Patents by Inventor Masayuki Nakae

Masayuki Nakae has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 8681803
    Abstract: Authentication apparatus authenticates user using host connected to forwarding node. Policy management apparatus holds access control policy for identifying host under access control using identifier of forwarding node or identifier of user, and links identifier of host under access control and identifier of forwarding node to which host is connected, or identifier of host under access control and identifier of user using host. Forwarding node transmits to policy management apparatus identifier of host connected to own forwarding node and identifier of own forwarding node. Authentication apparatus transmits to policy management apparatus identifier of host connected to forwarding node and identifier of user. Policy management apparatus refers to access control policy and, if host connected to forwarding node is under access control, notifies content of access control to control apparatus as access control list.
    Type: Grant
    Filed: September 14, 2012
    Date of Patent: March 25, 2014
    Assignee: NEC Corporation
    Inventors: Yoichiro Morita, Masayuki Nakae, Masaya Yamagata, Takayuki Sasaki, Hideyuki Shimonishi, Kentaro Sonoda, Yoichi Hatano
  • Publication number: 20140079070
    Abstract: A terminal communicating with a network including a forwarding device for forwarding a packet and a control device for controlling the forwarding device in accordance with a request from the forwarding device, includes: a communication unit that receives a processing rule specifying a method of processing the packet, which is determined by the control device, from the control device, a storage unit that stores the received processing rule, and a processing unit that in a case of communicating with the network, processes the packet in accordance with the processing rule that corresponds to the packet by referring to the processing rule stored in the storage unit.
    Type: Application
    Filed: April 17, 2012
    Publication date: March 20, 2014
    Applicant: NEC Corporation
    Inventors: Kentaro Sonoda, Hideyuki Shimonishi, Masayuki Nakae, Masaya Yamagata, Yoichiro Morita
  • Publication number: 20140075510
    Abstract: A communication system includes an information acquisition unit that acquires information for determining an isolation level to which a user terminal belongs, from the user terminal; an isolation level determination unit that determines an isolation level to which the user terminal belongs, based on the acquired information; an isolation level information storage unit that defines whether or not access is possible to respective access destinations for each isolation level; an access control unit that causes a forwarding node(s) to implement forwarding or dropping of a packet, in accordance with whether or not access is possible to the respective access destinations; and a forwarding node(s) that forwards a packet in accordance with control of the access control unit. Stepwise access control is realized using isolation levels.
    Type: Application
    Filed: May 22, 2012
    Publication date: March 13, 2014
    Applicant: NEC Corporation
    Inventors: Kentaro Sonoda, Hideyuki Shimonishi, Masayuki Nakae, Masaya Yamagata, Yoichiro Morita
  • Patent number: 8656161
    Abstract: An information sharing system manages computing resources such as files and processes by virtually assigning them to a compartment that is a unique area identified by a group ID. As the information sharing system detects a file input event of an object by using the compartment, it authorizes only referring to files belonging to the same compartment or a lower order compartment. Additionally, as the information sharing system detects a file output event of an object, it allows files to be arranged within only the same compartment. By doing so, it is possible for remotely located users of a user group to share confidential information within the group and at the same time also share information ordinarily and more broadly.
    Type: Grant
    Filed: November 30, 2005
    Date of Patent: February 18, 2014
    Assignee: NEC Corporation
    Inventor: Masayuki Nakae
  • Publication number: 20130329738
    Abstract: A communication system comprises: a plurality of forwarding nodes each of which processes an incoming packet in accordance with a packet handling operation; a data base which stores a first table for determining a role of a user of a source node from information about the source node and a second table for defining an accessible or inaccessible resource for each role and which transmits a response about a resource accessible or inaccessible by the user of the source node in response to a request from a control apparatus; and a control apparatus which uses, when receiving a request for setting the processing rule from any one of the forwarding nodes, information about the source node included in the request for setting the processing rule, querying the data base for a resource accessible or inaccessible by the user of the source node, creating the processing rule based on the response from the data base, and setting the processing rule in the forwarding node.
