Abstract: A method of monitoring network traffic in a communication network with a sentinel module to detect malicious activity is described. A gateway sentinel module receives network traffic directed through a gateway installed for a local distribution of the network, the gateway connecting the local distribution of the network to a core of the network. Malicious activity in the local distribution is detected based on a combination of: a local machine-learning model for identifying malicious activity in the local distribution, the local machine-learning model modelling network traffic from the local distribution; and a global machine-learning model. The global machine-learning model models network traffic from a plurality of local distributions of the network based training data from a plurality of local sentinel modules executed on a respective plurality of computing nodes. The computing nodes respectively receive network traffic from the plurality of location distributions.

Abstract: A visualization device is communicable with one or a plurality of host servers for hosting a virtual system, and comprises an information acquisition unit for collecting configuration information on the virtual system and the host server, a storage unit for storing the configuration information therein, and a drawing unit for expressing a virtual machine and a virtual network configuring the virtual system with different axes based on the configuration information stored in the storage unit, expressing a connection relationship between a virtual machine and a virtual network by linking the lines extending from the respective axes, and grouping virtual machines in units of server on which the virtual machines operate thereby to generate drawing information for expressing the configuration of the virtual system and the host server.

Abstract: A visualization device is communicable with one or a plurality of host servers for hosting a virtual system, and includes an information acquisition unit for collecting configuration information on the virtual system and the host server, a storage unit for storing the configuration information therein, and a drawing unit for expressing a virtual machine and a virtual network configuring the virtual system with different axes based on the configuration information stored in the storage unit, expressing a connection relationship between a virtual machine and a virtual network by linking the lines extending from the respective axes, and grouping virtual machines in units of server on which the virtual machines operate thereby to generate drawing information for expressing the configuration of the virtual system and the host server.

Abstract: A method of monitoring network traffic in a communication network with a sentinel module to detect malicious activity is described. A gateway sentinel module receives network traffic directed through a gateway installed for a local distribution of the network, the gateway connecting the local distribution of the network to a core of the network. Malicious activity in the local distribution is detected based on a combination of: a local machine-learning model for identifying malicious activity in the local distribution, the local machine-learning model modelling network traffic from the local distribution; and a global machine-learning model. The global machine-learning model models network traffic from a plurality of local distributions of the network based training data from a plurality of local sentinel modules executed on a respective plurality of computing nodes. The computing nodes respectively receive network traffic from the plurality of location distributions.

Abstract: A communication system includes: a control apparatus setting control information in a forwarding node(s); a forwarding node(s); and an access control apparatus. The forwarding node(s) forwards packets by using first control information set by the control apparatus and second control information for forwarding packets that do not match a matching condition(s) in the first control information set by the control apparatus from a predetermined port of the forwarding node(s). The access control apparatus includes a determination unit determining whether to generate control information for the packets forwarded from the predetermined port of the forwarding node(s) and requesting the control apparatus to generate control information.

Abstract: A communication system includes a communication apparatus configured to process a packet, and a controller configured to set the communication apparatus for processing a packet. The controller includes a memory storing instructions, and a processor configured to execute program instructions to determine a forwarding path for a packet addressed to a virtual machine based on an access rule indicating connectivity between virtual machines in accordance with an arrangement of the virtual machine, and set the communication apparatus for processing the packet.

Abstract: A visualization device is communicable with one or a plurality of host servers for hosting a virtual system, and includes an information acquisition unit for collecting configuration information on the virtual system and the host server, a storage unit for storing the configuration information therein, and a drawing unit for expressing a virtual machine and a virtual network configuring the virtual system with different axes based on the configuration information stored in the storage unit, expressing a connection relationship between a virtual machine and a virtual network by linking the lines extending from the respective axes, and grouping virtual machines in units of server on which the virtual machines operate thereby to generate drawing information for expressing the configuration of the virtual system and the host server.

Abstract: A communication system, includes: a node that requests a processing rule for processing a packet; and a control apparatus that notifies the node of the processing rule in response to the request. The control apparatus, upon being notified of change of a connection relationship between a communication apparatus to which a packet is addressed and the node, determines a forwarding path for a packet addressed to the communication apparatus and notifies the node of a processing rule for realizing the forwarding path.

Abstract: A terminal communicating with a network including a forwarding device for forwarding a packet and a control device for controlling the forwarding device in accordance with a request from the forwarding device, includes a communication unit that receives a processing rule indicating that a packet for communicating with a first destination is changed so as to communicate with a second destination, from the control device, a storage unit that stores the received processing rule, and a processing unit that in a case of communicating with the network, changes a destination of a packet in accordance with a processing rule that corresponds to the packet by referring to the processing rule stored in the storage unit.

Abstract: A visualization device is communicable with one or a plurality of host servers for hosting a virtual system, and includes an information acquisition unit for collecting configuration information on the virtual system and the host server, a storage unit for storing the configuration information therein, and a drawing unit for expressing a virtual machine and a virtual network configuring the virtual system with different axes based on the configuration information stored in the storage unit, expressing a connection relationship between a virtual machine and a virtual network by linking the lines extending from the respective axes, and grouping virtual machines in units of server on which the virtual machines operate thereby to generate drawing information for expressing the configuration of the virtual system and the host server.

