First Step Towards Automatic Correction of Firewall Policy Faults Fei Chen Alex X. Liu Computer Science and Engineering Michigan State University JeeHyun.

Slides:

Advertisements

Similar presentations

Mobile and Wireless Computing Institute for Computer Science, University of Freiburg Western Australian Interactive Virtual Environments Centre (IVEC)

Advertisements

RIP V2 W.lilakiatsakun.  RFC 2453 (obsoletes –RFC 1723 /1388)  Extension of RIP v1 (Classful routing protocol)  Classless routing protocol –VLSM is.

1 Diverse Firewall Design Alex X. Liu The University of Texas at Austin, U.S.A. July 1, 2004 Co-author: Mohamed G. Gouda.

SOFTWARE TESTING. INTRODUCTION  Software Testing is the process of executing a program or system with the intent of finding errors.  It involves any.

Bidding Protocols for Deploying Mobile Sensors Reporter: Po-Chung Shih Computer Science and Information Engineering Department Fu-Jen Catholic University.

Computer Science Dr. Peng NingCSC 774 Adv. Net. Security1 CSC 774 Advanced Network Security Topic 7.3 Secure and Resilient Location Discovery in Wireless.

Firewall Query Engine and Firewall Comparison Engine Mohamed Gouda Alex X. Liu Computer Science Department The University of Texas at Austin.

Cloud Computing Resource provisioning Keke Chen. Outline  For Web applications statistical Learning and automatic control for datacenters  For data.

A Ternary Unification Framework for Optimizing TCAM-Based Packet Classification Systems Author: Eric Norige, Alex X. Liu, and Eric Torng Publisher: ANCS.

Cross-Domain Privacy-Preserving Collaborative Firewall Optimization Fei Chen Computer Science and Engineering Michigan State University Joint work with.

1 TCAM Razor: A Systematic Approach Towards Minimizing Packet Classifiers in TCAMs Department of Computer Science and Information Engineering National.

Using Programmer-Written Compiler Extensions to Catch Security Holes Authors: Ken Ashcraft and Dawson Engler Presented by : Hong Chen CS590F 2/7/2007.

Los Angeles September 27, 2006 MOBICOM Localization in Sparse Networks using Sweeps D. K. Goldenberg P. Bihler M. Cao J. Fang B. D. O. Anderson.

 Firewalls and Application Level Gateways (ALGs)  Usually configured to protect from at least two types of attack ▪ Control sites which local users.

Ashish Gupta Under Guidance of Prof. B.N. Jain Department of Computer Science and Engineering Advanced Networking Laboratory.

Firewall Policy Queries Author: Alex X. Liu, Mohamed G. Gouda Publisher: IEEE Transaction on Parallel and Distributed Systems 2009 Presenter: Chen-Yu Chang.

1 On Constructing Efficient Shared Decision Trees for Multiple Packet Filters Author: Bo Zhang T. S. Eugene Ng Publisher: IEEE INFOCOM 2010 Presenter:

Firewall Queries Alex X. Liu, Mohamed G. Gouda, The University of Texas at Austin, U.S.A. Huibo Heidi Ma, Anne HH. Ngu Texas State University, U.S.A. December.

Privacy-Preserving Cross-Domain Network Reachability Quantification

XEngine: A Fast and Scalable XACML Policy Evaluation Engine Fei Chen Dept. of Computer Science and Engineering Michigan State University Joint work with.

SafeQ: Secure and Efficient Query Processing in Sensor Networks Fei Chen and Alex X. Liu Department of Computer Science and Engineering Michigan State.

SE 450 Software Processes & Product Metrics 1 Defect Removal.

Network Security. Network security starts from authenticating any user. Once authenticated, firewall enforces access policies such as what services are.

university “STRUCTURED FIREWALL” By. Mr. Ganesh N Pathare Mr. Shivram A Popalghat Department Of.

1 25\10\2010 Unit-V Connecting LANs Unit – 5 Connecting DevicesConnecting Devices Backbone NetworksBackbone Networks Virtual LANsVirtual LANs.

1 Semester 2 Module 6 Routing and Routing Protocols YuDa college of business James Chen

Detection and Resolution of Anomalies in Firewall Policy Rules

Network Security (Firewall) Instructor: Professor Morteza Anvari Student: Xiuxian Chen ID: Term: Spring 2001.

