Table of Contents

    17 November 2015, Volume 1 Issue 2
    Security-Development Road of National E-Gov Network in the “Internet +” Era
    Zhou Min
    2015, 1(2):  98-104. 
    Global Parameters Estimated of Measurement-Device-Independent Quantum Key Distribution
    Wang Hong, Ma Zhi, Jiang Haodong, Gao Ming
    2015, 1(2):  105-111. 
    Parameter estimation (the yield and the phase error rate of the single photon) is a major factor that affects the key rate of decoy-state MDI-QKD. This paper investigates parameter estimation in MDI-QKD with a spontaneous parametric down-conversion (SPDC) source using a joint estimation method. Unlike the existing separate estimation method, we derive analytical solutions for the parameters from the equation set of the average count rate and error rate, and then analyze them as a single function that accounts for the relevance between the two parameters. By finding the minimum of the function in the closed interval, a tighter estimation of the secure key rate is obtained. This method provides a new way to increase the performance of the MDI-QKD protocol.
    A C# Source Code SQL Injection Attack Detection Algorithm Based on Abstract Syntax Tree
    Sun Wei, Chen Lin
    2015, 1(2):  112-125. 
    SQL injection attack is ranked first in the OWASP (Open Web Application Security Project) Top 10 Web application security threats in both 2010 and 2013. This paper proposes a static abstract-syntax-tree analysis framework for detecting SQL injections based on matching rules, and implements a C# source-code SQL injection attack detection algorithm. The paper focuses on data flow analysis over the abstract syntax tree, tracing the route by which data is transmitted and detecting SQL vulnerabilities in accordance with predefined rules. It then realizes the injection detection algorithm for C# source code and MSSQL. The detection results show that the algorithm works well for C# source code, but also that false negatives are possible because cross-file and cross-function vulnerabilities are not yet supported. However, the proposed architecture and algorithms can be extended to other programming platforms. Finally, this paper summarizes both SQL injection and its defenses, points out its own shortcomings and outlines prospects for SQL injection research.
    Security Problems and Coping Strategies of Cyberspace in Social Network
    Li Yang, Lv Xin
    2015, 1(2):  126-130. 
    Nowadays, social networks share characteristics such as rapid propagation, large target audiences and wide-ranging influence, and have rapidly become one of the important windows reflecting popular wishes. Meanwhile, social networks also face security problems concerning behavior, information content and structure, which result in Internet fraud, privacy disclosure, rumor propagation and so on, and which affect the safety and prosperity of the public as well as social harmony and stability. Therefore, for cyberspace in social networks, building sound laws, deeply mining public sentiment and strengthening the assessment of the network have important practical significance for using the platform efficiently and maintaining the security of cyberspace in social networks.
    A Physical Security Scheme of Wireless Networks using Matrix Projection
    2015, 1(2):  131-139. 
    Because the physical layer of wireless communication lacks real shell protection, and the broadcast nature of data transmission means that content can be received at the same time by the legitimate listener and by an eavesdropper, the purpose of this study is to exploit wireless radio features as far as possible and improve the security performance of the wireless communication system as a whole, on the premise that the legitimate listener can still receive while the eavesdropper's information acquisition is disrupted; neither condition can be dropped. Most physical-layer security methods rest on one or more hypotheses: some assume that the position of the eavesdropper is limited, others assume a limit on the signal attenuation level. Although these assumptions simplify the analysis, they often cannot be met in practical application, so finding a scheme suited to the general case is imperative, and this is the difficulty of physical-layer security research. Taking the multiple-input multiple-output (MIMO) system as the research basis, this paper improves security by adding artificial noise, combines this with matrix projection from matrix theory to realize the basic noise power allocation, and completes the relevant simulation calculations, with the aim of improving the physical-layer security of wireless networks.
    A PHP Source-code SQL Injection Attack Detection Algorithm Based on Taint Tracking
    Zhang Bingqi, Sun Wei
    2015, 1(2):  140-148. 
    The concept of “SQL injection” has been known for more than 10 years; however, SQL injection attack was still rated the number one attack by the Open Web Application Security Project (OWASP) in 2013. With the rapid development of dynamic Web applications, PHP has become popular because it is fast, reliable and can be combined with many different types of RDBMS, and it is also a cheap option for developing and hosting applications on the Web. PHP is a powerful language that can access files, execute commands and open network connections on the server. However, these properties also make anything that runs on a Web server insecure by default. As there are several ways of using PHP, there are many configuration options controlling its behavior. A large selection of options guarantees that PHP can be used for many purposes. With proper runtime configuration options and coding practices, PHP can provide the right combination of freedom and security. This paper considers the security risks related to the PHP programming language and describes different situations that lead to website vulnerabilities. It also proposes a static lexical analysis framework for detecting SQL injections based on matching rules, and implements a PHP source-code SQL injection attack detection algorithm. The experiments demonstrate that the algorithm is effective, and that it can also be extended to detect other “taint-style” Web vulnerabilities.
