CN116614251A - Data security monitoring system - Google Patents

Info

Publication number: CN116614251A
Authority: CN (China)
Prior art keywords: data, attack, access, character string, key
Legal status: Pending
Application number: CN202310377005.5A
Other languages: Chinese (zh)
Inventors: 朱谦, 郭洪亮, 田言明, 张伟厚, 刘善宏, 郑轲, 李瑞鹏, 张延诚, 刘欣颖, 唐向文, 陈曦, 汪延峰, 陈建设
Current Assignee: Huaneng Power International Inc Jining Power Plant
Original Assignee: Huaneng Power International Inc Jining Power Plant
Application filed by Huaneng Power International Inc Jining Power Plant; priority to CN202310377005.5A; publication of CN116614251A; current legal status: pending.


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H04L63/1433 Vulnerability analysis

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention provides a data security monitoring system, which relates to the technical field of data security and comprises: acquiring a data access request, obtaining an access type, matching the corresponding access private key according to the access type and verifying the request; after the verification is qualified, extracting key data from the data to be accessed, clustering the key character strings in the key data and blurring the data to obtain blurred data; during data access, monitoring the transmission process and the transmission end point of the blurred data to obtain an attack process; and analyzing the attack process to obtain the corresponding attack link and terminating the data transmission of that attack link. By verifying the request with the access private key matched to the access type, extracting the key data from the data to be accessed and blurring it, obtaining and analyzing the attack process through monitoring, and terminating data transmission on the attack link, the system secures the data access and transmission process and preserves the accuracy of the transmitted data.

Description

Data security monitoring system
Technical Field
The invention relates to the technical field of data security, in particular to a data security monitoring system.
Background
At present, with the development of science and technology, productivity has greatly improved, and since the advent of the Internet, networks have become indispensable tools in production and life. The security of cyberspace includes not only the security of the network itself but also, in a broader sense, the security of data, information systems, intelligent systems, cyber-physical systems and the like. Data security is the foundation of cyberspace security. Data security refers to the ability to keep data in an effectively protected and lawfully used state and to maintain that secure state continuously by taking the necessary measures. Data security covers the whole lifecycle of data production, storage, transmission, access, use, destruction and disclosure, and ensures the confidentiality, integrity and availability of data processing.
Accordingly, the present invention provides a data security monitoring system.
Disclosure of Invention
The invention provides a data security monitoring system which acquires a data access request, obtains an access type, matches the corresponding access private key according to the access type and verifies the request, extracts key data from the data to be accessed after the verification is qualified, clusters the key data according to the key character strings it contains, and blurs the data to obtain fuzzy data.
The invention provides a data security monitoring system, comprising:
request verification module: acquiring a data access request, obtaining an access type, and verifying according to the access private key matched to the access type;
key data processing module: after the verification is qualified, extracting key data from the data to be accessed, and clustering and blurring the key character strings in the key data to obtain fuzzy data;
process monitoring module: during data access, monitoring the transmission process and the transmission end point of the fuzzy data to obtain an attack process;
attack processing module: analyzing the attack process to obtain the corresponding attack link, and terminating the data transmission of the attack link.
Preferably, the present invention provides a data security monitoring system, further comprising:
log searching module: before verifying with the access private key matched to the access type, acquiring the terminal information of the sending end of the data access request, and searching the corresponding access log in an information database;
quantity counting module: based on the access log, counting the number of access objects of the access terminal and the access times of each access object;
identity judging module: if the number of access objects is larger than the normal object number, judging that the identity of the sending end of the data access request is suspicious and refusing access;
or
if the sum of the access times of the access objects of the same sending end is larger than the normal access number, judging that the identity of the sending end of the data access request is suspicious and refusing access.
Preferably, in the data security monitoring system provided by the invention, the request verification module comprises:
type string acquisition unit: acquiring a data access request, and extracting a type character string with a type tag in the data access request;
access type acquisition unit: obtaining the corresponding access type based on the type character string and the type-character string comparison table.
Preferably, in the data security monitoring system provided by the invention, the request verification module further comprises:
a primary verification unit: obtaining an access public key of the sending end to perform primary verification to obtain a primary verification result;
type private key acquisition unit: if the primary verification is qualified, an access type is acquired, and a corresponding type private key is matched based on a type-key mapping table;
an access request verification unit: based on the type private key, the data access request is verified.
Preferably, in the data security monitoring system provided by the invention, the key data processing module comprises:
clustering unit: performing category analysis on the data to be accessed to obtain a data category of the data to be accessed, and performing data clustering on the data to be accessed according to the data category to obtain a corresponding data set;
cluster analysis unit: analyzing the clustering data in the data set to obtain corresponding first data features;
key data acquisition unit: based on the first data features and the key data feature table, information data corresponding to the first data features conforming to the key data features is taken as key data;
key character string acquisition unit: disassembling each key data to obtain related key character strings;
a character string classifying unit: carrying out similar classification on all the key character strings, and constructing a plurality of first character string sets, wherein each first character string set comprises identical first character strings and first character strings which are not identical;
character string processing unit: screening the character string subsets to be processed whose occurrence number is greater than or equal to 2, according to the number of different character strings among the first character strings involved in each first character string set and the occurrence number of each different character string, and setting a conversion number for the corresponding character string subset to be processed according to a formula in which n represents the number of character strings appearing in the corresponding character string subset to be processed, n being greater than or equal to 2, and [ ] represents a rounding symbol;
a second character string set acquisition unit: counting the conversion number set by each character string subset to be processed and the number of first character strings with the occurrence number of 1, determining the fuzzy number to be set, and carrying out fuzzy processing on the corresponding first character string set to obtain a second character string set;
sequence number marking unit: marking a first serial number on each second character string in the second character string set and marking a second serial number on each first character string in the first character string set;
blurring unit: randomly sequencing each second character string in the corresponding second character string set, and marking a third serial number on each second character string subjected to random sequencing to obtain a corresponding third character string set, so that data blurring is realized;
the first serial number and the second serial number have a first corresponding relation, and the third serial number and the first serial number have a second corresponding relation;
and constructing a fuzzy comparison table according to the first corresponding relation and the second corresponding relation under different serial numbers, and transmitting the fuzzy comparison table to the access terminal by combining the third character string set.
Preferably, in the data security monitoring system provided by the invention, the process monitoring module comprises:
log acquisition unit: capturing a transmission process log and a transmission end log generated by a transmission process and a transmission end point of the fuzzy data in a transmission state;
a process judging unit: if the data transmission times recorded in the transmission process log are greater than the preset data transmission times, judging that the process is attacked;
an end point judgment unit: if the number of the data output terminals recorded in the transmission terminal log is larger than the number of the preset data output terminals, judging that the terminals are attacked.
Preferably, in the data security monitoring system provided by the invention, the attack processing module comprises:
curve construction unit: after the process is judged to be attacked, based on the transmission process log, extracting attack time and attack degree at each attack time, and constructing a first attack curve;
attack time acquisition unit: inputting the first attack curve into a curve analysis model, and locking special attack time, wherein the special attack time comprises high-frequency attack time and attack time under high attack degree;
attack destructive computing unit: calculating the attack destructiveness of the special attack moment, and calibrating the corresponding special attack moment when the attack destructiveness is larger than the preset destructiveness;
wherein G01 represents the attack destructiveness corresponding to a special attack time t; r1 represents a conversion coefficient for the attack frequency; r2 represents a conversion coefficient for the attack degree; g_{max,t,q} represents the maximum number of attacks at time t in the same transmission process under the same data access request q; g1 represents the current number of attacks corresponding to the special attack time t; p_{max,t,q} represents the maximum attack degree at time t in the same transmission process under the same data access request q; p1 represents the current attack degree corresponding to the special attack time t;
attack link acquisition unit: dividing the time period of the calibration time according to the attack time interval standard, and carrying out consistent comparison analysis on the time period of the calibration time and the standard time period matched with different transmission links in the transmission process to obtain attack links;
termination degree calculation unit: calculating termination degree according to the number of special moments related to each attack link and the attack degree of each special moment;
wherein m1 represents the number of special moments corresponding to the attack link; m0 represents the total number of moments involved in the corresponding attack link; max(p_i, i = 1, 2, ..., m1) represents the largest of the attack degrees p_i corresponding to the m1 special moments under the corresponding attack link; A1 represents the termination degree of the corresponding attack link;
termination mode acquisition unit: obtaining a termination mode aiming at a corresponding attack link from the number-degree-termination mapping table, and terminating the corresponding attack link for data transmission when the termination degree is greater than or equal to a corresponding preset degree;
termination probability calculation unit: when the termination degree is smaller than the corresponding preset degree, determining termination probability;
wherein A0 represents a corresponding preset degree; g01 represents the termination probability;
termination probability control unit: and controlling the corresponding termination mode to terminate the corresponding attack link for data transmission according to the termination probability.
Preferably, in the data security monitoring system provided by the invention, the attack processing module further comprises:
retransmission unit: and after judging that the terminal is attacked, terminating the current data transmission process, and acquiring a standby communication channel for transmission.
Additional features and advantages of the invention will be set forth in the description which follows, and in part will be obvious from the description, or may be learned by practice of the invention. The objectives and other advantages of the invention will be realized and attained by the structure particularly pointed out in the written description and claims thereof as well as the appended drawings.
The technical scheme of the invention is further described in detail through the drawings and the embodiments.
Drawings
The accompanying drawings are included to provide a further understanding of the invention and are incorporated in and constitute a part of this specification, illustrate the invention and together with the embodiments of the invention, serve to explain the invention. In the drawings:
FIG. 1 is a block diagram of a data security monitoring system in an embodiment of the present invention.
Detailed Description
The preferred embodiments of the present invention will be described below with reference to the accompanying drawings, it being understood that the preferred embodiments described herein are for illustration and explanation of the present invention only, and are not intended to limit the present invention.
Example 1:
an embodiment of the present invention provides a data security monitoring system, as shown in fig. 1, including:
request verification module: acquiring a data access request, obtaining an access type, and verifying according to the access private key matched to the access type;
key data processing module: after the verification is qualified, extracting key data from the data to be accessed, and clustering the key character strings in the key data and blurring the data to obtain fuzzy data;
process monitoring module: during data access, monitoring the transmission process and the transmission end point of the fuzzy data to obtain an attack process;
attack processing module: analyzing the attack process to obtain the corresponding attack link, and terminating the data transmission of the attack link.
In this embodiment, the data access request refers to a request sent by the access sending end to the server end for performing data interaction by establishing a connection, and the request includes an access type and an access public key.
In this embodiment, the access type refers to the type of interaction for which the access sending end establishes a connection with the server end for data interaction, and includes: read, write, execute, add, delete and list.
In this embodiment, the access private key refers to an encryption algorithm that encrypts and decrypts data at the authorized access originating end.
In this embodiment, the key data refers to data including key content, such as data including client identity information and data including information to be transmitted in a web page, in addition to functional data and structural data.
In this embodiment, the key string refers to a string of numbers, letters and underlines that carries the key content, excluding the functional strings and structural strings in the key data; for example, the characters in double quotation marks in key data that contain only the client identity keyword, or that contain only the information to be transmitted in a web page.
In this embodiment, the data blurring refers to replacing key character strings in key data with random character strings of the same length, so as to achieve the purpose of blurring the key data.
In this embodiment, the fuzzy data refers to fuzzy data which is obtained by replacing key character strings in key data with random character strings with the same length and does not contain the key character strings.
In this embodiment, the transmission process refers to a process that data is encapsulated into frames and sent to a transmission medium, after reaching a target host, each layer of protocol strips off a corresponding header, and finally, application layer data is transmitted to an access transmitting end.
In this embodiment, the transmission destination refers to a data receiving node accessing the transmitting end.
In this embodiment, the attack process refers to an attack that generates an unexpected result by sending data to a program, and typically gives an attacker permission to access the target system, and the data-driven attack is classified into a buffer overflow attack, a formatted string attack, an input verification attack, a synchronization vulnerability attack, a trust vulnerability attack, and the like.
In this embodiment, the attack link refers to a link where an attack is located, and includes: an attack preparation link, an attack starting link, an attack process link and an attack ending link.
The working principle and beneficial effects of the technical scheme are as follows: a data access request is acquired and the access type obtained; the corresponding access private key is matched according to the access type and the request is verified; after the verification is qualified, key data is extracted from the data to be accessed, clustered according to the key character strings it contains, and blurred to obtain fuzzy data; during data access, the transmission process and the transmission end point of the fuzzy data are monitored to obtain the attack process, which is analyzed to obtain the corresponding attack link; and data transmission of the attack link is terminated. This secures data access and the transmission process and ensures the correctness of the transmitted data.
Example 2:
the embodiment of the invention provides a data security monitoring system, which further comprises:
log searching module: before verifying with the access private key matched to the access type, acquiring the terminal information of the sending end of the data access request, and searching the corresponding access log in an information database;
quantity counting module: based on the access log, counting the number of access objects of the access terminal and the access times of each access object;
identity judging module: if the number of access objects is larger than the normal object number, judging that the identity of the sending end of the data access request is suspicious and refusing access;
or
if the sum of the access times of the access objects of the same sending end is larger than the normal access number, judging that the identity of the sending end of the data access request is suspicious and refusing access.
In this embodiment, the terminal information refers to the domain name of the sending terminal of the data access request, so as to achieve the purpose of identifying the identity of the sending terminal of the data access request.
In this embodiment, the information database refers to a database containing end information and corresponding access logs.
In this embodiment, the access log refers to a log obtained by searching the information database for the end information of the sending end of the data access request, so as to obtain the corresponding object of sending the access request recorded in the network and the corresponding times.
In this embodiment, the normal object number refers to a preset maximum number of objects that a client issues an access request when it is running normally.
In this embodiment, the normal access number refers to a preset maximum number of times that one client makes an access request to an access object when it is running normally.
The working principle and the beneficial effects of the technical scheme are as follows: the number of access objects and the access times of the sending end of the data access request are verified, so that data invasion and illegal access covered under reasonable authorization are eliminated, and the safe access of the data is ensured.
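As an added illustration of the identity judging module in this example (not code from the patent), the following Python applies its two rules to a constructed access log; the log format, the sender domain names and the preset normal object number and normal access number are assumptions.

```python
from collections import Counter, defaultdict

# Constructed access log (not from the patent). The patent gives no log format,
# so "timestamp sender_domain method access_object" per line is an assumption.
ACCESS_LOG = """\
2023-04-01T08:00:01 client-a.plant.internal GET /reports/daily
2023-04-01T08:00:05 client-a.plant.internal GET /reports/daily
2023-04-01T08:01:10 client-a.plant.internal GET /reports/weekly
2023-04-01T08:02:00 scanner.plant.internal GET /reports/daily
2023-04-01T08:02:01 scanner.plant.internal GET /reports/weekly
2023-04-01T08:02:02 scanner.plant.internal GET /accounts/list
2023-04-01T08:02:03 scanner.plant.internal GET /accounts/export
2023-04-01T08:02:04 scanner.plant.internal GET /config/backup
2023-04-01T08:03:00 batch.plant.internal POST /reports/daily
2023-04-01T08:03:01 batch.plant.internal POST /reports/daily
2023-04-01T08:03:02 batch.plant.internal POST /reports/daily
2023-04-01T08:03:03 batch.plant.internal POST /reports/daily
2023-04-01T08:03:04 batch.plant.internal POST /reports/daily
2023-04-01T08:03:05 batch.plant.internal POST /reports/daily
2023-04-01T08:03:06 batch.plant.internal POST /reports/daily
"""

# Preset thresholds named by the patent; the values are assumed for this demo.
NORMAL_OBJECT_COUNT = 3   # normal object number: max distinct access objects per sender
NORMAL_ACCESS_COUNT = 6   # normal access number: max summed access times per sender


def parse_access_log(log_text):
    """Return {sender_domain: Counter({access_object: times})} from the log lines.

    The sender domain is the terminal information the patent uses to identify
    the sending end; malformed lines are skipped rather than crashing the monitor.
    """
    per_sender = defaultdict(Counter)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        _timestamp, sender, _method, access_object = parts
        per_sender[sender][access_object] += 1
    return per_sender


def judge_identity(object_counts, normal_objects=NORMAL_OBJECT_COUNT,
                   normal_accesses=NORMAL_ACCESS_COUNT):
    """Apply the identity judging module's two rules to one sending end.

    Returns (refused, reason). Access is refused when the number of distinct
    access objects exceeds the normal object number, or when the sum of the
    access times over all objects exceeds the normal access number.
    """
    n_objects = len(object_counts)
    n_accesses = sum(object_counts.values())
    if n_objects > normal_objects:
        return True, f"{n_objects} access objects > normal {normal_objects}"
    if n_accesses > normal_accesses:
        return True, f"{n_accesses} accesses > normal {normal_accesses}"
    return False, "within normal range"


def screen_senders(log_text, **thresholds):
    """Return {sender: (refused, reason)} for every sending end seen in the log."""
    return {sender: judge_identity(counts, **thresholds)
            for sender, counts in parse_access_log(log_text).items()}


if __name__ == "__main__":
    for sender, (refused, reason) in screen_senders(ACCESS_LOG).items():
        print(f"{sender}: {'REFUSE' if refused else 'allow'} ({reason})")
```

The scanner-like sender trips the object-count rule and the batch sender trips the access-count rule, while the ordinary client is allowed; a real deployment would tune both thresholds per client role.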
Example 3:
the embodiment of the invention provides a data security monitoring system, wherein the request verification module comprises:
type string acquisition unit: acquiring a data access request, and extracting a type character string with a type tag in the data access request;
access type acquisition unit: obtaining the corresponding access type based on the type character string and the type-character string comparison table.
In this embodiment, the type tag refers to a tag for performing type distinction on a character string, and includes a read tag, a write tag, an execute tag, an add tag, a delete tag, and a list tag.
In this embodiment, the type string refers to the various strings obtained by labelling a string with its type, including the read string, the write string, the execute string, the add string, the delete string and the list string.
In this embodiment, the type-string comparison table refers to a table of access types and corresponding type string comparisons.
The working principle and beneficial effects of the technical scheme are as follows: type analysis is performed on the type character string carrying the type tag in the data access request to obtain the corresponding access type, which refines the data analysis, facilitates the subsequent blurring of the data, and ensures the safe transmission of the data.
Example 4:
the embodiment of the invention provides a data security monitoring system, wherein the request verification module further comprises:
a primary verification unit: obtaining an access public key of the sending end to perform primary verification to obtain a primary verification result;
type private key acquisition unit: if the primary verification is qualified, an access type is obtained, and a corresponding type private key is matched based on a type-private key mapping table;
an access request verification unit: based on the type private key, the data access request is verified.
In this embodiment, the access public key refers to the non-secret half of the key pair used with the private key algorithm, i.e. the initial decoding algorithm at the server side.
In this embodiment, primary authentication refers to the preliminary authentication of the authority of the originating party with the access public key.
In this embodiment, the primary verification result refers to whether the authorization verification is qualified or unqualified.
In this embodiment, the type-private key mapping table refers to a mapping table containing access types and corresponding type private keys.
In this embodiment, the type private key refers to an encryption algorithm that encrypts and decrypts data corresponding to the access type match.
The working principle and the beneficial effects of the technical scheme are as follows: by carrying out double verification on the access request, the corresponding type private key is matched according to the access type, and the safety of data transmission is ensured.
Example 5:
the embodiment of the invention provides a data security monitoring system, wherein the key data processing module comprises:
clustering unit: performing category analysis on the data to be accessed to obtain a data category of the data to be accessed, and performing data clustering on the data to be accessed according to the data category to obtain a corresponding data set;
cluster analysis unit: analyzing the clustering data in the data set to obtain corresponding first data features;
key data acquisition unit: based on the first data features and the key data feature table, information data corresponding to the first data features conforming to the key data features is taken as key data;
key character string acquisition unit: disassembling each key data to obtain related key character strings;
a character string classifying unit: carrying out similar classification on all the key character strings, and constructing a plurality of first character string sets, wherein each first character string set comprises identical first character strings and first character strings which are not identical;
character string processing unit: screening the character string subsets to be processed whose occurrence number is greater than or equal to 2, according to the number of different character strings among the first character strings involved in each first character string set and the occurrence number of each different character string, and setting a conversion number for the corresponding character string subset to be processed according to a formula in which n represents the number of character strings appearing in the corresponding character string subset to be processed, n being greater than or equal to 2, and [ ] represents a rounding symbol;
a second character string set acquisition unit: counting the conversion number set by each character string subset to be processed and the number of first character strings with the occurrence number of 1, determining the fuzzy number to be set, and carrying out fuzzy processing on the corresponding first character string set to obtain a second character string set;
sequence number marking unit: marking a first serial number on each second character string in the second character string set and marking a second serial number on each first character string in the first character string set;
blurring unit: randomly sequencing each second character string in the corresponding second character string set, and marking a third serial number on each second character string subjected to random sequencing to obtain a corresponding third character string set, so that data blurring is realized;
the first serial number and the second serial number have a first corresponding relation, and the third serial number and the first serial number have a second corresponding relation;
and constructing a fuzzy comparison table according to the first corresponding relation and the second corresponding relation under different serial numbers, and transmitting the fuzzy comparison table to the access terminal by combining the third character string set.
In this embodiment, the data category refers to a category of data divided by its structure and content, and includes: functional data, structural data, and content data.
In this embodiment, data clustering refers to clustering by aggregating data of the same data class in the data to be accessed.
In this embodiment, the first data feature refers to content that is obtained by analyzing data in each clustered data set and that corresponds to a characteristic of the data.
In this embodiment, the key data feature table refers to a table containing key data and corresponding key data features.
In this embodiment, the key data feature refers to the category of the information within the double quotation marks in the data, obtained by analyzing the key data after removing redundancy and noise; it represents the content of the key data feature, for example the category of the characters of the client identity information.
In this embodiment, the first string set refers to a set of similar key strings obtained by classifying the key strings by similarity, where the category of the information within the double quotation marks in the data is the same, for example the set of strings of all client identity information.
In this embodiment, the to-be-processed character string subset refers to a set of first character strings with occurrence numbers greater than or equal to two obtained by analyzing the number of different character strings of the first character strings related in each first character string set and the occurrence number of each different character string.
In this embodiment, the conversion number refers to the number of character string conversions required for the first character strings in the determined character string subset to be processed, calculated according to the formula, where n is the number of character strings appearing in the corresponding character string subset to be processed, with n ≥ 2, and [ ] represents a rounding symbol.
In this embodiment, the fuzzy number refers to the sum of the conversion numbers set for each character string subset to be processed and the number of first character strings with an occurrence number of 1; it represents the number of character string replacements required to blur the key character strings. For example, if a character string 0011 occurs more than once, the conversion number determines how many times the repeated 0011 is replaced, and the replacement character string may be 1100; the main purpose is to ensure the safety of the data.
In this embodiment, the blurring processing refers to randomly generating a second string set with the same string length according to the string length of the first string corresponding to the blurring number, and randomly selecting strings with the same length from the second string set to replace the first string.
In this embodiment, the second string set is a string set with the same string length generated randomly according to the string length of the first string corresponding to the fuzzy number.
In this embodiment, the first sequence number refers to a sequence number generated in order for each second string in the second string set.
In this embodiment, the second sequence number refers to a sequence number generated in order for each first character string in the first character string set.
In this embodiment, the third sequence number refers to a sequence number generated by each second string in the obtained third string set according to the sequence after each second string in the second string set is randomly ordered.
In this embodiment, the third string set refers to a string set in which each of the second strings in the second string set is randomly ordered.
In this embodiment, the first correspondence refers to the one-to-one correspondence between the first serial number of a second string in the second string set and the second serial number, in the first string set, of the first string that it blurs.
In this embodiment, the second correspondence refers to a one-to-one correspondence between the first serial number of one second string in the second string set and the corresponding third serial number of the blurred string in the third string set, where the purpose of setting the correspondence is to facilitate effective subsequent analysis of the characters to determine the transmission data.
In this embodiment, the fuzzy comparison table refers to a table of comparison relations between the second strings and the third strings, in which the first correspondence and the second correspondence are joined on their shared first serial number so that each second serial number is related to a third serial number.
The working principle and the beneficial effects of the technical scheme are as follows: the key data in the data to be accessed is extracted to obtain key character strings, which are classified by similarity into the corresponding first character string sets; the character strings in each first character string set are analyzed to obtain the fuzzy number of strings to be replaced; random second character string sets of the same length are generated according to the lengths of the character strings to be replaced; the first character strings are replaced and the first correspondence between the first serial numbers and the second serial numbers is recorded; the second character strings in the second character string set are randomly reordered and the second correspondence between the second serial numbers and the third serial numbers is recorded; and the fuzzy comparison table generated from the first and second correspondences is transmitted. This increases the complexity and security of obtaining the key data and guarantees the safe transmission of the key data.
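As an added example (not the patent's own code), the following Python carries the steps of Example 5 through on constructed key data: grouping key strings into first string sets, computing the fuzzy number, generating same-length second strings, assigning the three serial numbers, shuffling into the third string set and building the fuzzy comparison table, then reversing it at the access terminal. The conversion-number formula, the way replacements are spread over repeated strings, and the assumption that the receiver already holds the first string set are marked ASSUMED in the code.

```python
"""Added example, not the patent's own code: blurring key character strings and
building the fuzzy comparison table of Example 5.  Items marked ASSUMED fill in
what the page does not give (formula, spreading of replacements, receiver)."""
import math
import random
import re
from collections import Counter
# Constructed sample key data: the double-quoted values are the key character
# strings; the field name before '=' is the category used for classification.
KEY_DATA = [
    'client_id="0011"; account="9f3a"',
    'client_id="0011"; account="77c2"',
    'client_id="0101"; account="9f3a"',
    'client_id="0011"; account="e4d1"',
]
QUOTED = re.compile(r'(\w+)="([^"]*)"')


def conversion_number(n):
    """ASSUMED stand-in for the formula missing from the page: [n/2] rounded
    up, n being the occurrence count of a string in the subset to be processed."""
    if n < 2:
        raise ValueError("subset to be processed requires n >= 2")
    return math.ceil(n / 2)


def fuzzy_number(first_set):
    """Conversion numbers of the repeated strings (occurrence >= 2) plus one per
    string occurring once: how many second strings must be generated."""
    counts = Counter(first_set)
    return sum(conversion_number(c) if c >= 2 else 1 for c in counts.values())


def random_second_strings(first_set, how_many, rng, taken):
    """Random strings of the first strings' length, distinct from every real
    value and earlier replacement, so the table stays one-to-one."""
    length = len(first_set[0])
    alphabet = sorted(set("".join(first_set)))        # same character set
    out = []
    while len(out) < how_many:
        cand = "".join(rng.choice(alphabet) for _ in range(length))
        if cand not in taken and cand not in out:
            out.append(cand)
    return out


def blur(records, seed=7):
    """Return (blurred records, third string set, fuzzy comparison table,
    first string set); table rows are (third, first, second serial number).
    ASSUMED: the access terminal already holds the first string set from an
    earlier secure exchange; sending it with the table would undo the blurring."""
    rng = random.Random(seed)
    sets = {}
    for line in records:
        for category, value in QUOTED.findall(line):
            sets.setdefault(category, []).append(value)
    all_values = {v for vs in sets.values() for v in vs}
    firsts, seconds, first_to_second, assigned = [], [], {}, {}
    for category, first_set in sets.items():
        counts = Counter(first_set)
        fresh = random_second_strings(first_set, fuzzy_number(first_set), rng,
                                      all_values | set(seconds))
        # ASSUMED: each distinct string takes its conversion-number share of
        # the fresh strings (one for a singleton) and its occurrences cycle
        # through that share, so a repeated value does not blur to one token.
        share, used, assigned[category] = {}, Counter(), []
        for value in dict.fromkeys(first_set):
            k = conversion_number(counts[value]) if counts[value] >= 2 else 1
            share[value], fresh = fresh[:k], fresh[k:]
        for value in first_set:
            if value not in firsts:
                firsts.append(value)                  # second serial = index + 1
            second = share[value][used[value] % len(share[value])]
            used[value] += 1
            if second not in seconds:
                seconds.append(second)                # first serial = index + 1
                first_to_second[len(seconds)] = firsts.index(value) + 1
            assigned[category].append(second)
    cursors = {c: iter(v) for c, v in assigned.items()}
    blurred = [QUOTED.sub(lambda m: f'{m.group(1)}="{next(cursors[m.group(1)])}"',
                          line) for line in records]
    third_set = seconds[:]
    rng.shuffle(third_set)                            # third serial = index + 1
    table = [(third, seconds.index(s) + 1, first_to_second[seconds.index(s) + 1])
             for third, s in enumerate(third_set, 1)]
    return blurred, third_set, table, firsts


def deblur(blurred, third_set, table, firsts):
    """Access-terminal side: third serial -> table -> second serial -> string."""
    second_by_third = {third: second for third, _first, second in table}
    def restore(m):
        third = third_set.index(m.group(2)) + 1
        return f'{m.group(1)}="{firsts[second_by_third[third] - 1]}"'
    return [QUOTED.sub(restore, line) for line in blurred]
```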
Example 6:
The embodiment of the invention provides a data security monitoring system in which the process monitoring module comprises:
log acquisition unit: capturing a transmission process log and a transmission end log generated by a transmission process and a transmission end point of the fuzzy data in a transmission state;
a process judging unit: if the data transmission times recorded in the transmission process log are greater than the preset data transmission times, judging that the process is attacked;
an end point judgment unit: if the number of data output end points recorded in the transmission end point log is greater than the preset number of data output end points, judging that the end point is attacked.
In this embodiment, the transmission process log refers to a log containing the number of times data is exchanged and time nodes in the data transmission process.
In this embodiment, the transmission end log refers to a log containing information and the number of output nodes of data transmission.
In this embodiment, the number of data transfers refers to the number of times data is transferred and exchanged in the transfer process log.
In this embodiment, the preset number of data transmission times refers to a preset maximum number of times data is transmitted and exchanged when the transmission process is not attacked.
In this embodiment, the number of data output end points refers to the number of end nodes of data output in the transmission end point log.
In this embodiment, the preset number of data output end points refers to the preset maximum number of end nodes of data output when the transmission end point is not attacked.
The working principle and the beneficial effects of the technical scheme are as follows: the transmission process log and the transmission end point log are analyzed to obtain the number of data transmissions and the number of data output end points, and from these it is judged whether the data is attacked, so that attacks are monitored in real time and the safety of data transmission is ensured.
Example 7:
The embodiment of the invention provides a data security monitoring system in which the attack processing module comprises:
curve construction unit: after the process is judged to be attacked, based on the transmission process log, extracting attack time and attack degree at each attack time, and constructing a first attack curve;
attack time acquisition unit: inputting the first attack curve into a curve analysis model, and locking special attack time, wherein the special attack time comprises high-frequency attack time and attack time under high attack degree;
attack destructive computing unit: calculating the attack destructiveness of the special attack moment, and calibrating the corresponding special attack moment when the attack destructiveness is larger than the preset destructiveness;
wherein G01 represents the attack destructiveness corresponding to a special attack time t; r1 represents a conversion coefficient for the attack frequency; r2 represents a conversion coefficient for the attack degree; g_max,t,q represents the maximum number of attacks at time t in the same transmission process under the same data access request q; g1 represents the current number of attacks corresponding to the special attack time t; p_max,t,q represents the maximum attack degree at time t in the same transmission process under the same data access request q; p1 represents the current attack degree corresponding to the special attack time t;
attack link acquisition unit: dividing the time period of the calibration time according to the attack time interval standard, and carrying out consistent comparison analysis on the time period of the calibration time and the standard time period matched with different transmission links in the transmission process to obtain attack links;
termination degree calculation unit: calculating termination degree according to the number of special moments related to each attack link and the attack degree of each special moment;
wherein m1 represents the number of special moments corresponding to the attack link; m0 represents the total number of moments involved in the corresponding attack link; max(p_i, i = 1, 2, ..., m1) represents the maximum attack degree among the attack degrees p_i corresponding to the m1 special moments under the corresponding attack link; A1 represents the termination degree of the corresponding attack link;
termination mode acquisition unit: obtaining a termination mode aiming at a corresponding attack link from the number-degree-termination mapping table, and terminating the corresponding attack link for data transmission when the termination degree is greater than or equal to a corresponding preset degree;
termination probability calculation unit: when the termination degree is smaller than the corresponding preset degree, determining termination probability;
wherein A0 represents a corresponding preset degree; g01 represents the termination probability;
termination probability control unit: and controlling the corresponding termination mode to terminate the corresponding attack link for data transmission according to the termination probability.
In this embodiment, the attack time refers to the time when data is abnormally exchanged and lost.
In this embodiment, the attack degree refers to the percentage of abnormally exchanged and lost data in the total data.
In this embodiment, the first attack curve refers to a curve formed by the attack degree and the corresponding attack time, on which the attack degree and the number of attacks at different times are all reflected; for example, the attack degree is represented by a magnitude value on the vertical axis of the curve, and the number of attacks is represented by the thickness of the corresponding point on the curve.
In this embodiment, the curve analysis model is a model which is obtained by training an attack curve and a corresponding special attack moment and can extract the moment of high-frequency attack and the attack moment of high attack degree in the attack curve.
In this embodiment, the special attack time includes times of high-frequency attack and attack times of high attack degree: a high-frequency attack time is a time at which the number of attacks is greater than a preset number, and a high attack degree is an attack degree greater than the preset attack degree at the corresponding time.
In this embodiment, attack destructiveness refers to the percentage of data that is abnormally exchanged and lost at a particular attack time to the total data.
In this embodiment, the preset destructiveness refers to a preset maximum value of destructiveness that does not affect the data integrity.
In this embodiment, the attack time interval criterion refers to an interval criterion of attack time set in advance according to an occurrence time interval of attack.
In this embodiment, the standard time period refers to a time period corresponding to different transmission links, where the transmission links include: a transmission preparation link, a transmission start link, a transmission process link and a transmission end link.
In this embodiment, the number-degree-termination mapping table refers to a mapping table constructed by the number of attacks, the corresponding degree of attacks, and the corresponding attack termination manner.
In this embodiment, the termination mode refers to a mode of attack termination, and is determined according to the attack degree and the corresponding attack link.
In this embodiment, the termination degree refers to the percentage of abnormally exchanged and lost data at the current time in the total data.
In this embodiment, the preset degree refers to a preset minimum percentage of abnormally exchanged and lost data in the total data at which transmission can still continue.
In this embodiment, the termination probability refers to the probability of terminating the attacked data transmission, obtained by calculation from the preset degree and the termination degree.
The working principle and the beneficial effects of the technical scheme are as follows: when the transmission process is attacked, the data is analyzed to obtain an attack curve, and the attack curve is analyzed to obtain the special attack times; the attack destructiveness is calculated; the corresponding attack links are obtained according to the attack time interval standard; the termination degree is calculated from the number of special times involved in each attack link and the attack degree at each special time; the termination mode for the corresponding attack link is obtained from the number-degree-termination mapping table; when the termination degree is greater than or equal to the corresponding preset degree, data transmission over the corresponding attack link is terminated, and when it is less than the preset degree, a termination probability is determined and the attack link is terminated according to that probability. In this way the attack is analyzed and countered accurately and in time, safe transmission of the data is guaranteed, and the ability to resist attacks is improved.
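As an added example (not code from the patent), the following Python runs the threshold checks of Example 6 and the attack-curve, special-time and attack-link steps of Example 7 over constructed log lines. The log format, the standard time periods and the threshold rule standing in for the trained curve analysis model are assumptions, and since the page does not reproduce the formulas for attack destructiveness, termination degree or termination probability, those steps are left out.

```python
"""Added example, not the patent's own code: Example 6 threshold checks and the
Example 7 attack curve, special attack times and attack links, over constructed
logs.  The destructiveness / termination formulas are absent from the page and
are therefore not implemented here."""
import re
from collections import defaultdict

# Constructed transmission process log: one line per data exchange, t is the
# time in seconds from the start of the transmission, sizes are in bytes.
PROCESS_LOG = [
    "t=3 q=q7 total=1000 abnormal=0 lost=0",
    "t=12 q=q7 total=1000 abnormal=600 lost=0",
    "t=25 q=q7 total=1000 abnormal=300 lost=100",
    "t=25 q=q7 total=1000 abnormal=0 lost=50",
    "t=31 q=q7 total=1000 abnormal=0 lost=0",
    "t=40 q=q7 total=1000 abnormal=700 lost=200",
    "t=55 q=q7 total=1000 abnormal=0 lost=0",
]
# Constructed transmission end point log: where the data was output.
ENDPOINT_LOG = [
    "t=58 q=q7 endpoint=node-a",
    "t=58 q=q7 endpoint=node-b",
    "t=59 q=q7 endpoint=node-z",
]
# ASSUMED standard time periods (inclusive seconds) of the four transmission
# links the page names.
STANDARD_PERIODS = {
    "transmission preparation link": (0, 9),
    "transmission start link": (10, 19),
    "transmission process link": (20, 49),
    "transmission end link": (50, 59),
}
KV = re.compile(r"(\w+)=(\S+)")


def parse(lines):
    """Turn 'key=value ...' log lines into dicts, converting numeric fields."""
    out = []
    for line in lines:
        rec = dict(KV.findall(line))
        for k in ("t", "total", "abnormal", "lost"):
            if k in rec:
                rec[k] = int(rec[k])
        out.append(rec)
    return out


def process_attacked(records, preset_transfers):
    """Example 6: more data transfers than the preset -> process attacked."""
    return len(records) > preset_transfers


def endpoint_attacked(records, preset_endpoints):
    """Example 6: more distinct output end points than the preset -> attacked."""
    return len({r["endpoint"] for r in records}) > preset_endpoints


def attack_curve(records):
    """Example 7: per attack time, (time, attack degree in %, number of attacks).
    Attack degree = abnormally exchanged + lost bytes as a percentage of the
    bytes handled at that time; an attack time is a time with such data."""
    by_time = defaultdict(list)
    for r in records:
        by_time[r["t"]].append(r)
    curve = []
    for t in sorted(by_time):
        bad = [r for r in by_time[t] if r["abnormal"] + r["lost"] > 0]
        if not bad:
            continue
        total = sum(r["total"] for r in by_time[t])
        degree = 100.0 * sum(r["abnormal"] + r["lost"] for r in by_time[t]) / total
        curve.append((t, degree, len(bad)))
    return curve


def special_times(curve, preset_count, preset_degree):
    """ASSUMED threshold rule in place of the trained curve analysis model:
    high-frequency (count > preset) or high-degree (degree > preset) times."""
    return [t for t, degree, count in curve
            if count > preset_count or degree > preset_degree]


def attack_links(times, periods=STANDARD_PERIODS):
    """Map each special time to the transmission link whose standard period
    contains it; times outside every period are reported under 'unmatched'
    so a gap in the period table is not silently dropped."""
    links = defaultdict(list)
    for t in times:
        for name, (lo, hi) in periods.items():
            if lo <= t <= hi:
                links[name].append(t)
                break
        else:
            links["unmatched"].append(t)
    return dict(links)
```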
Example 8:
the embodiment of the invention provides a data security monitoring system, which comprises:
retransmission unit: when the end point is judged to be attacked, terminating the transmission process of the fuzzy data and acquiring a standby communication channel for retransmission.
In this embodiment, the backup communication channel refers to the same backup channel as the communication channel used in the current transmission process, thereby achieving the purpose of coping with an attack.
The working principle and the beneficial effects of the technical scheme are as follows: when the end point is attacked, the transmission process of the fuzzy data is stopped and a standby communication channel is acquired for retransmission, ensuring the safe transmission of the data.
It will be apparent to those skilled in the art that various modifications and variations can be made to the present invention without departing from the spirit or scope of the invention. Thus, it is intended that the present invention also include such modifications and alterations insofar as they come within the scope of the appended claims or the equivalents thereof.

Claims (8)

1. A data security monitoring system, comprising:
request verification module: acquiring a data access request, obtaining an access type, matching a corresponding access private key according to the access type, and performing verification;
the key data processing module: after the verification is qualified, extracting key data in the data to be accessed, and clustering and blurring key character strings in the key data to obtain fuzzy data;
a process monitoring module: in the process of data access, monitoring the transmission process and the transmission end point of fuzzy data to obtain an attack process;
attack processing module: analyzing the attack process to obtain a corresponding attack link, and terminating the data transmission of the attack link.
2. The system of claim 1, further comprising:
and a log searching module: before verifying according to the access type matching corresponding access private key, acquiring the terminal information of the sending terminal of the data access request, and searching corresponding access log from an information database;
the quantity counting module is used for: based on the access log, counting the number of the access objects of the access terminal and the access times of each access object;
identity judging module: if the number of the access objects is larger than the number of the normal objects, judging that the identity of the sending end of the data access request is suspicious, and refusing access;
or
If the sum of the access times of the access objects of the same sending end is larger than the normal access times, judging that the identity of the sending end of the data access request is suspicious, and refusing the access.
3. The system of claim 1, wherein the request verification module comprises:
type string acquisition unit: acquiring a data access request, and extracting a type character string with a type tag in the data access request;
an access type acquisition unit: and obtaining the corresponding access type based on the type character string and the type-character string comparison table.
4. The system of claim 2, wherein the request verification module further comprises:
a primary verification unit: obtaining an access public key of the sending end to perform primary verification to obtain a primary verification result;
type private key acquisition unit: if the primary verification is qualified, an access type is acquired, and a corresponding type private key is matched based on a type-key mapping table;
an access request verification unit: based on the type private key, the data access request is verified.
5. The system of claim 1, wherein the critical data processing module comprises:
clustering unit: performing category analysis on the data to be accessed to obtain a data category of the data to be accessed, and performing data clustering on the data to be accessed according to the data category to obtain a corresponding data set;
cluster analysis unit: analyzing the clustering data in the data set to obtain corresponding first data features;
key data acquisition unit: based on the first data features and the key data feature table, information data corresponding to the first data features conforming to the key data features is taken as key data;
key character string acquisition unit: disassembling each key data to obtain related key character strings;
a character string classifying unit: carrying out similar classification on all the key character strings, and constructing a plurality of first character string sets, wherein each first character string set comprises identical first character strings and first character strings which are not identical;
a character string processing unit: screening a subset of character strings to be processed, with occurrence number greater than or equal to 2, according to the number of different character strings among the first character strings involved in each first character string set and the occurrence number of each different character string, and setting a conversion number for the corresponding character string subset to be processed according to the formula, wherein n represents the number of character strings appearing in the corresponding character string subset to be processed, with n ≥ 2; [ ] represents a rounding symbol;
a second character string set acquisition unit: counting the conversion number set by each character string subset to be processed and the number of first character strings with the occurrence number of 1, determining the fuzzy number to be set, and carrying out fuzzy processing on the corresponding first character string set to obtain a second character string set;
sequence number marking unit: marking a first serial number on each second character string in the second character string set and marking a second serial number on each first character string in the first character string set;
blurring unit: randomly sequencing each second character string in the corresponding second character string set, and marking a third serial number on each second character string subjected to random sequencing to obtain a corresponding third character string set, so that data blurring is realized;
the first serial number and the second serial number have a first corresponding relation, and the third serial number and the first serial number have a second corresponding relation;
and constructing a fuzzy comparison table according to the first corresponding relation and the second corresponding relation under different serial numbers, and transmitting the fuzzy comparison table to the access terminal by combining the third character string set.
6. The system of claim 1, wherein the process monitoring module comprises:
log acquisition unit: capturing a transmission process log and a transmission end log generated by a transmission process and a transmission end point of the fuzzy data in a transmission state;
a process judging unit: if the data transmission times recorded in the transmission process log are greater than the preset data transmission times, judging that the process is attacked;
an end point judgment unit: if the number of data output end points recorded in the transmission end point log is greater than the preset number of data output end points, judging that the end point is attacked.
7. The system of claim 6, wherein the attack handling module comprises:
curve construction unit: after the process is judged to be attacked, based on the transmission process log, extracting attack time and attack degree at each attack time, and constructing a first attack curve;
attack time acquisition unit: inputting the first attack curve into a curve analysis model, and locking special attack time, wherein the special attack time comprises high-frequency attack time and attack time under high attack degree;
attack destructive computing unit: calculating the attack destructiveness of the special attack moment, and calibrating the corresponding special attack moment when the attack destructiveness is larger than the preset destructiveness;
wherein G01 represents the attack destructiveness corresponding to a special attack time t; r1 represents a conversion coefficient for the attack frequency; r2 represents a conversion coefficient for the attack degree; g_max,t,q represents the maximum number of attacks at time t in the same transmission process under the same data access request q; g1 represents the current number of attacks corresponding to the special attack time t; p_max,t,q represents the maximum attack degree at time t in the same transmission process under the same data access request q; p1 represents the current attack degree corresponding to the special attack time t;
attack link acquisition unit: dividing the time period of the calibration time according to the attack time interval standard, and carrying out consistent comparison analysis on the time period of the calibration time and the standard time period matched with different transmission links in the transmission process to obtain attack links;
termination degree calculation unit: calculating termination degree according to the number of special moments related to each attack link and the attack degree of each special moment;
wherein m1 represents the number of special moments corresponding to the attack link; m0 represents the total number of moments involved in the corresponding attack link; max(p_i, i = 1, 2, ..., m1) represents the maximum attack degree among the attack degrees p_i corresponding to the m1 special moments under the corresponding attack link; A1 represents the termination degree of the corresponding attack link;
termination mode acquisition unit: obtaining a termination mode aiming at a corresponding attack link from the number-degree-termination mapping table, and terminating the corresponding attack link for data transmission when the termination degree is greater than or equal to a corresponding preset degree;
termination probability calculation unit: when the termination degree is smaller than the corresponding preset degree, determining termination probability;
wherein A0 represents a corresponding preset degree; g01 represents the termination probability;
termination probability control unit: and controlling the corresponding termination mode to terminate the corresponding attack link for data transmission according to the termination probability.
8. The system of claim 6, wherein the attack handling module further comprises:
retransmission unit: after judging that the end point is attacked, terminating the current data transmission process, and acquiring a standby communication channel for transmission.
CN202310377005.5A 2023-04-04 2023-04-04 Data security monitoring system Pending CN116614251A (en)

Publications (1)

Publication Number Publication Date
CN116614251A true CN116614251A (en) 2023-08-18

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117478439A (en) * 2023-12-28 2024-01-30 天津市品茗科技有限公司 Network and information security encryption system and method
CN117478439B (en) * 2023-12-28 2024-04-19 天津市品茗科技有限公司 Network and information security encryption system and method


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination