JP5039066B2 - Data processing apparatus, data processing method, and program - Google Patents

Description

  The present invention relates to a data processing device, a data processing method, and a program.

  As for dynamic access control of a conventional publish / subscribe system, for example, Patent Document 1 discloses a publish / subscribe network (pub-sub network) ranging from a content publisher (publisher) to a subscriber (subscriber). ) Is disclosed. In this access control, an access control rule is described by a triple of a subscriber principal, an access form, and a filter in the Pub-Sub system. For example, a rule that allows a principal “John Doe” to request to subscribe to stock price information is described as [John Doe, subscription request, type = ‘’ stock price ’].

This technique has the following two problems.
(1) A content filter cannot be freely described (because access restrictions are strongly dependent on the content filter, a content filter other than the specified content filter cannot be used).

  (2) Relaxation of access authority by processing such as anonymization of data cannot be realized.

JP 2007-287148 A

  Conventionally, no method has been known that enables data protection and data processing and access restriction relaxation flexibly and safely.

  The present invention has been made in view of the above circumstances, and provides a data processing device, a data processing method, and a program that can flexibly and safely protect data and process data and relax access restrictions. With the goal.

  The present invention is a data processing device capable of receiving data from a transmission device, processing the data, and transmitting the data to the reception device, wherein the transmission is performed before receiving the data from the transmission device. Prior to transmitting the data to the receiving device by verifying that the owner information indicating the owner related to the device matches the owner information indicating the owner related to the data processing device. The first verification unit that verifies that the owner information indicating the owner according to the data matches the owner information indicating the owner according to the data, and only when the verification according to the transmission device is successful. A relay unit capable of receiving the data from the transmitting device and capable of transmitting the data to the receiving device only when the verification relating to the receiving device is successful; A first execution unit that executes a free flow function whose contents can be arbitrarily set, and owner information indicating an owner of data output by the free flow function when the free flow function is executed. The setting unit that is set based on owner information indicating the owner of the data input by the free flow function and the validity of the privileged flow function that can arbitrarily set the contents of the data processing are described in the privileged flow function. The privileged flow function can be executed only when the verification related to the privileged flow function is successfully performed, and the privileged flow function can be executed. Second execution for setting owner information indicating an owner of data output by the privileged flow function when the flow function is executed based on the second information described in the privileged flow function Characterized by comprising and.

  According to the present invention, it is possible to flexibly and safely realize data protection and data processing and relaxation of access restrictions.

It is a figure which shows the structural example of the information processing system which concerns on one Embodiment of this invention. It is a figure which shows the example of an internal structure of a Pub-Sub broker and a Pub-Sub verification part. It is a figure for demonstrating publish and subscribe. It is a figure for demonstrating an owner tag set. It is a figure which shows an example of the algorithm which verifies whether an owner tag satisfies an owner tag set. It is a figure which shows an example of the definition table of a privilege flow function. It is a figure which shows an example of the verification algorithm with respect to the subscribe request from the outside. It is a figure which shows an example of the algorithm of the setting of the owner tag set of the output channel in free FF execution environment. It is a figure which shows an example of the algorithm of the verification at the time of publish reception. It is a flowchart which shows an example of the operation | movement procedure of the request | requirement arrangement | positioning of the information processing system of the embodiment. It is a flowchart which shows an example of the operation | movement procedure in the case of verifying at the time of publish reception of the information processing system of the embodiment, request arrangement | positioning, and the subscription. It is a flowchart which shows an example of the operation | movement procedure at the time of publishing of the request processing apparatus of the embodiment. FIG. 10 is a diagram illustrating an example of pseudo code of a remaining paper threshold determination function. It is a figure for demonstrating an example of operation | movement of this embodiment. It is a figure for demonstrating an example of operation | movement of this embodiment. It is a figure for demonstrating an example of operation | movement of this embodiment. It is a figure for demonstrating an example of operation | movement of this embodiment. It is a figure for demonstrating an example of operation | movement of this embodiment. It is a figure for demonstrating an example of operation | movement of this embodiment. It is a figure for demonstrating an example of operation | movement of this embodiment.

  Hereinafter, embodiments of the present invention will be described with reference to the drawings.

  FIG. 1 shows a configuration example of an information processing system according to an embodiment of the present invention.

  The information processing system according to the present embodiment will be described by taking as an example a case where a publish / subscribe model (Publish-Subscribe model) is assumed.

  Further, in the following description, using a specific example, a case where the information processing system of the present embodiment is provided in a building where a tenant occupies and is used for monitoring / control of facilities in the building, etc. Let's take an example.

  In FIG. 1, 1 is a request processing device (data processing device), 2 is a user device, 3 is a request allocation device, 4 is a flow function code repository (FF code repository), and 5 is an action device (transmitting device) serving as a publisher. Reference numeral 6 denotes a working device (receiving device) as a subscriber.

  Each device can communicate via, for example, a network (not shown).

  In FIG. 1, each device is shown one by one, but any number of each device may exist in the system.

  Each working device may operate only as a publisher, may operate only as a subscriber, or may operate as both a publisher and a subscriber.

  The outline of each device is shown below.

  The action device 5 is a device that transmits data to the request processing device 1.

  The action device 6 is a device that receives data from the request processing device 1.

  It is assumed that each action device 5 and 6 has unique identification information (ID) and can be identified.

  The user device 2 is a device that sends a user request described by a user to the request placement device 3.

  The request placement device 3 is a device that places a request received from the user device 2 in the request processing device 1.

  The request processing device 1 is a device that receives data from one or a plurality of operation devices 5 and transmits the received data or the processed data to the operation device 6. Moreover, it is an apparatus which mediates between the user apparatus 2 and the action apparatuses 5 and 6.

  The FF code repository 4 is a database that accumulates flow function codes (FF codes).

  As shown in FIG. 1, the request processing device 1 includes a request reception unit 11, a flow function code load unit (FF code load unit) 12, a publish / subscribe broker (hereinafter referred to as a “pub-sub broker”) (relay unit). 13. Free flow function execution environment (hereinafter referred to as free FF execution environment) (first execution unit) 14, privileged flow function execution environment (hereinafter referred to as privileged FF execution environment) (second execution unit) 15, Pub-Sub broker Publish / subscribe verification unit (hereinafter referred to as “Pub-Sub verification unit”) (first verification unit) 16, free flow function owner tag setting unit (hereinafter referred to as “free FF possession”) associated with free FF execution environment 14 User tag setting unit) (setting unit) 17, privileged flow function signature verification unit (hereinafter referred to as privileged FF signature verification unit) (second verification unit) 1 attached to the privileged FF execution environment 15 It is equipped with a.

  FIG. 2 shows an internal configuration example of the Pub-Sub broker 13 and the Pub-Sub verification unit 16. As shown in FIG. 2, the Pub-Sub broker 13 includes a publish / subscribe processing unit 131, a transmission / reception interface unit 132, and a channel information storage unit 133.

  In the present embodiment, an action device 5 that is a publisher, an action device 6 that is a subscriber, a free flow function execution environment 14 that executes a free flow function (which becomes a subscriber / publisher in this embodiment), and (this embodiment) Data is exchanged with a privileged flow function execution environment 15 that executes a privileged flow function (which becomes a subscriber / publisher in FIG. 1) via a channel that is a virtual communication path. The publish / subscribe processing unit 131 performs a process for relaying data between them. The channel information storage unit 133 stores information on each channel (for example, information such as which sender sends data to the channel and which receiver receives data from the channel). The transmission / reception interface unit 132 is for communicating with an external device, and communication via the transmission / reception interface unit 132 is required to exchange data with the operation devices 5 and 6 that are external devices. Become. On the other hand, data can be exchanged with the free flow function execution environment 14 or the privileged flow function execution environment 15 only through the channel. Note that the transmission / reception interface unit 132 may be outside the Pub-Sub verification unit 16.

  As shown in FIG. 2, the Pub-Sub verification unit 16 includes a publisher verification unit 161 that verifies the operation device 5 that is a publisher, and a subscriber verification unit 162 that verifies the operation device 6 that is a publisher. including.

  Hereinafter, this embodiment will be described in detail.

  First, the channel, publish, subscribe, and Pub-Sub broker 13 will be described.

  The “channel” corresponds to a virtual communication path based on the publish / subscribe model.

  In the publish / subscribe model, unlike the normal request-response model, information on subscribers serving as data destinations (data receiving side) is registered in advance for a specific channel through which desired data flows. When the publisher on the data transmission side sends data to the specific channel at each timing, the data is sent to the specific channel in advance at the timing when the data flows to the specific channel. Sent to registered subscriber (s). In the publish / subscribe model, a server called a broker is used to mediate / relay communication between a publisher and a subscriber.

  In the present embodiment, the Pub-Sub broker 13 of the request processing apparatus 1 plays a role corresponding to the role of the broker in the publish / subscribe model. That is, the Pub-Sub broker 13 mediates and relays communication between the acting device 5 serving as a publisher and the acting device 6 serving as a subscriber.

  Hereinafter, sending data to a channel is referred to as “publishing”, and receiving data from a specific channel to register information on the receiving side with respect to the specific channel is referred to as “subscribing”. And

  By the way, in this embodiment, the request processing device 1 can transmit the data received from the action device 5 to the action device 6 after processing it with a flow function described later. For this reason, in the present embodiment, data is also exchanged for the flow function via the channel. That is, in this embodiment, the action device 5 that is a data generator, the action device 6 that is a data consumer, and a flow function (free flow function, privileged flow function) Replace.

  Here, the flow function will be described.

  The “flow function” subscribes to one or more specific channels, receives data related to the channels as input, and at an event (for example, triggered by an event in which data is output to a subscribed channel). ), A function that performs predetermined processing (predetermined calculation and / or determination, etc.) and publishes the data obtained as a result to one or more specific channels as necessary. Depending on the result of the predetermined processing, publishing may not be performed. The flow function can be basically processed in any way, such as processing channel information, extracting useful information from the sensor network, or controlling actuators acting on the environment from that information. It is also possible to do. The substance of the flow function is arranged on the request processing device 1.

  In the present embodiment, the flow functions include a “free flow function” and a “privileged flow function”. As for the free flow function, any user (for example, facility manager, facility user, or third party) can freely describe the processing content. On the other hand, regarding the privileged flow function, only a privileged person (for example, a facility manager) can define the processing content. In other words, only the processing contents specified by the privileged person can be executed (if a person other than the privileged person wants to execute the desired privileged flow function, for example, It is necessary to have a desired privilege flow function prepared). For the description of the flow function, for example, a programming language such as Java (registered trademark) can be used.

  The free flow function can be performed on any data input channel. That is, any of data received from the action device 5, data output by another free flow function, and data output by the privileged flow function can be input. The number and combination of input channels are arbitrary.

  Similarly, a privileged flow function can be performed on any data input channel. That is, any of data received from the action device 5, data output by the free flow function, and data output by another privileged flow function can be input. The number and combination of input channels are arbitrary.

  In the present embodiment, as illustrated in FIG. 3A, the request processing device 1 can transmit the data received from the publisher P to the subscriber S as it is through the channel X. A desired function can be realized by inserting one or a plurality (arbitrary number) of flow functions (free flow function and / or privileged flow function) in the middle of the flow. In FIG. 3, the solid line indicates the data flow, the alternate long and short dash line indicates the publish, and the broken line indicates the subscribe.

For example, (1) the free flow function F11 (or privileged flow function F21) is subscribed to the channel X, the action device S is subscribed to the channel Y, and the data from the action device P is flowed to the channel X. A processing flow in which the free flow function F11 (or privileged flow function F21) processes data from the channel X, flows the resulting data to the channel Y, and transmits the data of the channel Y to the action device S (FIG. 3). (B), see FIGS. 15 and 16),
(2) The free flow function F11 subscribes to the channel X, the privileged flow function F21 subscribes to the channel Y, the action device S subscribes to the channel Z, and the data from the action device P is sent to the channel X. The free flow function F11 processes the data from channel X and flows the resulting data to channel Y, and the privileged flow function F21 processes the data from channel Y and passes the resulting data to the channel A processing flow (refer to FIG. 3 (c) and FIG. 1) for sending the data of channel Z to the action device S,
(3) The privileged flow function F21 subscribes to the channel X, the free flow function F11 subscribes to the channel Y, the action device S subscribes to the channel Z, and the data from the action device P is sent to the channel X. The privileged flow function F21 processes the data from channel X and flows the resulting data to channel Y, and the free flow function F11 processes the data from channel Y and passes the resulting data to the channel Z is a flow of processing to send data of channel Y to the action device S (see FIG. 19),
(4) Free flow function F11 (or privileged flow function F21) subscribes to channel X1 and channel X2, action device S subscribes to channel Y, and data from action device P1 flows to channel X1. , The data from the action device P2 is flowed to the channel X2, and the free flow function F11 (or the privileged flow function F21) processes the data from the channels X1 and X2 as input, and the resulting data is sent to the channel Y. , And a process flow for transmitting the data of channel Y to the action device S (see FIG. 3D),
(5) Free flow function F11 subscribes to channel X1 and channel X2, privileged flow function F21 subscribes to channel Y, action device S subscribes to channel Z, and data from action device P1 Flow to channel X1, flow data from action device P2 to channel X2, free flow function F11 processes with data from channel X1 and channel X2 as input and flows the resulting data to channel Y, privileged The flow function F21 processes the data from the channel Y, flows the resulting data to the channel Z, and transmits the data of the channel Z to the working device S (see FIG. 3 (e)).
Various processing flows such as these can be realized.

  The channel is, for example, channel information in which a “channel identifier”, “data destination (data receiver) list (recipient list)” and “allowed data sender list (sender list)” are paired. It is managed by. Such information is held in the channel information storage unit 133 of the Pub-Sub broker 13 of the request processing apparatus 1.

  The channel information may include “owner tag (owner tag set)” information. Alternatively, the correspondence between “channel identifier” and “owner tag (owner tag set)” may be managed.

  For example, when data arrives at a certain channel, the Pub-Sub broker 13 (publish / subscribe processing unit 131) sends the received data to all recipients registered in the recipient list corresponding to the channel identifier of the channel. Send to. For example, when data arrives on a certain channel, a procedure for checking whether the arrived data is from a data sender authorized for the channel based on a sender list corresponding to the channel identifier of the channel. Is also possible. In this procedure, the arrived data is sent to all the recipients registered in the recipient list corresponding to the channel identifier of the channel only when the result of the inspection is correct.

  However, as will be described later, in the present embodiment, the action devices 5 and 6 are verified based on the owner tag, and only when the verification is successful, publishing and subscribing (or action device 5 data And transmission of data to the action device 6).

  Next, the owner tag will be described.

  In the access control technology of the present embodiment, the concept of the owner is used for the operation devices 5 and 6, the request processing device 1, and the channel related to the data handled in the request processing device 1.

  In this embodiment, an owner tag is used as information indicating the owner.

  The “owner tag” is configured by a list of identifiers (owner IDs) indicating an arbitrary number of owners.

  The owner tag is the owner of the device (the request processing device 1 or the operation devices 5 and 6 in this embodiment), the owner of the channel related to the input data from the operation device 5, or a specific type of program (this implementation In the form, it is information indicating the owner of the channel related to the output data of the privileged flow function or the free flow function.

  The owner tag is basically used by the request processing device 1 before the input of data from the acting device 5 serving as a publisher or the transmission of data to the acting device 6 serving as a subscriber. Used for verification.

  For example, for an owner tag consisting of the union of “building manager owner ID”, “building user 1 owner ID”, and “building user 2 owner ID”, “building management Owner tag consisting of all or part of “owner ID of building owner”, “owner ID of building user 1”, and “owner ID of building user 2” is matched, and “owner of building manager” Those including at least one owner ID other than “ID”, “owner ID of building user 1”, and “owner ID of building user 2” are not suitable. Only when the verification of the compatibility is successful, the data can be used (subscribe is possible), or the data can be transmitted to the request processing device 1 (can be published).

  For an apparatus, for example, an authorized administrator or the like sets an owner tag including an owner (one or more) in advance for the apparatus. In addition, the owner tag of the action devices 5 and 6 may be set to the action devices 5 and 6 and transmitted from the action devices 5 and 6 to the Pub-Sub broker 1 of the request processing device 1. In the request processing device 1 (for example, in the Pub-Sub broker 13), the identification information of the working devices 5 and 6 and the owner tag are stored in association with each other, and the working devices 5 and 6 transfer the request processing device 1 to the request processing device 1. By transmitting the identification information, the request processing device 1 may obtain the owner tag of the operation device 5 or 6 from the transmitted identification information.

  It is assumed that the owner tag of the action device 5 that is the input is given as it is to the channel through which the data (data from the outside) inputted from one action device 5 flows.

  The channel related to the data output by the free flow function that receives one data (subscribe to one channel), the owner tag of the channel related to the data that it inputs (the channel to which it subscribes) Is given as is.

  As will be described in detail later, an owner tag is set for a channel related to data output by the privileged flow function based on information described in the privileged flow function.

  However, for the output data channel of the free flow function and the channel of the data input from the outside, there may actually be multiple owner tags related to the input data (when subscribing to multiple channels) , Multiple owner tags). Therefore, in order to indicate this, information indicating the owner given to the channel of the output data of the free flow function and the channel of the data data from the outside is called an “owner tag set”.

  The owner tag set is a form in which the owner tag and / or the owner tag set are combined in parallel. In this embodiment, the product of the owner identifiers included in each owner tag and / or the owner tag set. Shall be defined as

  For example, when the administrator and the user are in different environments (for example, in the case of a relationship between a building administrator and a tenant in a rental office), the equipment occupied by each user An owner tag including only the user is set, and an owner tag including the administrator and the user is set for the facilities shared by the administrator and each user. For example, as shown in FIG. 4, data of “owner tag 1” composed of “building user 1” and “building administrator”, and “building user 2” and “building administrator”. Considering the data that is the result of the computation by the free flow function using both the data of the owner tag 2 ”, the owner tag given to the channel related to the data is the product of the set that forms those tags. In this case, it becomes a “building manager” common to “owner tag 1” and “owner tag 2”. Therefore, this calculation result data can be used only when it has an “owner tag” including “building manager”, that is, it can be subscribed to the channel related to the data (owner ID of the building manager) If you have an owner tag that contains at least one other owner ID, it will not fit).

  FIG. 5 shows an example of an algorithm (common subroutine) for verifying whether the owner tag satisfies the owner tag set.

  The action device 5 is a device having a communication function and transmitting data to the request processing device 1. The action device 6 is a device that has a communication function and receives data from the request processing device 1. In this embodiment, the action device 5 has a function of interacting with an environment such as a sensor, and the action device 6 has a function of interacting with an environment such as an actuator.

  The action device 5 serving as a publisher outputs data (for example, sensor observation values) to a channel, and the action device 6 serving as a subscriber is provided with data (for example, an actuator command) from the channel.

  Each of the action devices 5 and 6 is set with an owner tag including an arbitrary number of owner groups. The owner tag constitutes an owner tag set in a channel through which data published by the working device 5 flows, and only the working device 6 to which all the owners are concerned can receive (subscribe) data. Specify (since the owner tag set is specified by the intersection of each input). On the other hand, in a subscribe request for receiving data of a certain channel, if the owner tag set set for the channel includes the owner tag of the operation device 6, it can be subscribed.

  The request processing device 1 mediates between the user device 2 and the action devices 5 and 6. The request processing device 1 manages the channels used by the action devices 5 and 6, and performs destination management of data transmission / reception. At the same time, the flow function given by the user device 2 is materialized and data processing is performed.

  As described above, the Pub-Sub broker 13 of the request processing apparatus 1 plays a role corresponding to the role of the broker in the publish / subscribe model. That is, it is a unit that receives data from the working device 5 and transmits data to the working device 6. The Pub-Sub broker 13 is protected by the Pub-Sub verification unit 16 with respect to, for example, publish and subscribe operations. As described above, an owner tag based on the input data source (publisher) is defined for each channel.

  Prior to receiving data from the action device 5 (for example, at the time of publishing reception), the Pub-Sub verification unit 16 matches the owner tag of the action processing device 1 with the owner tag of the request processing apparatus 1. And verify that the owner tag of the action device 6 matches the owner tag of the request processing device 1 prior to sending data to the action device 6 (eg, when subscribing). This is the unit to be verified. The Pub-Sub broker 13 can receive data from the working device 5 only when the former verification is successful (or the working device 5 can be published). Also, data can be transmitted to the working device 6 only when the latter verification is successful (or the working device 6 can be subscribed).