    Type: Application
    Filed: February 20, 2012
    Publication date: December 12, 2013
    Applicant: NEC CORPORATION
    Inventors: Masaya Yamagata, Masayuki Nakae, Yoichiro Morita, Hideyuki Shimonishi, Kentaro Sonoda
  • Publication number: 20130322257
    Abstract: A communication system includes a control device; a forwarding node that processes, in accordance with a processing rule set by control device, a packet transmitted from a user terminal; and a policy management device that manages communication policy and notifies the control device of communication policy that corresponds to a user for whom authentication has succeeded; a setting request transmission permitting unit that, based on notification from the policy management device, sets to a forwarding node that receives a packet from the user terminal a first processing rule causing the forwarding node to make a setting request of processing rule with regard to a packet transmitted from the user terminal; and a path control unit that determines path from user terminal to access destination and sets to forwarding node along the path the second processing rule that corresponds to the path.
    Type: Application
    Filed: August 30, 2011
    Publication date: December 5, 2013
    Applicant: NEC Corporation
    Inventors: Hideyuki Shimonishi, Kentaro Sonoda, Masayuki Nakae, Masaya Yamagata, Yoichiro Morita
  • Publication number: 20130275620
    Abstract: A communication system comprises: a plurality of forwarding nodes processing an incoming packet in accordance with a processing rule (packet handling operation) in which a matching rule for determining a packet to be processed and a processing content applied to a packet matching the matching rule are associated with each other; an address management apparatus giving an address to a host; and a control apparatus first setting a first processing rule for realizing communication between the host and the address management apparatus in a forwarding node between the host and the address management apparatus and thereafter setting a second processing rule for realizing communication between a host given an address by the address management apparatus and a predetermined network resource.
    Type: Application
    Filed: April 20, 2012
    Publication date: October 17, 2013
    Applicant: NEC CORPORATION
    Inventors: Yoichiro Morita, Masayuki Nakae, Masaya Yamagata, Hideyuki Shimonishi, Kentaro Sonoda
  • Publication number: 20130263214
    Abstract: The present invention implements detailed access control according to access rights granted to users, by a simple configuration.
    Type: Application
    Filed: December 22, 2011
    Publication date: October 3, 2013
    Applicant: NEC CORPORATION
    Inventors: Masaya Yamagata, Masayuki Nakae, Yoichiro Morita, Hideyuki Shimonishi, Kentaro Sonoda
  • Publication number: 20130195112
    Abstract: Authentication apparatus authenticates user using host connected to forwarding node. Policy management apparatus holds access control policy for identifying host under access control using identifier of forwarding node or identifier of user, and links identifier of host under access control and identifier of forwarding node to which host is connected, or identifier of host under access control and identifier of user using host. Forwarding node transmits to policy management apparatus identifier of host connected to own forwarding node and identifier of own forwarding node. Authentication apparatus transmits to policy management apparatus identifier of host connected to forwarding node and identifier of user. Policy management apparatus refers to access control policy and, if host connected to forwarding node is under access control, notifies content of access control to control apparatus as access control list.
    Type: Application
    Filed: September 14, 2012
    Publication date: August 1, 2013
    Applicant: NEC CORPORATION
    Inventors: Yoichiro Morita, Masayuki Nakae, Masaya Yamagata, Takayuki Sasaki, Hideyuki Shimonishi, Kentaro Sonoda, Yoichi Hatano
  • Publication number: 20130159788
    Abstract: At a time of operation verification of programs associated with an update of a shared program, information about a functionality necessary to be verified on a target program of operation verification can be presented. An influence degree calculation unit 102 calculates an influence degree of an update of a shared file to be updated for a shared file referring directly or indirectly to the shared file to be updated, on the basis of the reference relationships. A verification support information generation unit 103 detects a shared file having the influence degree which is equal to or higher than a predetermined value from among shared files referred to directly or indirectly by a verification target application file, on the basis of the reference relationships and the influence degree, and outputs information about a function call included in the detected shared file as information on a functionality necessary to be verified on the verification target application file.
