Data-mining based SQL injection attack detection using internal query trees

Detecting SQL injection attacks (SQLIAs) is becoming increasingly important in database-driven web sites. Until now, most of the studies on SQLIA detection have focused on the structured query language (SQL) structure at the application level. Unfortunately, this approach inevitably fails to detect those attacks that use already stored procedure and data within the database system. In this paper, we propose a framework to detect SQLIAs at database level by using SVM classification and various kernel functions. The key issue of SQLIA detection framework is how to represent the internal query tree collected from database log suitable for SVM classification algorithm in order to acquire good performance in detecting SQLIAs. To solve the issue, we first propose a novel method to convert the query tree into an n-dimensional feature vector by using a multi-dimensional sequence as an intermediate representation. The reason that it is difficult to directly convert the query tree into an n-dimensional feature vector is the complexity and variability of the query tree structure. Second, we propose a method to extract the syntactic features, as well as the semantic features when generating feature vector. Third, we propose a method to transform string feature values into numeric feature values, combining multiple statistical models. The combined model maps one string value to one numeric value by containing the multiple characteristic of each string value. In order to demonstrate the feasibility of our proposals in practical environments, we implement the SQLIA detection system based on PostgreSQL, a popular open source database system, and we perform experiments. The experimental results using the internal query trees of PostgreSQL validate that our proposal is effective in detecting SQLIAs, with at least 99.6% of the probability that the probability for malicious queries to be correctly predicted as SQLIA is greater than the probability for normal queries to be incorrectly predicted as SQLIA. Finally, we perform additional experiments to compare our proposal with syntax-focused feature extraction and single statistical model based on feature transformation. The experimental results show that our proposal significantly increases the probability of correctly detecting SQLIAs for various SQL statements, when compared to the previous methods.     

基于FPGA实现AES的侧信道碰撞攻击

为了解决攻击点在能量迹中具体位置的识别问题,在对侧信道碰撞攻击技术研究的基础上,提出了通过计算能量迹中每个采样点的方差来识别攻击点的方差检查技术。并利用基于相关系数的碰撞检测方法,对一种AES的FPGA实现实施了攻击。实验结果表明,方差检查技术可以有效地识别攻击点在能量迹中的具体位置。     

A genetic tango attack against the David–Prasad RFID ultra‐lightweight authentication protocol

Radio frequency identification (RFID) is a powerful technology that enables wireless information storage and control in an economical way. These properties have generated a wide range of applications in different areas. Due to economic and technological constrains, RFID devices are seriously limited, having small or even tiny computational capabilities. This issue is particularly challenging from the security point of view. Security protocols in RFID environments have to deal with strong computational limitations, and classical protocols cannot be used in this context. There have been several attempts to overcome these limitations in the form of new lightweight security protocols designed to be used in very constrained (sometimes called ultra‐lightweight) RFID environments. One of these proposals is the David–Prasad ultra‐lightweight authentication protocol. This protocol was successfully attacked using a cryptanalysis technique named Tango attack. The capacity of the attack depends on a set of boolean approximations. In this paper, we present an enhanced version of the Tango attack, named Genetic Tango attack, that uses Genetic Programming to design those approximations, easing the generation of automatic cryptanalysis and improving its power compared to a manually designed attack. Experimental results are given to illustrate the effectiveness of this new attack.     

解决组合公钥共谋攻击和密钥碰撞的新方法

以解决组合公钥体制中共谋攻击和密钥碰撞问题为目的。首先,针对线性共谋攻击,提出了一种新的构造种子矩阵的方法,使得种子密钥和大于基点加法群的阶数,从而使密钥之间不能相互线性表示。其次在密钥的生产过程中,引入系数破坏了层不同和层互斥不同的关系,为解决选择共谋攻击提供了一种有效的方法,同时增强了抵御随机共谋攻击的能力。最后,在密钥产生的流程中,通过公钥对比来避免密钥碰撞,为解决密钥碰撞问题提出了一种新方法。     

Analysis of impersonation attacks on systems using RF fingerprinting and low-end receivers

Recently, physical layer security commonly known as Radio Frequency (RF) fingerprinting has been proposed to provide an additional layer of security for wireless devices. A unique RF fingerprint can be used to establish the identity of a specific wireless device in order to prevent masquerading/impersonation attacks. In the literature, the performance of RF fingerprinting techniques is typically assessed using high-end (expensive) receiver hardware. However, in most practical situations receivers will not be high-end and will suffer from device specific impairments which affect the RF fingerprinting process. This paper evaluates the accuracy of RF fingerprinting employing low-end receivers. The vulnerability to an impersonation attack is assessed for a modulation-based RF fingerprinting system employing low-end commodity hardware (by legitimate and malicious users alike). Our results suggest that receiver impairment effectively decreases the success rate of impersonation attack on RF fingerprinting. In addition, the success rate of impersonation attack is receiver dependent.     

