Disclosure of Invention
The object of the present application is to solve at least to some extent one of the technical problems in the art described above.
The first aspect of the application provides a processing method of an access request, which comprises the steps of receiving the access request for accessing a target object, determining a target request processing partition corresponding to the access request from a plurality of candidate request processing partitions in a firewall, acquiring a safe access address segment of the target request processing partition, and intercepting the access request according to the safe access address segment.
The method for processing the access request provided by the first aspect of the application further has the following technical features:
According to the embodiment of the application, the access request is intercepted according to the secure access address segment, and the method comprises the steps of obtaining a target access address of the access request to a target object, identifying whether the access request is an illegal access request according to the secure access address segment and the target access address, and intercepting the illegal access request in response to identifying that the access request is the illegal access request.
According to the embodiment of the application, identifying whether the access request is an illegal access request according to the secure access address segment and the target access address comprises the steps of determining that the access request is a secure access request in response to the target access address belonging to the secure access address segment of the target request processing partition, and determining that the access request is an illegal access request in response to the target access address not belonging to the secure access address segment of the target request processing partition.
According to the embodiment of the application, determining the target request processing partition corresponding to the access request from a plurality of candidate request processing partitions in the firewall comprises the steps of acquiring an identification corresponding relation between the area identification of the candidate request processing partition and the equipment identification of test equipment, wherein the test equipment is used for initiating the access request to the target object, determining the target equipment identification of the target test equipment that initiated the access request from the information carried by the access request, determining the target area identification corresponding to the target equipment identification according to the identification corresponding relation, and determining the candidate request processing partition corresponding to the target area identification as the target request processing partition for processing the access request.
According to the embodiment of the application, the method further comprises the steps of performing performance evaluation on the firewall and the target object, respectively obtaining a first performance evaluation result of the firewall and a second performance evaluation result of the target object, and evaluating the performance of the target system according to the first performance evaluation result and the second performance evaluation result.
According to the embodiment of the application, obtaining the first performance evaluation result of the firewall comprises the steps of determining the initiating duty ratio of illegal access requests in the initiating amount of access requests, monitoring the intercepting amount of illegal access requests intercepted by the firewall, obtaining the intercepting duty ratio of the intercepting amount in the receiving amount of access requests, and evaluating the performance of the firewall according to the initiating duty ratio and the intercepting duty ratio so as to obtain the first performance evaluation result of the firewall.
According to the embodiment of the application, evaluating the performance of the firewall according to the initiation duty ratio and the interception duty ratio to obtain the first performance evaluation result of the firewall comprises the steps of obtaining the error value between the initiation duty ratio and the interception duty ratio, and determining that the first performance evaluation result of the firewall is qualified in response to the error value belonging to a set error range.
According to the embodiment of the application, obtaining the second performance evaluation result of the target object comprises the steps of acquiring the response delay time of the target object to the access requests that are not intercepted by the firewall, and evaluating the performance of the target object according to the response delay time so as to obtain the second performance evaluation result of the target object.
According to the embodiment of the application, the performance of the target object is evaluated according to the response delay time to obtain the second performance evaluation result of the target object, wherein the evaluation method comprises the steps of obtaining the threshold time of the response delay of the target object, and judging that the second performance evaluation result of the target object is qualified in response to the response delay time being less than or equal to the threshold time.
According to the embodiment of the application, evaluating the performance of the target system according to the first performance evaluation result and the second performance evaluation result comprises the step of judging that the performance evaluation result of the target system is qualified in response to the first performance evaluation result indicating that the firewall performance is qualified and the second performance evaluation result indicating that the target object performance is qualified.
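The evaluation procedure in the preceding paragraphs can be made concrete with a small Python model. The block below is an added example, not code from the application: it computes the initiating duty ratio and intercepting duty ratio over a constructed request log, checks their error against a set error range, checks the response delay of the forwarded requests against a threshold, and combines both into the target system result. The record fields, the error range of 0.05, the threshold of 20.0 and the use of the worst observed delay as "the response delay time" are all assumptions made for the example.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class AccessRecord:
    """One access request as recorded by the verification environment (constructed format)."""
    illegal: bool           # the stimulus marked this request as an illegal access request
    intercepted: bool       # the firewall intercepted it
    delay: Optional[float]  # response delay of the target object for forwarded requests, else None


# Constructed log: 10 requests, 3 of them illegal, all 3 intercepted by the firewall.
SAMPLE_LOG: List[AccessRecord] = [
    AccessRecord(False, False, 12.0),
    AccessRecord(False, False, 15.5),
    AccessRecord(True,  True,  None),
    AccessRecord(False, False, 9.0),
    AccessRecord(False, False, 18.0),
    AccessRecord(True,  True,  None),
    AccessRecord(False, False, 11.0),
    AccessRecord(False, False, 13.0),
    AccessRecord(True,  True,  None),
    AccessRecord(False, False, 16.0),
]

# Same log, except that one illegal request slipped through and was served by the target object.
SLIPPED_LOG: List[AccessRecord] = SAMPLE_LOG[:8] + [AccessRecord(True, False, 10.0)] + SAMPLE_LOG[9:]

ERROR_RANGE = 0.05  # assumed set error range for |initiation ratio - interception ratio|
THRESHOLD = 20.0    # assumed threshold time for the response delay (same unit as the delay field)


def initiation_ratio(records: List[AccessRecord]) -> float:
    """Initiating duty ratio: illegal requests over all requests initiated."""
    return sum(1 for r in records if r.illegal) / len(records)


def interception_ratio(records: List[AccessRecord]) -> float:
    """Intercepting duty ratio: intercepted requests over all requests the firewall received."""
    return sum(1 for r in records if r.intercepted) / len(records)


def evaluate_firewall(records: List[AccessRecord], error_range: float = ERROR_RANGE):
    """First performance evaluation result: qualified when the two ratios agree within error_range.
    Returns (qualified, error)."""
    error = abs(initiation_ratio(records) - interception_ratio(records))
    return error <= error_range, error


def evaluate_target(records: List[AccessRecord], threshold: float = THRESHOLD):
    """Second performance evaluation result: qualified when the response delay of the forwarded
    requests stays within the threshold. The worst delay stands in for "the response delay time"
    (an assumption of this example). Returns (qualified, worst_delay)."""
    delays = [r.delay for r in records if not r.intercepted and r.delay is not None]
    worst = max(delays) if delays else 0.0
    return worst <= threshold, worst


def evaluate_system(records: List[AccessRecord],
                    error_range: float = ERROR_RANGE,
                    threshold: float = THRESHOLD) -> bool:
    """Target system result: qualified only when both the firewall and the target object qualify."""
    firewall_ok, _ = evaluate_firewall(records, error_range)
    target_ok, _ = evaluate_target(records, threshold)
    return firewall_ok and target_ok


if __name__ == "__main__":
    print("sample :", evaluate_firewall(SAMPLE_LOG), evaluate_target(SAMPLE_LOG), evaluate_system(SAMPLE_LOG))
    print("slipped:", evaluate_firewall(SLIPPED_LOG), evaluate_target(SLIPPED_LOG), evaluate_system(SLIPPED_LOG))
```

The slipped log shows why the two ratios are compared rather than the interception count alone: the target object still responds within the threshold, so only the firewall result fails, and the system result follows it.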
The second aspect of the application provides an access request processing device, which comprises a receiving module, a determining module and a processing module, wherein the receiving module is used for receiving an access request for accessing a target object, the determining module is used for determining a target request processing partition corresponding to the access request from a plurality of candidate request processing partitions in a firewall, and the processing module is used for acquiring a safe access address segment of the target request processing partition and intercepting the access request according to the safe access address segment.
The processing device for an access request according to the second aspect of the present application further has the following technical features, including:
According to an embodiment of the application, the processing module is further used for acquiring a target access address of the access request to the target object, identifying whether the access request is an illegal access request according to the secure access address segment and the target access address, and intercepting the illegal access request in response to identifying that the access request is the illegal access request.
According to an embodiment of the application, the processing module is further configured to determine that the access request is a secure access request in response to the target access address belonging to the secure access address field of the target request processing partition, and determine that the access request is an illegal access request in response to the target access address not belonging to the secure access address field of the target request processing partition.
According to the embodiment of the application, the determining module is further used for acquiring an identification corresponding relation between the area identification of the candidate request processing partition and the equipment identification of the test equipment, wherein the test equipment is used for initiating the access request to the target object, determining the target equipment identification of the target test equipment for initiating the access request from the information carried by the access request, determining the target area identification corresponding to the target equipment identification according to the identification corresponding relation, and determining the candidate request processing partition corresponding to the target area identification as the target request processing partition for processing the access request.
According to the embodiment of the application, the device further comprises an evaluation module, wherein the evaluation module is used for evaluating the performance of the firewall and the target object, respectively acquiring a first performance evaluation result of the firewall and a second performance evaluation result of the target object, and evaluating the performance of the target system according to the first performance evaluation result and the second performance evaluation result.
According to the embodiment of the application, the evaluation module is further used for determining the initiating ratio of the illegal access request from the initiating amount of the access request, monitoring the intercepting amount of the firewall to the illegal access request, acquiring the intercepting ratio of the intercepting amount in the receiving amount of the access request, and evaluating the performance of the firewall according to the initiating ratio and the intercepting ratio to acquire a first performance evaluation result of the firewall.
According to the embodiment of the application, the evaluation module is further used for acquiring error values of the initiating duty ratio and the intercepting duty ratio, and determining that the first performance evaluation result of the firewall is qualified in response to the error values belonging to a set error range.
According to the embodiment of the application, the evaluation module is further used for acquiring the response delay time of the target object to the access request which is not intercepted by the firewall, and evaluating the performance of the target object according to the response delay time so as to acquire a second performance evaluation result of the target object.
According to an embodiment of the application, the evaluation module is further used for acquiring the threshold time of the response delay of the target object, and determining that the second performance evaluation result of the target object is qualified in response to the response delay time being smaller than or equal to the threshold time.
According to one embodiment of the application, the evaluation module is further used for judging that the performance evaluation result of the target system is qualified in response to the first performance evaluation result indicating that the firewall performance is qualified and the second performance evaluation result indicating that the target object performance is qualified.
An embodiment of the third aspect of the present application provides an electronic device, including at least one processor, and a memory communicatively connected to the at least one processor, where the memory stores instructions executable by the at least one processor, and the instructions are executed by the at least one processor to enable the at least one processor to perform the method for processing an access request set forth in the first aspect of the present application.
An embodiment of a fourth aspect of the present application provides a non-transitory computer-readable storage medium storing computer instructions for causing a computer to execute the method for processing an access request set forth in the first aspect of the present application.
An embodiment of a fifth aspect of the present application proposes a computer program product which, when the instructions in the computer program product are executed by a processor, performs the method of handling an access request proposed by the first aspect of the present application.
The access request processing method and device provided by the application are used for receiving the access request of the target object, determining the target request processing partition corresponding to the access request from a plurality of candidate request processing partitions divided in the firewall, further, identifying and judging the access request according to the safe access address segment of the target request processing partition, and intercepting the access request which is determined to carry the unsafe access address. According to the application, the firewall is used for identifying and intercepting the access request of the target object, so that the safe access to the target object is realized, the inside of the firewall is divided into a plurality of candidate request processing partitions, the access request is split, the processing efficiency of the firewall to the access request is improved, the verification analysis efficiency of the firewall performance is further improved, the manageability of the firewall performance verification is realized, and the verification method and the verification effect are optimized.
Additional aspects and advantages of the application will be set forth in part in the description which follows and, in part, will be obvious from the description, or may be learned by practice of the application.
Detailed Description
Embodiments of the present application are described in detail below, examples of which are illustrated in the accompanying drawings, wherein like or similar reference numerals refer to like or similar elements or elements having like or similar functions throughout. The embodiments described below by referring to the drawings are illustrative and intended to explain the present application and should not be construed as limiting the application.
The following describes a processing method, an apparatus, an electronic device, and a storage medium for an access request according to an embodiment of the present application with reference to the accompanying drawings.
Fig. 1 is a flow chart of a processing method of an access request according to an embodiment of the application, as shown in fig. 1, the method includes:
S101, an access request for accessing a target object is received.
In implementation, a System On Chip (SOC) has requirements for security control and secure access, and a corresponding security control system may be set on the SOC chip so as to protect related functions and related information on the SOC chip.
Alternatively, a corresponding security control system may be provided at a port for receiving the total information of the SOC chip, and a corresponding security control system may be provided at a port for receiving the information of the functional module on the SOC chip.
The firewall can be arranged at the information receiving port of the functional module of the SOC chip, so that the protection and the safety control of the functional module are realized.
Alternatively, the object protected by the firewall may be determined as the target object.
For example, the target object is set as a Double Data Rate Synchronous Dynamic Random Access Memory (DDR SDRAM) on the SOC chip, and a corresponding firewall can be configured for the DDR memory system, so that the information stored in the DDR memory system is protected.
In some implementations, the performance of a target object configured with a firewall may be affected to some extent compared with a target object that is not configured with a firewall.
Accordingly, in order to secure the running performance of the target object configured with the firewall, the performance of the target object may be verified and analyzed in association after the firewall is configured.
Accordingly, in order to realize the security protection of the firewall on the target object, after the firewall is configured for the target object, relevant verification and analysis processing can be performed on the interception protection performance of the firewall.
In the embodiment of the application, a corresponding verification environment can be built for the target object configured with the firewall, and a corresponding test case can be built, so that performance verification of the firewall and the target object configured with the firewall is realized.
Optionally, the access request may be sent to the target object configured with the firewall, and the performance verification and analysis of the firewall are implemented through relevant processing information of the firewall on the access request, and correspondingly, the verification and analysis of the performance of the target object configured with the firewall are implemented through relevant information of the response of the target object to the access request.
In the implementation, the firewall realizes the security protection of the target object through the related identification and interception functions, so the access request is received by the firewall first, before it reaches the target object.
The firewall has a corresponding access port, and the firewall receives the access request through the related function of information receiving configured by the access port.
Alternatively, the sending of the access request and the receiving of the access request by the firewall may be achieved through the Advanced eXtensible Interface (AXI) bus protocol between the initiator of the access request and the firewall.
S102, determining a target request processing partition corresponding to the access request from a plurality of candidate request processing partitions in the firewall.
In the embodiment of the application, the firewall can realize the interception processing of the access request through the access request processing area inside the firewall, wherein the set access request processing area inside the firewall can be divided, a plurality of divided processing areas are obtained, and the divided processing areas are determined to be a plurality of candidate request processing partitions inside the firewall.
Further, different region attribute information is configured for different candidate request processing partitions, so that each candidate request processing partition has its own set of processable access requests, and the received access requests are thereby split among the partitions.
Alternatively, the information configuration of the candidate request processing partition may be implemented by a top-level module (tb_top module) in the verification environment. For example, the tb_top module may fill the received region attribute information into the region attribute register corresponding to the candidate request processing partition by a set method, so as to implement configuration of the region attribute information of the candidate request processing partition through the region attribute register.
In some implementations, the information of the region attribute register of the candidate request processing partition may be static information, so that the region attribute information of all candidate request processing partitions may be written into the region attribute registers through a set method, thereby implementing batch configuration of the region attribute information of all candidate request processing partitions inside the firewall.
Further, a corresponding setting standard can be configured for each candidate request processing partition, and when the access request meets the setting standard corresponding to one candidate request processing partition, the candidate request processing partition can be used as the target request processing partition of the access request.
For example, for the candidate request processing partition a, a corresponding setting standard B exists for the processable access request, and when the received access request meets the setting standard B, the candidate request processing partition a can be used as the target request processing partition of the access request.
S103, acquiring a secure access address segment of the target request processing partition, and intercepting the access request according to the secure access address segment.
In the embodiment of the application, corresponding access address segments can be configured for the candidate request processing partitions in the firewall according to the set access address range of the target object, and used as the secure access address segments corresponding to the candidate request processing partitions.
Further, when the candidate request processing partition is used as the target request processing partition to process the access request, whether the access request is a secure access request or not can be judged according to the corresponding secure access address segment, and whether interception processing is performed on the access request or not can be further judged.
If the access address in the access request belongs to the secure access address segment of the target request processing partition, the access request can be determined to be a secure access request, and interception processing is not performed on the secure access request.
Accordingly, if the access address in the access request does not belong to the secure access address segment corresponding to the target request processing partition, the access request may be determined to be a non-secure access request and intercepted.
The access request processing method provided by the application receives the access request of the target object, determines the target request processing partition corresponding to the access request from a plurality of candidate request processing partitions divided in the firewall, further, performs identification and judgment on the access request according to the safe access address segment of the target request processing partition, and performs interception processing on the access request determined to carry the unsafe access address. According to the application, the firewall is used for identifying and intercepting the access request of the target object, so that the safe access to the target object is realized, the inside of the firewall is divided into a plurality of candidate request processing partitions, the access request is split, the processing efficiency of the firewall to the access request is improved, the verification analysis efficiency of the firewall performance is further improved, the manageability of the firewall performance verification is realized, and the verification method and the verification effect are optimized.
In the above embodiment, regarding interception of processing of an access request, it can be further understood with reference to fig. 2, and fig. 2 is a flow chart of a processing method of an access request according to another embodiment of the present application, as shown in fig. 2, the method includes:
S201, a target access address of the access request to the target object is obtained.
In the embodiment of the application, the firewall can acquire the intended access address of the initiator of the access request to the target object from the received access request, and determine that access address as the target access address used by the initiator of the access request to access the target object.
Optionally, the firewall may read the information of the received access request through the configured access port, so as to obtain the target access address carried in the access request.
S202, identifying whether the access request is an illegal access request according to the secure access address segment and the target access address.
In the implementation, in the access request for accessing the target object, there is a possibility that an illegal access request occurs, and in the scenario that the illegal access request successfully accesses the target object, there is a possibility that the security of information stored on the target object is affected to a certain extent.
For example, if the target object is set as a storage system on the SOC chip, in a scenario that the storage system is successfully accessed by an illegal access request, information leakage of the storage system may occur, which affects information security of the storage system.
In this scenario, the illegal access request can be intercepted by the configured firewall, so that successful access of the illegal access request to the target object is avoided, and therefore, in order to effectively verify the interception performance of the firewall, the illegal access request with a set proportion can be configured in the access request received by the firewall.
Optionally, a judgment standard corresponding to the illegal access request can be obtained, the received access request is compared with the set judgment standard, and the identification judgment of the illegal access request is realized according to the comparison result.
The judgment standard for an illegal access request can be set according to the access address.
For example, the target access address in the access request and the secure access address segment corresponding to the target request processing partition corresponding to the access request may be obtained respectively, and whether the access request is an illegal access request may be determined according to the relationship between the target access address and the secure access address segment.
And determining that the access request is a secure access request in response to the target access address belonging to the secure access address segment of the target request processing partition.
It can be understood that when the target access address belongs to an access address in the secure access address segment, it can be determined that the target access address is a secure access address of the target object, and an access request initiated to the target object based on the target access address does not affect the information security of the target object, so that the access request carrying the target access address can be determined as a secure access request.
Accordingly, in response to the target access address not belonging to the secure access address segment of the target request processing partition, the access request is determined to be an illegal access request.
It is understood that when the target access address does not belong to the secure access address segment corresponding to the target request processing partition, it may be determined that the target access address is an abnormal access address of the target object, and when the target object is accessed based on the target access address, there is a possibility that the information security of the target object is affected, so that the access request carrying the target access address may be determined as an illegal access request.
S203, in response to identifying the access request as an illegal access request, intercepting the illegal access request.
In order to avoid the influence of the illegal access request on the information security of the target object, the firewall can intercept the determined illegal access request and avoid the access of the illegal access request to the target object, so that the security protection of the target object is realized.
For example, the secure access address segment of the target request processing partition a corresponding to the access request is set to be a1 to a8, when the target access address carried by the access request is a3, it may be determined that the target access address a3 belongs to the secure access address segment of the target request processing partition a, and the access request is not an illegal access request.
Accordingly, when the target access address carried by the access request is a9, it may be determined that the target access address a9 does not belong to the secure access address segment of the target request processing partition a, and the access request may be determined to be an illegal access request and intercepted.
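The address check of S103 and S201 to S203, together with the a1 to a8 example just given, can be modeled in a few lines of Python. This block is an added example and not code from the application: it configures a partition's secure access address segment (refusing a segment that lies outside the target object's set address range, the constraint stated for S103), classifies a target access address as secure or illegal, and intercepts the illegal ones. The numeric base address 0x1000, the target object range 0x1000 to 0x1FFF and the modeling of a1 to a8 as eight consecutive word addresses are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Iterable, Tuple


@dataclass(frozen=True)
class RequestPartition:
    """A candidate request processing partition with its configured region attributes."""
    region_id: int
    secure_lo: int  # first address of the secure access address segment (inclusive)
    secure_hi: int  # last address of the secure access address segment (inclusive)


# Assumed set access address range of the target object (constructed values).
TARGET_OBJECT_RANGE: Tuple[int, int] = (0x1000, 0x1FFF)


def configure_partition(region_id: int, secure_lo: int, secure_hi: int,
                        object_range: Tuple[int, int] = TARGET_OBJECT_RANGE) -> RequestPartition:
    """Configure a partition's secure access address segment. The segment must lie inside the
    target object's set address range; this is the value tb_top would place in the region
    attribute register."""
    obj_lo, obj_hi = object_range
    if not (obj_lo <= secure_lo <= secure_hi <= obj_hi):
        raise ValueError(
            f"segment {secure_lo:#x}-{secure_hi:#x} is not inside target object range "
            f"{obj_lo:#x}-{obj_hi:#x}")
    return RequestPartition(region_id, secure_lo, secure_hi)


def is_illegal(partition: RequestPartition, target_addr: int) -> bool:
    """Illegal when the target access address is outside the partition's secure segment."""
    return not (partition.secure_lo <= target_addr <= partition.secure_hi)


def process_request(partition: RequestPartition, target_addr: int) -> str:
    """Return 'intercepted' for an illegal access request and 'forwarded' for a secure one."""
    return "intercepted" if is_illegal(partition, target_addr) else "forwarded"


def run_batch(partition: RequestPartition, target_addrs: Iterable[int]) -> Tuple[int, int]:
    """Process a batch of target addresses and return (intercepted, forwarded) counts."""
    addrs = list(target_addrs)
    intercepted = sum(1 for a in addrs if process_request(partition, a) == "intercepted")
    return intercepted, len(addrs) - intercepted


# Partition A from the application's example: a1..a8 modeled as eight consecutive word addresses
# starting at an assumed base, so a3 = BASE + 2 and a9 = BASE + 8.
BASE = 0x1000
PARTITION_A = configure_partition(region_id=0, secure_lo=BASE, secure_hi=BASE + 7)


if __name__ == "__main__":
    print("a3:", process_request(PARTITION_A, BASE + 2))  # forwarded
    print("a9:", process_request(PARTITION_A, BASE + 8))  # intercepted
    print("batch:", run_batch(PARTITION_A, [BASE, BASE + 3, BASE + 8, BASE + 7, BASE - 1, BASE + 5]))
```

Both segment bounds are inclusive, so a8 (the last address of the segment) is forwarded while a9 and any address below a1 are intercepted; the batch helper gives the intercepting amount that the performance evaluation compares against the number of illegal requests injected by the stimulus.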
The access request processing method provided by the application comprises the steps of obtaining a target access address of an access request for accessing a target object, obtaining a safe access address segment of a target request processing partition corresponding to the access request, and judging whether the access request is an illegal access request according to the target access address and the safe access address segment. Further, when the access request is determined to be an illegal access request, the access request is intercepted. According to the application, the target object access request is identified and intercepted through the firewall, so that the target object is safely accessed, the access request is processed through the candidate request processing partition in the firewall, the processing efficiency of the firewall on the access request is improved, the setting proportion of illegal access requests received by the access request is controlled, the firewall performance is effectively verified, and the verification method and the verification effect are optimized.
In the above embodiment, regarding the determination of the target request processing partition, it may be further understood with reference to fig. 3, and fig. 3 is a flow chart of a processing method of an access request according to another embodiment of the present application, as shown in fig. 3, where the method includes:
S301, acquiring an identification corresponding relation between the area identification of the candidate request processing partition and the equipment identification of the test equipment, wherein the test equipment is used for initiating an access request to the target object.
In some implementations, a firewall and a target object configured with the firewall may be provided with corresponding access request initiating devices, and the initiation of access requests to the target object is achieved by controlling these devices.
In order to make the performance verification of the firewall manageable, these access request initiating devices can be configured with device attribute information matched to the area attribute information in the firewall, so that each access request initiating device has a corresponding candidate request processing partition in the firewall.
Further, the device that initiated the access request may be determined as a firewall and a test device for performance verification of the target object configured with the firewall.
Alternatively, the initiation of the access request by the test device to the target object may be controlled by a test stimulus generator in the verification environment. The test stimulus generator can generate a test stimulus sequence corresponding to the test device according to the area attribute information configured for the candidate request processing partitions in the firewall, and configure, through the test stimulus sequence, the various pieces of information that the corresponding test device requires to initiate the access request.
Therefore, there is a set correspondence between the test device and the candidate request processing partition inside the firewall.
In the embodiment of the application, the test device has a corresponding device identifier and the candidate request processing partition has a corresponding area identifier, so the correspondence between the test device and the candidate request processing partition can be determined by acquiring the correspondence between the device identifier and the area identifier, and the target request processing partition for an access request initiated by the test device can be determined accordingly.
Alternatively, the area identification information of a candidate request processing partition may be configured at the time the area attribute information of the candidate request processing partitions divided inside the firewall is configured. The identification information may be a digital number or other identification information, which is not limited herein.
Correspondingly, each test device has a corresponding device identifier: identification information can be set for each test device by a set method, and the identification information corresponding to a device is determined to be the device identifier of that test device.
It should be noted that the device identifier of the test device and/or the area identifier of the candidate request processing partition are unique, and the device identifiers of the test devices correspond one-to-one to the area identifiers of the candidate request processing partitions.
For example, if a set correspondence exists between test device D and candidate request processing partition F inside the firewall, an access request initiated by test device D takes candidate request processing partition F as its target request processing partition.
That is, after the association between the test device and the candidate request processing partition is constructed by the set method, the target request processing partition of any access request initiated by the test device is the candidate request processing partition associated with that test device.
Alternatively, the correspondence between the device identifier of the test device and the area identifier of the candidate request processing partition may be constructed based on a set condition.
A device identifier and an area identifier carrying the same digital information may be determined to be a device identifier and an area identifier having the correspondence.
For example, if the device identifiers of the test devices are set to D1, D2, D3, ..., Dn and the area identifiers of the candidate request processing partitions are set to F1, F2, F3, ..., Fn, then a correspondence exists between device identifier D1 and area identifier F1, between device identifier D2 and area identifier F2, between device identifier D3 and area identifier F3, and between device identifier Dn and area identifier Fn.
Further, this correspondence may be determined as the identifier correspondence between the device identifier of the test device and the area identifier of the candidate request processing partition.
S302, determining a target device identification of target test devices initiating the access request from information carried by the access request.
In the embodiment of the application, the detailed information carried by the access request can contain the device identification information of the test device that initiated the access request, and the firewall can acquire this information about the initiating test device by reading the information of the access request.
The test device that initiated the access request can be determined as the target test device of the access request; when the access request is initiated, the target device identification information of the target test device is carried by the access request and is received and read by the firewall.
S303, determining a target area identifier corresponding to the target equipment identifier according to the identifier correspondence, and determining a candidate request processing partition corresponding to the target area identifier as a target request processing partition for processing the access request.
In the embodiment of the application, the area identifier having the correspondence with the target device identifier can be determined as the target area identifier.
Further, according to the identifier correspondence between the target device identifier and the target area identifier, it may be determined that a correspondence exists between the test device corresponding to the target device identifier and the candidate request processing partition corresponding to the target area identifier.
Therefore, it can be determined that the access request initiated by the target test device is to be subjected to processing such as identification and judgment by the candidate request processing partition corresponding to the target area identifier.
Further, the candidate request processing partition corresponding to the target area identifier may be determined as the target request processing partition corresponding to the access request carrying the target access address.
The access request processing method provided by the application acquires the identifier correspondence between the device identifier of the test device and the area identifier of the candidate request processing partition, acquires the target device identifier of the target test device initiating the access request from the received access request, determines the corresponding target area identifier according to the identifier correspondence, and determines the target request processing partition corresponding to the access request according to the target area identifier. Because a correspondence exists between the device identifier and the area identifier, the target request processing partition of the access request is determined from the identifier correspondence and the way the target request processing partition is confirmed is optimized, so that an access request initiated by a test device has a corresponding request processing partition in the firewall; this realizes split processing of access requests and improves the efficiency of processing them.
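The following is an added example, not code from the application: it models steps S301 to S303 together with the interception rule, mapping the device identifier carried by a request to an area identifier, taking that area's candidate request processing partition and its secure access address segment, and checking the target access address against it. All identifiers, address segments and the policy of intercepting requests from a device with no partition are constructed for the example.

```python
"""Partition dispatch of an access request inside the firewall (added example)."""
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class Partition:
    area_id: str
    seg_start: int  # first address of the secure access address segment
    seg_end: int    # last address of the segment (inclusive)

    def contains(self, addr: int) -> bool:
        return self.seg_start <= addr <= self.seg_end


@dataclass(frozen=True)
class AccessRequest:
    device_id: str    # identifier of the test device that initiated the request
    target_addr: int  # target access address within the target object
    op: str           # "read" or "write"


def identification_correspondence(device_ids, partitions):
    """Build the Dn <-> Fn correspondence from matching digital information.

    Returns {device_id: area_id}; a device whose number has no partition is
    left out, so later lookups for it fail closed.
    """
    by_number = {re.sub(r"\D", "", p.area_id): p.area_id for p in partitions}
    mapping = {}
    for dev in device_ids:
        area = by_number.get(re.sub(r"\D", "", dev))
        if area is not None:
            mapping[dev] = area
    return mapping


class PartitionedFirewall:
    def __init__(self, partitions, device_ids):
        self.partitions = {p.area_id: p for p in partitions}
        self.correspondence = identification_correspondence(device_ids, partitions)
        # Per-partition counters: the raw material of the later performance evaluation.
        self.received = {a: 0 for a in self.partitions}
        self.intercepted = {a: 0 for a in self.partitions}

    def target_partition(self, req):
        """S302 + S303: device identifier -> area identifier -> partition."""
        area = self.correspondence.get(req.device_id)
        return self.partitions.get(area) if area else None

    def handle(self, req):
        """Return 'pass' for a secure access request, 'intercept' otherwise."""
        part = self.target_partition(req)
        if part is None:
            # Assumption for this example: no partition means the request is intercepted.
            return "intercept"
        self.received[part.area_id] += 1
        if part.contains(req.target_addr):
            return "pass"
        self.intercepted[part.area_id] += 1
        return "intercept"


def run_demo():
    """Constructed scenario with two partitions and three test devices."""
    partitions = [Partition("F1", 0x1000, 0x1FFF), Partition("F2", 0x2000, 0x2FFF)]
    fw = PartitionedFirewall(partitions, device_ids=["D1", "D2", "D3"])
    requests = [
        AccessRequest("D1", 0x1040, "read"),   # inside F1's segment -> pass
        AccessRequest("D1", 0x2040, "write"),  # F2's range, but D1 maps to F1 -> intercept
        AccessRequest("D2", 0x2FFF, "read"),   # boundary address, inclusive -> pass
        AccessRequest("D3", 0x1000, "read"),   # no partition F3 exists -> intercept
    ]
    return [fw.handle(r) for r in requests], fw.received, fw.intercepted


if __name__ == "__main__":
    decisions, received, intercepted = run_demo()
    print(decisions)  # ['pass', 'intercept', 'pass', 'intercept']
    print(received, intercepted)
```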
Further, the performance verification analysis of the firewall and of the target object configured with the firewall can be understood with reference to fig. 4, which is a flow chart of a processing method of an access request according to another embodiment of the present application. As shown in fig. 4, the method includes:
S401, performing performance evaluation on the firewall and the target object, and respectively obtaining a first performance evaluation result of the firewall and a second performance evaluation result of the target object.
In the embodiment of the application, the system formed by the firewall and the target object can be determined as the target system, and the performance evaluation of the target system is realized by performing an independent performance evaluation of the firewall and an independent performance evaluation of the target object.
Alternatively, the performance evaluation of the firewall may be implemented according to the result of the firewall identifying and intercepting the illegal access requests among the access requests.
Here, the initiation duty ratio of illegal access requests can be determined from the initiation amount of access requests.
In some implementations, the test stimulus sequence generated by the test stimulus generator may configure the related information the test device needs to initiate access requests, and control the test device to initiate access requests to the target object.
Optionally, during this control, the test stimulus generator may control the duty ratio of illegal access requests in the initiation amount of access requests by controlling the duty ratio of illegal access addresses carried in the test stimulus sequence.
The information about the ratio of illegal access requests in the total initiation amount of access requests can be configured in the test stimulus generator before performance verification starts.
For example, if the ratio of illegal access requests to the total initiation amount of access requests is set to 10%, this value may be configured in the test stimulus generator before performance verification starts. When the test stimulus generator generates the test stimulus sequence, it generates a stimulus sequence in which the corresponding proportion of addresses are illegal access addresses, and illegal access requests with the corresponding initiation duty ratio are generated based on that portion of the stimulus sequence.
Alternatively, the configured initiation duty ratio of illegal access requests in the initiation amount of all access requests may be acquired from the relevant data storage area of the test stimulus generator.
Further, the interception amount of illegal access requests by the firewall can be monitored, and the interception duty ratio of the interception amount in the receiving amount of access requests can be obtained.
Optionally, corresponding monitoring code may be attached at the access port of the firewall to monitor the interception amount of illegal access requests by the firewall.
As one possible implementation, set code for counting the number of illegal access requests intercepted by the firewall may be attached to a path port of the firewall, and the interception amount of illegal access requests is counted by running this code.
Further, the interception duty ratio of illegal access requests among all access requests received by the firewall is determined from the counted interception amount of illegal access requests and the receiving amount of access requests by the firewall.
As another possible implementation, set code for counting the number of secure access requests passing through the firewall may be attached to the access port of the firewall, and the throughput of secure access requests is counted by running this code.
Further, the passing duty ratio of secure access requests among all access requests received by the firewall is determined from the counted throughput and the receiving amount of access requests by the firewall, and the interception duty ratio of illegal access requests is then determined from it.
The performance of the firewall is then evaluated according to the initiation duty ratio and the interception duty ratio to acquire the first performance evaluation result of the firewall.
In the embodiment of the application, the acquired initiation duty ratio and interception duty ratio can be compared, and the performance evaluation of the firewall is realized according to the comparison result.
The evaluation result obtained by performing the performance evaluation on the firewall can be determined as the first performance evaluation result.
As one possible implementation, the interception duty ratio and the initiation duty ratio may be processed by a set algorithm to obtain an error value between the interception duty ratio and the initiation duty ratio.
Further, a set error range corresponding to the error value is obtained, and when the obtained error value falls within the set error range, the firewall can be judged qualified in the performance evaluation of illegal access request interception.
As shown in table 1, the target object is set as a storage system on an SoC chip, where the initiation ratio of illegal read access requests among all read access requests initiated by the test device to the storage system is 10%, and correspondingly the initiation ratio of illegal write access requests among all write access requests initiated by the test device to the storage system is 10%.
Further, as shown in table 1, the interception duty ratio of the firewall for illegal read access requests and the interception duty ratio of the firewall for illegal write access requests are obtained respectively, so that the performance evaluation of the firewall is realized and the first performance evaluation result is obtained.
Table 1:
As is clear from table 1, the interception ratio of illegal read access requests and the interception ratio of illegal write access requests are both 10.05%.
Further, an error value 1 between the 10% initiation ratio of illegal read access requests and the 10.05% interception ratio of illegal read access requests among all read access requests received by the firewall is obtained, and an error value 2 between the 10% initiation ratio of illegal write access requests and the 10.05% interception ratio of illegal write access requests among all write access requests received by the firewall is obtained.
If error value 1 and error value 2 both fall within the set error range, the performance of the firewall meets the requirements of practical application in the scenario whose interception performance is shown in table 1, and the first performance evaluation result of the firewall can be determined to be qualified.
Further, after the firewall has intercepted and filtered the access requests, the performance evaluation of the target object can be achieved according to the response information of the target object to the access requests not intercepted by the firewall. The response delay time of the target object to the access requests not intercepted by the firewall can be obtained.
Optionally, when the target object responds to an access request not intercepted by the firewall, its response delay time can be monitored, so that the response delay time of the target object to the access requests not intercepted by the firewall is obtained.
Further, the performance of the target object is evaluated according to the response delay time, so that the second performance evaluation result of the target object is obtained.
As one possible implementation, the response delay time of the target object to access requests when no firewall is configured and the response delay time of the target object to access requests not intercepted by the firewall when the firewall is configured may both be obtained, so as to evaluate the target object and obtain the second performance evaluation result of its performance evaluation.
As another possible implementation, a threshold time corresponding to the response delay time may be obtained and the obtained response delay time compared with it; when the response delay time is less than or equal to the threshold time, it may be determined that the response delay of the target object currently configured with the firewall does not affect the normal operation performance of the target object, so the second performance evaluation result of the target object in this scenario may be determined to be qualified.
As shown in table 2, the target object is set as a storage system, and the initiation speed and response speed of read access requests and the initiation speed and response speed of write access requests of the storage system can be counted respectively, so as to obtain the information about the response delay time of the storage system to read access requests and to write access requests.
As shown in table 2, the information about the response delay time of the storage system to read access requests may include the maximum, minimum and average delay time of the storage system's response to read access requests, and the information about the response delay time to write access requests may include the maximum, minimum and average delay time of its response to write access requests.
Further, the performance of the storage system is evaluated according to the response speed and the response time information shown in table 2, and it is determined that the performance of the storage system shown in table 2 still meets the actual requirement after the firewall is configured; the second performance evaluation result of the target object configured with the firewall can therefore be determined to be qualified.
Table 2:
S402, evaluating the performance of the target system according to the first performance evaluation result and the second performance evaluation result.
According to the embodiment of the application, the performance evaluation of the target system can be realized according to the detailed contents of the first performance evaluation result and the second performance evaluation result.
Optionally, in response to the first performance evaluation result indicating that the firewall performance is acceptable and the second performance evaluation result indicating that the target object performance is acceptable, determining that the target system performance evaluation result is acceptable.
When the first performance evaluation result indicates that the firewall performance is qualified, it can be determined that the interception performance of the firewall for illegal access requests meets the actual requirement. Accordingly, when the second performance evaluation result indicates that the performance of the target object is qualified, it can be determined that the performance of the current target object in responding to access requests satisfies the actual requirement; therefore, in this scenario, it can be determined that the target system composed of the firewall and the target object satisfies the actual requirement.
Further, it may be determined that the performance evaluation result of the target system is qualified.
According to the access request processing method, performance evaluation is performed on the firewall to obtain the first performance evaluation result, performance evaluation is performed on the target object to obtain the corresponding second performance evaluation result, and the performance evaluation of the target system is achieved according to the first and second performance evaluation results. Through the performance evaluation of the firewall and of the target object, the application realizes the performance evaluation of the target system formed by them, so that the degree to which configuring the firewall affects the performance of the target object is evaluated, and the performance verification of the security and stability of the target system formed by the firewall and the target object is realized.
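The following is an added example, not code from the application, covering the firewall evaluation (initiation duty ratio against interception duty ratio, error value against a set error range), the target object evaluation (maximum, minimum and average response delay against a threshold time, optionally with the no-firewall delays for comparison) and the combined verdict of S402. The 10% initiation ratio and 10.05% interception ratio follow table 1; the request counts, delay samples, set error range, threshold time, and the choice to compare the maximum delay with the threshold are assumptions made here.

```python
"""Performance verification of a firewall and its target object (added example)."""
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class Counters:
    """Counts collected by monitoring code attached at the firewall access port."""
    received: int     # access requests of this kind received by the firewall
    intercepted: int  # illegal access requests of this kind intercepted

    def interception_ratio(self) -> float:
        return self.intercepted / self.received if self.received else 0.0


def evaluate_firewall(initiation_ratio, counters_by_op, set_error_range):
    """First performance evaluation result.

    initiation_ratio: proportion of illegal requests configured in the test
    stimulus generator (the same for read and write here, as in table 1).
    counters_by_op: {"read": Counters, "write": Counters}.
    Qualified when every per-operation error value lies within the set range.
    """
    errors = {op: abs(c.interception_ratio() - initiation_ratio)
              for op, c in counters_by_op.items()}
    return {"errors": errors,
            "qualified": all(e <= set_error_range for e in errors.values())}


def delay_summary(delays_ns):
    """Maximum, minimum and average response delay, as table 2 reports them."""
    return {"max": max(delays_ns), "min": min(delays_ns), "avg": mean(delays_ns)}


def evaluate_target(delays_by_op, threshold_ns, baseline_by_op=None):
    """Second performance evaluation result.

    delays_by_op: response delays of the target object (firewall configured) to
    requests the firewall let through.  Assumption: the maximum delay of every
    operation must be <= threshold_ns for the result to be qualified.
    baseline_by_op, if given, are delays of the same object without the
    firewall; the added average latency is reported alongside.
    """
    summary = {op: delay_summary(d) for op, d in delays_by_op.items()}
    if baseline_by_op:
        for op in summary:
            summary[op]["added_avg"] = summary[op]["avg"] - mean(baseline_by_op[op])
    return {"summary": summary,
            "qualified": all(s["max"] <= threshold_ns for s in summary.values())}


def evaluate_system(first, second):
    """S402: the target system is qualified only if both results are qualified."""
    return "qualified" if first["qualified"] and second["qualified"] else "not qualified"


def run_verification():
    # Constructed sample: 20 000 read and 20 000 write requests initiated with
    # 10% illegal addresses; the firewall intercepted 2 010 of each kind,
    # i.e. an interception ratio of 10.05% as in table 1.
    counters = {"read": Counters(received=20_000, intercepted=2_010),
                "write": Counters(received=20_000, intercepted=2_010)}
    first = evaluate_firewall(0.10, counters, set_error_range=0.005)  # range: assumption
    # Constructed response delays in ns for requests that were not intercepted,
    # with and without the firewall configured.
    delays = {"read": [12, 14, 15, 13, 18, 14], "write": [16, 17, 19, 16, 21, 18]}
    baseline = {"read": [10, 11, 12, 10, 13, 11], "write": [14, 15, 16, 14, 17, 15]}
    second = evaluate_target(delays, threshold_ns=50, baseline_by_op=baseline)  # threshold: assumption
    return first, second, evaluate_system(first, second)


if __name__ == "__main__":
    first, second, verdict = run_verification()
    print("first performance evaluation result:", first)
    print("second performance evaluation result:", second)
    print("target system:", verdict)
```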
In correspondence with the processing methods of the access request set forth in the foregoing embodiments, an embodiment of the present application also sets forth an apparatus for processing an access request, and since the processing apparatus of the access request set forth in the embodiment of the present application corresponds to the processing methods of the access request set forth in the foregoing embodiments, implementation manners of the processing methods of the access request set forth in the foregoing embodiments are also applicable to the processing apparatus of the access request set forth in the embodiment of the present application, and will not be described in detail in the following embodiments.
Fig. 5 is a schematic structural diagram of an apparatus for processing an access request according to an embodiment of the present application, as shown in fig. 5, the apparatus 500 for processing an access request includes a receiving module 51, a determining module 52, a processing module 53, and an evaluating module 54, where:
a receiving module 51, configured to receive an access request for accessing a target object;
a determining module 52, configured to determine a target request processing partition corresponding to the access request from a plurality of candidate request processing partitions in the firewall;
a processing module 53, configured to obtain a secure access address segment of the target request processing partition and intercept the access request according to the secure access address segment.
In the embodiment of the application, the processing module 53 is further configured to obtain a target access address of the access request to the target object, identify whether the access request is an illegal access request according to the secure access address field and the target access address, and intercept the illegal access request in response to identifying that the access request is the illegal access request.
In the embodiment of the application, the processing module 53 is further configured to determine that the access request is a secure access request in response to the target access address belonging to the secure access address field of the target request processing partition, and determine that the access request is an illegal access request in response to the target access address not belonging to the secure access address field of the target request processing partition.
In the embodiment of the present application, the determining module 52 is further configured to obtain an identifier correspondence between an area identifier of the candidate request processing partition and an equipment identifier of the test equipment, where the test equipment is configured to initiate an access request to the target object, determine, from information carried by the access request, a target equipment identifier of the target test equipment that initiates the access request, determine, according to the identifier correspondence, a target area identifier corresponding to the target equipment identifier, and determine, as a target request processing partition that processes the access request, a candidate request processing partition corresponding to the target area identifier.
In the embodiment of the application, the device further comprises an evaluation module 54, which is used for performing performance evaluation on the firewall and the target object, respectively obtaining a first performance evaluation result of the firewall and a second performance evaluation result of the target object, and evaluating the performance of the target system according to the first performance evaluation result and the second performance evaluation result.
In the embodiment of the application, the evaluation module 54 is further configured to determine an initiation duty ratio of the illegal access request from the initiation amount of the access request, monitor the interception amount of the illegal access request by the firewall, obtain the interception duty ratio of the interception amount in the receiving amount of the access request, and evaluate the performance of the firewall according to the initiation duty ratio and the interception duty ratio to obtain a first performance evaluation result of the firewall.
In the embodiment of the present application, the evaluation module 54 is further configured to obtain error values of the initiation duty cycle and the interception duty cycle, and determine that the first performance evaluation result of the firewall is qualified in response to the error values belonging to the set error range.
In the embodiment of the present application, the evaluation module 54 is further configured to obtain a response delay time of the target object to the access request that is not intercepted by the firewall, and evaluate the performance of the target object according to the response delay time, so as to obtain a second performance evaluation result of the target object.
In the embodiment of the present application, the evaluation module 54 is further configured to obtain a threshold time of the response delay of the target object, and determine that the second performance evaluation result of the target object is qualified in response to the response delay time being less than or equal to the threshold time.
In the embodiment of the present application, the evaluation module 54 is further configured to determine that the performance evaluation result of the target system is acceptable in response to the first performance evaluation result indicating that the firewall performance is acceptable and the second performance evaluation result indicating that the target object performance is acceptable.
The processing device for the access request receives an access request for the target object, determines the target request processing partition corresponding to the access request from the plurality of candidate request processing partitions divided in the firewall, then identifies and judges the access request according to the secure access address segment of the target request processing partition, and intercepts access requests determined to carry an unsafe access address. According to the application, the firewall identifies and intercepts access requests to the target object so that the target object is accessed securely; the inside of the firewall is divided into a plurality of candidate request processing partitions, so that access requests are split, the efficiency of the firewall in processing them is improved, the efficiency of verification analysis of the firewall performance is further improved, the manageability of firewall performance verification is realized, and the verification method and effect are optimized.
To achieve the above embodiments, the present application also proposes an electronic device, a computer-readable storage medium and a computer program product.
Fig. 6 is a block diagram of an electronic device according to an embodiment of the present application, and a processing method for executing the access request of the embodiment of fig. 1 to 4 may be implemented according to the electronic device shown in fig. 6.
In order to implement the above-described embodiments, the present application also proposes a non-transitory computer-readable storage medium storing computer instructions for causing a computer to execute the processing method of the access request of the embodiments of fig. 1 to 4.
In order to implement the above embodiments, the present application also proposes a computer program product which, when executed by an instruction processor in the computer program product, performs the method of processing an access request of the embodiments of fig. 1 to 4.
In the description of the present specification, a description referring to terms "one embodiment," "some embodiments," "examples," "specific examples," or "some examples," etc., means that a particular feature, structure, material, or characteristic described in connection with the embodiment or example is included in at least one embodiment or example of the present application. In this specification, schematic representations of the above terms are not necessarily directed to the same embodiment or example. Furthermore, the particular features, structures, materials, or characteristics described may be combined in any suitable manner in any one or more embodiments or examples. Furthermore, the different embodiments or examples described in this specification and the features of the different embodiments or examples may be combined and combined by those skilled in the art without contradiction.
Furthermore, the terms "first," "second," and the like, are used for descriptive purposes only and are not to be construed as indicating or implying a relative importance or implicitly indicating the number of technical features indicated. Thus, a feature defining "a first" or "a second" may explicitly or implicitly include at least one such feature. In the description of the present application, the meaning of "plurality" means at least two, for example, two, three, etc., unless specifically defined otherwise.
Any process or method descriptions in flow charts or otherwise described herein may be understood as representing modules, segments, or portions of code which include one or more executable instructions for implementing specific logical functions or steps of the process, and additional implementations are included within the scope of the preferred embodiment of the present application in which functions may be executed out of order from that shown or discussed, including substantially concurrently or in reverse order from that shown or discussed, depending on the functionality involved, as would be understood by those reasonably skilled in the art of the embodiments of the present application.
Logic and/or steps represented in the flowcharts or otherwise described herein, e.g., an ordered listing of executable instructions for implementing logical functions, can be embodied in any computer-readable medium for use by or in connection with an instruction execution system, apparatus, or device, such as a computer-based system, processor-containing system, or other system that can fetch the instructions from the instruction execution system, apparatus, or device and execute the instructions. For the purposes of this description, a "computer-readable medium" can be any means that can contain, store, communicate, propagate, or transport the program for use by or in connection with the instruction execution system, apparatus, or device. More specific examples (a non-exhaustive list) of the computer-readable medium would include an electrical connection (an electronic device) having one or more wires, a portable computer diskette (a magnetic device), a random access memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber device, and a portable compact disc read-only memory (CD-ROM). In addition, the computer-readable medium may even be paper or another suitable medium on which the program is printed, as the program may be electronically captured, via, for instance, optical scanning of the paper or other medium, then compiled, interpreted or otherwise processed in a suitable manner, if necessary, and then stored in a computer memory.
It is to be understood that portions of the present application may be implemented in hardware, software, firmware, or a combination thereof. In the above-described embodiments, the various steps or methods may be implemented in software or firmware stored in a memory and executed by a suitable instruction execution system. If implemented in hardware, as in another embodiment, they may be implemented using any one or a combination of techniques known in the art: discrete logic circuits with logic gates for implementing logic functions on data signals, application-specific integrated circuits with appropriate combinational logic gates, programmable gate arrays (PGAs), field-programmable gate arrays (FPGAs), etc.
Those of ordinary skill in the art will appreciate that all or a portion of the steps carried out in the method of the above-described embodiments may be implemented by a program to instruct related hardware, where the program may be stored in a computer readable storage medium, and where the program, when executed, includes one or a combination of the steps of the method embodiments.
In addition, each functional unit in the embodiments of the present application may be integrated in one processing module, or each unit may exist alone physically, or two or more units may be integrated in one module. The integrated modules may be implemented in hardware or in software functional modules. The integrated modules may also be stored in a computer readable storage medium if implemented in the form of software functional modules and sold or used as a stand-alone product.
The above-mentioned storage medium may be a read-only memory, a magnetic disk or an optical disk, or the like. While embodiments of the present application have been shown and described above, it will be understood that the above embodiments are illustrative and not to be construed as limiting the application, and that variations, modifications and alternatives may be made to the above embodiments by one of ordinary skill in the art within the scope of the application.