    Type: Application
    Filed: September 15, 2011
    Publication date: June 20, 2013
    Applicant: NEC CORPORATION
    Inventors: Yuki Ashino, Masayuki Nakae
  • Publication number: 20130148500
    Abstract: A terminal communicating via a network including a forwarding device(s) for forwarding a packet and a control device for controlling the forwarding device(s) in accordance with a request from the forwarding device, includes: a communication unit that receives a processing rule specifying a process of adding, to a packet, quality information related to communication quality with respect to the terminal, from the control device, a memory unit that stores the received processing rule, and a processing unit that in a case of communicating via the network, adds quality information to a packet in accordance with a processing rule that corresponds to the packet by referring to the processing rule stored in the memory unit.
    Type: Application
    Filed: April 16, 2012
    Publication date: June 13, 2013
    Inventors: Kentaro Sonoda, Hideyuki Shimonishi, Masayuki Nakae, Masaya Yamagata, Yoichiro Morita
  • Publication number: 20120296878
    Abstract: A check code generating means 10 generates, based on metadata of files satisfying a designated condition, a first check code uniquely representing a characteristic of a first file set whose components are files satisfying the condition. Moreover, the check code generating means 10 generates, based on metadata of files satisfying the condition, a second check code uniquely representing a characteristic of a second file set whose components are files satisfying the condition. An inconsistency detecting means 20 compares the first check code and the second check code and, based on inconsistency between the check codes, detects inconsistency between the first file set and the second file set.
    Type: Application
    Filed: January 12, 2011
    Publication date: November 22, 2012
    Applicant: NEC Corporation
    Inventors: Masayuki Nakae, Yuki Ashino
  • Patent number: 8296821
    Abstract: Each domain is provided with an access right management device which creates a resource-sharing policy and performs processing for resource-sharing policy negotiation between a plurality of domain administrators. An access right management device that has created a resource-sharing policy identifies, for each policy unit included in the resource-sharing policy, an access right management device that is a negotiating partner to negotiate with about the policy unit in question. The access right management device generates negotiation information including an identification name of the identified negotiating-partner access right management device and the policy unit in question and sends the negotiation information to the negotiating-partner access right management device. Only when all policy units are agreed on by respective identified negotiating-partner access right management devices, the resource-sharing policy is set on shared resources.
    Type: Grant
    Filed: February 8, 2008
    Date of Patent: October 23, 2012
    Assignee: NEC Corporation
    Inventor: Masayuki Nakae
  • Publication number: 20120246478
    Abstract: A project managing unit 11 authenticates users of virtual machines 24-1 to 24-N and specifies a project to which the users belong. A key managing unit 12 distributes an encryption key, which is assigned in advance to the project specified by the project managing unit 11, to encryption processing units 232-1 to 232-N of virtualizing units 23-1 to 23-N. Input/output monitoring units 231-1 to 231-N of the virtualizing units 23-1 to 23-N receive input/output data generated between the virtual machines 24-1 to 24-N and devices 22-1 to 22-N, and deliver the data to the encryption processing units 232-1 to 232-N. The encryption processing units 232-1 to 232-N encrypt output (write) data and decrypt input (read) data by using the distributed encryption key.
    Type: Application
    Filed: June 1, 2012
    Publication date: September 27, 2012
    Applicant: NEC Corporation
    Inventors: Masayuki Nakae, Takayuki Sasaki
  • Publication number: 20110289550
    Abstract: There are provided a role information storing unit (11) that stores role information including information indicative of subject sets, and information capable of specifying inclusion relationships between subject sets, a policy description storing unit (12) that stores policy descriptions including information indicative of policies and information for identifying subject sets to which the policies are to be applied, a policy stratifying unit (13) that generates a policy hierarchy in which two or more policies are stratified based on inclusion relationships between subject sets to which each policy is applied, and a policy ordering unit (14) that totally orders policy sets made of the two or more policies to be totally ordered based on information indicative of the policy hierarchy while maintaining a higher/lower relationship in a hierarchy.
