Abstract: An information processing system is configured to acquire log data of a system including a network and a plurality of constituent elements that communicate via the network, and output information of one or more attack vectors including information of constituent elements related to the one or more attack vectors, based on the log data and network configuration information of the system in a case where an attack is detected in the system.

Abstract: An information processing system according to the present invention includes: an analysis device; and a control device. The analysis device performs first operations. The first operations includes: executing analysis, based on an analysis rule with respect to data to be input as an object of analysis; outputting an analysis result; managing the analysis rule; The analysis device store the analysis rule; and analysis state information indicating a state of the analysis to be generated or referred to by the first processor. The control device performs second operations. The second operations includes: monitoring a usage status of the first memory storing the analysis state information; acquiring and managing an evaluation result with respect to the analysis result; and controlling the analysis rule via the analysis device, based on a usage status of the first memory storing the analysis state information and the evaluation result.

Abstract: The present invention contributes to facilitating: setting for connection between a TEP in a virtual network configured by using a virtual tunnel and a virtual network; and management of the connection. A control apparatus includes: a connection detection unit configured to detect that a virtual machine has newly been connected to one of a plurality of tunnel endpoints each of which functions as an endpoint of a virtual tunnel used for a communication between virtual machines that belong to a virtual network; a virtual network determination unit configured to determine a virtual network to which the detected virtual machine belongs on the basis of information in which virtual machines and virtual networks are associated with each other; and a tunnel endpoint control unit configured to cause, if the tunnel endpoint has not participated in the determined virtual network, the tunnel endpoint to participate in the determined virtual network.

Abstract: A relay apparatus includes: a data request part which requests, based on a data acquisition request(s) from a data request source(s), a data provision apparatus(es) that provides data by using a predetermined application programming interface(s) to transmit data; a conversion instruction part which transmits a conversion rule(s) for data transmitted from the data provision apparatus(es) to the data request source(s) and instructs the data request source(s) to convert the data transmitted from the data provision apparatus(es); and a data forwarding part which forwards data transmitted from the data provision apparatus(es) to the data request source(s).

Abstract: An information processing system according to the present invention includes: an analysis device; and a control device. The analysis device performs first operations. The first operations includes: executing analysis, based on an analysis rule with respect to data to be input as an object of analysis; outputting an analysis result; managing the analysis rule; The analysis device store the analysis rule; and analysis state information indicating a state of the analysis to be generated or referred to by the first processor. The control device performs second operations. The second operations includes: monitoring a usage status of the first memory storing the analysis state information; acquiring and managing an evaluation result with respect to the analysis result; and controlling the analysis rule via the analysis device, based on a usage status of the first memory storing the analysis state information and the evaluation result.

Abstract: The present invention contributes to facilitating: setting for connection between a TEP in a virtual network configured by using a virtual tunnel and a virtual network; and management of the connection. A control apparatus includes: a connection detection unit configured to detect that a virtual machine has newly been connected to one of a plurality of tunnel endpoints each of which functions as an endpoint of a virtual tunnel used for a communication between virtual machines that belong to a virtual network; a virtual network determination unit configured to determine a virtual network to which the detected virtual machine belongs on the basis of information in which virtual machines and virtual networks are associated with each other; and a tunnel endpoint control unit configured to cause, if the tunnel endpoint has not participated in the determined virtual network, the tunnel endpoint to participate in the determined virtual network.

Abstract: A network system, a network control method, and a control apparatus are provided that can easily achieve assurance of the quality of a network service and optimization of the throughput of an entire system. A network control apparatus (10) controls a network (20) having a multi-layer structure, monitors whether or not a network service on a first layer fulfills a required service level, and depending on a result of the monitoring, changes a setting of a packet header so that resources on the first layer will be changed, wherein resources on the lower layer are changed in accordance with a change in the setting of the packet header.

Abstract: A network system, a network control method, and a control apparatus are provided that can easily achieve assurance of the quality of a network service and optimization of the throughput of an entire system. A network control apparatus (11) controls a network having a multi-layer structure, sets a first layer path that provides virtual network functions for a network service on a first layer, monitors whether or not the network service on the first layer fulfills a required service level, and depending on a result of the monitoring, changes a setting of a packet header so that the first layer path will be switched at an end point of the network service. This causes a resource on a second layer, which is a lower layer than the first layer, to change.

Abstract: The present invention contributes to facilitating: setting for connection between a TEP in a virtual network configured by using a virtual tunnel and a virtual network; and management of the connection. A control apparatus includes: a connection detection unit configured to detect that a virtual machine has newly been connected to one of a plurality of tunnel endpoints each of which functions as an endpoint of a virtual tunnel used for a communication between virtual machines that belong to a virtual network; a virtual network determination unit configured to determine a virtual network to which the detected virtual machine belongs on the basis of information in which virtual machines and virtual networks are associated with each other; and a tunnel endpoint control unit configured to cause, if the tunnel endpoint has not participated in the determined virtual network, the tunnel endpoint to participate in the determined virtual network.