Mobile IP: Introduction Reference: “Mobile networking through Mobile IP”; Perkins, C.E.; IEEE Internet Computing, Volume: 2 Issue: 1, Jan.- Feb. 1998;

Presented by Group 2: Presented by Group 2: Shan Gao ( ) Shan Gao ( ) Dayang Yu ( ) Dayang Yu ( ) Jiayu Zhou ( ) Jiayu Zhou.

Cross-Domain Privacy-Preserving Cooperative Firewall Optimization.

Common Devices Used In Computer Networks

Fast Portscan Detection Using Sequential Hypothesis Testing Authors: Jaeyeon Jung, Vern Paxson, Arthur W. Berger, and Hari Balakrishnan Publication: IEEE.

Firewall and Internet Access Mechanism that control (1)Internet access, (2)Handle the problem of screening a particular network or an organization from.

Securing Every Bit: Authenticated Broadcast in Wireless Networks Dan Alistarh, Seth Gilbert, Rachid Guerraoui, Zarko Milosevic, and Calvin Newport.

Windows 7 Firewall.

SDN based Network Security Monitoring in Dynamic Cloud Networks Xiuzhen CHEN School of Information Security Engineering Shanghai Jiao Tong University,

Firewall Fingerprinting Amir R. Khakpour 1, Joshua W. Hulst 1, Zhihui Ge 2, Alex X. Liu 1, Dan Pei 2, Jia Wang 2 1 Michigan State University 2 AT&T Labs.

Packet Classifiers In Ternary CAMs Can Be Smaller Qunfeng Dong (University of Wisconsin-Madison) Suman Banerjee (University of Wisconsin-Madison) Jia Wang.

Palette: Distributing Tables in Software-Defined Networks Yossi Kanizo (Technion, Israel) Joint work with Isaac Keslassy (Technion, Israel) and David Hay.

On Reducing the Global State Graph for Verification of Distributed Computations Vijay K. Garg, Arindam Chakraborty Parallel and Distributed Systems Laboratory.

Saeed Darvish Pazoki – MCSE, CCNA Abstracted From: Cisco Press – ICND 2 – 6 IP Access Lists 1.

A Dynamic Packet Stamping Methodology for DDoS Defense Project Presentation by Maitreya Natu, Kireeti Valicherla, Namratha Hundigopal CISC 859 University.

Exploiting Context Analysis for Combining Multiple Entity Resolution Systems -Ramu Bandaru Zhaoqi Chen Dmitri V.kalashnikov Sharad Mehrotra.

TASHKENT UNIVERSITY OF INFORMATION TECHNOLOGIES Lesson №18 Telecommunication software design for analyzing and control packets on the networks by using.

Module 10: How Middleboxes Impact Performance

StrideBV: Single chip 400G+ packet classification Author: Thilan Ganegedara, Viktor K. Prasanna Publisher: HPSR 2012 Presenter: Chun-Sheng Hsueh Date:

Computer Science 1 Mining Likely Properties of Access Control Policies via Association Rule Mining JeeHyun Hwang 1, Tao Xie 1, Vincent Hu 2 and Mine Altunay.

Computer Science Conformance Checking of Access Control Policies Specified in XACML Vincent C. Hu (National Institute of Standards and Technology) Evan.

1 - CS7701 – Fall 2004 Review of: Detecting Network Intrusions via Sampling: A Game Theoretic Approach Paper by: – Murali Kodialam (Bell Labs) – T.V. Lakshman.

1 Data Link Layer Lecture 23 Imran Ahmed University of Management & Technology.

Computer Science 1 Detection of Multiple-Duty-Related Security Leakage in Access Control Policies JeeHyun Hwang 1, Tao Xie 1, and Vincent Hu 2 North Carolina.

High-Speed Policy-Based Packet Forwarding Using Efficient Multi-dimensional Range Matching Lakshman and Stiliadis ACM SIGCOMM 98.

Introducing a New Concept in Networking Fluid Networking S. Wood Nov Copyright 2006 Modern Systems Research.

Department of Computer Sciences The University of Texas at Austin Complete Redundancy Detection in Firewalls Alex X. Liu Department of Computer Sciences.

Computer Science 1 Systematic Structural Testing of Firewall Policies JeeHyun Hwang 1, Tao Xie 1, Fei Chen 2, and Alex Liu 2 North Carolina State University.

Motivation: Finding the root cause of a symptom

Role Of Network IDS in Network Perimeter Defense.

IP Routing table compaction and sampling schemes to enhance TCAM cache performance Author: Ruirui Guo a, Jose G. Delgado-Frias Publisher: Journal of Systems.

1 IP Routing table compaction and sampling schemes to enhance TCAM cache performance Author: Ruirui Guo, Jose G. Delgado-Frias Publisher: Journal of Systems.

Author : Lynn Choi, Hyogon Kim, Sunil Kim, Moon Hae Kim Publisher/Conf : IEEE/ACM TRANSACTIONS ON NETWORKING Speaker : De yu Chen Data :

A Classification for Access Control List To Speed Up Packet-Filtering Firewall CHEN FAN, LONG TAN, RAWAD FELIMBAN and ABDELSHAKOUR ABUZNEID Department.

PRESENTED BY. Keywords Firewall : Any barrier that is intended to thwart the spread of a destructive agent. Computer Definition : A system designed to.

Introduction Wireless devices offering IP connectivity

Chapter 4: Access Control Lists (ACLs)

Paper Presentation by Bradley Hanna CSCE 715: Network System Security

MEET-IP Memory and Energy Efficient TCAM-based IP Lookup

Packet Classification Using Binary Content Addressable Memory

Presentation transcript:

First Step Towards Automatic Correction of Firewall Policy Faults Fei Chen Alex X. Liu Computer Science and Engineering Michigan State University JeeHyun Hwang Tao Xie Computer Science North Carolina State University Published in the Proceedings of USENIX Large Installation System Administration Conference (LISA 2010) Best Student Paper Award

2/29 What do we do here?  Most firewall policies are poorly configured and contain faults. [Wool 2004 & 2010] ─ A coworker may mess up your firewall rules. ─ Any modification may introduce firewall faults.  We invent methods for fixing firewall policies automatically. ─ We first model 5 types of faults. ─ For each type of faults, we develop an algorithm to fix them. ─ Given a faulty firewall policy, we propose a systematic method to fix the faults automatically using the 5 algorithms.

3/29 Roadmap  Background ─ Firewalls ─ Firewall policies ─ Firewall policy faults  Technical challenges  Fault model of firewall policies ─ Five types of faults  Problem formalization  Our solution  Experimental results

4/29 Background – Firewalls  A firewall checks all outgoing and incoming packets  The firewall policy decides whether to accept or discard a packet Firewall Private Network Outgoing Packets Incoming Packets Internet

5/29 Background – Firewall Policies  A firewall policy is usually specified as a sequence of rules  Each rule consists of a predicate and a decision. ─ A predicate typically includes five fields: source IP, destination IP, source port, destination port, protocol type ─ Typical decisions are accept and discard.  Conflict Resolution: first-match Src IPDst IPSrc PortDst PortProtocolPayload TCP Src IPDst IPSrc PortDst PortProtocolDecision r1r * *25TCPAccept r2r *25*Discard r3r3 ***** Packet Firewall Policy

6/29 Background – Firewall Policy Faults  Most firewall policies are poorly configured and contain faults. [Wool 2004 & 2010]  It is dangerous to have faults in a firewall policy. A policy fault ─ either allows malicious traffic to sneak into the private network ─ or blocks legitimate traffic and disrupts normal business processes  A faulty policy evaluates some packets to unexpected decisions. ─ Such packets are called misclassified packets of a faulty firewall policy  Manually locating and correcting firewall faults are impractical. ─ A firewall may consist of thousands of rules  Automatically correcting firewall faults is an important problem.

7/29 Roadmap  Background ─ Firewalls ─ Firewall policies ─ Firewall policy faults  Technical challenges  Fault model of firewall policies ─ Five types of faults  Problem formalization  Our solution  Experimental results

8/29 Three Key Technical Challenges  It is difficult to determine the number of policy faults and the type of each fault. ─ A set of misclassified packets can be caused by different types of faults and different number of faults.  It is difficult to correct a firewall fault. ─ A firewall policy may consists of a large number of rules. ─ Each rule has a predicate over multi-dimensional fields.  It is difficult to correct a fault without introducing other faults ─ Due to the first match, correcting faults in a firewall rule affects the functionally of all the subsequent rules.

