Abstract:
PROBLEM TO BE SOLVED: To provide a method and program for constructing a safely managed virtual machine execution environment. SOLUTION: After a program into which means for selectively masking a window screen of a virtual machine and a security function are integrated is installed onto a host OS of a user terminal under the authority of an administrator, a program into which a security function that the administrator wants to introduce into the virtual machine and means for releasing the mask are integrated is provided to a user. Once such a situation is created by the administrator, the user who wants to use a virtualized environment has no choice but to accept installation of a security function desired by the administrator onto the virtual machine.
Abstract:
PROBLEM TO BE SOLVED: To provide a method, a computer program, an apparatus and a system capable of determining a confidential label of document information in real time. SOLUTION: A label determination apparatus 3 includes: an operation detection section 341 for detecting a predetermined operation on document information; a content extraction section 342 for extracting contents contained in the document information in response to the detection of the predetermined operation; a policy information acquisition section 343 for acquiring policy information indicating a relation between the contents and the confidential label from a policy server 1; and a determination section 344 for determining the confidential label of the document information by determining the confidential label corresponding to the contents on the basis of the policy information acquired by the policy information acquisition section 343 in response to the extraction of the contents by the content extraction section 342.
Abstract:
PROBLEM TO BE SOLVED: To prevent reduction of usability and inhibition of user convenience due to data analysis processing in access control. SOLUTION: Technique for classifying data to perform access control. A first piece of data as a reference for classification is extracted from data to be classified or attributes thereof and is analyzed to determine whether a predetermined first part including data to be classified or the first data belongs to a first classification category. When it is determined that the first part belongs to the category, a first access control set is applied to an action to the data to be classified or the first data. When the first access control set is applied and the access control to the action to the data to be classified or the first data is suspended, a second piece of data as a reference for classification is extracted from the data to be classified or attributes thereof and analyzed to determine whether the second data belongs to a second classification category. When it is determined that the second piece of data belongs to a second classification category, a second access control set is applied to the suspended first action.
Abstract:
PROBLEM TO BE SOLVED: To provide a resource protection processing program for protecting resources processed by a computer. SOLUTION: In place of a conventional resource protection processing program, a resource protection processing program realizes the following functions in a computer: a preparation function which is a function to prepare multiple definition state transition histories and multiple definition actions associated with each other, and in which each of the definition state transition histories defines state transition histories of the computer for when it executes prescribed access to prescribed resources, and each of the definition actions is defined to be executed when a definition state transits to the next definition state; and an action execution function to select the definition action associated with the corresponding definition state transition history from among the single or multiple definition actions when executing the actual access to the real resources, and to execute the selected definition actions.
Abstract:
PROBLEM TO BE SOLVED: To provide a method, program and apparatus capable of determining priorities for efficiently classifying a plurality of documents. SOLUTION: A computer acquires contexts relating to each of a plurality of documents, calculates scan priorities of each of the plurality of documents on the basis of a priority calculation policy determining calculation rules of scan priorities in accordance with a combination of acquired contexts, and stores the plurality of documents into any one of a plurality of queues with different timing to process classification in accordance with the scan priorities.
Abstract:
A means is provided for preventing information leaks from a data distribution destination. A data distribution server 20 comprises a database 130 that stores access control execution modules 132 to 138 for realizing, on a client, an access control mechanism and a loading unit, wherein the access control execution mechanism adapts to an environment of the client, wherein the access control mechanism controls access to a resource from a process in a manner that depends on a given policy, wherein the loading unit loads distribution data contained in a distribution package into a protected storage area, a database 120 for storing the distribution data 124 and a security policy 122 specified for the distribution data 124, an environment detection section 144 for detecting an environment of a client 30B that requests receipt of distribution data, and a transmission processing section 150 for transmitting a distribution package 160 that contains distribution data 162, a security policy 164 and an access control execution module 166 corresponding to the environment of the client 30B.
Abstract:
Provided is means for preventing information leakage from a data distribution destination. A data distribution server (20) of the present invention includes: a database (130) which stores access control implementation modules (132 to 138), which implement, upon a client, an access control mechanism which controls access to a resource by a process according to an imparted policy corresponding to the environment of the client and a deployment unit for deployment into a storage area in which distributed data included in a distributed package is protected; a database (120), which stores distributed data (124) and a security policy (122) specified for the distributed data (124); an environment detection unit (144) for detecting the environment of a client (30B) which requests receipt of the distributed data; and a transmission unit (150) for transmitting a distributed package (160) which includes distributed data (162), a security policy (164), and an access control-implemented module (166) corresponding to the environment of the client (30B).