Web项目中的SQL注入问题研究与防范方法

基于B/S模式的网络服务构架技术的应用被普遍采用,许多该类型的应用程序在设计与开发时没有充分考虑到数据合法性校验问题,因此使其在应用中存在安全隐患.在横向比较SQL注入攻击模式的基础之上,分析了SQL注入攻击的特点、原理,并对常用注入途径进行了总结.提出在主动式防范模型的基础上,使用输入验证,sQLserver防御以及使用存储过程替代参数化查询相结合的形式构建出一种有效防范SQL注入攻击的思路和方法.测试结果表明该防范模型具有较高的实用性和安全性.     

基于Cisco网络平台的安全EIGRP路由配置

互联网络中的路由安全是网络安全的核心内容,路由器被攻击会导致整个网络的瘫痪,其破坏影响远远大于对单台计算机或服务的攻击。EIGRP是Cisco公司的一种专有路由协议,广泛应用于大中型的园区网络。介绍了EIGRP路由协议的特点,分析了针对EIGRP路由可能的路由攻击方式。以Cisco3640路由器为背景,进行了安全的EIGRP路由验证配置,使用DynamipsGU12．8软件对配置进行了验证,结果表明,为EIGRP配置验证能够有效地防止路由攻击。     

An Achilles heel: denial of service attacks on Australian critical information infrastructures

Critical, or national, information infrastructure protection, referred to as either CIIP or NIIP, has been highlighted as a critical factor in overall national security by the United States, the United Kingdom, India and the European Community. As nations move inexorably towards so-called ‘digital economies’, critical infrastructure depends on information systems to process, transfer, store and exchange information through the Internet. Electronic attacks such as denial of service attacks on critical information infrastructures challenge the law and raise concerns. A myriad of issues potentially plague the protection of critical information infrastructures owing to the lack of legal regulation aimed at ensuring the protection of critical information infrastructures. This paper will highlight the legal concerns that relate to the denial of service attacks on critical information infrastructures and provide an introductory overview of the law as it relates to CIIP in Australia.     

网络编码中ACK类攻击的防御研究

近年来,网络编码以其巧妙的思想展现出生机勃勃的应用前景,但是安全问题一直是其在网络中大规模应用的最大障碍.本文分析了网络编码中存在的特有的ACK类攻击,给出了针对该类攻击的基于典型集和哈希函数以及马尔可夫模型的防御方法,并利用数据挖掘的方法获得了典型集的元素组成,同时分析了TCP流中ACK状态数的分布,展望了网络编码的发展方向.     

Ring signature scheme based on multivariate public key cryptosystems

The ring signature scheme is an important cryptographic primitive that enables a user to sign a message on behalf of a group in authentic and anonymous way, i.e. the recipient of the message is convinced that the message is valid and it comes from one of the group members, but does not know who the actual signer is. Currently, all the existing ring signatures are based on traditional cryptosystems. However, the rapid advances in the field of quantum computing indicate a growing threat to traditional cryptosystems. Multivariate public key cryptosystems (MPKCs) is one of the promising alternatives which may resist future quantum computing attacks. In this work, we propose a novel ring signature scheme based on multivariate polynomials with the security model for the first time. Our ring signature scheme has a great advantage in efficiency compared to many existing ring signature schemes, and currently it seems to be immune to quantum computing attacks.     

非超递增序列背包加密算法研究

为了提高背包加密体制的安全性,对基于超递增序列的背包加密算法进行了分析,指出了利用非超递增序列构造背包所存在的难题,提出一种无冲突非超递增序列的构造方法,并给出严格的证明。依据该方法提出了一种基于无冲突非超递增序列的背包公钥加密算法,有效地避免了利用非超递增序列构造背包的过程中出现的难题。理论分析和仿真实验结果表明,该算法具有高的安全性能,在抵抗Shamir攻击和低密度攻击方面都具有良好的性能。     

Optimal correlation attack on the multiplexer generator

The security of the well-known multiplexer generator with respect to correlation attacks on the data shift register is investigated. Apart from the basic correlation attack exploiting the bitwise correlation between the output sequence and any data input sequence, two new correlation attacks are introduced. One is based on computing the a posteriori probabilities and is statistically optimal, whereas the other makes use of the accumulated bitwise correlation to all data input sequences. It is theoretically argued and experimentally confirmed that the optimal attack requires a significantly shorter output sequence to be successful than the basic attack. The experiments also show that the less complex accumulated correlation attack requires a somewhat longer output sequence than the optimal attack.     

Secure network coding for wireless mesh networks: Threats, challenges, and directions

In recent years, network coding has emerged as a new communication paradigm that can significantly improve the efficiency of network protocols by requiring intermediate nodes to mix packets before forwarding them. Recently, several real-world systems have been proposed to leverage network coding in wireless networks. Although the theoretical foundations of network coding are well understood, a real-world system needs to solve a plethora of practical aspects before network coding can meet its promised potential. These practical design choices expose network coding systems to a wide range of attacks.We identify two general frameworks (inter-flow and intra-flow) that encompass several network coding-based systems proposed in wireless networks. Our systematic analysis of the components of these frameworks reveals vulnerabilities to a wide range of attacks, which may severely degrade system performance. Then, we identify security goals and design challenges in achieving security for network coding systems. Adequate understanding of both the threats and challenges is essential to effectively design secure practical network coding systems. Our paper should be viewed as a cautionary note pointing out the frailty of current network coding-based wireless systems and a general guideline in the effort of achieving security for network coding systems.     

Utilizing bloom filters for detecting flooding attacks against SIP based services

Any application or service utilizing the Internet is exposed to both general Internet attacks and other specific ones. Most of the times the latter are exploiting a vulnerability or misconfiguration in the provided service and/or in the utilized protocol itself. Consequently, the employment of critical services, like Voice over IP (VoIP) services, over the Internet is vulnerable to such attacks and, on top of that, they offer a field for new attacks or variations of existing ones. Among the various threats–attacks that a service provider should consider are the flooding attacks, at the signaling level, which are very similar to those against TCP servers but have emerged at the application level of the Internet architecture. This paper examines flooding attacks against VoIP architectures that employ the Session Initiation Protocol (SIP) as their signaling protocol. The focus is on the design and implementation of the appropriate detection method. Specifically, a bloom filter based monitor is presented and a new metric, named session distance, is introduced in order to provide an effective protection scheme against flooding attacks. The proposed scheme is evaluated through experimental test bed architecture under different scenarios. The results of the evaluation demonstrate that the required time to detect such an attack is negligible and also that the number of false alarms is close to zero.     

RSA公钥密码算法的计时攻击与防御

计时攻击根据密码算法在密码设备中运行时的执行时间差异,分析和判断密码算法的各种有效信息,是最具威胁的旁路攻击方式之一。该文研究RSA加密算法和计时攻击的原理,分析RSA解密过程,阐述针对基于模幂算法的RSA计时攻击的原理,讨论如何抵御该计时攻击。