    Discipline Construction and Talents Training of Cyberspace Security
    Li Jianhua, Qiu Weidong, Meng Kui, Wu Jun
    2015, 1(2):  149-154. 
    In June 2015, “Cyberspace Security” was promoted to a national First-level Discipline; before that, Information Security had been founded as a specialty in 2001. This promotion not only benefits the training of Information Security talent but also sets higher demands for discipline construction. It is time to analyze and discuss the issues related to cyberspace security discipline construction and talent training. Although proposed as a new concept, cyberspace security has drawn great attention worldwide in recent years, in the United States as well as in China. There are broad requirements for cyberspace security talent, spanning national defense security, national key infrastructure security, national important information system security, national public security management services and the domestic information security industry. Statistics show a huge gap between the supply of and demand for cyberspace security talent in recent years. Since the Information Security specialty was founded more than a decade ago, some valuable experience has been accumulated. Based on these analyses, suggestions for the discipline construction and talent training mode of cyberspace security are proposed, including clarifying the training goals of different talent levels, constructing hierarchical and practical training environments, and building a fine-grained professional teaching quality evaluation system.
    The Reflection of Legal Position and Content of Critical Infrastructure Protection Legislation in China
    Zhang Min
    2015, 1(2):  163-169. 
    Critical infrastructure information security is the precondition of national security and the normal operation of society. It also ensures the civic right to life and development. The paper proposes the concept of critical infrastructure and the standard for identifying it, and tries to elucidate the relationship between critical infrastructure protection legislation and the National Security Law, the Network Security Law (Draft) and the hierarchical protection system; it then proposes the legal position of critical infrastructure protection legislation, namely a security safeguard law. China's critical infrastructure protection legislation should focus on information security safeguarding, and its contents should include not only information security risk prevention and control, but also the promotion of technical, organizational and law-enforcement safeguarding capabilities and international cooperation on critical infrastructure protection.
    Building Method and Implementation of Cloud Authentication Service in the Autonomous Controllable Network Space
    Li Xiaolin, Liao Limin
    2015, 1(2):  170-180. 
    Identity authentication is the first threshold for ensuring the overall safety of the network architecture space. With the rapid popularity of the Internet, and especially of the mobile Internet and other new application forms, the technical requirements for network authentication and the corresponding application research and development show strong and diverse momentum. Mobile-platform-based, service-oriented, technology-integrated and adaptive authentication technology and service models are the new direction of research and development in the field of identity authentication. Through specific case studies and analysis, this paper introduces the architecture, service mode and application characteristics of a cloud platform based on independently controllable authentication technology. The case provides a reference for the construction and application of authentication platforms for the Internet Plus industry. Network identity authentication is the foundation of network space safety. It is necessary to vigorously support and develop network space identity authentication technology with independent intellectual property rights, and to promote its application in various industries with the help of the Internet Plus strategy.
    Cloud Platform Accountability and Retrospect Technology Based on Security Label
    2015, 1(2):  181-186. 
    In order to achieve an accountability system for a cloud platform, retrospect is the primary technical method. Recalling the complete trajectory of a security event over a given period can be achieved through the ability to trigger and record operations during that period. To tackle the challenges of business transparency in cloud system retrospect, the paper reviews the transparency, efficiency and cost for the enterprise. It describes a general retrospect technology based on security labels and establishes an accurate and efficient retrospect technology prototype.
    Facing the Pains, and Seeking Win-Win Solutions-Working Together to Build a New Cyberspace Order in the 21st Century
    Hao Yeli
    2015, 1(2):  187-192. 
    Brief Introduction to Information Security in Air Traffic Management
    Wu Zhijun, Hu Taotao
    2015, 1(2):  155-162. 
    Air traffic management (ATM) plays a crucial role in ensuring the safe operation of the air transportation system and national airspace. ATM is a network-centralized intelligent system with a high degree of information integration, which makes it vulnerable to threats and attacks. This paper explores and analyzes potential system vulnerabilities and security risks in the ATM system, especially in aeronautical communication, navigation, surveillance, automation and the airborne aeronautical communication network, and gives specific examples. Finally, security recommendations on ATM information assurance are presented so that protective measures can be taken to guarantee the security of ATM operation.