An Intrusion Response System for Relational Databases
1. INTRODUCTION
RECENTLY, we have seen an interest in products that continuously monitor
a database system and report any relevant suspicious activity. Database activity
monitoring has been identified by Gartner research as one of the top five strategies
that are crucial for reducing data leaks in organizations. Such step-up in data
vigilance by organizations is partly driven by various US government regulations
concerning data management such as SOX, PCI, GLBA, HIPAA, and so forth.
Organizations have also come to realize that current attack techniques are more
sophisticated, organized, and targeted than the broad-based hacking days of past.
Often, it is the sensitive and proprietary data that is the real target of attackers.
Also, with greater data integration, aggregation and disclosure, preventing data
theft, from both inside and outside organizations, has become a major challenge.
Standard database security mechanisms, such as access control, authentication,
and encryption, are not of much help when it comes to preventing data theft from
insiders. Such threats have thus forced organizations to reevaluate security
strategies for their internal databases. Monitoring a database to detect potential
intrusions, intrusion detection (ID), is a crucial technique that has to be part of any
comprehensive security solution for high-assurance database security. Note that
the ID systems that are developed must be tailored for a Database Management
System (DBMS), since database-related attacks such as SQL injection and data
exfiltration are not malicious from the point of view of the underlying operating
system or the network.
Our approach to an ID mechanism consists of two main elements,
specifically tailored to a DBMS: an anomaly detection (AD) system and an
anomaly response system. The first element is based on the construction of
database access profiles of roles and users, and on the use of such profiles for the
AD task. A user request that does not conform to the normal access profiles is
characterized as anomalous.
Department of MCA, SVCET, Chittoor 1
Profiles can record information at different levels of detail; we refer the
reader to the related work on anomaly detection for additional information and
experimental results. The second element of our approach, the focus of this
paper, is in charge of taking action once an anomaly is detected. There are
three main types of response actions that we refer
to, respectively, as conservative actions, fine-grained actions, and aggressive
actions. The conservative actions, such as sending an alert, allow the anomalous
request to go through, whereas the aggressive actions can effectively block the
anomalous request. Fine-grained response actions, on the other hand, are neither
conservative nor aggressive. Such actions may suspend or taint an anomalous
request. A suspended request is simply put on hold, until some specific actions are
executed by the user, such as the execution of further authentication steps. A
tainted request is marked as a potential suspicious request resulting in further
monitoring of the user and possibly in the suspension or dropping of subsequent
requests by the same user.
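The response semantics described above, as an added example that is not part of the report or of Kamra and Bertino's implementation: a small engine in Python that applies a conservative, fine-grained or aggressive action to a flagged request and carries the taint state forward to the user's subsequent requests. The per-user action table, the taint window of three requests and the escalation rule (a tainted user's next anomalous request is dropped) are assumptions made for the illustration; a real deployment derives the action from response policies rather than from a fixed table.

```python
# Added example (not code from the report or from Kamra & Bertino): a minimal
# response engine that applies the three classes of response action described
# above. All names and the sample requests are hypothetical.
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional


class Action(Enum):
    ALLOW = "allow"      # request was not anomalous
    ALERT = "alert"      # conservative: notify, but let the request through
    SUSPEND = "suspend"  # fine-grained: hold until the user passes step-up auth
    TAINT = "taint"      # fine-grained: let it through, watch the user's next requests
    BLOCK = "block"      # aggressive: drop the request


@dataclass
class Request:
    user: str
    sql: str
    anomalous: bool                   # verdict of the anomaly detection element
    reauth_ok: Optional[bool] = None  # outcome of step-up authentication, if performed


@dataclass
class Decision:
    action: Action
    proceed: bool  # True if the DBMS should execute the request


@dataclass
class ResponseEngine:
    # Response to an anomalous request, keyed by user; unknown users get ALERT.
    # (Assumed here; a real system derives this from response policies.)
    policy: Dict[str, Action]
    taint_window: int = 3  # how many subsequent requests a tainted user is watched for
    tainted: Dict[str, int] = field(default_factory=dict)
    log: List[str] = field(default_factory=list)

    def handle(self, req: Request) -> Decision:
        remaining = self.tainted.get(req.user, 0)
        if remaining > 0:
            # User is under monitoring because an earlier request was tainted.
            self.tainted[req.user] = remaining - 1
            if req.anomalous:
                # Escalate: a further anomaly from a tainted user is dropped.
                self.log.append(f"BLOCK {req.user} (tainted): {req.sql}")
                return Decision(Action.BLOCK, False)
            self.log.append(f"WATCH {req.user}: {req.sql}")
            return Decision(Action.ALLOW, True)

        if not req.anomalous:
            return Decision(Action.ALLOW, True)

        action = self.policy.get(req.user, Action.ALERT)
        if action is Action.ALERT:
            self.log.append(f"ALERT {req.user}: {req.sql}")
            return Decision(Action.ALERT, True)
        if action is Action.SUSPEND:
            if req.reauth_ok is None:
                # Held until the user completes the further authentication step.
                self.log.append(f"SUSPEND {req.user}: awaiting step-up auth")
                return Decision(Action.SUSPEND, False)
            return Decision(Action.SUSPEND, bool(req.reauth_ok))
        if action is Action.TAINT:
            self.tainted[req.user] = self.taint_window
            self.log.append(f"TAINT {req.user}: watching next {self.taint_window} requests")
            return Decision(Action.TAINT, True)
        self.log.append(f"BLOCK {req.user}: {req.sql}")
        return Decision(Action.BLOCK, False)


def run_demo() -> List[Decision]:
    """Drive the engine with a constructed request sequence."""
    engine = ResponseEngine(policy={
        "alice": Action.ALERT,
        "bob": Action.SUSPEND,
        "carol": Action.TAINT,
        "dave": Action.BLOCK,
    })
    requests = [
        Request("alice", "SELECT * FROM finance.payroll", anomalous=True),
        Request("bob", "SELECT * FROM finance.payroll", anomalous=True),             # held
        Request("bob", "SELECT * FROM finance.payroll", anomalous=True, reauth_ok=True),
        Request("carol", "SELECT * FROM finance.payroll", anomalous=True),           # tainted
        Request("carol", "SELECT * FROM hr.employees", anomalous=False),             # watched
        Request("carol", "DELETE FROM finance.ledger", anomalous=True),              # escalated
        Request("dave", "SELECT * FROM finance.payroll", anomalous=True),
        Request("erin", "SELECT 1", anomalous=False),
    ]
    return [engine.handle(r) for r in requests]


if __name__ == "__main__":
    for d in run_demo():
        print(d.action.value, "proceed" if d.proceed else "held/dropped")
```

Note that a suspended request is a decision with proceed set to False but no drop: the engine returns the same SUSPEND action with proceed set to True once the step-up authentication result arrives, which is what distinguishes the fine-grained class from a block.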
2. OBJECTIVE
With greater data integration, aggregation and disclosure, preventing data
theft, from both inside and outside organizations, has become a major challenge.
Standard database security mechanisms, such as access control, authentication,
and encryption, are not of much help when it comes to preventing data theft from
insiders. Such threats have thus forced organizations to reevaluate security
strategies for their internal databases. Monitoring a database to detect potential
intrusions, intrusion detection (ID), is a crucial technique that has to be part of any
comprehensive security solution for high-assurance database security.
Our approach is to design an ID mechanism that consists of two main
elements, specifically tailored to a DBMS: an anomaly detection (AD) system and
an anomaly response system. The first element is based on the construction of
database access profiles of roles and users, and on the use of such profiles for the
AD task. A user request that does not conform to the normal access profiles is
characterized as anomalous. The second element of our approach is in charge of
taking some actions once an anomaly is detected.
3. LITERATURE SURVEY
3.1. DOMAIN KNOWLEDGE
3.1.1 DATA MINING
Generally, data mining (sometimes called data or knowledge discovery) is
the process of analyzing data from different perspectives and summarizing it into
useful information - information that can be used to increase revenue, cut costs,
or both. Data mining software is one of a number of analytical tools for analyzing
data. It allows users to analyze data from many different dimensions or angles,
categorize it, and summarize the relationships identified. Technically, data mining
is the process of finding correlations or patterns among dozens of fields in large
relational databases.
Although data mining is a relatively new term, the technology is not.
However, continuous innovations in computer processing power, disk storage, and
statistical software are dramatically increasing the accuracy of analysis while
driving down the cost.
3.1.2 DATA AND KNOWLEDGE ENGINEERING
Database Systems and Knowledge base Systems share many common
principles. Data & Knowledge Engineering (DKE) stimulates the exchange of ideas
and interaction between these two related fields of interest. DKE reaches a world-
wide audience of researchers, designers, managers and users. The major aim of
the journal is to identify, investigate and analyze the underlying principles in the
design and effective use of these systems. DKE achieves this aim by publishing
original research results, technical advances and news items concerning data
engineering, knowledge engineering, and the interface of these two fields.
The problem of insider threats to DBMSs is being recognized as a major
security threat by organizations; in the 2004 E-Crime Watch Survey conducted by
CERT and the US Secret Service, insider threat was identified as the second biggest
threat after hackers. The solution to the insider threat problem requires among
other techniques the adoption of mechanisms able to detect and respond to
access anomalies by users internal to the organization owning the data. For our
IDR system to provide stronger security guarantees, it needs to ensure that the
activities of even the database administrators (DBAs) be monitored, and
responded to if deemed malicious. This is a difficult problem to address since the
policies that specify a response action need to be created for the DBAs who are, in
turn, responsible for managing the same policies.
3.2. SYSTEM INTRODUCTION
Organizations have come to realize that current attack techniques are more
sophisticated, organized, and targeted than the broad-based hacking days of past.
Often, it is the sensitive and proprietary data that is the real target of attackers.
Also, with greater data integration, aggregation and disclosure, preventing data
theft, from both inside and outside organizations, has become a major challenge.
Standard database security mechanisms, such as access control, authentication,
and encryption, are not of much help when it comes to preventing data theft from
insiders. Such threats have thus forced organizations to reevaluate security
strategies for their internal databases. Monitoring a database to detect potential
intrusions, intrusion detection (ID), is a crucial technique that has to be part of any
comprehensive security solution for high-assurance database security.
3.3 PREVIOUS TAXONOMY
Title : The Cyber Enemy within ... Countering the Threat from Malicious
Insiders.
Authors: D. Brackney,T. Goan,A.Ott, and L. Martin.
One of the most critical problems facing the information security community
is the threat of a malicious insider abusing his computer privileges to modify,
remove, or prevent access to an organization's data. An insider is considered
trusted (at least implicitly) by his organization because he is granted access to its
computing environment. Whether or not that insider is in fact trustworthy is a
question that lies at the heart of the insider threat problem. Complicating this
problem is the fact that there is no "one size fits all" description of a malicious
insider. Motivations, objectives, cyber expertise, and system privileges [1] all can and
do vary from one case to the next.
Title : Detecting Anomalous Access Patterns in Relational Databases.
Authors: A. Kamra, E. Terzi, and E. Bertino.
A considerable effort has been recently devoted to the development of
Database Management Systems (DBMS) which guarantee high assurance and
security. An important component of any strong security solution is represented by
Intrusion Detection (ID) techniques, able to detect anomalous behavior of
applications and users. To date, however, there have been few ID mechanisms
proposed which are specifically tailored to function within the DBMS. In this
paper[2], we propose such a mechanism. Our approach is based on mining SQL
queries stored in database audit log files. The result of the mining process is used
to form profiles that can model normal database access behavior and identify
intruders. We consider two different scenarios while addressing the problem.
Title : Responding to Anomalous Database Requests.
Authors: A. Kamra, E. Bertino, and R.V. Nehme.
Organizations have recently shown increased interest in database activity
monitoring and anomaly detection techniques to safeguard their internal
databases. Once an anomaly is detected, a response from the database is needed
to contain the effects of the anomaly. However, the problem of issuing an
appropriate response to a detected database anomaly has received little attention
so far. In this paper[3], we propose a framework and policy language for issuing a
response to a database anomaly based on the characteristics of the anomaly. We
also propose a novel approach to dynamically change the state of the access
control system in order to contain the damage that may be caused by the
anomalous request. We have also carried out an experimental evaluation to
assess the performance overhead introduced by our response mechanism. The
experimental results show that the techniques are very efficient.
Title : Design and Implementation of SAACS: A State-Aware Access
Control System.
Authors: A. Kamra and E. Bertino.
The intrusion response component of an overall intrusion detection system
is responsible for issuing a suitable response to an anomalous request. We
propose the notion of database response policies to support our intrusion response
system tailored for a DBMS. Our interactive response policy language makes it
very easy for the database administrators to specify appropriate response actions
for different circumstances depending upon the nature of the anomalous request
[4]. The two main issues that we address in context of such response policies are
that of policy matching, and policy administration. For the policy matching problem,
we propose two algorithms that efficiently search the policy database for policies
that match an anomalous request. We also extend the PostgreSQL DBMS with our
policy matching mechanism, and report experimental results. The experimental
evaluation shows that our techniques are very efficient.
3.4 OUR TAXONOMY
Our proposed solution is to design and implement an intrusion
response system to overcome the drawbacks of the existing system. The two main
issues that we address in context of such response policies are that of policy
matching, and policy administration. For the policy matching problem, we propose
two algorithms that efficiently search the policy database for policies that match an
anomalous request. We also extend the PostgreSQL DBMS with our policy
matching mechanism, and report experimental results. The experimental
evaluation shows that our techniques are very efficient. The other issue that we
address is that of administration of response policies to prevent malicious
modifications to policy objects from legitimate users. We propose a novel Joint
Threshold Administration Model (JTAM) that is based on the principle of separation
of duty. The key idea in JTAM is that a policy object is jointly administered by at
least k database administrators (DBAs), that is, any modification made to a policy
object will be invalid unless it has been authorized by at least k DBAs. We present
design details of JTAM, which is based on a cryptographic threshold signature
scheme, and show how JTAM prevents malicious modifications to policy objects
from authorized users.
The main contributions can be summarized as follows:
We present a framework for specifying intrusion response policies in the
context of a DBMS.
We present a novel administration model called JTAM for administration of
response policies.
We present algorithms to efficiently search the policy database for policies
that match an anomalous request.
We extend the PostgreSQL DBMS with our response policy mechanism,
and conduct an experimental evaluation of our techniques.
3.4.1 POLICY LANGUAGE
The detection of an anomaly by the detection engine can be considered as
a system event. The attributes of the anomaly, such as user, role, SQL command,
then correspond to the environment surrounding such an event. Intuitively, a policy
can be specified taking into account the anomaly attributes to guide the response
engine in taking a suitable action. Keeping this in mind, we propose an Event-
Condition-Action (ECA) language for specifying response policies.
3.4.1.1 Attributes and Conditions
The anomaly detection mechanism provides its assessment of the anomaly
using the anomaly attributes. We have identified two main categories for such
attributes. The first category, referred to as contextual category includes all
attributes describing the context of the anomalous request such as user, role,
source, and time. The second category, referred to as structural category includes
all attributes conveying information about the structure of the anomalous request
such as SQL command, and accessed database objects.
3.4.1.2 Response Actions
Once a database request has been flagged off as anomalous, an action is
executed by the response system to address the anomaly. The response action to
be executed is specified as part of a response policy.
3.4.2 POLICY ADMINISTRATION
The main issue in the administration of response policies is how to protect a
policy from malicious modifications made by a DBA that has legitimate access
rights to the policy object. To address this issue, we propose an administration
model referred to as the Joint Threshold Administration Model (JTAM). The threat
scenario that we assume is that a DBA has all the privileges in the DBMS, and
thus is able to execute arbitrary SQL insert, update, and delete commands to
make malicious modifications to the policies. Such actions are possible even if the
policies are stored in the system catalogs. JTAM protects a response policy
against malicious modifications by maintaining a digital signature on the policy
definition. The signature is then validated either periodically or upon policy usage
to verify the integrity of the policy definition.
One of the key assumptions in JTAM is that we do not assume the DBMS to
be in possession of a secret key for verifying the integrity of policies. If the DBMS
had possessed such a key, it could simply create an HMAC (Hash-based Message
Authentication Code) of each policy using its secret key, and later use the same
key to verify the integrity of the policy. However, management of such a secret key is
an issue, since we cannot assume the key to be hidden from a malicious DBA. The
fundamental premise of our approach is that we do not trust a single DBA (with the
secret key) to create or manage the response policies, but the threat is mitigated if
the trust (the secret key) is distributed among multiple DBAs. This is also the
fundamental problem in threshold cryptography, that is, the problem of secure
sharing of a secret. We thus base JTAM on a threshold cryptographic signature
scheme.
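The k-of-n principle behind JTAM, as an added example that is not the report's or Kamra and Bertino's code: Shamir secret sharing over a prime field, so that the key which authenticates a policy definition is never stored in the DBMS and exists only when k DBAs pool their shares. JTAM proper uses a threshold signature scheme, in which the key is never reconstructed anywhere; here the key is rebuilt in memory for one HMAC computation and then discarded, a simplification assumed for illustration. The policy layout, the choice of field, the HMAC tag and all names are hypothetical.

```python
# Added example (not the report's or Kamra & Bertino's code): the k-of-n
# principle behind JTAM shown with Shamir secret sharing over a prime field.
# The key that authenticates a policy is never stored in the DBMS; it exists
# only when k DBAs pool their shares. JTAM uses a threshold signature scheme,
# which never reconstructs the key; here it is rebuilt in memory for one HMAC
# and discarded, a simplification assumed for illustration. Names are hypothetical.
import hashlib
import hmac
import json
import secrets
from typing import Dict

P = 2**127 - 1  # prime modulus of the share field (Mersenne prime M127)


def _poly(coeffs, x: int) -> int:
    """Evaluate a polynomial with the given coefficients at x (Horner, mod P)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def split_secret(secret: int, k: int, n: int) -> Dict[int, int]:
    """Shamir split: n shares (indexed 1..n) of which any k reconstruct the secret."""
    if not 0 < k <= n or not 0 <= secret < P:
        raise ValueError("bad threshold or secret")
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(k - 1)]
    return {x: _poly(coeffs, x) for x in range(1, n + 1)}


def recover_secret(shares: Dict[int, int]) -> int:
    """Lagrange interpolation at x = 0. With fewer than k shares the result is garbage."""
    total = 0
    for xi, yi in shares.items():
        num = den = 1
        for xj in shares:
            if xj != xi:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, P - 2, P)) % P
    return total


def canonical(policy: dict) -> bytes:
    """Canonical encoding, so the tag covers the policy's meaning, not its formatting."""
    return json.dumps(policy, sort_keys=True, separators=(",", ":")).encode()


def _tag(policy: dict, key: int) -> str:
    return hmac.new(key.to_bytes(16, "big"), canonical(policy), hashlib.sha256).hexdigest()


def authorize(policy: dict, shares: Dict[int, int]) -> str:
    """k DBAs pool their shares to produce the integrity tag stored beside the policy."""
    return _tag(policy, recover_secret(shares))


def verify(policy: dict, tag: str, shares: Dict[int, int]) -> bool:
    """Validation on policy use: recompute the tag from pooled shares and compare."""
    return hmac.compare_digest(_tag(policy, recover_secret(shares)), tag)


def demo(k: int = 2, n: int = 3) -> Dict[str, bool]:
    """Constructed scenario: 3 DBAs, any 2 of whom can authorize a policy change."""
    policy = {"name": "hr_touching_finance", "role": "hr_clerk",
              "schema": "finance", "action": "block"}
    master = secrets.randbelow(P)
    shares = split_secret(master, k, n)
    del master  # the DBMS keeps no copy of the key, only the tag
    tag = authorize(policy, {1: shares[1], 2: shares[2]})
    tampered = dict(policy, action="alert")  # a single DBA's malicious UPDATE
    return {
        "valid_with_dbas_1_2": verify(policy, tag, {1: shares[1], 2: shares[2]}),
        "valid_with_dbas_2_3": verify(policy, tag, {2: shares[2], 3: shares[3]}),
        "tampered_rejected": not verify(tampered, tag, {1: shares[1], 3: shares[3]}),
        "single_dba_cannot_retag": not verify(policy, tag, {3: shares[3]}),
    }


if __name__ == "__main__":
    print(demo())
```

The point of the last check is the threat model above: a DBA who can UPDATE the catalog row holding the policy can change its text, but with only their own share they cannot produce a tag that passes the periodic or on-use validation. The weakness of this simplified form, and the reason JTAM uses a threshold signature instead, is that whoever runs `recover_secret` holds the full key for a moment; a threshold signature scheme lets each DBA contribute a partial signature so that no party ever does.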
3.4.3 POLICY MATCHING
We present our algorithms for finding the set of policies matching an
anomaly. Such search is executed by matching the attributes of the anomaly
assessment with the conditions in the policies.
Policy matching is the problem of searching for policies applicable to an
anomalous request. When an anomaly is detected, the response system must
search through the policy database and find policies that match the anomaly. Our
ID mechanism is a real-time intrusion detection and response system; thus the
efficiency of the policy search procedure is crucial. There are two variations of our
policy matching algorithm: the Base Policy Matching algorithm and the Ordered
Policy Matching algorithm.
3.4.4 RESPONSE ACTION SELECTION
In the event of multiple policies matching an anomaly, we must provide for a
resolution scheme to determine the response to be issued. We propose the
following two rank-based selection options that are based on the severity level of
the response actions:
Most Severe Policy (MSP)
The severity level of a response policy is determined by the highest
severity level of its response action. This strategy selects the most severe policy
from the set of matching policies. Note that the response actions (conservative,
fine-grained, and aggressive; see Section 1) are categorized according to their
severity levels. Also, in the case of interactive ECA response policies, the severity
of the policy is taken as the severity level of the Failure Action.
Least Severe Policy (LSP)
This strategy, unlike the MSP strategy, selects the least severe policy.
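Sections 3.4.1, 3.4.3 and 3.4.4 together, as an added example that is not the report's or Kamra and Bertino's code: ECA response policies whose conditions range over contextual attributes (user, role, source, hour) and structural attributes (command, accessed objects), the base matching scan over the policy database, and the MSP/LSP selection among the matches. The condition operators, the severity ordering of actions (alert < taint < suspend < block), the attribute names and the policies themselves are assumptions made for this illustration; the report's Ordered Policy Matching algorithm is not reproduced.

```python
# Added example (not the report's or Kamra & Bertino's code): ECA response
# policies, base policy matching and MSP/LSP selection. Operators, severity
# ordering, attribute names and the policy database are all assumed here.
from dataclasses import dataclass
from typing import Any, Dict, List, Optional, Tuple

# Assumed severity ordering: conservative < fine-grained < aggressive.
SEVERITY = {"alert": 1, "taint": 2, "suspend": 3, "block": 4}

Condition = Tuple[str, str, Any]  # (attribute, operator, value)


@dataclass(frozen=True)
class Policy:
    name: str
    conditions: Tuple[Condition, ...]  # all must hold; an empty tuple matches every anomaly
    action: str


def _holds(anomaly: Dict[str, Any], attr: str, op: str, value: Any) -> bool:
    actual = anomaly.get(attr)
    if actual is None:
        return False
    if op == "in":
        return actual in value
    if op == "not_in":
        return actual not in value
    if op == "between":  # e.g. hour of day within a closed interval
        lo, hi = value
        return lo <= actual <= hi
    if op == "touches":  # structural: some accessed object lies in one of the schemas
        return any(obj.split(".")[0] in value for obj in actual)
    raise ValueError(f"unknown operator {op}")


def matches(policy: Policy, anomaly: Dict[str, Any]) -> bool:
    return all(_holds(anomaly, *cond) for cond in policy.conditions)


def match_base(policies: List[Policy], anomaly: Dict[str, Any]) -> List[Policy]:
    """Base matching: evaluate every policy against the anomaly attributes."""
    return [p for p in policies if matches(p, anomaly)]


def select(matching: List[Policy], strategy: str) -> Optional[Policy]:
    """MSP picks the matching policy with the most severe action, LSP the least."""
    if not matching:
        return None
    if strategy == "MSP":
        return max(matching, key=lambda p: SEVERITY[p.action])
    if strategy == "LSP":
        return min(matching, key=lambda p: SEVERITY[p.action])
    raise ValueError(strategy)


def respond(policies: List[Policy], anomaly: Dict[str, Any], strategy: str = "MSP") -> Optional[str]:
    """Action to issue for an anomaly, or None if no policy applies."""
    chosen = select(match_base(policies, anomaly), strategy)
    return chosen.action if chosen else None


# Constructed policy database (hypothetical).
POLICIES = [
    Policy("default_alert", (), "alert"),
    Policy("hr_touching_finance",
           (("role", "in", {"hr_clerk"}), ("objects", "touches", {"finance"})), "block"),
    Policy("off_hours_from_outside",
           (("hour", "between", (0, 6)), ("source", "not_in", {"office"})), "suspend"),
    Policy("analyst_anomaly", (("role", "in", {"analyst"}),), "taint"),
]

# Constructed anomaly assessments, as the detection element would hand them over.
ANOMALY_1 = {"user": "alice", "role": "hr_clerk", "source": "vpn", "hour": 2,
             "command": "SELECT", "objects": ["finance.payroll"]}
ANOMALY_2 = {"user": "bob", "role": "analyst", "source": "office", "hour": 14,
             "command": "SELECT", "objects": ["reporting.kpi"]}

if __name__ == "__main__":
    for anomaly in (ANOMALY_1, ANOMALY_2):
        print([p.name for p in match_base(POLICIES, anomaly)],
              "MSP:", respond(POLICIES, anomaly, "MSP"),
              "LSP:", respond(POLICIES, anomaly, "LSP"))
```

The catch-all policy with no conditions is what makes the two strategies differ in practice: under LSP it wins every time, so a deployment that wants LSP semantics must not install a default of low severity, while under MSP it only serves as the fallback.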
4. PROBLEM IDENTIFICATION & SYSTEM
FRAMEWORK
4.1 PROBLEM DEFINITION & EXAMPLE
Data represent today an important asset for companies and organizations.
Some of these data are worth millions of dollars and organizations take great care
at controlling access to these data, with respect to both internal users, within the
organization, and external users, outside the organization. Data security is also
crucial when addressing issues related to privacy of data pertaining to individuals;
companies and organizations managing such data need to provide strong
guarantees about the confidentiality of these data in order to comply with legal
regulations and policies. Overall, data security has a central role in the larger
context of information systems security. Therefore, the development of Database
Management Systems (DBMSs) with high-assurance security is a central research
issue. The development of such DBMSs requires a revision of architectures and
techniques adopted by traditional DBMS. An important component of this new
generation security-aware DBMS is an Intrusion Detection (ID) mechanism. Even
though DBMSs provide access control mechanisms, these mechanisms alone are
not enough to guarantee data security; they need to be complemented by suitable
ID mechanisms. However, despite the fact that building ID systems for networks
and operating systems has been an active area of research, few ID systems exist
that are specifically tailored to DBMS.
For example, consider a database user/application that normally accesses
data only from the human resources schema. Suppose that such a user/application
submits a SQL command to the DBMS that accesses the financial records of the
employees from the finance schema. Such an anomalous access pattern of the SQL
command may be the result of a SQL injection vulnerability or of privilege abuse by
an authorized user. The key observation is that an ID system designed for a
network or an operating system is ineffective against such database-specific
malicious actions.
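The scenario above, as an added example that is not the report's or Kamra and Bertino's code: per-role access profiles built from a constructed audit log, and an assessment that flags a (command, schema) pair the role has never used, producing the contextual and structural attributes the response engine consumes. The log format and the regex extraction of schema-qualified objects are simplifications assumed here; the real detector works on the DBMS's own parse of the statement.

```python
# Added example (not the report's or Kamra & Bertino's code): per-role access
# profiles from a constructed audit log, and an assessment that flags a request
# touching a (command, schema) pair the role has never used. The log format and
# the regex extraction of objects are simplifications assumed for illustration.
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed audit log: (role, SQL text submitted under that role).
AUDIT_LOG: List[Tuple[str, str]] = [
    ("hr_clerk", "SELECT name, dept FROM hr.employees WHERE id = 42"),
    ("hr_clerk", "UPDATE hr.leave SET days = days - 1 WHERE emp_id = 42"),
    ("hr_clerk", "SELECT e.name FROM hr.employees e JOIN hr.leave l ON e.id = l.emp_id"),
    ("fin_app", "SELECT SUM(amount) FROM finance.ledger WHERE period = '2009-06'"),
    ("fin_app", "INSERT INTO finance.payroll (emp_id, amount) VALUES (42, 1000)"),
]

# schema.table references that follow FROM / JOIN / INTO / UPDATE
_OBJ_RE = re.compile(r"\b(?:FROM|JOIN|INTO|UPDATE)\s+([A-Za-z_]\w*)\.([A-Za-z_]\w*)", re.I)

Profile = Set[Tuple[str, str]]  # set of (command, schema) pairs seen for a role


def parse_request(sql: str) -> Tuple[str, Set[str]]:
    """Return (SQL command, set of schema.table objects) for one statement."""
    command = sql.strip().split(None, 1)[0].upper()
    objects = {f"{s.lower()}.{t.lower()}" for s, t in _OBJ_RE.findall(sql)}
    return command, objects


def build_profiles(log: List[Tuple[str, str]]) -> Dict[str, Profile]:
    """Training step: the profile of a role is every (command, schema) it has used."""
    profiles: Dict[str, Profile] = defaultdict(set)
    for role, sql in log:
        command, objects = parse_request(sql)
        for obj in objects:
            profiles[role].add((command, obj.split(".")[0]))
    return dict(profiles)


def assess(role: str, sql: str, profiles: Dict[str, Profile]) -> dict:
    """Anomaly assessment handed to the response engine: contextual attribute
    (role), structural attributes (command, objects) and the pairs not in the profile."""
    command, objects = parse_request(sql)
    known = profiles.get(role, set())
    unseen = sorted({(command, o.split(".")[0]) for o in objects} - known)
    return {"role": role, "command": command, "objects": sorted(objects),
            "unseen": unseen, "anomalous": bool(unseen)}


PROFILES = build_profiles(AUDIT_LOG)

if __name__ == "__main__":
    print(PROFILES)
    print(assess("hr_clerk", "SELECT salary FROM finance.payroll WHERE emp_id = 42", PROFILES))
```

Two caveats a practitioner should carry over from this toy: a statement that names no schema-qualified object yields an empty object set and is never flagged, so a real profile must record the names the DBMS resolves (via its search path), not the raw text; and an unknown role has an empty profile, so its first request is always anomalous, which is the intended fail-closed behaviour but needs a bootstrapping phase.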
4.2 SYSTEM FRAMEWORK
Our proposed solution is to design and implement an intrusion response
system to overcome the drawbacks of the existing system. The two main issues
that we address in context of such response policies are that of policy matching,
and policy administration. For the policy matching problem, we propose two
algorithms that efficiently search the policy database for policies that match an
anomalous request. The other issue that we address is that of administration of
response policies to prevent malicious modifications to policy objects from
legitimate users. We propose a novel Joint Threshold Administration Model
(JTAM) that is based on the principle of separation of duty. The key idea in JTAM
is that a policy object is jointly administered by at least k database administrators
(DBAs), that is, any modification made to a policy object will be invalid unless it
has been authorized by at least k DBAs. We present design details of JTAM, which
is based on a cryptographic threshold signature scheme, and show how JTAM
prevents malicious modifications to policy objects from authorized users.
Fig. 4.1 System Framework
4.3 SYSTEM FLOW CHART
A flow chart is a graphical tool used to describe and analyze the movement of
data through a system. It describes the transformation of data from input to
output through the processing logically associated with the system.
Fig. 4.2 System Flow Chart
4.4 SYSTEM REQUIREMENTS
4.4.1 FUNCTIONAL REQUIREMENTS
Functional requirements should include functions performed by specific
screens, outlines of work-flows performed by the system and other business or
compliance requirements the system must meet.
The functionalities in my project are:
A file is browsed and selected.
The conditions for the browsed file are selected.
The file is sent to the detector.
The detector accepts the request and verifies whether it is anomalous or not.
For anomalous requests the query is not processed and the detector takes
appropriate actions.
For non-anomalous requests the query is processed and the sink is updated.
4.4.2 NON-FUNCTIONAL REQUIREMENTS
The non-functional requirements of my project are:
ACCESSIBILITY
Accessibility can be viewed as the "ability to access" and benefit from
some system or entity. The term is often used with reference to people with
disabilities and their right of access to the system.
PERFORMANCE
Computer performance is characterized by the amount of useful work
accomplished by a computer system compared to the time and resources used.
PORTABILITY
Portability is the property of a code base that allows existing code to be
reused, instead of writing new code, when software is moved from one
environment to another.
SECURITY
Security is the degree of protection against danger, loss, and criminals.
Security has to be compared and contrasted with other related concepts: safety,
continuity, reliability.
4.4.3 HARDWARE REQUIREMENTS
Processor : PENTIUM IV 2.6 GHz
RAM : 256 MB and above
Hard Disk : 10 GB.
Input device : Standard Keyboard and Mouse.
Output device : VGA and High Resolution Monitor.
4.4.4 SOFTWARE REQUIREMENTS
Front End : Java
Operating System : Windows
Back End : SQL Server 2005
5. SYSTEM DESIGN
5.1 DATABASE DESIGN
ENTITY RELATIONSHIP (E-R) DIAGRAM
A logical or graphical representation of data for an organization using entities,
attributes and their relationships is termed an E-R diagram.
Entity: An entity may be defined as a thing which is recognized as being capable
of an independent existence and which can be uniquely identified.
An entity is represented by a rectangle.
Relationship: A relationship captures how two or more entities are related to one
another.
Attributes: Entities and relationships can both have attributes. Represented with
APPENDIX- II
SCREEN SHOTS
Browse file: This screen is used to browse a file and send the selected request to
the Intrusion Detector based on the layer number type.
Screen Number: 1
Sink1: This is the destination point where the sent file is stored and displayed in
case of a normal request.
Screen Number: 2
Detector1: This screen detects whether the request is anomalous or not and takes
appropriate actions based on the layer number type.
Screen Number: 3
Display Response: Here the response sent by the Intrusion Detector in case of a
normal request is displayed.
Screen Number: 4
Request found: Here, as the request is found not to be anomalous, JTAM asks for
signatures from the remaining DBAs.
Screen Number: 5
Acceptance: Asks the DBAs to confirm their acceptance.
Screen Number: 6
Display file: Displays the browsed file after getting acceptance from all the DBAs.
Screen Number: 7
Destination Screen: This is the destination screen that displays the file sent via
the Intrusion Detector.
Screen Number: 8
Response sent: The response sent by the Intrusion Detector in case of an anomalous
request is displayed.
Screen Number: 9
Response sent by system: The response sent by the system in case of not getting
acceptance from k authorized users is displayed.
Screen Number: 10
Action taken: An action is taken by the Intrusion Response System.
Screen Number: 11
APPENDIX- III
BASE PAPER
APPENDIX- IV
REFERENCES
[1] D. Brackney, T. Goan, A. Ott, and L. Martin, "The Cyber Enemy Within ... Countering the Threat from Malicious Insiders," Proc. Ann. Computer Security Applications Conf. (ACSAC), pp. 346-347, 2004.
[2] A. Kamra, E. Terzi, and E. Bertino, "Detecting Anomalous Access Patterns in Relational Databases," The VLDB J., vol. 17, no. 5, pp. 1063-1077, 2008.
[3] A. Kamra, E. Bertino, and R.V. Nehme, "Responding to Anomalous Database Requests," Secure Data Management, pp. 50-66, Springer, 2008.
[4] A. Kamra and E. Bertino, "Design and Implementation of SAACS: A State-Aware Access Control System," Proc. Ann. Computer Security Applications Conf. (ACSAC), 2009.
[5] A. Conry-Murray, "The Threat from Within," Network Computing, Aug. 2005, http://www.networkcomputing.com/showArticle.jhtml?articleID=166400792, accessed July 2009.
[6] R. Mogull, "Top Five Steps to Prevent Data Loss and Information Leaks," Gartner Research, July 2006, http://www.gartner.com, accessed 2010.
BOOKS
[7] H. Schildt, Java: The Complete Reference, J2SE 5th ed., TMH.