  The free FF execution environment 14 and the privileged FF execution environment 15 are execution environments for executing the free flow function and the privileged flow function, respectively. Both can be constructed using, for example, a Java sandbox virtual machine (that is, a program execution environment in which operations that can be executed are restricted).

  The free FF execution environment 14 is a unit that executes a free flow function. The free flow function can arbitrarily set the contents of data processing. Further, unlike the privileged flow function, verification of the validity of the free flow function is not necessary. The free FF execution environment 14 is protected by the free FF owner tag setting unit 17.

  Unlike the privileged flow function, the free flow function itself is not allowed to operate on the owner tag, and an owner tag set synthesized from all input channels must be set as an output channel. The protection mechanism forcing the setting of the tag set is the free FF owner tag setting unit 17.

  The free FF owner tag setting unit 17 is a unit that sets the channel owner tag set related to the data output by the executed free flow function based on the channel owner tag related to the data input by the free flow function It is. For example, when there is a single channel that the free flow function inputs, the same owner tag (one or more owners) is set for the channel, and there are multiple channels that the free flow function inputs. Are set to only those owners (one or a plurality of owners) that are commonly owned by all of the plurality of channels (that is, logical AND is performed on the owner tags of all the channels).

  The privileged FF execution environment 15 is a unit that executes a privileged flow function. The privileged flow function can arbitrarily set the contents of data processing. Also, the privileged flow function can manipulate the owner tag of the channel through which the output data flows. The privileged FF execution environment 15 is protected by the privileged FF signature verification unit 18.

  Since the privileged flow function can manipulate the owner tag of the output channel as described above, if anything is loaded into the privileged flow function, there is a risk of data leakage, etc. Need to be verified. A privileged FF signature verification unit 18 is a protection mechanism that performs this verification and forces only the code that has been successfully verified to be executed as a privileged flow function.

  The privileged FF signature verification unit 18 is a unit that verifies the validity of the privileged flow function. The privileged FF execution environment 15 can execute the privileged flow function only when this verification is successful.

  For example, the privileged flow function is digitally signed by an administrator's electronic key (the electronic key may be a public key or a shared key, for example) set in the request processing device 1 in advance. (Only code that has successfully verified this signature can be executed as a privileged flow function).

  For example, when a privileged flow function (including information for operating the owner tag set of the output channel) is to be given an electronic signature with the electronic key of the facility manager X, a certain privileged flow function is It is verified by, for example, the electronic key of the administrator X set in the privileged FF execution environment 15 and the electronic signature obtained accompanying the privileged flow function to be defined by the administrator X Can do. This verification may be the same as the verification by general public key cryptography, for example.

  On the other hand, when a privileged flow function is executed in the privileged FF execution environment 15, the owner tag related to the channel through which the data output by the executed privileged flow function flows (unlike the case of the free flow function) It is set by the privileged FF execution environment 15 based on information (information specifying the owner) described in the privileged flow function.

  Several methods are possible for manipulating the output channel owner tag. For example, regardless of the owner tag associated with the channel of data input by the privileged flow function, the owner tag of the output channel is forced to include only the owner indicated by the information described in the privileged flow function. There is a way to set it. Further, for example, the information described in the privileged flow function indicates the owner tag obtained in the same manner as the above free flow function based on the owner of the data channel input by the privileged flow function. A method in which an owner tag is added to the output channel can be set as the owner tag of the output channel (in addition to addition, operations such as deletion and change can be added).

  FIG. 6 shows an example of the contents (definition table) of the privileged flow function. In this example, the definition of the privileged flow function is: (a) the code of the privileged flow function, (b) the owner tag set that the input channel should satisfy, (c) the owner tag set on the output channel, (d) This is performed based on the set of signer X ID, (e) signature time, and (f) expiration date.

  In the verification, a set of information including the definition information of the privileged flow function is converted into a bit string by a predetermined method (for example, by combining each bit string expression), and the signer X is converted to the bit string. The secret key of the signer X is set and the public key of the signer X is set in the privileged FF execution environment 15 for verification.

  Among the above six items, for the owner tag set of (b), for example, when the owner tag of the target channel is included in the owner tag set of (b), the channel can be accepted. In addition to the method that can be performed, for example, a method that can accept the channel only when the owner tag of the target channel matches the owner tag set in (b) is also possible. . The owner tag set to be satisfied by the input channel (b) may be empty. When (b) is empty, this privileged flow function can accept any channel as input (any data can be accepted as input). A predetermined value may be described instead of emptying the field (b).

  The owner tag set for the output channel in (c) may be empty. When (c) is empty, any subscriber can subscribe to the channel through which the output data of this privileged flow function flows. In this case, the channel owner tag may be, for example, an empty method or a method of describing a predetermined value (that is, a state indicating the logical sum of all owners or all owners). It is sufficient that information indicating the logical sum of is written). A predetermined value may be described instead of emptying the field (c).

  Note that it is possible to execute a privileged flow function by simply operating the owner tag of the output channel without performing any processing. In this case, a code that does nothing (or a code that outputs the input as it is) may be written in the code of the privileged flow function in (a).

  It should be noted that any configuration or procedure for generating an electronic signature or authenticating it may be adopted. At that time, the (d) signer X ID, (e) signing time, and (f) expiration date may be appropriately modified according to the configuration and procedure to be adopted.

  For execution of a privileged flow function, it is necessary to verify its validity. For this purpose, for example, a person who has authority by a system administrator or the like to give information such as an electronic signature to a privileged flow function. Therefore, only an administrator or the like can (a) code of the privileged flow function, (b) an owner tag set to be satisfied by the input channel, and (c) an owner tag set in the output channel. Can be defined.

  Now, the user can realize a desired data processing function by using one or more flow functions (free flow function and / or privileged flow function). However, unless the owner tag of the working device 6 desired by the user matches the owner tag associated with the data channel to be transmitted, the working device 6 cannot receive the data. For example, with the permission of the administrator or the like, the user sets the owner tag related to the channel of the data so that the owner tag of the operation device 6 desired by the user matches with the privileged flow function. As a result, the working device 6 can receive the data.

  The FF code load unit 12 corresponds to, for example, a class loader in Java, and executes execution images of individual free flow functions and privileged flow functions executed in the free FF execution environment 14 and the privileged FF execution environment 15, respectively. The file is loaded from the FF code repository 4 which is an appropriately set file or a server connected to the network. “Appropriate setting” here means that the location of the execution image to be loaded can be known from the name of the flow function. It may be set statically, or the flow function may be identified by the identifier of the execution image. (I.e., specifying the flow function is equivalent to specifying the execution image).

  The request receiving unit 11 receives a flow function materialization request for requesting the materialization of a flow function from the request placement device 3. The flow function instantiation request from the request allocation device 3 includes at least a set of {an identifier of a flow function to be instantiated, a subscribe destination of the flow function}. It is desirable that an appropriate security setting is performed between the request placement device 3 and the request processing device 1. This can be implemented, for example, by performing mutual authentication using well-known methods such as pre-shared key and public key authentication.

