# Network Security Situation Assessment Method Based on Markov Game Model.

1. Introduction

In recent years, with the rapid development of Internet technology, the means of attack have become more and more diverse, and security incidents have increased substantially. The research direction of network security has changed from single security problems to the overall situation of the global network. The concept of situation assessment originates from military requirements. As an integral part of data fusion, situation awareness is an important part of the decision-making process [1]. As the core of network security situation awareness, network security situation assessment analyzes and comprehends the security status of the network.

In recent years, domestic and foreign scholars have done a lot of research on network security situation assessment. Boyer S [2] designs a situation assessment framework based on D-S evidence theory. This method does not need to know the probability distribution of variables accurately, but it requires a large amount of calculation and has a potential combinatorial explosion problem. Ramaki A A [3] proposes a risk assessment method based on Bayesian networks. The method has better convergence and fault tolerance; even in a large network application environment, it performs well enough to handle large amounts of data. However, it still needs proper training to obtain the corresponding parameters. Wang C H [4] designs an alert correlation system. The system does not need a predefined knowledge database or network configuration information, and it can discover the causal relationships between attack behaviors and identify unknown attack behaviors. However, it cannot handle events that the IDS fails to report. Jinxia Wei [5] proposes a dynamic classification network security defense strategy model by analyzing the security situation of complex computer networks. The model addresses the problem that static defense cannot cope with changing tactics and lacks dynamic change. Xie Lixia [6] proposes a network security situation awareness method based on a neural network. She designs a BP neural network structure to meet the evaluation requirements, realizes the nonlinear mapping between the first-level and second-level indicators, and uses the hierarchical matrix to accomplish the first-level situation evaluation. Li F W [7] proposes a network security situation assessment method based on the Hidden Markov model. The method can trace the dynamic characteristics of numerical fluctuations conveniently and intuitively, and realizes effective prediction of the security status. Wen Z C [8] proposes a network security situation prediction method based on the Hidden Markov model. The method analyzes the change rules and predicts the development trend by describing the dependence of the security situation at different times. Xi R R [9] proposes a method for determining the state transition matrix based on the game between safety incidents and protective measures. This method is used to solve the problem that the state transition matrix of the hidden Markov model is often obtained by experience. Guan-Yu Hu [10] proposes a forecasting model of the network security situation based on the hidden belief rule base model. In order to train the parameters of the model, a revised covariance matrix adaption evolution strategy (CMA-ES) algorithm is further developed by adding a modified operator.

At present, most research on network security situation assessment focuses only on network attack behavior, the vulnerability of the system itself and so on, and ignores the defense measures. As is well known, the same network attack poses different threat levels to different networks. For the same attack, different defenses lead to very different final damage. The network security situation assessment method proposed in this paper takes full account of the offensive and defensive actions adopted by the two sides, and gives a comprehensive evaluation.

2. Improved Situational Assessment Framework

In 1999, Bass T first proposed the concept of network security situation awareness and a security situation assessment framework based on data fusion, shown in Fig. 1 [11,12]. The framework is divided into three processing levels: data, information and knowledge. The underlying security events are the data source. The object base is extracted through data and object reconstruction, and loaded into situation reconstruction and threat assessment. Finally, the top-level situation information is extracted. The framework provided a good theoretical basis and guidance for follow-up NSSA (Network Security Situation Awareness) studies.

This paper proposes a network security situation assessment framework based on the Markov Game model, with reference to multiple models [13,14,15,16,17], as shown in Fig. 2. The framework uses the Markov Game model to achieve the refinement and evaluation of network threats in Level 3, which is the core of the framework. Game theory can well reflect the substantive characteristics of the attackers and the defenders. Their behaviors are closely related and have an impact on the network security situation. The Markov Decision Process can reflect the uncertainty of network attack and defense. The fusion in Level 3 can refine the situation judgement of Level 2, and takes the network defensive behaviors into account to make a comprehensive assessment.

3. Markov Game Model

The Markov Game model proposed in this paper consists of the two sides of the game, the state space, the action space, the transition probability and the payoff function.

3.1 Two Sides of the Game

In this model, the attackers (blue team) and the defenders (red team) are the two sides of the game. The attackers exploit vulnerabilities to attack the network in order to steal information and destroy the network. The defenders are the network administrators, who use strengthening programs to reduce the destructiveness of threats and cut off their transmission paths, thereby enhancing the security of the system.

3.2 State Space

All the possible states of network nodes compose the state space. For the network node i, whose state vector at time k is [mathematical expression not reproducible] .

[mathematical expression not reproducible]

where w is the working status of node i, p is the protection status, a is the status of being attacked, and T is the transpose operator. The values of w can be "normal", "response slow", "malfunction", "crashed" and so on. The values of p can be "firewall", "IDS", "email-filter", "IDS and firewall" and so on. The values of a can be "NULL", "attack Web", "bombing email", "DOS" and so on. Then, the state space of the whole network at time k is $S_k$.

Sk [mathematical expression not reproducible] the number of nodes in the network.

3.3 Action Space

The behaviors of all the network security participants constitute the action space (strategy set). At each moment, the different nodes take the appropriate action according to the information obtained. For example, the blue team may take a buffer overflow action if a buffer overflow vulnerability is detected. The blue team may take "attempted-admin" or "attempted-dos" according to the established attack strategy. The red team may take a "firewall strategy adjustment" action if the IDS detects attacks. Table 1 lists part of the network attack behaviors taken from the Snort manual [18].

3.4 Transition Rule

The system state transition rule is described as $R(S_{k+1} \mid S_k, u_k^{blue}, u_k^{red})$, where $S_k$ and $S_{k+1}$ are the system states at time $k$ and $k+1$ respectively, and $u_k^{blue}$, $u_k^{red}$ are the overall decisions of the two sides at time $k$. For each network node, the state at time $k+1$ is determined by three aspects: 1) the state at time $k$; 2) the control strategies of the two sides; 3) the attack/defense efficiency.

3.5 Payoff Function

The game between red team and blue team is a kind of mixed strategy game, and the payoffs of the two sides are their expectation payoffs. Fig. 3 is the game matrix of red team member i and blue team member j at time k.

$u_i^{red}(k)$ is a probable behavior of red team member $i$ at time $k$, and $p_i$ is the probability of taking this action, with $\sum_{i=1}^{n} p_i = 1$, $p_i \ge 0$; $u_j^{blue}(k)$ is a probable behavior of blue team member $j$ at time $k$, and $q_j$ is the probability of taking this action, with $\sum_{j=1}^{n} q_j = 1$, $q_j \ge 0$. $a_{ij}$ is the payoff of $i$ when $i$ takes the behavior $u_i^{red}(k)$ and $j$ takes $u_j^{blue}(k)$; at the same time, the payoff of $j$ is $b_{ij}$. Then the expectation payoffs of $i$ and $j$ can be obtained by formulas (1) and (2).

$$\pi_i^{red}(p, q, k) = \sum_{i=1}^{n} \sum_{j=1}^{n} p_i q_j a_{ij} \qquad (1)$$

$$\pi_j^{blue}(p, q, k) = \sum_{i=1}^{n} \sum_{j=1}^{n} p_i q_j b_{ij} \qquad (2)$$

[Fig. 3. Game matrix of red team member i and blue team member j at time k]

Suppose the total number of members on both sides is $x$; then the expectation payoff of red team member $i$ at time $k$ can be expressed as formula (3).

$\pi^{red}(p) =$ [mathematical expression not reproducible] (3)

where $\omega_i(u)$ is the payoff of red team member $i$ when all members of both teams take the pure strategy (behavior) combination $u$, and $p_j(u_j)$ is the probability that member $j$ ($j$ may be a red team member or a blue team member) takes pure strategy $u_j$. Similarly, the expectation payoff of blue team member $j$ at time $k$ can be described by formula (4).

[mathematical expression not reproducible].(4)

Determining the payoff function is the key to calculating the security threat situation assessment value. The specific payoffs of both sides are determined by the Nash equilibrium point.

4. Using Markov Game Model to Calculate the Security Threat Situation

Suppose red team member $i$ has three kinds of defense behaviors, $u_{i1}^{red}(k)$, $u_{i2}^{red}(k)$, $u_{i3}^{red}(k)$, and blue team member $j$ has two kinds of attack behaviors, $u_{j1}^{blue}(k)$, $u_{j2}^{blue}(k)$. The game matrix of $i$ and $j$ is determined by the offensive and defensive efficiency and other empirical data of both sides, as shown in Fig. 4.

The expectation payoff of $i$ is shown in equation (5):

$$\pi_i^{red} = 3 p_1 q_1 + 2 p_1 q_2 + p_2 q_2 + 2 p_3 q_1 \qquad (5)$$

Because

$$\sum_{i=1}^{n} p_i = 1 \text{ and } p_i \ge 0, \qquad (6)$$

$$\sum_{i=1}^{n} q_i = 1 \text{ and } q_i \ge 0, \qquad (7)$$

then

$$p_3 = 1 - p_1, \quad q_2 = 1 - q_1$$

$$\pi_i^{red} = q_1 (2 - p_1 - 2 p_2) + 2 p_1 + p_2 \qquad (9)$$

Thus the reaction function of i can be obtained, as shown in equation (10):

[mathematical expression not reproducible] (10)

Similarly, the expectation payoff and reaction function of $j$ are shown in equation (11) and equation (12):

$$\pi_j^{blue} = q_1 (2 - 3 q_2) + q_1 + q_2 + 1 \qquad (11)$$

[mathematical expression not reproducible].(12)

The result is a straight line and a folded surface in three-dimensional space, as shown in Fig. 5.

The reaction function of red team member $i$ is the red line, and that of $j$ is the stepped surface. They have one intersection, $(p_1, p_2, q_1) = (1, 0, 1)$, which is the Nash equilibrium point. Thus the expectation payoffs of $i$ and $j$ are:

$$\begin{cases} \pi_i^{red} = 3 \\ \pi_j^{blue} = 4 \end{cases} \quad (1, 0, 1) \qquad (13)$$

In a finite game, the red team and the blue team each move toward the Nash equilibrium point in order to obtain their maximum benefit. Blue team member $j$ selects the strategy (1,0), namely takes action $u_{j1}^{blue}(k)$ with 100% chance. At the same time, red team member $i$ selects the strategy (1,0,0), namely takes action $u_{i1}^{red}(k)$ with 100% chance. If $i$ and $j$ are the only members of the two sides, the network security situation value is given by equation (14):

$$\pi_j^{blue} - \pi_i^{red} = 4 - 3 = 1 \qquad (14)$$

To show directly the process of using the Markov Game model to calculate the threat situation assessment, this paper uses the minimum-dimension case of a high-dimensional problem. In fact, both sides' actions (strategies) are not limited to 2-3 types, and the algebraic method is used to solve for the Nash equilibrium in higher dimensions. According to the definition of Nash equilibrium, the purpose of each player is to choose the strategy that maximizes the value of its payoff function. When the function is differentiable, the necessary condition for an extremum is that all partial derivatives of the function are equal to 0. Then, substitute $p_m = 1 - \sum_{i=1}^{m-1} p_i$ and $q_n = 1 - \sum_{j=1}^{n-1} q_j$ into formulas (1) and (2), and solve the simultaneous equations (15).

[mathematical expression not reproducible].(15)

The solutions are all candidate Nash equilibrium solutions. If the candidate solution is unique, it needs to be verified using the second-order derivatives. If the candidate solution is not unique, this paper uses the Pareto advantage standard and expert experience to verify and determine the final Nash equilibrium point. For example, assuming that both $(p_1, p_2, q_1) = (1,0,1)$ and $(p_1, p_2, q_1) = (0,0,1)$ are candidate solutions, according to Pareto advantage, both sides will get more payoff if selecting $(p_1, p_2, q_1) = (1,0,1)$, so the result is $(p_1, p_2, q_1) = (0,0,1)$.
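The calculation in this section as an added Python example (not code from the paper): the red payoff matrix is read off the coefficients of equation (5), while the blue matrix is constructed, because Fig. 4 is not reproduced here and only $b_{11} = 4$ follows from equation (13). It goes beyond the worked case by checking any mixed profile against pure deviations and by applying a Pareto filter when several pure equilibria exist; all function names are this example's own.

```python
"""Threat value |pi_blue - pi_red| from a red/blue bimatrix game (added example)."""
from itertools import product

# Red (defender) payoffs a_ij: the coefficients of equation (5) on the page.
# Rows are red actions 1..3, columns are blue actions 1..2.
A_RED = [[3, 2],
         [0, 1],
         [2, 0]]

# Blue (attacker) payoffs b_ij: CONSTRUCTED for this example, because Fig. 4
# is not reproduced on the page. Only b_11 = 4 follows from equation (13).
B_BLUE = [[4, 1],
          [2, 3],
          [1, 2]]


def expected_payoff(M, p, q):
    """Expectation payoff of one side: sum_i sum_j p_i * q_j * M[i][j]."""
    return sum(p[i] * q[j] * M[i][j]
               for i in range(len(p)) for j in range(len(q)))


def unit(n, k):
    """Pure strategy k written as a probability vector of length n."""
    return [1.0 if i == k else 0.0 for i in range(n)]


def is_nash(A, B, p, q, tol=1e-9):
    """True if neither side gains by deviating to any pure strategy.

    Checking pure deviations is sufficient, because a mixed deviation is a
    weighted average of pure ones and cannot beat the best of them.
    """
    m, n = len(A), len(A[0])
    red_now = expected_payoff(A, p, q)
    blue_now = expected_payoff(B, p, q)
    red_ok = all(expected_payoff(A, unit(m, i), q) <= red_now + tol
                 for i in range(m))
    blue_ok = all(expected_payoff(B, p, unit(n, j)) <= blue_now + tol
                  for j in range(n))
    return red_ok and blue_ok


def pure_equilibria(A, B):
    """All pure-strategy Nash equilibria as (red action, blue action) indices."""
    m, n = len(A), len(A[0])
    return [(i, j) for i, j in product(range(m), range(n))
            if is_nash(A, B, unit(m, i), unit(n, j))]


def pareto_select(A, B, candidates):
    """Drop candidates that another candidate Pareto-dominates."""
    def dominated(c):
        i, j = c
        return any(A[k][l] >= A[i][j] and B[k][l] >= B[i][j]
                   and (A[k][l] > A[i][j] or B[k][l] > B[i][j])
                   for (k, l) in candidates)
    return [c for c in candidates if not dominated(c)]


def threat_value(A, B):
    """Return (|pi_blue - pi_red|, equilibrium) for step 6.3.3 of the algorithm."""
    remaining = pareto_select(A, B, pure_equilibria(A, B))
    if len(remaining) != 1:
        # No pure equilibrium, or several that Pareto dominance cannot
        # separate: the page defers to expert experience in that case.
        raise ValueError(f"{len(remaining)} equilibria remain, expert input needed")
    i, j = remaining[0]
    return abs(B[i][j] - A[i][j]), (i, j)


if __name__ == "__main__":
    value, (i, j) = threat_value(A_RED, B_BLUE)
    print(f"equilibrium: red action {i + 1}, blue action {j + 1}; threat value {value}")
```

With these matrices the only pure equilibrium is red action 1 against blue action 1, which reproduces the payoffs 3 and 4 and the situation value 1 of equations (13) and (14).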

5. Situation Assessment Algorithm

Input: sensor data, Log data, Flow information, security alarm events and other types of network security data.

Output: equipment support information network security situation information and all kinds of feedback information.

1) Initialization

set sensor information database = null, Log information database = null, Flow information database = null, security event library = null, object database = null, situation information = null;

2) Set up a classification database

Set up the sensor information database, Log information database, Flow information database and security event database according to the original information;

3) Level 0 data fusion

The sensor information database, Log information database, Flow information database and security event library are encapsulated by time parameters.

4) Level 1 data fusion

Do consistency analysis of the Level 0 output data, and output objects to form the object database; set i = 0

5) Level 2 data fusion

if i = 0

  Determine the relationships between the objects, and form preliminary situation information

else

  Combine the threat assessment of Level 3 to form the final situation information; goto 7)

endif

6) Level 3 data fusion

6.1) Markov Game model initialization

set $team_{red}$ = null, $team_{blue}$ = null, $S_k$ = null, $action_{red}$ = null, $action_{blue}$ = null

$team_{red}$ and $team_{blue}$ are the two sides of the game; $action_{red}$ and $action_{blue}$ are the action spaces.

6.2) Assignment

Determine $team_{red}$, $team_{blue}$, $S_k$, $action_{red}$ and $action_{blue}$ according to the Level 2 data

6.3) Threat assessment

6.3.1) Determine the game matrix according to the Level 2 data and expert experience data

6.3.2) Use the reaction function, the algebraic method or other methods to determine the Nash equilibrium.

6.3.3) Determine threat assessment values

Use formulas (3) and (4) to calculate the payoffs of the game players.

threat assessment value = $|\pi^{blue} - \pi^{red}|$, where $\pi^{blue}$ and $\pi^{red}$ are the sums of the payoffs at time k

6.4) i = i + 1, goto 5)

7) Entry into Level 4: resources management, feedback data, adjust parameters.


6. Experiment and analysis

In order to validate the Markov Game model, this paper constructs a network environment, and the topology structure is shown in Fig. 6.

Using a pre-written script, the network attack software attacks the network automatically, and the experiment lasts for 48 hours. The network security situation assessment system based on the Markov Game model analyzes and processes data every 2 hours. In order to verify the accuracy of the Markov Game model, 6 experts are selected to evaluate the network security situation. The expert score is the average value after removing one maximum value and one minimum value. The results of the security situation are shown in Table 2 and Fig. 7. After modifying the script and adjusting the payoff values, the second experiment is carried out for 48 hours, and the experimental results are shown in Table 2 and Fig. 8.

From the experimental results, we can see that the trend of the network security situation curve is consistent with the preset attack strength and attack density. In the first experiment, the system evaluation data and the expert evaluation data are basically consistent, but there are still some deviations. In the second experiment, both sides' payoff values in the Markov Game model are modified. It can be seen from the results that the system data and the expert data are more consistent after the adjustment.

7. Conclusion

The security situation assessment method proposed in this paper combines the Markov Decision Process and the Game Theory. This method reflects the characteristics of network security that the process of network attack and defense is a game with randomness. It can be seen from the experiment that the method can accurately assess the security situation of the network, so as to provide a strong support for network security management. At the same time, the method can also be used to predict the situation of network security, and provide suggestions of security event processing for network managers. The advantages of this method are as follows:

* The judgment of the network security situation considers not only the network threat caused by the attackers, but also the defense measures that weaken the threat. Because the factors of both sides are combined, the resulting network security situation is relatively objective.

* This method can reflect the characteristics of different networks, and the evaluation of network security situation can be more targeted.

The disadvantages of this method are as follows:

* The payoffs of both sides will have a great impact on the evaluation result, but they may be affected by human factors.

* Because the network attack and defense sides are not completely rational, it is difficult for this method to estimate the possible jitter.

In order to improve the accuracy of the method, the next step is to study the game matrix in depth. The reward values in the matrix can be set with reference to CVSS (Common Vulnerability Scoring System). At present, CVSS is fully supported by the NVD (National Vulnerability Database).

References

[1] Gong Z H, Zhuo Y. "Research on Cyberspace Situational Awareness," Journal of Software, vol.21, no.7, pp.1605-1619, 2010.

[2] Boyer S, Dain O, Cunningham R. "Stellar: A fusion system for scenario construction and security risk assessment," in Proc. of the 13th IEEE Int'l Workshop on Information Assurance, pp.105-116, 2015.

[3] Ramaki A A, Khosravi-Farmad M, Bafghi A G. "Real time alert correlation and prediction using Bayesian networks," in Proc. of the ISCISC, pp.98-103, 2015.

[4] Wang C H, Chiou Y C. "Alert correlation system with automatic extraction of attack strategies by using dynamic feature weights," Int'l Journal of Computer and Communication Engineering, vol.5, no.1, pp.1-10, 2016.

[5] Jinxia Wei, Ru Zhang, Jianyi Liu, et al. "Defense Strategy of Network Security based on Dynamic Classification," Ksii Transactions on Internet and Information Systems, vol.9, no.12, pp.5116-5134, 2015.

[6] Xie L X, Wang Y C, Yu J B. "Network Security Situation Awareness Approach Based on Markov Game Model," J Tsinghua Univ (Sci & Technol), vol.53, no.12, pp.1750-1760, 2013.

[7] Li F W, Sun S, Zhu J, et al. "Situation Assessment Method based on Hidden Markov Model," Computer Engineering and Design, vol.36, no.7, pp.1706-1711, 2015.

[8] Wen Z C, Chen Z G. "Network security situation prediction method based on hidden Markov model," Journal of Central South University (Science and Technology), vol.46, no.10, pp.3689-3695, 2015.

[9] Xi R R, Yun X C, Zhang Y Z, et al. "An Improved Quantitative Evaluation Method for Network Security," Chinese Journal of Computers, vol.38, no.4, pp.749-758, 2015.

[10] Guan-Yu Hu, Zhi-Jie Zhou, Bang-Cheng Zhang, et al. "A method for predicting the network security situation based on hidden BRB model and revised CMA-ES algorithm," Applied Soft Computing, vol.48, pp.404-418, 2016.

[11] Bass T. "Multi sensor data fusion for next generation distributed intrusion detection systems," in Proc. of the '99 IRIS National Symp. on Sensor and Data Fusion, pp.24-27, 1999.

[12] Bass T. "Intrusion detection systems and multi sensor data fusion," Communications of the ACM, vol.43, no.4, pp.99-105, 2000.

[13] Gad A, Farooq M. "Data fusion architecture for maritime surveillance," in Proc. of the Int'l Society on Information Fusion (ISIF), pp.448-455, 2002.

[14] Kadar I. "Knowledge representation issues in perceptual reasoning managed situation assessment," in Proc. of the FUSION, pp.13-15, 2005.

[15] Llinas J, Hall D. "An introduction to multi sensor data fusion," in Proc. of the ISCAS '98 - Proceedings of the 1998 IEEE International Symposium on Circuits and Systems, vol.6, pp.537-540, 1998.

[16] Blasch E, Plano S. "DFIG level5 issues supporting situational assessment reasoning," in Proc. of the FUSION, pp.35-43, 2005.

[17] Zhang Y, Tan X B, Cui X L, et al. "Network Security Situation Awareness Approach Based on Markov Game Model," Journal of Software, vol.22, no.3, pp.495-508, 2011.

[18] The snort project. "SNORT Users Manual."

Xi Li received the M.S. degree from Ordnance Engineering College. He is now a Ph.D. candidate at Ordnance Engineering College. His research interests include network security and information technology of equipment support.

Yu Lu received the Ph.D. from Beihang University. Now, he is a professor of Ordnance Engineering College. His research interests include information security, computer network and cryptograph.

Sen Liu received the M.S. degree from Yanshan University. Now, she is a senior engineer of the 54th Research Institute of CETC. Her research interests include signal processing and information resistance.

Wei Nie received the Ph.D. from the University of Electronic Science and Technology. He is a Lecturer of Shenzhen University. His research interests include network security and optimization theory.

Xi Li (1), Yu Lu (1), Sen Liu (2) and Wei Nie (3)

(1) Information Engineering Department Ordnance Engineering College Shijiazhuang 050003, China (2) The 54th Research Institute of CETC Shijiazhuang 050200, China (3) College of Information Engineering Shenzhen University Shenzhen 518060, China [e-mail: wei.nie@szu.edu.cn] (*)Corresponding author: Wei Nie

Received May 10, 2017; revised September 23, 2017; revised October 30, 2017; accepted January 18, 2018; published May 31, 2018

This research was supported by the National Natural Science Foundation of China [No. 61271152] and the Natural Science Foundation of Hebei Province, China [No. F2012506008].

http://doi.org/10.3837/tiis.2018.05.027

Table 1. Snort Default Classifications

| Classtype | Description | Priority |
|---|---|---|
| attempted-admin | Attempted Administrator Privilege Gain | high |
| attempted-user | Attempted User Privilege Gain | high |
| inappropriate-content | Inappropriate Content was Detected | high |
| policy-violation | Potential Corporate Privacy Violation | high |
| shellcode-detect | Executable code was detected | high |
| successful-admin | Successful Administrator Privilege Gain | high |
| trojan-activity | A Network Trojan was detected | high |
| web-application-attack | Access to a potentially vulnerable web application | high |
| unusual-client-port-connection | A client was using an unusual port | medium |
| attempted-dos | Attempted Denial of Service | medium |
| attempted-recon | Attempted Information Leak | medium |
| rpc-portmap-decode | Decode of an RPC Query | medium |
| system-call-detect | A system call was detected | medium |
| protocol-command-decode | Generic Protocol Command Decode | low |
| network-scan | Detection of a Network Scan | low |
| string-detect | A suspicious string was detected | low |
| tcp-connection | A TCP connection was detected | Very low |

Table 2. Results of security situation

| Sampling point | First 48 hours: expert data | First 48 hours: system data | Second 48 hours: expert data | Second 48 hours: system data |
|---|---|---|---|---|
| 1 | 12 | 18 | 54 | 52 |
| 2 | 38 | 27 | 68 | 66 |
| 3 | 75 | 85 | 78 | 80 |
| 4 | 23 | 30 | 32 | 33 |
| 5 | 45 | 50 | 55 | 50 |
| 6 | 13 | 23 | 52 | 55 |
| 7 | 85 | 78 | 57 | 60 |
| 8 | 67 | 64 | 69 | 70 |
| 9 | 90 | 80 | 87 | 86 |
| 10 | 67 | 60 | 77 | 80 |
| 11 | 35 | 30 | 24 | 27 |
| 12 | 22 | 15 | 30 | 32 |
| 13 | 78 | 85 | 82 | 80 |
| 14 | 54 | 58 | 51 | 52 |
| 15 | 67 | 60 | 81 | 79 |
| 16 | 37 | 30 | 23 | 21 |
| 17 | 24 | 30 | 16 | 18 |
| 18 | 33 | 37 | 43 | 42 |
| 19 | 21 | 25 | 34 | 31 |
| 20 | 14 | 20 | 16 | 17 |
| 21 | 25 | 28 | 25 | 25 |
| 22 | 36 | 40 | 38 | 37 |
| 23 | 45 | 39 | 26 | 25 |
| 24 | 29 | 25 | 24 | 26 |


Author: | Li, Xi; Lu, Yu; Liu, Sen; Nie, Wei |
---|---|

Publication: | KSII Transactions on Internet and Information Systems |

Article Type: | Report |

Date: | May 1, 2018 |
