Abstract:
A communication system includes: a control apparatus setting control information in a forwarding node(s); a forwarding node(s); and an access control apparatus. The forwarding node(s) forwards packets by using first control information set by the control apparatus, and second control information under which packets that do not match any matching condition in the first control information set by the control apparatus are forwarded from a predetermined port of the forwarding node(s). The access control apparatus includes a determination unit that determines whether to generate control information for the packets forwarded from the predetermined port of the forwarding node(s) and, if so, requests the control apparatus to generate that control information.
Abstract:
A terminal communicating with a network including a forwarding device for forwarding a packet and a control device for controlling the forwarding device in accordance with a request from the forwarding device, includes a communication unit that receives a processing rule indicating that a packet for communicating with a first destination is changed so as to communicate with a second destination, from the control device, a storage unit that stores the received processing rule, and a processing unit that in a case of communicating with the network, changes a destination of a packet in accordance with a processing rule that corresponds to the packet by referring to the processing rule stored in the storage unit.
Abstract:
In a filtering setting support device, a logical/physical mapping section generates mapping information that represents a path on the layout of a network by a combination of start nodes and end nodes, the path being, for each flow identifier, from a transmission source node to a destination node, based on node physical layout information and access policy information. The access policy information manages flow information including a combination of transmission source node and destination node, by attaching a flow identifier. A filtering point analysis section specifies as a filtering point a node where a plurality of flows are co-present. A common formal rule generating section generates common formal rules that are to be set at the filtering point. A common formal rule output section presents common formal rules to a network administrator.
Abstract:
A visualization device is communicable with one or a plurality of host servers for hosting a virtual system, and includes an information acquisition unit for collecting configuration information on the virtual system and the host server, a storage unit for storing the configuration information therein, and a drawing unit for expressing a virtual machine and a virtual network configuring the virtual system with different axes based on the configuration information stored in the storage unit, expressing a connection relationship between a virtual machine and a virtual network by linking the lines extending from the respective axes, and grouping virtual machines in units of server on which the virtual machines operate thereby to generate drawing information for expressing the configuration of the virtual system and the host server.
Abstract:
A route request mediation apparatus comprises a resource management unit that manages a resource of a network to be managed; a request receiving unit that receives a route request with an added service level condition from a user or another route request mediation apparatus; a negotiation status management unit that forwards the route request to a destination specified by the route request, and manages a negotiation status based on a response from the destination; an acceptance assessment unit that assesses whether or not to accept the route request by referring to the negotiation status managed by the negotiation status management unit and to the resource management unit; and a response sending unit that responds with an assessment result that indicates whether or not the route request is accepted to the request source of the route request.
Abstract:
A communication system includes an information acquisition unit that acquires information for determining an isolation level to which a user terminal belongs, from the user terminal; an isolation level determination unit that determines an isolation level to which the user terminal belongs, based on the acquired information; an isolation level information storage unit that defines whether or not access is possible to respective access destinations for each isolation level; an access control unit that causes a forwarding node(s) to implement forwarding or dropping of a packet, in accordance with whether or not access is possible to the respective access destinations; and a forwarding node(s) that forwards a packet in accordance with control of the access control unit. Stepwise access control is realized using isolation levels.
Abstract:
A method of monitoring network traffic in a communication network with a sentinel module to detect malicious activity is described. A gateway sentinel module receives network traffic directed through a gateway installed for a local distribution of the network, the gateway connecting the local distribution of the network to a core of the network. Malicious activity in the local distribution is detected based on a combination of: a local machine-learning model for identifying malicious activity in the local distribution, the local machine-learning model modelling network traffic from the local distribution; and a global machine-learning model. The global machine-learning model models network traffic from a plurality of local distributions of the network based on training data from a plurality of local sentinel modules executed on a respective plurality of computing nodes. The computing nodes respectively receive network traffic from the plurality of local distributions. A corresponding device and system are also described.