  The user device 2 is a device in which a user of a system such as a sensor network describes a user request for this and sends it to the request placement device 3. The user request described by the user is defined by selecting a flow function and a link (graph) of channels associated with the input / output.

  The request placement device 3 places the user request described by the user device 2 in the request processing device 1. The request placement device 3 manages the request processing device 1 and its owner tag included in the information processing system, and applies the flow function included in the request of the user device 2 to the request processing device 1 that satisfies the conditions of the owner tag. Generate.

  Since each flow function is a subscriber, an input owner tag set is determined by the owner tag of the subscribe destination.

  The input owner tag set can be verified by a verification algorithm for a subscribe request from the outside in the Pub-Sub broker 13. FIG. 7 shows an example of the algorithm. In the example of FIG. 7, when the owner tag set of the subscriber-destination channel includes the owner tag of the subscriber, it is satisfied (conforming).

  In the case of a privileged flow function, the output owner tag set is determined by the definition of the privileged flow function. In the case of a free flow function, it is determined by an algorithm for setting a set of output channel owner tags in the free FF execution environment 14. FIG. 8 shows an example of the algorithm.

  The output owner tag set can be verified by a verification algorithm at the time of publish reception in the Pub-Sub verification unit 16 of the Pub-Sub broker 13. FIG. 9 shows an example of the algorithm.

  The individual flow functions received by the request placement device 3 are sequentially placed in the request processing device 1 that satisfies the two input / output verifications. Since the owner tag set of the output cannot be determined unless the input is determined, the arrangement starts from the input side (closer to the action device 5 such as the sensor), and sequentially toward the output (closer to the action device 6 such as the actuator). Place towards the.

  FIG. 10 shows an example of an operation procedure for request arrangement of the information processing system of this embodiment.

  The user request described by the user is transmitted from the user device 2 to the request placement device 3 (step S1).

  The request placement device 3 transfers the received user request to the appropriate request processing device 1 (step S2). In the request processing apparatus 1 that has received the request, the request receiving unit 11 receives the user request.

  The request receiving unit 11 sends the received user request to the FF code loading unit 12 (step S3).

  The FF code loading unit 12 loads an appropriate execution image from the FF code repository 4 based on the given user request, and gives it to the free FF execution environment 14 and / or the privileged FF execution environment 15 (step S4).

  FIG. 11 shows an example of an operation procedure when verification is performed at the time of publishing of the working device 4, at the time of request placement of the request processing device 1, and at the time of subscribing of the working device 5. Here, a case where a free flow function and a privileged flow function are executed will be described as an example.

  First, the Pub-Sub verification unit 16 performs verification based on the owner tag for the action device 5 that is a publisher (step S11). If the verification fails (step S12), an error occurs at this point (step S14).

  When the verification is successful (step S12), the Pub-Sub broker 13 gives the same owner tag as the operation device 5 to the channel through which the data flows (step S13).

  Next, the free FF owner tag setting unit 17 sets an owner tag in a channel that carries output data of a free flow function that subscribes to the channel (step S15).

  Next, the privileged FF signature verification unit 18 performs signature verification on the privileged flow function that subscribes to the channel (step S16). If the verification fails (step S17), an error occurs at this point (step S19).

  When the verification is successful (step S17), the privileged FF execution environment 15 sets an owner tag in the channel through which the output data of the privileged flow function is sent (step S18).

  Next, the Pub-Sub verification unit 16 performs verification based on the owner tag for the action device 6 that is a subscriber (step S20). If the verification fails (step S21), an error occurs at this point (step S22).

  This flow is possible when the verification is successful (step S21).

  In addition, the said procedure is suitably changed according to the presence or absence of a free flow function or a privileged flow function. First, the part of step S15 is performed according to each free flow function. If the free flow function is not executed, the step S15 is omitted. Further, steps S16 to S19 are executed according to each privileged flow function. When the privileged flow function is not executed, the steps S16 to S19 are omitted. Further, the step S15 corresponding to the free flow function and the steps S16 to S19 corresponding to the privileged flow function are executed in the order in which the flow functions are executed.

  By the way, in addition to (or instead of) the above timing, the owner tag is set and verified by actually receiving data from the action device 5 and processing it with a flow function. It can also be done when sending to.

  FIG. 12 shows an example of the operation procedure in this case. Here, a case where a free flow function and a privileged flow function are executed will be described as an example.

  First, the operating device 5 which is a publisher transmits data to the request processing device 1 at a predetermined timing. When the request processing apparatus 1 receives the data (step S31), the Pub-Sub verification unit 16 performs verification based on the owner tag for the acting apparatus 5 that is the publisher (step S32). If the verification fails (step S33), an error occurs at this point (step S35).

  When the verification is successful (step S33), the Pub-Sub broker 13 sets an owner tag for the channel through which this data flows (step S34).

  Next, the free FF execution environment 14 executes the free flow function with the data received from the channel as an input (step S36). The free FF owner tag setting unit 17 sets an owner tag in the channel through which the output data of the free flow function flows (step S37).

  Next, the privileged FF signature verification unit 18 performs signature verification on the privileged flow function that subscribes to the channel (step S38). If the verification fails (step S39), an error occurs at this point (step S41).

  When the verification is successful (step S39), the privileged FF execution environment 15 receives the data received from the channel as an input, executes the privileged flow function, and sets an owner tag for the channel through which the output data flows (step S39). Step S40).

  Next, the Pub-Sub verification unit 16 performs verification based on the owner tag for the action device 6 that is a subscriber (step S42). If the verification fails (step S43), an error occurs at this point (step S45).

  When the verification is successful (step S43), the Pub-Sub broker 13 transmits the data of this channel to the working device 6 (step S44).

  In addition, the point which the said procedure changes suitably according to the presence or absence and number of free flow functions or privileged flow functions is the same as in the case of FIG.

  According to the present embodiment, for example, in an environment where an administrator and a plurality of owners / users exist, one user defines a flow function that operates in a state where data (contents) by a plurality of owners are mixed, The result can be viewed anonymously via a privileged flow function. For example, when there is a building containing multiple tenants, a program such as synthesizing the number of people in each tenant and operating the building in a power-saving mode when it falls below a certain threshold can be used as an external ESCO business. Can run on the building. At this time, the resident list, which is originally confidential information for each tenant, is written in a program operated by an external business operator, and only the result of that program is obtained by a privilege FF that deletes this confidentiality (such as dropping it into information on the number of people only). Will be able to receive.

  Hereinafter, the information processing system of this embodiment will be described using some specific examples in which the information processing system is applied to a building management system.

<First specific example>
First, an example of cooperation with a service company will be described as a first specific example with reference to FIGS. FIG. 14 is an example in which subscribing to a channel that does not match the owner tag is not successful (when the flow function is not used). FIG. 15 is because the free flow function does not change the owner tag of the output channel. FIG. 16 is an example in which the owner tag is matched by a properly signed privileged flow function changing the owner tag of the output channel.

  This specific example is a simplified example for explaining the operation of the present embodiment.