Abstract: A relay apparatus includes: a data request part which requests, based on a data acquisition request(s) from a data request source(s), a data provision apparatus(es) that provides data by using a predetermined application programming interface(s) to transmit data; a conversion instruction part which transmits a conversion rule(s) for data transmitted from the data provision apparatus(es) to the data request source(s) and instructs the data request source(s) to convert the data transmitted from the data provision apparatus(es); and a data forwarding part which forwards data transmitted from the data provision apparatus(es) to the data request source(s).

Abstract: A communication system includes a plurality of control apparatuses that determine a packet handling operation; a plurality of packet processing units that process packets in accordance with the packet handling operation notified by the control apparatus; an assignment unit that assigns, with respect to each of the packet processing unit, a control apparatus that controls the packet processing unit concerned; and a database that is shared by the plurality of control apparatuses and that stores information related to the packet handling operation; wherein each of the control apparatuses refers to the database to determine the packet handling operation.

Abstract: A communication system includes at least one node that processes a packet, and a control device that receives a request for a transmission of a first processing rule from said node, the first processing rule including a matching rule and a second processing rule that conforms to the matching rule, the matching rule being for comparing with information included in the packet. The control device retrieves a first processing rule which corresponds to an identifier from a database if the identifier for identifying the first processing rule is included in the request.

Abstract: A technique capable of changing communication services that can be provided by a communication system is provided. A communication system according to the present invention includes: first means that is capable of executing a network function for providing a communication service; and second means that adds second identification information corresponding to first identification information that is assigned to a group of network functions, to a packet belonging to the group, and sends the packet to the network function, which performs packet forwarding within the group based on the second identification information.

Abstract: Communication allowance determination means determines, using information of a packet received by a packet relay unit and based on a policy which is information associating a match condition with communicability information, whether to allow or not to allow communication to a destination unit for the packet that meets the match condition, the match condition being information identifying the packet, and the communicability information indicating whether to allow or not to allow the communication to the destination unit for the packet that meets the match condition. Rule setting means sets, at least in the packet relay unit receiving the packet, a rule of executing a process for suppressing forwarding of the packet to the destination unit, on condition that the communication allowance determination means determines not to allow the communication to the destination unit for the packet that meets the match condition.

Abstract: A network system, a network control method, and a control apparatus are provided that can easily achieve assurance of the quality of a network service and optimization of the throughput of an entire system. A network control apparatus (11) controls a network having a multi-layer structure, sets a first layer path that provides virtual network functions for a network service on a first layer, monitors whether or not the network service on the first layer fulfills a required service level, and depending on a result of the monitoring, changes a setting of a packet header so that the first layer path will be switched at an end point of the network service. This causes a resource on a second layer, which is a lower layer than the first layer, to change.

Abstract: A network system, a network control method, and a control apparatus are provided that can easily achieve assurance of the quality of a network service and optimization of the throughput of an entire system. A network control apparatus (10) controls a network (20) having a multi-layer structure, monitors whether or not a network service on a first layer fulfills a required service level, and depending on a result of the monitoring, changes a setting of a packet header so that resources on the first layer will be changed, wherein resources on the lower layer are changed in accordance with a change in the setting of the packet header.

Abstract: An apparatus includes an input unit that receives a requested resource, and a VM arrangement destination computation unit that predicts traffic volume flowing through a network with the physical machines connected thereto in a case wherein the virtual machine is arranged on the physical machine that conform to a condition specified by the requested resource, and based on the predicted traffic volume, and selects the physical machine that balances a link utilization of the network as an arrangement destination of the virtual machine.

Abstract: A control apparatus includes a packet handling operation setting unit that sets a packet handling operation for processing a packet for a communication node selected from a plurality of communication nodes. The packet handling operation setting unit sets the packet handling operation for communication nodes out of the plurality of communication nodes other than the selected communication node, in response to the fact that it was possible to set the packet handling operation for the selected communication node.

Abstract: The present invention contributes to facilitating: setting for connection between a TEP in a virtual network configured by using a virtual tunnel and a virtual network; and management of the connection. A control apparatus includes: a connection detection unit configured to detect that a virtual machine has newly been connected to one of a plurality of tunnel endpoints each of which functions as an endpoint of a virtual tunnel used for a communication between virtual machines that belong to a virtual network; a virtual network determination unit configured to determine a virtual network to which the detected virtual machine belongs on the basis of information in which virtual machines and virtual networks are associated with each other; and a tunnel endpoint control unit configured to cause, if the tunnel endpoint has not participated in the determined virtual network, the tunnel endpoint to participate in the determined virtual network.

Abstract: A control apparatus includes: a connection detection unit configured to detect that a virtual machine has newly been connected to one of a plurality of tunnel endpoints each of which functions as an endpoint of a virtual tunnel used for a communication between virtual machines that belong to a virtual network; a virtual network determination unit configured to determine a virtual network to which the detected virtual machine belongs on the basis of information in which virtual machines and virtual networks are associated with each other; and a tunnel endpoint control unit configured to cause, if the tunnel endpoint has not participated in the determined virtual network, the tunnel endpoint to participate in the determined virtual network.