in the prior art, embodiments of the present invention provide a method and device for identifying abnormal encrypted traffic.
In a first aspect, an embodiment of the present invention provides a method for identifying abnormal encrypted traffic, the method comprising:
acquiring an encrypted traffic file;
preprocessing the encrypted traffic file to determine the traffic protocol corresponding to the encrypted traffic;
selecting, according to the type of the traffic protocol, the corresponding behavior identification rule and performing behavior identification on the encrypted traffic;
identifying abnormal encrypted traffic according to the result of the behavior identification, a previously obtained machine learning identification result for the encrypted traffic, and a preset rule.
In a second aspect, an embodiment of the present invention provides a device for identifying abnormal encrypted traffic, the device comprising:
an acquisition unit, configured to acquire an encrypted traffic file;
a determination unit, configured to preprocess the encrypted traffic file to determine the traffic protocol corresponding to the encrypted traffic;
a selection unit, configured to select, according to the type of the traffic protocol, the corresponding behavior identification rule and perform behavior identification on the encrypted traffic;
an identification unit, configured to identify abnormal encrypted traffic according to the result of the behavior identification, a previously obtained machine learning identification result for the encrypted traffic, and a preset rule.
In a third aspect, an embodiment of the present invention provides another device for identifying abnormal encrypted traffic, comprising a processor, a memory and a bus, wherein:
acquiring an encrypted traffic file;
preprocessing the encrypted traffic file to determine the traffic protocol corresponding to the encrypted traffic;
selecting, according to the type of the traffic protocol, the corresponding behavior identification rule and performing behavior identification on the encrypted traffic;
identifying abnormal encrypted traffic according to the result of the behavior identification, a previously obtained machine learning identification result for the encrypted traffic, and a preset rule.
In a fourth aspect, an embodiment of the present invention provides a non-transitory computer-readable storage medium, comprising:
the non-transitory computer-readable storage medium stores computer instructions that cause a computer to perform the following method:
acquiring an encrypted traffic file;
preprocessing the encrypted traffic file to determine the traffic protocol corresponding to the encrypted traffic;
selecting, according to the type of the traffic protocol, the corresponding behavior identification rule and performing behavior identification on the encrypted traffic;
identifying abnormal encrypted traffic according to the result of the behavior identification, a previously obtained machine learning identification result for the encrypted traffic, and a preset rule.
The method and device for identifying abnormal encrypted traffic provided by the embodiments of the present invention can accurately identify abnormal encrypted traffic.
Description of the drawings
To illustrate the technical solutions of the embodiments of the present invention or of the prior art more clearly, the drawings needed for describing the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below show only some embodiments of the present invention; those of ordinary skill in the art can derive other drawings from them without creative effort.
FIG. 1 is a schematic flowchart of a method for identifying abnormal encrypted traffic according to an embodiment of the present invention;
FIG. 2 is a schematic structural diagram for identifying abnormal encrypted traffic according to an embodiment of the present invention;
FIG. 3 is a schematic diagram of the physical structure of a device provided by an embodiment of the present invention.
Detailed description of the embodiments
To make the objectives, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments are described clearly and completely below with reference to the drawings. Obviously, the described embodiments are some, not all, of the embodiments of the present invention. All other embodiments obtained by those of ordinary skill in the art from the embodiments of the present invention without creative effort fall within the scope of protection of the present invention.
FIG. 1 is a schematic flowchart of a method for identifying abnormal encrypted traffic according to an embodiment of the present invention. As shown in FIG. 1, a method for identifying abnormal encrypted traffic provided by an embodiment of the present invention includes the following steps:
S1: acquire an encrypted traffic file.
Specifically, the device acquires an encrypted traffic file. The encrypted traffic file may follow the PCAP (process characteristic analysis software package) format standard, but this is not specifically limited.
S2: preprocess the encrypted traffic file to determine the traffic protocol corresponding to the encrypted traffic.
Specifically, the device preprocesses the encrypted traffic file to determine the traffic protocol corresponding to the encrypted traffic. Preprocessing may include converting the encrypted traffic file from its original format (which may be PCAP) into TCP/UDP flows, followed by manual analysis to determine the traffic protocol corresponding to the encrypted traffic. It should be noted that, after in-depth investigation and study of a large body of encrypted traffic, the embodiment of the present invention selects ten widely used encrypted traffic protocols as the objects of detection and subsequent analysis, which may include SSH, TLS, QQ, Skype, ICQ, IPMSG, Thunder, eDonkey, uTorrent and BitTorrent. Because the behavior of different types of traffic protocol often differs considerably, these ten protocols can be divided into four classes, and a corresponding behavior identification method is designed and implemented for the distinctive behavior pattern of each class. The four classes are: basic encryption protocols (which may include SSH and TLS), C/S instant messaging protocols (which may include QQ), P2P instant messaging protocols (which may include Skype, ICQ and IPMSG), and P2P file transfer protocols (which may include Thunder, eDonkey, uTorrent and BitTorrent).
S3: according to the type of the traffic protocol, select the corresponding behavior identification rule and perform behavior identification on the encrypted traffic.
Specifically, the device selects the corresponding behavior identification rule according to the type of the traffic protocol and performs behavior identification on the encrypted traffic. If the traffic protocol is a basic encryption protocol (SSH, TLS), port identification is performed on the corresponding encrypted traffic. Since SSH and TLS are both public protocols implemented on top of TCP with fixed port numbers, the nature of a TCP flow can be preliminarily determined by checking whether its destination port is the default 22 or 443 (SSH: 22, TLS: 443). If the destination port is 22 (first identification result), SSH behavior pattern identification is performed on the flow; if the destination port is 443 (second identification result), TLS behavior pattern identification is performed. Because SSH and TLS are end-to-end encryption protocols, the usable information is that in the packet headers. When a pair of nodes in the network communicates over SSH, the two sides first exchange handshake packets, each of which contains a plaintext string beginning with SSH-2.0 (a string specified in the header information) or SSH-1.99 (a string specified in the header information). The two sides then exchange key and encryption algorithm negotiation packets, which carry a number of cipher suites whose names are stored in plaintext in the packet payload. According to the RFC, SSH clients and servers support the ssh-dss (a string specified in the subsequent information) or ssh-rsa (a string specified in the subsequent information) method. SSH behavior pattern identification therefore specifically includes: checking whether the header information contains the string SSH-2.0 or SSH-1.99, and whether the subsequent information contains the string ssh-dss or ssh-rsa. If both conditions are satisfied, the behavior pattern conforms to the SSH protocol (that is, the behavior identification result for the encrypted traffic file is normal SSH); if either condition is not satisfied, the behavior pattern does not conform to the SSH protocol (that is, the behavior identification result for the encrypted traffic file is abnormal SSH).
The behavior pattern of TLS is somewhat similar to that of SSH. Of a pair of nodes communicating over TLS, one is the SERVER (server node) and the other the CLIENT (client node). The first handshake packet sent by the CLIENT (the first request handshake packet sent to the SERVER) carries, in plaintext, the names of the several cipher suites it supports; the SERVER selects one of them and returns it to the CLIENT as the method for their subsequent encrypted communication. TLS behavior pattern identification therefore specifically includes: obtaining the handshake packet of type CLIENT HELLO (the first request handshake packet sent to the SERVER), which may offer several cipher suite names; then searching the subsequent packets for one of type SERVER HELLO (the server node's handshake packet sent in response to the first request handshake packet) whose specified field corresponds to one of the cipher suite names offered above. If all these conditions are satisfied, the behavior pattern conforms to the TLS protocol (that is, the behavior identification result for the encrypted traffic file is normal TLS); if any of them is not satisfied, the behavior pattern does not conform to the TLS protocol (that is, the behavior identification result for the encrypted traffic file is abnormal TLS).
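The two rules for the basic encryption protocol class, written out as an added example (this is not code from the patent). A TCP flow is modelled as its destination port plus the ordered application payloads seen on it; that flow model, the minimal TLS record builder and every sample payload are constructed for the example. The SSH check looks for the identification string and then a host key algorithm name in a later payload; the TLS check parses the cipher suite list out of the ClientHello and verifies that the ServerHello's chosen suite is one of them.

```python
"""Behavior-pattern check for the basic encryption protocol class (SSH, TLS).

Added illustration; not code from the patent. The flow model (destination
port + ordered payloads) and all sample payloads are constructed.
"""
import struct

SSH_PORT, TLS_PORT = 22, 443
SSH_BANNERS = (b"SSH-2.0", b"SSH-1.99")       # header strings named in the text
SSH_HOSTKEY_ALGS = (b"ssh-dss", b"ssh-rsa")   # strings expected in later packets


def ssh_behavior_ok(payloads):
    """Condition 1: a payload beginning with SSH-2.0 or SSH-1.99; condition 2:
    ssh-dss or ssh-rsa appearing in a payload after that banner."""
    banner_at = next((i for i, p in enumerate(payloads)
                      if p.startswith(SSH_BANNERS)), None)
    if banner_at is None:
        return False
    return any(alg in p for p in payloads[banner_at + 1:] for alg in SSH_HOSTKEY_ALGS)


def _hello_body(record, hs_type):
    """Body of a single TLS Handshake record (content type 0x16) whose
    handshake type is hs_type (1 = ClientHello, 2 = ServerHello), else None."""
    if len(record) < 9 or record[0] != 0x16:
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != hs_type:
        return None
    return hs[4:4 + int.from_bytes(hs[1:4], "big")]


def _after_session_id(body):
    """Both Hello bodies start with version(2) random(32) session_id(1+n)."""
    pos = 2 + 32
    return pos + 1 + body[pos]


def client_hello_suites(record):
    """Cipher suites offered in a ClientHello, as a list of 2-byte ids."""
    body = _hello_body(record, 1)
    if body is None:
        return None
    pos = _after_session_id(body)
    n = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    return [body[pos + i:pos + i + 2] for i in range(0, n, 2)]


def server_hello_suite(record):
    """Cipher suite chosen in a ServerHello (the 'specified field')."""
    body = _hello_body(record, 2)
    if body is None:
        return None
    pos = _after_session_id(body)
    return body[pos:pos + 2]


def tls_behavior_ok(payloads):
    """A ClientHello offering suites, then a ServerHello choosing one of them."""
    for i, p in enumerate(payloads):
        offered = client_hello_suites(p)
        if offered is None:
            continue
        for q in payloads[i + 1:]:
            chosen = server_hello_suite(q)
            if chosen is not None:
                return chosen in offered
        return False          # ClientHello but no ServerHello
    return False              # no ClientHello at all


def classify_basic(dst_port, payloads):
    """Port identification first (22 -> SSH, 443 -> TLS), then that protocol's
    behavior rule. Returns (protocol, conforms)."""
    if dst_port == SSH_PORT:
        return "SSH", ssh_behavior_ok(payloads)
    if dst_port == TLS_PORT:
        return "TLS", tls_behavior_ok(payloads)
    return "unknown", False


def _hello_record(hs_type, suites_field):
    """Build a minimal Hello record for the constructed samples below."""
    body = b"\x03\x03" + bytes(32) + b"\x00" + suites_field
    hs = bytes([hs_type]) + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x03" + struct.pack("!H", len(hs)) + hs


# Constructed sample flows (not captured traffic).
SSH_FLOW = [b"SSH-2.0-OpenSSH_8.9\r\n", b"SSH-2.0-OpenSSH_8.9\r\n",
            b"\x14kexinit:ssh-rsa,ssh-ed25519;curve25519-sha256"]
SSH_FLOW_BAD = [b"SSH-2.0-OpenSSH_8.9\r\n", b"\x00\x01\x02 opaque binary"]
TLS_FLOW = [_hello_record(1, b"\x00\x04\x13\x01\x13\x02"), _hello_record(2, b"\x13\x02")]
TLS_FLOW_BAD = [_hello_record(1, b"\x00\x04\x13\x01\x13\x02"), _hello_record(2, b"\x00\x2f")]

if __name__ == "__main__":
    for port, flow in ((22, SSH_FLOW), (22, SSH_FLOW_BAD), (443, TLS_FLOW), (443, TLS_FLOW_BAD)):
        print(classify_basic(port, flow))
```

The TLS parser handles only the single-record Hello layout used by the samples; a production check would reassemble the TCP stream and walk TLS records across segment boundaries before applying the same suite comparison.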
If the traffic protocol is a C/S instant messaging protocol, port identification is performed on the corresponding encrypted traffic; if the identification result is port number 8000 (third identification result), behavior identification is further performed on the encrypted traffic. In QQ traffic, the client periodically asks the server to update the current user's friend list. This type of request packet carries a plaintext field identifying the packet type (type identification field) and also carries, in plaintext, the QQ account used by the current user (identity identification field). These two fields (the plaintext packet type field and the current user's QQ account) remain unchanged in all such request packets sent during normal QQ communication, and all such request packets are sent at the same time interval. C/S instant messaging protocol behavior pattern identification therefore specifically includes: obtaining the type identification field that identifies the type of request packet sent by the client to the server, and the identity identification field that identifies the client user; determining the candidate request packets, i.e. request packets of the same type sent by the same user; obtaining the time intervals at which the candidate request packets were sent, and taking those whose interval is less than or equal to a preset time interval threshold as target request packets; computing the ratio of the number of target request packets to the total number of request packets sent by the same user; and checking whether this ratio is greater than a ratio threshold. The preset time interval and ratio threshold can be set freely according to actual conditions. If all these conditions are satisfied, the behavior pattern conforms to the C/S instant messaging encryption protocol (that is, the behavior identification result for the encrypted traffic is normal C/S instant messaging encryption protocol traffic); if any of them is not satisfied, the behavior pattern does not conform to the C/S instant messaging encryption protocol (that is, the behavior identification result for the encrypted traffic file is abnormal C/S instant messaging encryption protocol traffic).
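The periodic friend-list rule for the C/S instant messaging class, as an added example that is not part of the patent. The Request model and the sample traffic are constructed; the page leaves the time interval threshold and the ratio threshold to the operator, so the values MAX_GAP_SECONDS and MIN_RATIO, the constructed type field value and the convention that the first candidate (which has no preceding interval) is never a target are all assumptions of this example.

```python
"""Behavior-pattern check for the C/S instant messaging class (QQ).

Added illustration; not code from the patent. Thresholds and sample traffic
are assumptions/constructed values.
"""
from collections import defaultdict
from dataclasses import dataclass

QQ_PORT = 8000                               # third identification result in the text
FRIEND_LIST_UPDATE = "friend_list_update"    # constructed value of the type field
MAX_GAP_SECONDS = 60.0                       # preset time interval threshold (assumption)
MIN_RATIO = 0.5                              # ratio threshold (assumption)


@dataclass(frozen=True)
class Request:
    ts: float          # send time in seconds
    dst_port: int
    pkt_type: str      # plaintext type identification field
    account: str       # plaintext identity identification field


def target_ratio_per_account(requests, update_type=FRIEND_LIST_UPDATE,
                             max_gap=MAX_GAP_SECONDS):
    """For each account: candidates are its requests of update_type; a candidate
    is a target when the gap to the previous candidate is <= max_gap (the first
    candidate has no gap and is not counted). Returns
    {account: targets / all requests sent by that account}."""
    by_account = defaultdict(list)
    for r in requests:
        by_account[r.account].append(r)
    ratios = {}
    for account, reqs in by_account.items():
        candidates = sorted(r.ts for r in reqs if r.pkt_type == update_type)
        targets = sum(1 for a, b in zip(candidates, candidates[1:]) if b - a <= max_gap)
        ratios[account] = targets / len(reqs)
    return ratios


def classify_cs_im(requests, min_ratio=MIN_RATIO):
    """Port identification (every request goes to port 8000), then the periodic
    friend-list rule for every account seen. Returns (class, conforms)."""
    if not requests or any(r.dst_port != QQ_PORT for r in requests):
        return "C/S IM", False
    ratios = target_ratio_per_account(requests)
    return "C/S IM", all(ratio > min_ratio for ratio in ratios.values())


# Constructed samples: one account refreshing its friend list every 60 s plus
# one chat message; one account with irregular refreshes and two chats.
REGULAR = [Request(t, QQ_PORT, FRIEND_LIST_UPDATE, "10001") for t in (0, 60, 120, 180, 240)]
REGULAR.append(Request(30, QQ_PORT, "chat", "10001"))
IRREGULAR = [Request(t, QQ_PORT, FRIEND_LIST_UPDATE, "10002") for t in (0, 5, 300, 301)]
IRREGULAR += [Request(t, QQ_PORT, "chat", "10002") for t in (10, 20)]

if __name__ == "__main__":
    print(classify_cs_im(REGULAR), target_ratio_per_account(REGULAR))
    print(classify_cs_im(IRREGULAR), target_ratio_per_account(IRREGULAR))
```

For the regular account four of the five refresh packets arrive exactly one threshold apart, giving a ratio of 4/6; the irregular account only reaches 2/6 and fails the rule.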
If the traffic protocol is a P2P instant messaging protocol, port identification is performed on the corresponding encrypted traffic. If the identification result is destination port number 2425 (fourth identification result), the P2P instant messaging protocol is preliminarily taken to be IPMSG: the source and destination addresses of the encrypted traffic are obtained, and the source broadcast address corresponding to the source address and the destination broadcast address corresponding to the destination address are computed from the current network mask configuration. It should be noted that computing the broadcast address from the current network mask configuration is a mature technique in the field and is not described further here. If the encrypted traffic contains a broadcast packet sent from the source address to the source broadcast address on port 2425, and all the above conditions are satisfied, the behavior pattern conforms to the IPMSG protocol among the P2P instant messaging protocols (that is, the behavior identification result for the encrypted traffic file is normal IPMSG); if any of the above conditions is not satisfied, the behavior pattern does not conform to the IPMSG protocol (that is, the behavior identification result for the encrypted traffic file is abnormal IPMSG). In the same way, if the encrypted traffic contains a broadcast packet sent from the destination address to the destination broadcast address on port 2425, and all the above conditions are satisfied, the behavior pattern conforms to the IPMSG protocol among the P2P instant messaging protocols (that is, the behavior identification result for the encrypted traffic file is normal IPMSG); if any of the above conditions is not satisfied, the behavior pattern does not conform to the IPMSG protocol (that is, the behavior identification result for the encrypted traffic file is abnormal IPMSG).
If the port identification result is not destination port number 2425 (fifth identification result), the source address of the encrypted traffic is obtained, and the Skype DNS request packets (first-type request packets) or ICQ DNS request packets (second-type request packets) sent from that source address are extracted from the encrypted traffic. A Skype DNS request packet is checked for the following fields: "skype.com", "skype.net", "skypeassets.com" and "skype-cr.akadns.net" (a first preset number of first specified fields; the first preset number may be 4 and the first specified fields may be these four), or an ICQ DNS request packet is checked for the following fields: "icq.net", "icq.com" and "mail.ru" (a second preset number of second specified fields; the second preset number may be 3 and the second specified fields may be these three). The first preset number, second preset number, first specified fields and second specified fields are not specifically limited. Skype DNS request packets or ICQ DNS request packets satisfying the above condition are taken as target Skype DNS request packets (target first-type request packets) or target ICQ DNS request packets (target second-type request packets). It is then checked whether the number of target Skype DNS request packets or target ICQ DNS request packets sent is greater than a count threshold (which can be set freely; 2 is an option), and whether the number of bytes in each target Skype DNS request packet or each target ICQ DNS request packet is less than a byte count threshold (which can be set freely; 170 bytes is an option). If all the above conditions are satisfied (including the determination of target Skype DNS request packets or target ICQ DNS request packets), the behavior pattern conforms to the Skype or ICQ protocol among the P2P instant messaging protocols (that is, the behavior identification result for the encrypted traffic file is normal Skype or ICQ); if any of them is not satisfied, the behavior pattern does not conform to the Skype or ICQ protocol (that is, the behavior identification result for the encrypted traffic file is abnormal Skype or ICQ).
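Both rules for the P2P instant messaging class (the IPMSG broadcast check for port 2425 and the Skype/ICQ DNS check otherwise), as an added example that is not code from the patent. The Packet model, the netmask and all sample packets are constructed; the DNS count and byte thresholds use the optional values the text names (2 and 170). The broadcast address is derived with Python's standard ipaddress module.

```python
"""Behavior-pattern checks for the P2P instant messaging class (IPMSG, Skype, ICQ).

Added illustration; not code from the patent. Packet model, netmask and
sample packets are constructed.
"""
import ipaddress
from dataclasses import dataclass

IPMSG_PORT = 2425       # fourth identification result in the text
SKYPE_FIELDS = ("skype.com", "skype.net", "skypeassets.com", "skype-cr.akadns.net")
ICQ_FIELDS = ("icq.net", "icq.com", "mail.ru")
DNS_COUNT_THRESHOLD = 2      # number of target DNS requests must exceed this
DNS_BYTES_THRESHOLD = 170    # each target DNS request must be shorter than this


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dst_port: int
    length: int            # bytes on the wire
    dns_qname: str = ""    # query name when the packet is a DNS request


def broadcast_of(addr, netmask):
    """Directed broadcast address of addr under the current netmask."""
    return str(ipaddress.ip_interface(f"{addr}/{netmask}").network.broadcast_address)


def ipmsg_behavior_ok(src, dst, packets, netmask):
    """A port-2425 packet from src to src's broadcast address, or from dst to
    dst's broadcast address, must be present."""
    wanted = {(src, broadcast_of(src, netmask)), (dst, broadcast_of(dst, netmask))}
    return any(p.dst_port == IPMSG_PORT and (p.src, p.dst) in wanted for p in packets)


def dns_behavior_ok(src, packets, fields):
    """Target DNS requests from src are those whose name contains one of the
    specified fields; more than DNS_COUNT_THRESHOLD of them are required, each
    shorter than DNS_BYTES_THRESHOLD bytes."""
    targets = [p for p in packets
               if p.src == src and p.dns_qname and any(f in p.dns_qname for f in fields)]
    return (len(targets) > DNS_COUNT_THRESHOLD
            and all(p.length < DNS_BYTES_THRESHOLD for p in targets))


def classify_p2p_im(src, dst, packets, netmask):
    """Port identification first: any destination port 2425 -> IPMSG rule;
    otherwise (fifth identification result) the Skype then ICQ DNS rule.
    Returns (protocol, conforms)."""
    if any(p.dst_port == IPMSG_PORT for p in packets):
        return "IPMSG", ipmsg_behavior_ok(src, dst, packets, netmask)
    for name, fields in (("Skype", SKYPE_FIELDS), ("ICQ", ICQ_FIELDS)):
        if dns_behavior_ok(src, packets, fields):
            return name, True
    return "Skype/ICQ", False


NETMASK = "255.255.255.0"
# Constructed samples (not captured traffic).
IPMSG_FLOW = [Packet("192.168.1.10", "192.168.1.20", IPMSG_PORT, 120),
              Packet("192.168.1.10", "192.168.1.255", IPMSG_PORT, 64)]   # broadcast present
IPMSG_FLOW_BAD = [Packet("192.168.1.10", "192.168.1.20", IPMSG_PORT, 120)]
SKYPE_FLOW = [Packet("10.0.0.5", "10.0.0.1", 53, 90, q)
              for q in ("ui.skype.com", "apps.skypeassets.com", "conn.skype-cr.akadns.net")]
SKYPE_FLOW_BAD = SKYPE_FLOW[:2] + [Packet("10.0.0.5", "10.0.0.1", 53, 200, "conn.skype-cr.akadns.net")]
ICQ_FLOW = [Packet("10.0.0.5", "10.0.0.1", 53, 80, q)
            for q in ("login.icq.com", "api.icq.net", "mail.ru", "icq.com")]

if __name__ == "__main__":
    print(classify_p2p_im("192.168.1.10", "192.168.1.20", IPMSG_FLOW, NETMASK))
    print(classify_p2p_im("10.0.0.5", "10.0.0.1", SKYPE_FLOW, NETMASK))
```

SKYPE_FLOW_BAD has enough target requests but one of them is 200 bytes, so the byte threshold fails and the flow is reported as not conforming.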
If the traffic protocol is a P2P file transfer protocol, all communication packets between each pair of IP addresses in the corresponding encrypted traffic are obtained. It is checked whether the communication packets include both TCP and UDP packets, whether all UDP packets are between 82 bytes (first preset byte count) and 85 bytes (second preset byte count) in length, whether all UDP packets are sent in the same direction from sender to receiver, and whether the arrival interval of each UDP packet equals a preset value (6 seconds is an option, but this is not specifically limited). If all these conditions are satisfied, the behavior pattern conforms to the Thunder protocol among the P2P file transfer protocols (that is, the behavior identification result for the encrypted traffic file is normal Thunder); if any of them is not satisfied, the behavior pattern does not conform to the Thunder protocol (that is, the behavior identification result for the encrypted traffic file is abnormal Thunder).
or,
if all communication packets include TCP, UDP and eDonkey packets, the behavior pattern conforms to the eDonkey protocol among the P2P file transfer protocols (that is, the behavior identification result for the encrypted traffic file is normal eDonkey); if not, the behavior pattern does not conform to the eDonkey protocol (that is, the behavior identification result for the encrypted traffic file is abnormal eDonkey).
or,
if all communication packets include TCP, UDP and BitTorrent packets and the number of TCP packets exceeds the number of UDP packets, the behavior pattern conforms to the BitTorrent protocol among the P2P file transfer protocols (that is, the behavior identification result for the encrypted traffic file is normal BitTorrent); if all communication packets include TCP, UDP and BitTorrent packets and the number of TCP packets is less than the number of UDP packets, the behavior pattern conforms to the uTorrent protocol among the P2P file transfer protocols (that is, the behavior identification result for the encrypted traffic file is normal uTorrent); if none of the above conditions is satisfied, the behavior identification result for the encrypted traffic file is determined to be an abnormal P2P file transfer protocol.
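The P2P file transfer rules (Thunder, eDonkey, BitTorrent, uTorrent) applied in the order the text gives them, as an added example that is not code from the patent. The Packet model and the sample flows are constructed, and whether a packet is an eDonkey or BitTorrent message is taken as an already-decoded marker rather than parsed here. The text only says the UDP arrival interval should equal the preset value, so the INTERVAL_TOL tolerance is an assumption of this example.

```python
"""Behavior-pattern check for the P2P file transfer class
(Thunder, eDonkey, BitTorrent, uTorrent).

Added illustration; not code from the patent. Packet model, app markers and
sample flows are constructed; INTERVAL_TOL is an assumption.
"""
from dataclasses import dataclass

UDP_MIN_LEN, UDP_MAX_LEN = 82, 85     # first / second preset byte counts
THUNDER_INTERVAL = 6.0                # preset arrival interval (optional value in the text)
INTERVAL_TOL = 0.5                    # assumption: how far a gap may deviate


@dataclass(frozen=True)
class Packet:
    ts: float
    src: str
    dst: str
    proto: str          # "TCP" or "UDP"
    length: int
    app: str = ""       # "eDonkey" / "BitTorrent" when decoded as such, else ""


def has_tcp_and_udp(pkts):
    protos = {p.proto for p in pkts}
    return "TCP" in protos and "UDP" in protos


def thunder_ok(pkts, interval=THUNDER_INTERVAL, tol=INTERVAL_TOL):
    """TCP and UDP both present; every UDP packet 82..85 bytes; all UDP in one
    direction; consecutive UDP arrivals `interval` seconds apart."""
    if not has_tcp_and_udp(pkts):
        return False
    udp = sorted((p for p in pkts if p.proto == "UDP"), key=lambda p: p.ts)
    if not all(UDP_MIN_LEN <= p.length <= UDP_MAX_LEN for p in udp):
        return False
    if len({(p.src, p.dst) for p in udp}) != 1:
        return False
    return all(abs((b.ts - a.ts) - interval) <= tol for a, b in zip(udp, udp[1:]))


def classify_p2p_file(pkts):
    """Apply the rules in the text's order to all packets between one pair of
    IP addresses. Returns the protocol name, or None for an abnormal P2P file
    transfer pattern."""
    if thunder_ok(pkts):
        return "Thunder"
    apps = {p.app for p in pkts}
    if has_tcp_and_udp(pkts) and "eDonkey" in apps:
        return "eDonkey"
    if has_tcp_and_udp(pkts) and "BitTorrent" in apps:
        n_tcp = sum(p.proto == "TCP" for p in pkts)
        n_udp = sum(p.proto == "UDP" for p in pkts)
        if n_tcp > n_udp:
            return "BitTorrent"
        if n_tcp < n_udp:
            return "uTorrent"
    return None


def _mk(protos, udp_len=84, app="", udp_every=THUNDER_INTERVAL):
    """Constructed flow between one IP pair; `protos` lists "TCP"/"UDP" packets."""
    pkts, t_udp = [], 0.0
    for i, proto in enumerate(protos):
        if proto == "UDP":
            pkts.append(Packet(t_udp, "10.1.1.2", "10.1.1.9", "UDP", udp_len, app))
            t_udp += udp_every
        else:
            pkts.append(Packet(0.1 * i, "10.1.1.2", "10.1.1.9", "TCP", 1400, app))
    return pkts


THUNDER_FLOW = _mk(["TCP", "UDP", "TCP", "UDP", "UDP", "UDP"])
EDONKEY_FLOW = _mk(["TCP", "UDP", "TCP"], udp_len=200, app="eDonkey")
BT_FLOW = _mk(["TCP"] * 5 + ["UDP"] * 2, udp_len=300, app="BitTorrent")
UTORRENT_FLOW = _mk(["TCP"] * 2 + ["UDP"] * 5, udp_len=300, app="BitTorrent")
TCP_ONLY_FLOW = _mk(["TCP"] * 4)

if __name__ == "__main__":
    for name, flow in (("thunder", THUNDER_FLOW), ("edonkey", EDONKEY_FLOW),
                       ("bt", BT_FLOW), ("utorrent", UTORRENT_FLOW), ("tcp-only", TCP_ONLY_FLOW)):
        print(name, classify_p2p_file(flow))
```

Because the Thunder rule is tested first, a BitTorrent flow whose UDP packets happened to be 82 to 85 bytes and 6 seconds apart would be labelled Thunder; the rule order is the text's, and a deployment would tighten the Thunder rule or reorder if that collision turned out to matter.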
S4: identify abnormal encrypted traffic according to the result of the behavior identification, the previously obtained machine learning identification result for the encrypted traffic, and a preset rule.
Specifically, the device identifies abnormal encrypted traffic according to the result of the behavior identification, the previously obtained machine learning identification result for the encrypted traffic, and a preset rule. Machine learning identification of encrypted traffic determines the specific type of the encrypted traffic by extracting a particular feature set from it and applying a trained classification model. The embodiment of the present invention selects features that are not easily affected by the external environment as the feature library for encrypted traffic, as shown in Table 1:
Table 1
Identifying abnormal encrypted traffic according to the result of the behavior identification, the previously obtained machine learning identification result for the encrypted traffic, and the preset rule is specifically described as follows:
If the behavior identification result and the machine learning identification result are inconsistent, the encrypted traffic is determined to be abnormal encrypted traffic. If they are consistent, the encrypted traffic is determined to be normal encrypted traffic. The method for identifying abnormal encrypted traffic may further include the following step to obtain the normal encrypted traffic in the encrypted traffic file:
obtaining all encrypted traffic in the encrypted traffic file, and subtracting the abnormal encrypted traffic already obtained from all the encrypted traffic to obtain the normal encrypted traffic in the encrypted traffic file.
Identification of abnormal encrypted traffic is illustrated below with reference to Table 2:
Table 2
Referring to row 1 of Table 2: the behavior pattern identification result is Thunder (conforming to the Thunder protocol among the P2P file transfer protocols) and the machine learning identification result is P2P file download traffic; the two results are consistent, so the encrypted traffic is determined to be normal P2P file download traffic (Thunder).
Referring to row 5 of Table 2: the behavior pattern identification result is non-P2P file download traffic (not conforming to a P2P file transfer protocol) and the machine learning identification result is P2P file download traffic; the two results are inconsistent, so the encrypted traffic is determined to be abnormal P2P file download traffic.
Referring to row 6 of Table 2: the behavior pattern identification result is Thunder (conforming to the Thunder protocol among the P2P file transfer protocols) and the machine learning identification result is non-P2P file download traffic; the two results are inconsistent, so the encrypted traffic is determined to be abnormal P2P file download traffic.
Referring to row 10 of Table 2: the behavior pattern identification result is non-P2P file download traffic (not conforming to a P2P file transfer protocol) and the machine learning identification result is non-P2P file download traffic; the two results are consistent, so the encrypted traffic is determined to be normal non-P2P file download traffic.
本发明实施例提供的识别异常加密流量的方法,能够准确地对异常加密流量进行识别。The method for identifying abnormally encrypted traffic provided in the embodiment of the present invention can accurately identify abnormally encrypted traffic.
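The preset rule and the "all traffic minus abnormal traffic" step above, as an added example that is not part of the patent text. It assumes a protocol-to-category mapping (Thunder belongs to the P2P file download category, as row 1 of Table 2 implies) so that the comparison can be made at category level, and it uses constructed flow records that mirror the four Table 2 rows discussed; the flow identifiers and field names are the example's own.

```python
"""Consistency rule between behavior recognition and machine learning results.

Added example, not the patent's own code. BEHAVIOR_CATEGORY is an assumed
mapping from a behavior-level protocol name to the category the machine
learning classifier reports; SAMPLE_FLOWS are constructed records.
"""
from dataclasses import dataclass

# Assumed mapping: behavior recognition names a protocol, the ML classifier
# names a coarse category, so consistency is checked at the category level.
BEHAVIOR_CATEGORY = {
    "Thunder": "P2P file download",
    "non-P2P": "non-P2P file download",
}


@dataclass(frozen=True)
class Flow:
    flow_id: str
    behavior_result: str   # output of the behavior recognition rule
    ml_result: str         # output of the previously trained ML classifier


def is_abnormal(flow):
    """Preset rule: inconsistent results -> abnormal, consistent -> normal."""
    category = BEHAVIOR_CATEGORY.get(flow.behavior_result)
    if category is None:
        # A protocol the mapping does not know cannot be confirmed consistent;
        # flag it rather than silently treating it as normal.
        return True
    return category != flow.ml_result


def split_flows(flows):
    """Return (abnormal_ids, normal_ids); normal = all flows minus abnormal flows."""
    all_ids = {f.flow_id for f in flows}
    abnormal = {f.flow_id for f in flows if is_abnormal(f)}
    return abnormal, all_ids - abnormal


# Constructed records mirroring the Table 2 rows discussed in the text.
SAMPLE_FLOWS = [
    Flow("row1", "Thunder", "P2P file download"),
    Flow("row5", "non-P2P", "P2P file download"),
    Flow("row6", "Thunder", "non-P2P file download"),
    Flow("row10", "non-P2P", "non-P2P file download"),
]

if __name__ == "__main__":
    abnormal, normal = split_flows(SAMPLE_FLOWS)
    print("abnormal:", sorted(abnormal))
    print("normal:", sorted(normal))
```

Rows 5 and 6 end up in the abnormal set and rows 1 and 10 in the normal set; a behavior label the mapping does not know is flagged rather than passed through, since an unmapped label would otherwise make every flow "consistent" by accident.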
On the basis of the foregoing embodiments, the types of traffic protocol include a basic encryption protocol, a C/S instant messaging protocol, a P2P instant messaging protocol, and a P2P file transfer protocol. Correspondingly, selecting the behavior recognition rule corresponding to the type of the traffic protocol and performing behavior recognition on the encrypted traffic includes:
If the traffic protocol is the basic encryption protocol, selecting the corresponding first behavior recognition rule to perform behavior recognition on the encrypted traffic.
Specifically, if the device determines that the traffic protocol is the basic encryption protocol, it selects the corresponding first behavior recognition rule to perform behavior recognition on the encrypted traffic. Reference may be made to the foregoing embodiments, and details are not repeated here.
Or,
If the traffic protocol is the C/S instant messaging protocol, selecting the corresponding second behavior recognition rule to perform behavior recognition on the encrypted traffic.
Specifically, if the device determines that the traffic protocol is the C/S instant messaging protocol, it selects the corresponding second behavior recognition rule to perform behavior recognition on the encrypted traffic. Reference may be made to the foregoing embodiments, and details are not repeated here.
Or,
If the traffic protocol is the P2P instant messaging protocol, selecting the corresponding third behavior recognition rule to perform behavior recognition on the encrypted traffic.
Specifically, if the device determines that the traffic protocol is the P2P instant messaging protocol, it selects the corresponding third behavior recognition rule to perform behavior recognition on the encrypted traffic. Reference may be made to the foregoing embodiments, and details are not repeated here.
Or,
If the traffic protocol is the P2P file transfer protocol, selecting the corresponding fourth behavior recognition rule to perform behavior recognition on the encrypted traffic.
Specifically, if the device determines that the traffic protocol is the P2P file transfer protocol, it selects the corresponding fourth behavior recognition rule to perform behavior recognition on the encrypted traffic. Reference may be made to the foregoing embodiments, and details are not repeated here.
The method for identifying abnormal encrypted traffic provided by the embodiment of the present invention, by performing behavior recognition separately on the encrypted traffic of each traffic protocol type, can identify abnormal encrypted traffic more accurately.
On the basis of the foregoing embodiments, if the traffic protocol is the basic encryption protocol, selecting the corresponding first behavior recognition rule to perform behavior recognition on the encrypted traffic includes:
Performing port identification on the encrypted traffic.
Specifically, the device performs port identification on the encrypted traffic.
If the port identification result is the first identification result, determining the behavior recognition result of the encrypted traffic according to whether the packet header information and the subsequent information of the encrypted traffic include a specified character string.
Specifically, if the device determines that the port identification result is the first identification result, it determines the behavior recognition result of the encrypted traffic according to whether the packet header information and the subsequent information of the encrypted traffic include the specified character string.
Or,
If the port identification result is the second identification result, obtaining the names of the cipher suites (encryption method suites) offered by the client node of the basic encryption protocol when it sends the first request handshake packet.
Specifically, if the device determines that the port identification result is the second identification result, it obtains the names of the cipher suites offered by the client node of the basic encryption protocol in its first request handshake packet.
During the subsequent data transmission between the server node and the client node of the basic encryption protocol, determining the behavior recognition result of the encrypted traffic according to whether the server node has sent the client node a server handshake packet in response to the first request handshake packet, and whether the specified field of that server handshake packet corresponds to one of the offered cipher suite names.
Specifically, during the subsequent data transmission between the server node and the client node of the basic encryption protocol, the device determines the behavior recognition result of the encrypted traffic according to whether the server node has sent the client node a server handshake packet in response to the first request handshake packet, and whether the specified field of that server handshake packet corresponds to one of the offered cipher suite names.
The method for identifying abnormal encrypted traffic provided by the embodiment of the present invention, by performing behavior recognition on the encrypted traffic of the basic encryption protocol, can accurately identify abnormal encrypted traffic.
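The first behavior recognition rule above, as an added example that is not code from the patent. The patent names neither the basic encryption protocol nor the two port identification results, so the example assumes that the second identification result is TCP port 443 with TLS as the protocol (the client's cipher suite names are then the ClientHello cipher_suites list and the server's specified field is the ServerHello cipher_suite), and that the first identification result is TCP port 22 with the SSH banner prefix "SSH-" as the specified character string at the start of the first payload. The handshake records are constructed inside the block by the build_* helpers; the result labels are the example's own.

```python
"""First behavior recognition rule (basic encryption protocol).

Added example, not the patent's own code. Assumptions (the patent names
neither the protocol nor the port results):
 - second identification result = TCP port 443, protocol TLS: the client's
   cipher suite names are the ClientHello cipher_suites list, the server's
   specified field is the ServerHello cipher_suite;
 - first identification result = TCP port 22, specified string b"SSH-" at
   the start of the first payload (the SSH version banner).
All handshake records are constructed by the build_* helpers below.
"""
import struct

HANDSHAKE = 0x16
CLIENT_HELLO, SERVER_HELLO = 0x01, 0x02


def _handshake_body(record, expected_type):
    """Body of the single handshake message inside one TLS record, else b""."""
    try:
        if record[0] != HANDSHAKE:
            return b""
        rec_len = struct.unpack("!H", record[3:5])[0]
        hs = record[5:5 + rec_len]
        if hs[0] != expected_type:
            return b""
        hs_len = int.from_bytes(hs[1:4], "big")
        return hs[4:4 + hs_len]
    except (IndexError, struct.error):
        return b""


def client_hello_suites(record):
    """Cipher suites offered in the client's first request handshake packet."""
    body = _handshake_body(record, CLIENT_HELLO)
    try:
        pos = 2 + 32                                  # client_version + random
        pos += 1 + body[pos]                          # session_id
        cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
        raw = body[pos + 2:pos + 2 + cs_len]
        if len(raw) != cs_len:
            return []                                 # truncated suite list
        return [struct.unpack("!H", raw[i:i + 2])[0] for i in range(0, cs_len, 2)]
    except (IndexError, struct.error):
        return []


def server_hello_suite(record):
    """Cipher suite selected in the server's handshake packet, or None."""
    body = _handshake_body(record, SERVER_HELLO)
    try:
        pos = 2 + 32
        pos += 1 + body[pos]
        return struct.unpack("!H", body[pos:pos + 2])[0]
    except (IndexError, struct.error):
        return None


def tls_rule(client_record, server_record):
    """Second rule: the server answered, and chose a suite the client offered."""
    offered = client_hello_suites(client_record)
    chosen = server_hello_suite(server_record)
    return bool(offered) and chosen is not None and chosen in offered


def ssh_rule(first_payload, specified=b"SSH-"):
    """First rule: header and following bytes carry the specified string."""
    return first_payload.startswith(specified)


def behavior_result(dst_port, client_record=b"", server_record=b"", first_payload=b""):
    """'basic-encryption' when the flow behaves like the protocol its port implies."""
    if dst_port == 22:                                # assumed first identification result
        ok = ssh_rule(first_payload)
    elif dst_port == 443:                             # assumed second identification result
        ok = tls_rule(client_record, server_record)
    else:
        return "unknown-port"
    return "basic-encryption" if ok else "not-basic-encryption"


def _record(hs_type, body):
    hs = bytes([hs_type]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE]) + b"\x03\x03" + struct.pack("!H", len(hs)) + hs


def build_client_hello(suites):
    """Constructed ClientHello: TLS 1.2 version, zero random, empty session id, no extensions."""
    cs = b"".join(struct.pack("!H", s) for s in suites)
    body = b"\x03\x03" + bytes(32) + b"\x00" + struct.pack("!H", len(cs)) + cs + b"\x01\x00"
    return _record(CLIENT_HELLO, body)


def build_server_hello(suite):
    """Constructed ServerHello: TLS 1.2 version, zero random, empty session id, null compression."""
    body = b"\x03\x03" + bytes(32) + b"\x00" + struct.pack("!H", suite) + b"\x00"
    return _record(SERVER_HELLO, body)
```

A ServerHello that selects a suite the client never offered, or a ClientHello that is never answered by a ServerHello, fails the rule; traffic that merely sits on port 443 without a consistent handshake is what this branch is meant to separate from genuine basic-encryption traffic.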
On the basis of the foregoing embodiments, if the traffic protocol is the C/S instant messaging protocol, selecting the corresponding second behavior recognition rule to perform behavior recognition on the encrypted traffic includes:
Performing port identification on the encrypted traffic.
Specifically, the device performs port identification on the encrypted traffic. Reference may be made to the foregoing embodiments, and details are not repeated here.
If the port identification result is the third identification result, obtaining the type identifier field that identifies the type of request packet sent by the client to the server, and the identity identifier field that identifies the identity of the client user; here the request packet is the request sent by the client to the server to update the current user's friend list.
Specifically, if the device determines that the port identification result is the third identification result, it obtains the type identifier field that identifies the type of request packet sent by the client to the server and the identity identifier field that identifies the identity of the client user, where the request packet is the request sent by the client to the server to update the current user's friend list. Reference may be made to the foregoing embodiments, and details are not repeated here.
Determining candidate request packets according to the type identifier field and the identity identifier field, where the candidate request packets are request packets of the same type sent by the same user.
Specifically, the device determines the candidate request packets according to the type identifier field and the identity identifier field, where the candidate request packets are request packets of the same type sent by the same user. Reference may be made to the foregoing embodiments, and details are not repeated here.
Obtaining the time intervals at which the candidate request packets are sent, and taking the candidate request packets whose time interval is less than or equal to a preset time interval threshold as target request packets.
Specifically, the device obtains the time intervals at which the candidate request packets are sent and takes the candidate request packets whose time interval is less than or equal to the preset time interval threshold as target request packets. Reference may be made to the foregoing embodiments, and details are not repeated here.
Calculating the ratio of the number of target request packets to the total number of all request packets sent by the same user.
Specifically, the device calculates the ratio of the number of target request packets to the total number of all request packets sent by the same user. Reference may be made to the foregoing embodiments, and details are not repeated here.
Determining the behavior recognition result of the encrypted traffic according to whether the ratio is greater than a ratio threshold.
Specifically, the device determines the behavior recognition result of the encrypted traffic according to whether the ratio is greater than the ratio threshold. Reference may be made to the foregoing embodiments, and details are not repeated here.
The method for identifying abnormal encrypted traffic provided by the embodiment of the present invention, by performing behavior recognition on the encrypted traffic of the C/S instant messaging protocol, can accurately identify abnormal encrypted traffic.
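The second behavior recognition rule above, as an added example that is not the patent's code. The friend-list update type identifier, the (timestamp, user, type) record layout extracted from the identity and type identifier fields, and both thresholds are assumptions; the patent does not say which side of the ratio threshold counts as conforming, so the example's reading (a high ratio of rapid repeated list refreshes does not match a normal client) is also an assumption. The request log is constructed.

```python
"""Second behavior recognition rule (C/S instant messaging).

Added example, not the patent's own code. Assumptions: each request is a
(timestamp_seconds, user_id, type_id) tuple taken from the identity and
type identifier fields; the type identifiers and both thresholds are
assumed values; REQUEST_LOG is constructed.
"""
FRIEND_LIST_UPDATE = 0x21   # assumed type identifier of the friend-list update request
CHAT_MESSAGE = 0x10         # assumed type identifier of an ordinary message


def target_request_stats(requests, user_id, interval_threshold):
    """Return (target_count, total_count, ratio) for one user.

    Candidate packets: friend-list update requests of this user (same identity
    field, same type field), in time order.
    Target packets: candidates sent no more than interval_threshold seconds
    after the previous candidate.
    total: every request packet this user sent, whatever its type.
    """
    mine = sorted(r for r in requests if r[1] == user_id)
    total = len(mine)
    candidates = [ts for ts, _, typ in mine if typ == FRIEND_LIST_UPDATE]
    targets = sum(1 for a, b in zip(candidates, candidates[1:])
                  if b - a <= interval_threshold)
    ratio = targets / total if total else 0.0
    return targets, total, ratio


def behavior_result(requests, user_id, interval_threshold=1.0, ratio_threshold=0.5):
    """Ratio above the threshold means the user's traffic is dominated by
    rapid-fire list refreshes; this example treats that as not matching a
    normal C/S IM client (assumption about the rule's direction)."""
    _, _, ratio = target_request_stats(requests, user_id, interval_threshold)
    return "not-cs-im" if ratio > ratio_threshold else "cs-im"


# Constructed log: 'alice' refreshes occasionally and chats; 'bot' hits the
# friend-list request five times in under half a second.
REQUEST_LOG = [
    (0.0, "alice", FRIEND_LIST_UPDATE), (5.0, "alice", CHAT_MESSAGE),
    (10.0, "alice", CHAT_MESSAGE), (30.0, "alice", FRIEND_LIST_UPDATE),
    (40.0, "alice", CHAT_MESSAGE), (65.0, "alice", FRIEND_LIST_UPDATE),
    (0.0, "bot", FRIEND_LIST_UPDATE), (0.1, "bot", FRIEND_LIST_UPDATE),
    (0.2, "bot", FRIEND_LIST_UPDATE), (0.3, "bot", FRIEND_LIST_UPDATE),
    (0.4, "bot", FRIEND_LIST_UPDATE),
]

if __name__ == "__main__":
    for user in ("alice", "bot"):
        print(user, target_request_stats(REQUEST_LOG, user, 1.0), behavior_result(REQUEST_LOG, user))
```

Because the denominator is every request the user sent, not just the friend-list requests, a user who chats normally between occasional refreshes keeps a low ratio even if two of the refreshes happen to fall close together.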
On the basis of the foregoing embodiments, if the traffic protocol is the P2P instant messaging protocol, selecting the corresponding third behavior recognition rule to perform behavior recognition on the encrypted traffic includes:
Performing port identification on the encrypted traffic.
Specifically, the device performs port identification on the encrypted traffic. Reference may be made to the foregoing embodiments, and details are not repeated here.
If the port identification result is the fourth identification result, obtaining the source address and the destination address of the encrypted traffic, and calculating, according to the current netmask configuration, the source broadcast address corresponding to the source address and the destination broadcast address corresponding to the destination address.
Specifically, if the device determines that the port identification result is the fourth identification result, it obtains the source address and the destination address of the encrypted traffic and calculates, according to the current netmask configuration, the source broadcast address corresponding to the source address and the destination broadcast address corresponding to the destination address. Reference may be made to the foregoing embodiments, and details are not repeated here.
Determining the behavior recognition result of the encrypted traffic according to whether the encrypted traffic file contains a broadcast packet sent from the source address to the source broadcast address on the port given by the fourth identification result.
Specifically, the device determines the behavior recognition result of the encrypted traffic according to whether the encrypted traffic file contains a broadcast packet sent from the source address to the source broadcast address on the port given by the fourth identification result. Reference may be made to the foregoing embodiments, and details are not repeated here.
Or,
Determining the behavior recognition result of the encrypted traffic according to whether the encrypted traffic contains a broadcast packet sent from the destination address to the destination broadcast address on the port given by the fourth identification result.
Specifically, the device determines the behavior recognition result of the encrypted traffic according to whether the encrypted traffic contains a broadcast packet sent from the destination address to the destination broadcast address on the port given by the fourth identification result. Reference may be made to the foregoing embodiments, and details are not repeated here.
The method for identifying abnormal encrypted traffic provided by the embodiment of the present invention, by performing behavior recognition on the encrypted traffic of the P2P instant messaging protocol, can accurately identify abnormal encrypted traffic.
On the basis of the foregoing embodiments, the method further includes:
If the port identification result is not the fourth identification result, obtaining the source address of the encrypted traffic.
Specifically, if the device determines that the port identification result is not the fourth identification result, it obtains the source address of the encrypted traffic.
Obtaining, from the encrypted traffic, the first-type request packets or the second-type request packets sent from the source address.
Specifically, the device obtains, from the encrypted traffic, the first-type request packets or the second-type request packets sent from the source address.
Determining target first-type request packets or target second-type request packets according to whether a first-type request packet includes the corresponding first preset number of first specified fields, or whether a second-type request packet includes the corresponding second preset number of second specified fields.
Specifically, the device determines the target first-type request packets or the target second-type request packets according to whether a first-type request packet includes the corresponding first preset number of first specified fields, or whether a second-type request packet includes the corresponding second preset number of second specified fields.
Determining the behavior recognition result of the encrypted traffic according to whether the number of target first-type request packets or target second-type request packets sent is greater than a count threshold, and whether the number of bytes in each target first-type request packet or each target second-type request packet is less than a byte-count threshold.
Specifically, the device determines the behavior recognition result of the encrypted traffic according to whether the number of target first-type request packets or target second-type request packets sent is greater than the count threshold, and whether the number of bytes in each target first-type request packet or each target second-type request packet is less than the byte-count threshold.
The method for identifying abnormal encrypted traffic provided by the embodiment of the present invention, by further performing behavior recognition on the encrypted traffic of the P2P instant messaging protocol, can accurately identify abnormal encrypted traffic.
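Both branches of the third behavior recognition rule (the broadcast check when the port identification result is the fourth identification result, and the small-request count when it is not), as one added example that is not the patent's code. The patent gives no concrete port, request types, field layout or thresholds: the example assumes UDP port 2425 as the fourth identification result (a value chosen only to make the example concrete), a /24 netmask unless another is given, two request types recognised by an assumed payload prefix with an assumed count of "\x1f"-separated fields, and assumed count and byte thresholds. The packet trace is constructed.

```python
"""Third behavior recognition rule (P2P instant messaging), both branches.

Added example, not the patent's own code. Assumptions: the 'fourth
identification result' is UDP port 2425 (chosen only to make the example
concrete); a /24 netmask unless given; the two request types are recognised
by an assumed payload prefix and an assumed count of b"\x1f"-separated
fields; count and byte thresholds are assumed; PACKETS are constructed.
"""
import ipaddress
from dataclasses import dataclass

P2P_IM_PORT = 2425  # assumed 'fourth identification result'


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes = b""


def broadcast_of(addr, netmask="255.255.255.0"):
    """Directed broadcast address of addr under the given netmask."""
    net = ipaddress.IPv4Network(f"{addr}/{netmask}", strict=False)
    return str(net.broadcast_address)


def has_broadcast(packets, flow, netmask="255.255.255.0"):
    """Branch for the fourth identification result: is there a broadcast packet
    from the flow's source to the source broadcast address, or from the
    destination to the destination broadcast address, on the same port?"""
    checks = [(flow.src, broadcast_of(flow.src, netmask)),
              (flow.dst, broadcast_of(flow.dst, netmask))]
    return any(p.src == s and p.dst == b and p.dport == P2P_IM_PORT
               for p in packets for s, b in checks)


# Branch for any other port. Assumed: type prefix -> (field separator, required field count).
REQUEST_TYPES = {b"QRY": (b"\x1f", 2), b"PNG": (b"\x1f", 1)}


def target_requests(packets, src):
    """First/second-type requests from src that carry exactly the preset number of fields."""
    out = []
    for p in packets:
        if p.src != src:
            continue
        for prefix, (sep, count) in REQUEST_TYPES.items():
            if p.payload.startswith(prefix) and p.payload.count(sep) == count:
                out.append(p)
    return out


def small_request_burst(packets, src, count_threshold=3, byte_threshold=32):
    """More than count_threshold target requests, every one shorter than byte_threshold."""
    targets = target_requests(packets, src)
    return (len(targets) > count_threshold
            and all(len(p.payload) < byte_threshold for p in targets))


def behavior_result(packets, flow, port_result):
    """'p2p-im' when the flow behaves like P2P IM under the applicable branch."""
    if port_result == P2P_IM_PORT:
        matched = has_broadcast(packets, flow)
    else:
        matched = small_request_burst(packets, flow.src)
    return "p2p-im" if matched else "not-p2p-im"


# Constructed trace.
PACKETS = [
    Packet("192.168.1.10", "192.168.1.255", 2425, b"PNG\x1falice"),   # presence broadcast
    Packet("192.168.1.10", "192.168.1.20", 2425, b"MSG\x1fhi"),
    Packet("172.16.0.3", "172.16.0.9", 2425, b"MSG\x1fhi"),             # no broadcast seen
    Packet("10.0.0.5", "10.0.0.9", 5000, b"QRY\x1falice\x1fbob"),
    Packet("10.0.0.5", "10.0.0.9", 5000, b"QRY\x1falice\x1fcarol"),
    Packet("10.0.0.5", "10.0.0.9", 5000, b"PNG\x1falice"),
    Packet("10.0.0.5", "10.0.0.9", 5000, b"PNG\x1falice"),
    Packet("10.0.0.6", "10.0.0.9", 5000, b"QRY\x1fmallory\x1fbob"),
    Packet("10.0.0.6", "10.0.0.9", 5000, b"X" * 64),                    # not a request type
]
```

The broadcast branch needs the whole capture, not just the flow under test, because the peer-discovery broadcast that vouches for a P2P IM client is a separate packet from the unicast conversation; the other branch only looks at what the source itself emitted.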
On the basis of the foregoing embodiments, if the traffic protocol is the P2P file transfer protocol, selecting the corresponding fourth behavior recognition rule to perform behavior recognition on the encrypted traffic includes:
Obtaining all communication packets between each pair of IP addresses in the encrypted traffic.
Specifically, the device obtains all communication packets between each pair of IP addresses in the encrypted traffic.
Determining the behavior recognition result of the encrypted traffic according to whether all those communication packets include both TCP and UDP packets, whether the lengths of the UDP packets all lie between a first preset number of bytes and a second preset number of bytes, whether the UDP packets are all sent in the same direction from the sender to the receiver, and whether the arrival interval of each UDP packet equals a preset value.
Specifically, the device determines the behavior recognition result of the encrypted traffic according to whether all those communication packets include both TCP and UDP packets, whether the lengths of the UDP packets all lie between the first preset number of bytes and the second preset number of bytes, whether the UDP packets are all sent in the same direction from the sender to the receiver, and whether the arrival interval of each UDP packet equals the preset value.
The method for identifying abnormal encrypted traffic provided by the embodiment of the present invention, by performing behavior recognition on the encrypted traffic of the P2P file transfer protocol, can accurately identify abnormal encrypted traffic.
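The fourth behavior recognition rule above, as an added example that is not the patent's code. The UDP length window (60 to 1400 bytes), the expected inter-arrival interval (0.5 s) and a jitter tolerance (0.05 s) stand in for the patent's unspecified preset values and are assumptions; the packet trace of (timestamp, source, destination, protocol, length) records is constructed.

```python
"""Fourth behavior recognition rule (P2P file transfer).

Added example, not the patent's own code. The UDP length window (60..1400
bytes), the expected inter-arrival interval (0.5 s) and its tolerance
(0.05 s) are assumed values for the patent's 'preset' numbers; TRACE is a
constructed packet list.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    ts: float
    src: str
    dst: str
    proto: str   # "TCP" or "UDP"
    length: int


def group_by_pair(packets):
    """All packets between each pair of IP addresses, regardless of direction."""
    groups = defaultdict(list)
    for p in packets:
        groups[tuple(sorted((p.src, p.dst)))].append(p)
    return groups


def pair_matches(pkts, lo=60, hi=1400, interval=0.5, tol=0.05):
    """The four conditions of the rule, evaluated on one IP pair."""
    if not {"TCP", "UDP"} <= {p.proto for p in pkts}:
        return False                                    # both TCP and UDP must be present
    udp = sorted((p for p in pkts if p.proto == "UDP"), key=lambda p: p.ts)
    if not all(lo <= p.length <= hi for p in udp):
        return False                                    # UDP lengths inside the window
    if len({(p.src, p.dst) for p in udp}) != 1:
        return False                                    # UDP all in one direction
    gaps = [b.ts - a.ts for a, b in zip(udp, udp[1:])]
    # 'arrival interval equals the preset value' needs at least one interval;
    # a tolerance is applied because capture timestamps jitter (assumption).
    return bool(gaps) and all(abs(g - interval) <= tol for g in gaps)


def behavior_result(packets, **thresholds):
    """Map each IP pair to its behavior recognition result."""
    return {pair: ("p2p-file-transfer" if pair_matches(pkts, **thresholds)
                   else "not-p2p-file-transfer")
            for pair, pkts in group_by_pair(packets).items()}


# Constructed trace.
TRACE = [
    # pair A: TCP control exchange plus one-directional, evenly spaced UDP data
    Pkt(0.00, "10.0.0.1", "10.0.0.2", "TCP", 500),
    Pkt(0.05, "10.0.0.2", "10.0.0.1", "TCP", 60),
    Pkt(1.00, "10.0.0.1", "10.0.0.2", "UDP", 1024),
    Pkt(1.50, "10.0.0.1", "10.0.0.2", "UDP", 1024),
    Pkt(2.02, "10.0.0.1", "10.0.0.2", "UDP", 1024),
    Pkt(2.50, "10.0.0.1", "10.0.0.2", "UDP", 1024),
    # pair B: UDP only, no TCP
    Pkt(1.00, "10.0.0.1", "10.0.0.3", "UDP", 1024),
    Pkt(1.50, "10.0.0.1", "10.0.0.3", "UDP", 1024),
    # pair C: TCP plus UDP in both directions
    Pkt(0.00, "10.0.0.4", "10.0.0.5", "TCP", 120),
    Pkt(1.00, "10.0.0.4", "10.0.0.5", "UDP", 300),
    Pkt(1.50, "10.0.0.5", "10.0.0.4", "UDP", 300),
]

if __name__ == "__main__":
    for pair, verdict in sorted(behavior_result(TRACE).items()):
        print(pair, verdict)
```

Grouping is by unordered address pair so that the TCP reply direction and the UDP data direction land in the same group; the one-direction test is then applied only to the UDP subset, as the rule states.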
FIG. 2 is a schematic structural diagram of a device for identifying abnormal encrypted traffic according to an embodiment of the present invention. As shown in FIG. 2, the embodiment provides a device for identifying abnormal encrypted traffic that includes an acquisition unit 1, a determination unit 2, a selection unit 3 and an identification unit 4, where:
The acquisition unit 1 is configured to obtain an encrypted traffic file; the determination unit 2 is configured to preprocess the encrypted traffic file to determine the traffic protocol corresponding to the encrypted traffic; the selection unit 3 is configured to select, according to the type of the traffic protocol, the corresponding behavior recognition rule and perform behavior recognition on the encrypted traffic; and the identification unit 4 is configured to identify abnormal encrypted traffic according to the behavior recognition result, the previously obtained machine learning recognition result for the encrypted traffic, and the preset rule.
Specifically, the acquisition unit 1 obtains the encrypted traffic file; the determination unit 2 preprocesses the encrypted traffic file to determine the traffic protocol corresponding to the encrypted traffic; the selection unit 3 selects, according to the type of the traffic protocol, the corresponding behavior recognition rule and performs behavior recognition on the encrypted traffic; and the identification unit 4 identifies abnormal encrypted traffic according to the behavior recognition result, the previously obtained machine learning recognition result for the encrypted traffic, and the preset rule.
The device for identifying abnormal encrypted traffic provided by the embodiment of the present invention can accurately identify abnormal encrypted traffic.
The device for identifying abnormal encrypted traffic provided by the embodiment of the present invention may specifically be used to execute the processing flows of the method embodiments above; its functions are not repeated here, and reference may be made to the detailed description of the method embodiments.
FIG. 3 is a schematic diagram of the physical structure of the device provided by an embodiment of the present invention. As shown in FIG. 3, the device includes a processor 301, a memory 302 and a bus 303;
where the processor 301 and the memory 302 communicate with each other through the bus 303;
the processor 301 is configured to call program instructions in the memory 302 to execute the method provided by the method embodiments above, for example including: obtaining an encrypted traffic file; preprocessing the encrypted traffic file to determine the traffic protocol corresponding to the encrypted traffic; selecting, according to the type of the traffic protocol, the corresponding behavior recognition rule and performing behavior recognition on the encrypted traffic; and identifying abnormal encrypted traffic according to the behavior recognition result, the previously obtained machine learning recognition result for the encrypted traffic, and the preset rule.
This embodiment discloses a computer program product, which includes a computer program stored on a non-transitory computer-readable storage medium. The computer program includes program instructions which, when executed by a computer, enable the computer to execute the method provided by the method embodiments above, for example including: obtaining an encrypted traffic file; preprocessing the encrypted traffic file to determine the traffic protocol corresponding to the encrypted traffic; selecting, according to the type of the traffic protocol, the corresponding behavior recognition rule and performing behavior recognition on the encrypted traffic; and identifying abnormal encrypted traffic according to the behavior recognition result, the previously obtained machine learning recognition result for the encrypted traffic, and the preset rule.
This embodiment provides a non-transitory computer-readable storage medium storing computer instructions which cause a computer to execute the method provided by the method embodiments above, for example including: obtaining an encrypted traffic file; preprocessing the encrypted traffic file to determine the traffic protocol corresponding to the encrypted traffic; selecting, according to the type of the traffic protocol, the corresponding behavior recognition rule and performing behavior recognition on the encrypted traffic; and identifying abnormal encrypted traffic according to the behavior recognition result, the previously obtained machine learning recognition result for the encrypted traffic, and the preset rule.
Those of ordinary skill in the art will understand that all or part of the steps of the method embodiments above may be carried out by hardware under the control of program instructions. The program may be stored in a computer-readable storage medium and, when executed, performs the steps of the method embodiments above; the storage medium includes ROM, RAM, magnetic disks, optical disks and other media capable of storing program code.
The device embodiments described above are merely illustrative. Units described as separate components may or may not be physically separate, and components shown as units may or may not be physical units; they may be located in one place or distributed over several network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of this embodiment, which those of ordinary skill in the art can understand and implement without creative effort.
From the description of the embodiments above, those skilled in the art will clearly understand that each embodiment may be implemented by software together with a necessary general-purpose hardware platform, or alternatively by hardware. On this understanding, the technical solution above, in essence or in the part that contributes over the prior art, may be embodied as a software product stored in a computer-readable storage medium such as ROM/RAM, a magnetic disk or an optical disk, including instructions that cause a computer device (which may be a personal computer, a server, a network device, or the like) to execute the method described in the embodiments or in parts of the embodiments.
Finally, it should be noted that the embodiments above serve only to illustrate the technical solutions of the embodiments of the present invention, not to limit them. Although the embodiments of the present invention have been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art will understand that the technical solutions recorded in the foregoing embodiments may still be modified, or some or all of their technical features replaced by equivalents, without such modifications or replacements taking the essence of the corresponding technical solutions outside the scope of the technical solutions of the embodiments of the present invention.
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201710561737.4A (granted as CN107360159B) | 2017-07-11 | 2017-07-11 | Method and device for identifying abnormal encrypted traffic |
| Publication Number | Publication Date |
|---|---|
| CN107360159A | 2017-11-17 |
| CN107360159B | 2019-12-03 |
| CN117955734A (en)* | 2024-03-21 | 2024-04-30 | 道普信息技术有限公司 | Encryption protocol pcap metadata analysis method |
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101364981A (en)* | 2008-06-27 | 2009-02-11 | 南京邮电大学 | Hybrid Intrusion Detection Method Based on Internet Protocol Version 6 |
| CN103580960A (en)* | 2013-11-19 | 2014-02-12 | 佛山市络思讯环保科技有限公司 | Online pipe network anomaly detection system based on machine learning |
| CN104135474A (en)* | 2014-07-18 | 2014-11-05 | 国家计算机网络与信息安全管理中心 | Network anomaly behavior detection method based on out-degree and in-degree of host |
| CN106911637A (en)* | 2015-12-23 | 2017-06-30 | 北京奇虎科技有限公司 | Cyberthreat treating method and apparatus |
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US9386034B2 (en)* | 2013-12-17 | 2016-07-05 | Hoplite Industries, Inc. | Behavioral model based malware protection system and method |
| Publication number | Publication date |
|---|---|
| CN107360159A (en) | 2017-11-17 |
| Publication | Title | Publication Date |
|---|---|---|
| CN107360159B (en) | A kind of method and device of the abnormal encryption flow of identification | |
| US10250466B2 (en) | Application signature generation and distribution | |
| US10812525B2 (en) | Method and system for defending distributed denial of service attack | |
| US10742722B2 (en) | Server load balancing | |
| CN107948076B (en) | Method and device for forwarding message | |
| US20220038466A1 (en) | System and method for de-anonymizing actions and messages on networks | |
| US9813442B2 (en) | Server grouping system | |
| CN111049781B (en) | A detection method, device, equipment and storage medium of a rebound network attack | |
| CN106162584A (en) | Identify the method for refuse messages, client, cloud server and system | |
| US9935861B2 (en) | Method, system and apparatus for detecting instant message spam | |
| US20240303656A1 (en) | System and method for cryptocurrency networks | |
| CN111193756B (en) | VXLAN tunnel load balancing method and related equipment | |
| US11399016B2 (en) | System and method for identifying exchanges of encrypted communication traffic | |
| CN104734939B (en) | Session keep-alive method and equipment | |
| CN113411292B (en) | Intercepting services and providing services to content destinations based on chained service tapping | |
| CN106888229A (en) | A kind of call management method and server | |
| Cusack et al. | Detecting and tracing slow attacks on mobile phone user service | |
| CN113067741B (en) | Information processing method, device, terminal and storage medium | |
| CN103780605A (en) | Fast encryption and decryption method and gateway | |
| CN107547498B (en) | Auditing method and device | |
| CN106411723A (en) | Message processing method and device | |
| Schliep | Secure Group Communication | |
| KR20110044680A (en) | Traffic classification device and method | |
| JP2018085616A (en) | Communication apparatus, communication management system, and communication management method | |
| Date | Code | Title | Description |
|---|---|---|---|
| | PB01 | Publication | |
| | SE01 | Entry into force of request for substantive examination | |
| | GR01 | Patent grant | |