  Suppose that company X is in a certain building B. For simplicity, it is assumed here that the building B is a building owned by the company X and the company X is a building manager. Company X has one printer (the printer is P1), and there is a service company S for replenishing the printer paper of printer P1. The company X entrusts the printer paper management to the service company S so that the printer paper is not cut and an excessive stock is not set. However, notifying the service company S of information on when and how many printouts have been made, or information on the remaining amount of paper at an arbitrary point of time, for example, for the company X, indicates the degree of business activity. This is not desirable because it is equivalent to informing.

  Therefore, according to the present embodiment, the following configuration is possible.

  Assume that the printer P1 operates as the action device 5, and the owner ID of the company X is set as the owner tag. The company X has one request processing device 1. The request processing device 1 is set with an owner tag consisting of the owner ID of the company X and the owner ID of the service company S. These are connected to one request allocation device 3 managed by the company X, and the service company S can input an arbitrary program via the user device 2.

  The service company S has an out-of-paper alarm A with the owner tag of the service company S set as the action device 6. The out-of-paper alarm A may be, for example, a rotating lamp or a device that notifies the person in charge of out-of-paper by e-mail or the like. Further, a device that delivers paper to the company X semi-automatically using a robot, a parcel delivery service, a regional logistics service, or the like may be used.

  The printer P1 outputs the remaining amount of paper as a numerical value every time the paper is used. Here, for example, the company X registers, as a privileged flow function, a paper remaining amount threshold value determination function fth “returns True when the remaining amount of paper falls below 100 sheets”. The output owner tag of this privileged flow function is the owner ID of the service company S. However, the privileged flow function needs to be signed by the company X at the time of registration. This privileged flow function is created, for example, in pseudo code. FIG. 13 shows an example of pseudo code (threshold function) of the remaining sheet threshold value determination function fth.

  Here, consider the case where the service company S acquires the output of the remaining amount of paper of the printer P1 and the case of acquiring the result of processing the output of the remaining amount of paper of the printer P1 by a free function.

  If the remaining amount of paper is given to the out-of-paper alarm device A as it is, as shown in FIG. 14, the output of the remaining amount of paper of the printer P1 is given the owner tag of the company X. The owner tag of company X is given to the channel, whereas the owner tag of service company S is given to out-of-paper alarm A, so that out-of-paper alarm A is the output channel of printer P1. Even if an attempt is made to subscribe, the Pub-Sub verification unit 16 will block.

  In addition, as shown in FIG. 15, even if data is to be given to the out-of-paper alarm A via the free flow function introduced by the service company S, the free flow function is similarly set by the free FF owner tag setting unit 17. When the output tag is given the owner tag set of company X, and the out-of-paper alarm A tries to subscribe to this output channel, it is blocked by the Pub-Sub verification unit 16.

  Therefore, in order for the service company S to provide information for service to the out-of-paper alarm A, as shown in FIG. 16, it is only necessary to pass through a remaining paper threshold determination function fth (privileged flow function). . This privileged flow function is signed by the company X, and the service company S cannot manipulate its contents. However, it is possible to introduce a privileged flow function in the middle of a program that the service company S gives to the request allocation device 3 from the user device 2. Since only the service company S is given to the owner tag set of the output by the privileged FF execution environment 15, the result can be received by the out-of-paper alarm device A.

  A simple example of the program for the service company S to execute the service obtained from the above is that the output channel of the printer P1 is used as an input of the remaining sheet threshold value determination function fth (privileged flow function), and the output is used as an out-of-paper warning. When machine A subscribes, it detects that there are less than 100 sheets of paper.

  Here, it is assumed that the service company S wants to dynamically predict how the remaining amount of paper in the printer P1 will decrease in order to improve the service. For example, when there is a large demand, it may not be in time to arrange replenishment after the remaining amount is 100 sheets. Therefore, the service company S takes a history of the remaining amount of paper for several hours, defines a function fli for obtaining the remaining amount of paper after 3 hours by linear interpolation as a new free flow function, and registers it in the FF code repository 4. The output channel of the printer P1 is set as an input of the function fli, and this output is set as an input of the function fth. At this time, since the function fli is a free flow function, the company X is set as the owner tag set, and the output of the function fli cannot be directly received by the paper out alarm device A. Therefore, as in the previous example, by passing through the function fth, the information output approved by the company X to the service company S is obtained. Can do.

<Second specific example>
Next, an example of access control for in-building equipment will be described as a second specific example with reference to FIGS. 17 is an example of equipment shared by two tenants, and FIG. 18 is an example of using a privileged flow function as an accounting window.

  As an example similar to the first specific example, an example will be described in which access control to a device in a building and accounting are performed simultaneously. In this specific example, the building has “individual floor air conditioning equipment”, “common air conditioning equipment”, “hot water supply equipment”, “elevator equipment”, “lighting equipment”, “floor sharing copier”, “floor sharing printer”. ”And the like exist. Each facility / device can be accessed from the facility device network by communication means using a known protocol or the like. The building includes a plurality of tenants. In this specific example, it is assumed that “tenant T1” is in 1F and “tenant T2a” and “tenant T2b” are in 2F. In addition, there is an administrator in the building, and this is “building administrator BA”.

  Here, in this specific example, it is assumed that there is a building administrator or tenant user device 2. Further, it is assumed that the request processing device 1 of the tenant T1 and the request processing device 1 shared by the tenant T2a and the tenant T2b exist as the request processing device 1 that is lent and managed by the tenant. In addition, the tenant T1 request processing device 1 is set with “tenant T1 and owner tag of building administrator BA”, and the tenant T2a and tenant T2b share the request processing device 1 with “tenant T2a and tenant T2b”. And the owner tag of the building manager BA ”are set. These request processing devices 1 may be individual devices that are physically independent, or are virtually constructed in respective areas protected by software in shared hardware. Also good.

  There are also controlled devices in the building. These include floor shared equipment (floor air conditioning equipment, lighting equipment, etc.) and shared equipment (elevator etc.) for the entire equipment. These controlled devices are directly managed by the building administrator and cannot be freely controlled by the tenant. Therefore, the “building owner BA owner tag” is set in these devices. It is assumed that the “tenant owner tag” is set in the device corresponding to the control panel for tenants.

  In this specific example, an air conditioner installed on 2F will be described as a representative example. The 2F air conditioning equipment is assumed to be “AC”. Regarding the control panel installed in the tenth floor of 2F, the one in tenant T2a is referred to as “control panel CT2a”, and the one in tenant T2b is referred to as “control panel CT2b”. The “building owner BA owner tag” is set in the air conditioning facility AC, the “tenant T2a owner tag” is set in the control panel CT2a, and the “tenant T2b owner” is set in the control panel CT2b. It is assumed that “Tag” is set.

  Here, it is assumed that each tenant can freely set air conditioning. However, the tenant employee inputs the specified room temperature and the operation request (ON / OFF) to the control panel CT2a or the control panel CT2b, and the control panel CT2a and the control panel CT2b are respectively supplied from the room temperature meter to the air conditioning facility AC. The operation / non-operation of is input.