9/29 Roadmap  Background ─ Firewalls ─ Firewall policies ─ Firewall policy faults  Technical challenges  Fault model of firewall policies ─ Five types of faults  Problem formalization  Our solution  Experimental results

10/29 Fault Model of Firewall Policies (1/2)  We propose a fault model that includes five types of faults (1) Wrong order: the order of firewall rules is wrong. Correction technique: Order Fixing (2) Missing rules: some rules are missed in the firewall policy. Correction technique: Rule Addition (3) Wrong predicates: the predicates of some rules are wrong. Correction technique: Predicate Fixing Src IPDst IPSrc PortDst PortProtocolDecision r1r * *25TCPAccept r2r *25*Discard Src IPDst IPSrc PortDst PortProtocolDecision r1r * *25TCPAccept r2r *25*Discard r*r* Src IPDst IPSrc PortDst PortProtocolDecision r1r * *25TCPAccept

11/29 Fault Model of Firewall Policies (2/2) (4) Wrong decisions: the decisions of some rules are wrong. Correction technique: Decision Fixing (5) Wrong extra rules: some rules are not needed in the policy. Correction technique: Rule Deletion Each operation of these five techniques is called a modification. Src IPDst IPSrc PortDst PortProtocolDecision r1r * *25TCPAccept r2r *25*Discard Src IPDst IPSrc PortDst PortProtocolDecision r1r * *25TCPAccept r2r *25*Discard r3r3 *****

12/29 Roadmap  Background ─ Firewalls ─ Firewall policies ─ Firewall policy faults  Technical challenges  Fault model of firewall policies ─ Five types of faults  Problem formalization  Our solution  Experimental results

13/29 Detection of Faulty Firewall Policies  A faulty firewall policy is detected when ─ administrators find that the policy allows some malicious packets or blocks some legitimate packets.  These packets cannot provide enough information about the faults ─ The number of these observed packets is typically small  Bruteforce testing every possible packets needs  How to generate test packets for faulty firewall policies? Faulty Firewall Policy Administrator Malicious Packets Legitimate Packets ×

14/29 Generating Test Packets for Faulty Policies  We employ the automated packet generation techniques in [Hwang et al. 2008] to generate test packets  Administrators identify passed/failed tests automatically or manually According to security requirements for the firewall policy, ─ If the decision of a packet is correct, administrators classify it as a passed test. ─ Otherwise, administrators classify it as a failed test. Faulty Firewall Policy Packet Generation Classify Packets Passed Packets Failed Packets

15/29 Problem Statement  Input: (1) A faulty firewall policy FW (2) A set of passed tests PT, |PT|≥0 (3) A set of failed tests FT, |FT|>0  Output: A sequence of modifications, where M j (1≤j ≤m) denotes one modifition, satisfies the following two conditions: (1) After applying to FW, all tests in PT and FT become passed tests. (2) No other sequence that satisfies the first condition has the smaller number of modifications than m.  This is a global optimization problem and hard to solve because ─ a policy may consist of a large number of rules, and ─ different combinations of modifications can be made.

16/29 Roadmap  Background ─ Firewalls ─ Firewall policies ─ Firewall policy faults  Technical challenges  Fault model of firewall policies ─ Five types of faults  Problem formalization  Our solution  Experimental results

17/29 Automatic Correction of Firewall Policy Faults  We propose a greedy algorithm to address this problem. ─ For each step, we correct one fault in the policy such that |PT| increases. ─ To determine which technique should be used, we try the five correction techniques and then find the one that maximizes |PT|. Faulty Firewall Policy Passed Packets Failed Packets Order Fixing Rule Addition Predicate Fixing Decision Fixing Rule Deletion |Failed Tests|=0 ? Fixed Firewall Policy No Yes

18/29 Running Example r 1 : F 1  [1, 5]  F 2  [1, 10]  a r 2 : F 1  [1, 6]  F 2  [3, 10]  a r 3 : F 1  [6,10]  F 2  [1, 3]  d r 4 : F 1  [7,10]  F 2  [4, 8]  a r 5 : F 1  [1,10]  F 2  [1, 10]  d p 1 : (3, 2)  a p 2 : (5, 7)  a p 3 : (6, 7)  a p 4 : (7, 2)  d p 5 : (8,10)  d p 6 : (6, 3)  d p 7 : (7, 9)  a p 8 : (8, 5)  d A faulty firewall policy A set of passed tests A set of failed tests