Abstract: A communication terminal comprises: first means that communicates with a network system that includes a forwarding apparatus forwarding a packet and a control apparatus informing the forwarding apparatus of a processing rule prescribing a packet processing method; second means that determines a processing operation to be executed by the network system from among packet processing operations to be executed by the communication terminal; and third means that informs the forwarding apparatus of a processing rule corresponding to the determined packet processing operation.

Abstract: In a filtering setting support device, a logical/physical mapping section generates mapping information that represents a path on the layout of a network by a combination of start nodes and end nodes, the path being, for each flow identifier, from a transmission source node to a destination node, based on node physical layout information and access policy information. The access policy information manages flow information including a combination of transmission source node and destination node, by attaching a flow identifier. A filtering point analysis section specifies as a filtering point a node where a plurality of flows are co-present. A common formal rule generating section generates common formal rules that are to be set at the filtering point. A common formal rule output section presents common formal rules to a network administrator.

Abstract: A project managing unit 11 authenticates users of virtual machines 24-1 to 24-N and specifies a project to which the users belong. A key managing unit 12 distributes an encryption key, which is assigned in advance to the project specified by the project managing unit 11, to encryption processing units 232-1 to 232-N of virtualizing units 23-1 to 23-N. Input/output monitoring units 231-1 to 231-N of the virtualizing units 23-1 to 23-N receive input/output data generated between the virtual machines 24-1 to 24-N and devices 22-1 to 22-N, and deliver the data to the encryption processing units 232-1 to 232-N. The encryption processing units 232-1 to 232-N encrypt output (write) data and decrypt input (read) data by using the distributed encryption key.

Abstract: A route request mediation apparatus comprises a resource management unit that manages a resource of a network to be managed; a request receiving unit that receives a route request with an added service level condition from a user or another route request mediation apparatus; a negotiation status management unit that forwards the route request to a destination specified by the route request, and manages a negotiation status based on a response from the destination; an acceptance assessment unit that assesses whether or not to accept the route request by referring to the negotiation status managed by the negotiation status management unit and to the resource management unit; and a response sending unit that responds with an assessment result that indicates whether or not the route request is accepted to the request source of the route request.

Abstract: A communication system includes: a forwarding node(s) in which a first packet handling operation(s) for processing incoming packets is set and which processes packets in accordance with the packet handling operation(s); a first control apparatus setting the first packet handling operation(s) in the forwarding node(s); a flow control node(s) arranged upstream of the forwarding node(s); and a second control apparatus setting a second packet handling operation(s) in the flow control node(s). The flow control node(s) intercepts forwarding of packets that do not satisfy a predetermined condition(s) to the forwarding node(s) in accordance with the second packet handling operation(s).

Abstract: A communication system includes: a control apparatus setting control information in a forwarding node(s); a forwarding node(s); and an access control apparatus. The forwarding node(s) forwards packets by using first control information set by the control apparatus and second control information for forwarding packets that do not match a matching condition(s) in the first control information set by the control apparatus from a predetermined port of the forwarding node(s). The access control apparatus includes a determination unit determining whether to generate control information for the packets forwarded from the predetermined port of the forwarding node(s) and requesting the control apparatus to generate control information.

Abstract: A terminal communicating via a network including a forwarding device(s) for forwarding a packet and a control device for controlling the forwarding device(s) in accordance with a request from the forwarding device, includes: a communication unit that receives a processing rule specifying a process of adding, to a packet, quality information related to communication quality with respect to the terminal, from the control device, a memory unit that stores the received processing rule, and a processing unit that in a case of communicating via the network, adds quality information to a packet in accordance with a processing rule that corresponds to the packet by referring to the processing rule stored in the memory unit.

Abstract: A communication system includes a control device; a forwarding node that processes, in accordance with a processing rule set by control device, a packet transmitted from a user terminal; and a policy management device that manages communication policy and notifies the control device of communication policy that corresponds to a user for whom authentication has succeeded; a setting request transmission permitting unit that, based on notification from the policy management device, sets to a forwarding node that receives a packet from the user terminal a first processing rule causing the forwarding node to make a setting request of processing rule with regard to a packet transmitted from the user terminal; and a path control unit that determines path from user terminal to access destination and sets to forwarding node along the path the second processing rule that corresponds to the path.

Abstract: A terminal communicating with a network including a forwarding device for forwarding a packet and a control device for controlling the forwarding device in accordance with a request from the forwarding device, includes: a communication unit that receives a processing rule specifying a method of processing the packet, which is determined by the control device, from the control device, a storage unit that stores the received processing rule, and a processing unit that in a case of communicating with the network, processes the packet in accordance with the processing rule that corresponds to the packet by referring to the processing rule stored in the storage unit.

Abstract: A terminal communicating with a network including a forwarding device for forwarding a packet and a control device for controlling the forwarding device in accordance with a request from the forwarding device, includes a communication unit that receives a processing rule indicating that a packet for communicating with a first destination is changed so as to communicate with a second destination, from the control device, a storage unit that stores the received processing rule, and a processing unit that in a case of communicating with the network, changes a destination of a packet in accordance with a processing rule that corresponds to the packet by referring to the processing rule stored in the storage unit.