  The above program can be described in a simplified form as shown in FIG.

  The control panel CT2a and the control panel CT2b operate according to the following principle. Input is specified room temperature (degrees), operation request (on / off), and room temperature meter (degrees). The output is an air conditioning control request (on / off). When the operation request is off, the output is off. If the operation request is on, the specified room temperature is compared with the room temperature meter, and if the room temperature input is higher than the specified room temperature, on is output, and if not, off is output.

  Now, the control panel CT2a and the control panel CT2b have a tenant T2a and a tenant T2b as owner tags, respectively. This cannot be directly input to the air conditioning equipment AC. This is because the air conditioning facility AC cannot subscribe to a channel having the owner tag of the building manager BA and having the tenant T2a and the tenant T2b as outputs.

  On the other hand, the building manager wants to know which tenant is using how much air conditioning equipment. This is because, for example, there is a case where a separate pay-as-you-go system is charged, and there is a case where it is necessary to place restrictions on excessive use in order to save power, for example. is there.

  Therefore, the building manager prepares an accounting privileged flow function fac that receives the input from each control panel and uses the output owner tag as the building manager BA. This has a paired accounting database, and when a control command of on, that is, a command for operating air conditioning is passed to the function fac, the accumulated time is measured and recorded in the accounting database. Further, when the usage amount is remarkably higher than the planned amount, a function for stopping the on control command may be provided.

  Here, the function fac is prepared for each tenant. For example, in the fac for the tenant T2a, the tenant T2a is set as an owner tag set that the input channel should have, and the tenant T2b cannot operate the air conditioning by charging the tenant T2a by mistake or intentionally. Of course, an accounting database is also prepared for each tenant. On the other hand, the output owner tag set is that of the building administrator BA. By passing through this privileged flow function, the aforementioned pseudo program becomes as shown in FIG. Here, the fac for the tenant T2a is described as FAC_T2a, and the fac for the tenant T2b is described as FAC_T2b.

  With the above configuration, an example of realizing accounting by access management while receiving a request from a tenant was shown. Each tenant may independently incorporate an overtime application system or a workflow system for permitting the overtime operation of the air conditioning in the output part of the control panel.

<Third specific example>
Next, as a third specific example, an example of interlocking between building device control and occupancy management will be described with reference to FIG. FIG. 19 is an example of air conditioning control.

  An example in which the second specific example is expanded to link in-building device control and occupancy management will be described. Building equipment and tenants are the same as in the second specific example unless otherwise specified.

  Tenant occupants have an entrance / exit management system connected to the building security system, and tenant employees or contracted contractors (cleaners, etc.) employees are locked with card keys. It is assumed that it passes through the gate (the gate of 1F is G1, and the gate of 1F is G2). However, regarding the tenant's employees, it is a contract that the building manager cannot obtain directly because it is a confidential matter of each company about who passed the gate and when. To do.

  Since the information coming out from the gate is secret, the building manager cannot directly acquire data. Therefore, only the “owner tag of tenant T1” is set in the gate G1, and only “the owner tag of tenant T2a and tenant T2b” is set in the gate G2, and the output device ( In “the owner tag of the building administrator BA” is set, the information of the gates G1 / G2 cannot be received.

  Here, it is assumed that the building manager can know the number of people entering the room by agreement between the tenant and the building manager. This agreement can be achieved, for example, when the tenant introduces a privileged flow function whose length is obtained from the list of IDs and whose owner tag of the output is the building manager BA. For example, the building manager can adjust the power plan based on the number of people in the room. This is shown in FIG.

  In FIG. 20, the privileged flow function C1F reads the output (entrance, card key ID) or (exit, card key ID) column of the gate G1, and converts it into the current number of people in the 1F. At the same time, the privileged flow function C2F reads the output of the gate G2 and converts it into 2F.

These can operate with the following algorithm.
1. The occupant set is initialized to empty.
2. Wait for input from the gate and do one of the following depending on the input:
Register the card key ID in the room entrance event set.
The card key ID is deleted from the room exit event resident set.
3. Count the number of occupant sets and output this.
4). Return to step 2.

  The set referred to here is a data structure that realizes a set that does not allow duplication.

  The building manager BA can receive this output by the request processing device 1 managed by the building manager BA.

  The output of the 1F air conditioner AC1 and the output of the 2F air conditioner AC2 can be controlled from the service level agreement exchanged between the number of people in the room and individual tenants. Here, the free flow function for controlling the 1F air conditioner AC1 and the free flow function for controlling the 2F air conditioner AC2 are represented by ACM1 and ACM2, respectively.

In this example, it is assumed that the service level agreement is exchanged in the following list of combinations of two items. The air conditioning output is limited by the current number of people in the room. As a result, energy saving operation is performed as the number of people in the room decreases, and comfortable operation can be performed when the number of people in the room is large.
・ T: Minimum occupancy threshold (integer)
・ M: Maximum air conditioning output (0-100)
Both ACM1 and ACM2 perform the following operations.
1. Initialize temporary maximum output value o to 0
2. Wait for input and record the number in p
3. Take the elements in order from the list of service level agreements, and for each t and p,
・ When p is equal to or greater than t
o = max (o, m)
4). Output the result o
5. Return to step 2 <Fourth example>
Next, referring to FIG. 20, an example of interlocking the ESCO business and occupancy management will be described as a fourth specific example. FIG. 20 shows an example of interlocking between power control of the entire building and occupancy management.

  A business form called ESCO (Energy Service COmpany) is undertaken as a business to optimize (conserve electricity) the energy consumption of a specific office.

  Here, the example which implements this invention with respect to the optimal ESCO business with respect to a certain building is demonstrated. Unless otherwise specified, it is assumed that this specific example is in an environment similar to the environment of the specific examples so far.

  Here, it is assumed that the ESCO operator contracts with a building manager and performs power control of facilities and equipment in the building based on the contract. On the other hand, information on who entered and when each tenant entered each tenant is information that can be used to infer the business behavior of each tenant depending on how it is used. Do not give. On the other hand, the ESCO business is a business model that gains benefits from improving the power efficiency of the building by performing optimal power control in the building, so knowing the activities of people in the building and the usage status of equipment, It is beneficial to control in detail.

  Therefore, according to the present embodiment, it is ensured that only the data based on the contract between the ESCO operator and the building manager (control result index) is passed to the ESCO operator, and the actual control and control result index A program for calculation can be freely developed by an ESCO operator. The present embodiment achieves both free programming by an external business operator and prevention of information leakage by boundary control of data distribution.

  As a result, in this specific example, it can be expected that the ESCO provider will exhibit higher capabilities and contribute to energy consumption / cost reduction.

  Hereinafter, a specific example will be described with reference to FIG.

  In the building, there are various controlled devices such as entrance / exit leaders, elevators, air conditioners, lighting, and hot water supply. In addition, there are several request processing apparatuses 1 (not shown), and one of them is an entrance / exit for an external service including an ESCO operator.