19/29 Order Fixing (1/2)  Swapping every two rules is computationally expensive. ─ There are (n-1)(n-2)/2 pairs of rules that can be swapped  We use all-match firewall decision diagrams (all-match FDDs) [Liu et al. 2008] as the core data structure. ─ Any firewall policy can be converted to an equivalent all-match FDD. [1, 5] [7, 10] F1F1 [1, 2] F2F2 F2F2 F2F2 [3, 10] [3,3] [4,10] [1,3] [4,8] [9,10] [6, 6] 1,51,2,53,52,3,52,53,54,55 r 1 : F 1  [1, 5]  F 2  [1, 10]  a r 2 : F 1  [1, 6]  F 2  [3, 10]  a r 3 : F 1  [6,10]  F 2  [1, 3]  d r 4 : F 1  [7,10]  F 2  [4, 8]  a r 5 : F 1  [1,10]  F 2  [1, 10]  d

20/29 Order Fixing (2/2)  All-match FDD has the following nice property. Swapping two rules is equivalent to swapping the sequence numbers of the two rules in the terminal nodes of all-match FDD  For the running example, this technique can find that swapping r 2 and r 3 can increase |PT| by 1 ─ change the failed test (6, 3)  d to a passed test [1, 5] [7, 10] F1F1 [1, 2] F2F2 F2F2 F2F2 [3, 10] [3,3] [4,10] [1,3] [4,8] [9,10] [6, 6] 1,51,2,53,52,3,52,53,54,55 3,2,5 

21/29 Rule Addition  Bruteforce addition for each position is computationally expensive ─ The number of possible rules that can be added for each position is O(2 204 ).  The basic idea of rule addition is that for each position ─ Find all possible failed tests that can be corrected by adding a rule ─ Compute a rule that matches the maximum number of failed tests ● For adding a rule between r 1, r 2, we can compute F 1  [6, 8]  F 2  [3, 5]  d to correct two failed tests p 6 : (6, 3)  d and p 8 : (8, 5)  d. r 1 : F 1  [1, 5]  F 2  [1, 10]  a r 2 : F 1  [1, 6]  F 2  [3, 10]  a r 3 : F 1  [6,10]  F 2  [1, 3]  d r 4 : F 1  [7,10]  F 2  [4, 8]  a r 5 : F 1  [1,10]  F 2  [1, 10]  d p 7 : (7, 9)  a p 6 : (6, 3)  d p 8 : (8, 5)  d p 6 : (6, 3)  d p 7 : (7, 9)  a p 8 : (8, 5)  d p 8 : (8, 5)  d p 7 : (7, 9)  a r * : F 1  [, ]  F 2  [, ]  dec

22/29 Evaluation Setup  We generate faulty firewall policies from 40 real-life policies. ─ Each faulty policy contains one type of fault, and the number of faults ranges from 1 to 5. ─ For each faulty policy, we employed the packet generating technique [Hwang et al. 2008] and then classified them into passed and failed tests ─ We applied our greedy algorithm to produce the fixed policy.  Methodology ─ Difference ratio over FW real, FW faulty, and FW fixed ─ The average number of modifications Real Policy FW real Faulty Policy FW faulty Fixed Policy FW fixed  (FW real, FW faulty )  (FW real, FW fixed )

23/29 Roadmap  Background ─ Firewalls ─ Firewall policies ─ Firewall policy faults  Technical challenges  Fault model of firewall policies ─ Five types of faults  Problem formalization  Our solution  Experimental results

24/29 Effectiveness (1/4)  For wrong decision faults The percentages of fixed policies that are equivalent to their corresponding real-life policies are 73.5%, 68.8%, 63.7%, 59.3%, and 53.8%, respectively.

25/29 Effectiveness (2/4)  For wrong order faults The percentages of fixed policies that are equivalent to their corresponding real-life policies are 69.7%, 64.2%, 59.7%, 54.3%, and 48.9%, respectively.

26/29 Effectiveness (3/4)  For wrong extra rule faults The percentages of fixed policies that are equivalent to their corresponding real-life policies are 68.3%, 63.5%, 59.3%, 53.2%, and 47.3%, respectively.