清洁镀铬用紫色硫酸铬

紫色硫酸铬是一种新型清洁镀铬（Cr^3 镀铬）的原料，在镀铬中显示了优良的性能，特别是镀液无需预电解处理亦能得到满意镀层这一实验结论，使清洁镀铬工艺实现工业生产又向前迈进了一步，介绍了它的制法，技术要求，物相分析及使用效果。     

基于中位数的用户信誉度排名算法

针对推荐系统易受Spammer攻击的影响,从而导致对象的实际得分不准确的问题,提出基于中位数的用户信誉度排名算法。通过衡量用户信誉度调整用户打分权重,根据中位数具有不易受极端打分影响的特性,选取用户打分与对象得分差距的中位数作为降低用户信誉度的标准,不断迭代调整用户信誉度以及最终得分直至收敛。在多个真实数据集上的运行结果证明,相比现有排名算法,该算法具有更合理的信誉度分布和更高的排名结果准确度,通过该算法预处理后的数据集在SVD++上运行可以得到更低的均方根误差。     

基于椭圆曲线的RFID协议的安全分析

Matinez等人已经提出了一种只依赖于椭圆曲线密码和零知识认证模式的无线射频认证协议. 本文中,我们指出该协议不能抵抗去同步化攻击. 攻击者只需拦截最后服务器发给标签的确认消息,就会导致后台服务器和标签存储的共享秘钥不一致. 对此,我们提出了修正方案,并证明了修订后的协议可以抵抗去同步化攻击.     

Fate of nitrogen fertilizer applied to lowland rice on a Sulfic Tropaquept

A field experiment was conducted on an acid sulfate soil in Thailand to determine the effect of N fertilization practices on the fate of fertilizer-N and yield of lowland rice (Oryza sativa L.). A delayed broadcast application of ammonium phosphate sulfate (16-20-0) or urea was compared with basal incorporation of urea, deep placement of urea as urea supergranules (USG), and amendment of urea with a urease inhibitor. Deep placement of urea as USG significantly reduced floodwater urea- and ammoniacal-N concentrations following N application but did not reduce N loss, as determined from an¹⁵N balance, in this experiment where runoff loss was prevented. The urease inhibitor, phenyl phosphorodiamidate (PPD), had little effect on floodwater urea- and ammoniacal-N, and it did not reduce N loss. The floodwater pH never exceeded 4.5 in the 7 days following the first N applications, and application of 16-20-0 reduced floodwater pH by 0.1 to 0.3 units below the no-N control. The low floodwater pH indicated that ammonia volatilization was unimportant for all the N fertilization practices. Floodwater ammoniacal-N concentrations following application of urea or 16-20-0 were greater on this Sulfic Tropaquept than on an Andaqueptic Haplaquoll with near neutral pH and alkaline floodwater. The prolonged, high floodwater N concentrations on this Sulfic Tropaquept suggested that runoff loss of applied N might be a potentially serious problem when heavy rainfall or poor water control follow N fertilization. The unaccounted-for¹⁵N in the¹⁵N balances, which presumably represented gaseous N losses, ranged from 20 to 26% of the applied N and was unaffected by urea fertilization practice. Grain yield and N uptake were significantly increased with applied N, but grain yield was not significantly affected by urea fertilization practice. Yield was significantly lower (P = 0.05) for 16-20-0 than for urea; however, this difference in yield might be due to later application of P and hence delayed availability of P in the 16-20-0 treatment.     

社会网络的隐私保护研究综述*

某些网站将匿名处理后的社会网络数据公开发布,或者提供给科研机构、大学或者其他组织和个人使用,而这些数据往往侵犯了用户的隐私,但有关社会网络中个人信息安全和隐私保护的研究却处于起步阶段。综述了当前在线社会网络的研究成果,主要就社会网络及其隐私漏洞、信息泄露、再识别攻击、聚集攻击、推理攻击等进行了分析,并对今后的发展提出了预测,为社会网络的科研指出了可行的研究方向。