    Type: Application
    Filed: January 26, 2010
    Publication date: November 24, 2011
    Inventor: Masayuki Nakae
  • Publication number: 20110179412
    Abstract: A project managing unit 11 authenticates users of virtual machines 24-1 to 24-N and specifies a project to which the users belong. A key managing unit 12 distributes an encryption key, which is assigned in advance to the project specified by the project managing unit 11, to encryption processing units 232-1 to 232-N of virtualizing units 23-1 to 23-N. Input/output monitoring units 231-1 to 231-N of the virtualizing units 23-1 to 23-N receive input/output data generated between the virtual machines 24-1 to 24-N and devices 22-1 to 22-N, and deliver the data to the encryption processing units 232-1 to 232-N. The encryption processing units 232-1 to 232-N encrypt output (write) data and decrypt input (read) data by using the distributed encryption key.
    Type: Application
    Filed: May 19, 2008
    Publication date: July 21, 2011
    Applicant: NEC CORPORATION
    Inventors: Masayuki Nakae, Takayuki Sasaki
  • Patent number: 7958549
    Abstract: An attack defending system allows effective defense against attacks from external networks even when a communication system uses a communication path encryption technique such as SSL. A firewall device and a decoy device are provided. The firewall device refers to the header of an input IP packet and, when it is determined that the input IP packet is suspicious, it is guided into the decoy device. The decoy device monitors a process providing a service to detect the presence or absence of attacks. When an attack has been detected, an alert including the attack-source IP address is sent to the firewall device so as to reject subsequent packets from the attack source.
    Type: Grant
    Filed: July 25, 2007
    Date of Patent: June 7, 2011
    Assignee: NEC Corporation
    Inventors: Masayuki Nakae, Masaya Yamagata
  • Patent number: 7624424
    Abstract: A policy storage stores an access control policy as a set of setting information items to make resources (access destinations) shared by an adhoc group. When a part of the access control policy is edited, a policy analyzer updates a rule generated from the edited access control policy. At this time, the rule is updated with use of object knowledge having a data configuration capable of expressing a user as belonging to plural user groups. An access control list setting means updates a part of an access control list, based on the updated rule. Accordingly, an access control list can be generated with respect to a user group including a user who belongs to plural organizations, and the access control list can be updated efficiently.
    Type: Grant
    Filed: May 20, 2005
    Date of Patent: November 24, 2009
    Assignee: NEC Corporation
    Inventors: Yoichiro Morita, Masayuki Nakae
  • Publication number: 20090268912
    Abstract: [Problems] To provide a data use managing system which forces a face-to-face permission by an administrator of confidential data when using the confidential data stored in a mobile terminal. [Means for Solving Problems] A user mobile terminal (2) transmits a use request token for requesting a use of encrypted confidential data to an administrator mobile terminal (1) by near-distance radio communication. If the administrator of the confidential data, as the user of the administrator mobile terminal (1), performs on the administrator mobile terminal (1) a permission operation for use of the confidential data by the user mobile terminal (2), the administrator mobile terminal (1) transmits a permission token indicating the permission to use the confidential data to a right managing server (3). The right managing server (3) transmits a decryption key to the user mobile terminal (2). The user mobile terminal (2) decrypts the confidential data with the received key and uses the confidential data by a predetermined use method.
    Type: Application
    Filed: August 31, 2007
    Publication date: October 29, 2009
    Inventor: Masayuki Nakae
  • Patent number: 7523303
    Abstract: An editing apparatus generates a capsular work with usage conditions for each of plural usages and usage secret information. A ticket server apparatus issues a ticket containing a ticket key in the case of allowing a user to practice the usage requested by the user. A distribution center apparatus distributes the capsular work in accordance with the user's request. An audiovisual apparatus acquires the capsular work from the distribution center apparatus and requests the ticket necessary to make use of the capsular work from the ticket server apparatus, and then decrypts the encrypted work data contained in the capsular work and reproduces the work data only in the case where the audiovisual apparatus has acquired the ticket.
    Type: Grant
    Filed: April 30, 2004
    Date of Patent: April 21, 2009
    Assignee: NEC Corporation
    Inventor: Masayuki Nakae