27/29 Effectiveness (4/4)  In terms the number of modifications The number of modifications of our approach is close to the minimum number.

28/29 Contributions  Propose the first comprehensive fault model for firewall policies  Propose the first systematic approach that can automatically correct all or part of the misclassified packets of a faulty policy.  Conduct extensive experiments on real-life firewall policies to evaluate the effectiveness of our approach.

29/29 Questions Thank you!

30/29 Reference  [Wool 2004] A quantitative study of firewall configuration errors. IEEE Computer 37, 6 (2004), pp. 62–67.  [Wool 2010] Trends in Firewall Configuration Errors: Measuring the Holes in Swiss Cheese. IEEE Internet Computing 14, 4 (2010), pp. 58–65.  [Hwang et al. 2008] Systematic structural testing of firewall policies. In Proceedings of IEEE International Symposium on Reliable Distributed Systems (SRDS) (2008), pp. 105–114.  [Liu et al. 2008] All-match based complete redundancy removal for packet classifiers in TCAMs. In Proceedings of IEEE Conference on Computer Communications (INFOCOM) (2008), pp. 574–582.

31/29 Limitation of Prior Art  A firewall fault localization scheme was proposed [Marmorstein et al. 2007]. ─ Find failed tests that violate the security requirement of a firewall policy ─ Use the failed tests to locate two or three faulty rules in the policy.  Drawbacks ─ Many types of faults cannot be located. For example, wrong order of firewall rules cannot be located. ─ Even if a faulty rule is located, it may not be corrected by just changing the faulty rules. For example, if a firewall policy misses one rule, change existing rules cannot correct the fault. ─ The scheme only were applied to a simple policy with 5 rules, which cannot strongly demonstrate the effectiveness of the scheme.

32/29 Predicate Fixing  The basic idea of predicate fixing is similar to rule addition.  However, there are two major differences. ─ For fixing r i ’s predicate, compute only a rule with the same decision of r i. ─ After fixing r i ’s predicate, the original rule r i does not exist.  Compute a rule that matches the maximum number of failed test ─ The new rule r 2 with accept decision can be computed as F 1  [6, 7]  F 2  [7, 9]  a PT(i+1) a PT(i+1) d FT(i) a * FT(i) d * r 1 : F 1  [1, 5]  F 2  [1, 10]  a p3p3 p 4, p 5 p 1, p 2, p 7 p 6, p 8 r 2 : F 1  [1, 6]  F 2  [3, 10]  a -p 4, p 5 p 3, p 7 p 6, p 8 r 3 : F 1  [6,10]  F 2  [1, 3]  d -p5p5 p7p7 p 4, p 8 r 4 : F 1  [7,10]  F 2  [4, 8]  a -p5p5 p7p7 p8p8

33/29 Decision Fixing  The idea of decision fixing is that for each rule r i ─ Find the passed and failed tests whose first-match rule is r i ● The set of the passed tests for r i can be computed as PT(i)-PT(i+1) ● The set of the passed tests for r i can be computed as FT(i)-FT(i+1) ─ The increased number of passed tests by change the decision of r i is |FT(i)-FT(i+1)| - |PT(i)-PT(i+1)| ● If change r i ’s decision, the passed tests in PT(i)-PT(i+1) become failed tests and the failed tests in FT(i)-FT(i+1) become passed tests. ─ Changing r 4 ’s decision can change the failed test p 8 to a passed test. PT(i)-PT(i+1)FT(i)-FT(i+1) r 2 : F 1  [1, 5]  F 2  [1, 10]  a p 1, p 2 - r 2 : F 1  [1, 6]  F 2  [3, 10]  a p3p3 p6p6 r 3 : F 1  [6,10]  F 2  [1, 3]  d p4p4 - r 4 : F 1  [7,10]  F 2  [4, 8]  a -p8p8

34/29 Rule Deletion  The idea of rule deletion ─ Use all-match FDD to calculate the increased number of passed packets  Deleting r 4 changes p 8 to a passed test. ─ The failed test p 8 matches the first path ─ r 4 and r 5 have different decisions [1, 5] [7, 10] F1F1 [1, 2] F2F2 F2F2 F2F2 [3, 10] [3,3] [4,10] [1,3] [4,8] [9,10] [6, 6] 1,51,2,53,52,3,52,53,54,55