  The ESCO center describes a flow program necessary for building control from the equipment configuration in the building obtained from the building manager by a separate contract. The described program is given to the request allocation device 3 from the user device 2 assigned to the ESCO center. Here, if necessary, the ESCO center describes a free flow function for performing data processing in the building, and registers it in the FF code repository 4 prior to inputting the program into the request allocation device 3.

  The request placement device 3 disassembles the program as necessary. For example, the part that receives the input of the entrance / exit leader is to the request processing device 1 near the entrance / exit leader, and the part that controls the output to the ESCO center is: Each flow function is arranged in the request processing apparatus 1 in such a manner as to the request processing apparatus 1 for the outside. At this time, a flow function is arranged so as to satisfy the constraint condition of the owner tag set in each request processing device 1, and the request processing devices 1 are connected.

  Specifically, it is assumed that the tenant owner tag T is installed in the entrance / exit gate G, and the owner tag BA of the building manager is installed on the input (control) side of the air conditioning equipment and on the output (monitoring) side of the air conditioning equipment. At this time, air conditioning can be monitored and controlled by the same mechanism as described in the third specific example. The difference from the above-mentioned specific example is that the ESCO center is outside the building, and the building manager can switch between a plurality of ESCO operators by contract.

<Fifth example>
Next, an example of a power infrastructure business will be described as a fifth specific example.

  When the power supply cannot keep up with demand, supply and demand adjustments (for example, supply and demand adjustment contracts, etc.) to customers who make a contract for normal power supply discounts and power cut requests when supply and demand are tight Currently, this supply and demand adjustment is performed manually, but we will consider automating it except for emergency responses.

  At this time, a single supplier S and a plurality of consumers D1, D2,. . . think of. It is assumed that each consumer knows the power consumption in the customer's office and can describe each load setting by a flow program. The specific description is equivalent to the above-described device control example (third specific example). Here, the flow program for supply and demand adjustment is described inside the office.

  The supply and demand adjustment contract prepares a privileged flow function in the input part of the program based on the contents of each contract. S is set in the owner tag set to be satisfied by the input channel, and the customer Dn is set in the output. As an input, a combination (tuple) of the level of supply / demand adjustment request (how many watts to suppress demand) and the deadline and duration of the request (how many hours later the adjustment will be completed and how long the state will be continued) The privileged flow function has a function of verifying whether the contract contents and the supply and demand adjustment request match, and if the verification result is correct, has a function of transferring the supply and demand adjustment request to the supply and demand adjustment flow program set by the consumer.

  When power supply and demand is tight, the supplier S issues a demand and supply adjustment request to the privileged flow function of each individual customer Dn. Since individual customers have different contract scales and demands at that time, they issue a supply and demand adjustment request tailored to individual customers. It is also possible to introduce a mechanism for automatically generating a supply and demand adjustment request in accordance with the contract size of each customer and the demand at that time.

It is also conceivable to switch from the two steps of adjusting supply and demand to a method of gradually narrowing the upper limit of consumable power by automation. In this case, when supply and demand adjustment begins
1) Air conditioning is weak and server devices operate in energy saving mode.
2) Loads that can be stopped (multi-line elevators, office printers, etc.) can be stopped
3) Air conditioning can be stopped (not equipment maintenance)
4) Production facility shutdown plans are executed in order of priority
By executing the power consumption reduction in the order as described above, it is possible to continuously and automatically respond to the demand and supply adjustments that have been sought.

  However, because the production facility stoppage plan naturally leads to delays in delivery, the priority and adjustment of production capacity in the process management system and the supply and demand adjustment system described in this example are interconnected. Need to be. For example, a system is introduced in which a line to be stopped in order to realize power reduction is estimated from the loss amount due to the stop, and the line is stopped in order from the smallest loss amount.

<Sixth specific example>
Next, an example of traffic control will be described as a sixth specific example.

  The traffic situation in the city center changes from moment to moment, and can be a source of information affecting various economic activities. For example, if the congestion situation can be grasped in real time, the distribution dispatch plan can be adjusted accordingly. In addition, with the development of sensing technology and the emergence of network / ITS-linked GPS navigation systems, it has become possible to even know who is running for which, especially in vehicles.

  However, grasping individual vehicle movement information also creates privacy concerns. Clearly, this information is not of a nature that anyone can use it freely. However, it is also difficult to consider in advance what form of information will generate more profit.

  Therefore, for example, in the elemental technology of each traffic system (for example, the result of the license plate recognition device or traffic situation image processing), a function corresponding to the request processing device 1 in the present embodiment is implemented and the information is processed or processed. It can also be said that anonymization and verification of data using a privileged flow function is performed at the stage of providing the aggregated result outside the traffic system. With this method, raw data including privacy information can be handled as it is to be used inside the traffic system, while information is provided to outside users with little concern about leakage of privacy information. Effective utilization becomes possible.

  As a specific privileged flow function, there is a privileged flow function in which safe and meaningful information is first limited to a (tuple / time, count) tuple sequence and no other information is output. This will output only how many cars have passed at each time or time, and leave the decision of when / what to the free idea of the data user and the processing result by the free flow function. It can be said. When output in a new data format is required due to increasing needs in the future, a new privileged flow function may be introduced. Of course, in order to use a privileged flow function that can obtain higher-definition information, it is possible to use a mechanism in which consideration is paid by some kind of contract. In that case, a privileged flow function with the owner tag of each consumer set as output Is registered in the FF code repository 4.

  The reason why the execution environment for the privileged flow function and the free flow function is divided will be described here. For example, a raw image obtained from a sensor, license plate information, or the like is re-encoded into another format that is permitted to be output (for example, bit 0 if the time difference from the previous event is 1, bit 1 if it is 2, , It is possible to encode arbitrary data into time-series data, etc.). In order not to allow this, a dedicated privileged flow function is prepared only at the stage of manipulating the contents of data (for example, acquiring and comparing numerical values of license plates, or converting images and checking them against DB). The output is the owner tag of the transportation system owner. On the other hand, in an execution environment in which a free flow function is executed, calling of a method that directly accesses data is prohibited (for example, in the case of Java, it is prohibited by an appropriate setting of a sandbox).

Each of the above functions can be realized even if it is described as software and processed by a computer having an appropriate mechanism.
The present embodiment can also be implemented as a program for causing a computer to execute a predetermined procedure, causing a computer to function as a predetermined means, or causing a computer to realize a predetermined function. In addition, the present invention can be implemented as a computer-readable recording medium on which the program is recorded.

  Note that the present invention is not limited to the above-described embodiment as it is, and can be embodied by modifying the constituent elements without departing from the scope of the invention in the implementation stage. In addition, various inventions can be formed by appropriately combining a plurality of components disclosed in the embodiment. For example, some components may be deleted from all the components shown in the embodiment. Furthermore, constituent elements over different embodiments may be appropriately combined.

  DESCRIPTION OF SYMBOLS 1 ... Request processing apparatus, 2 ... User apparatus, 3 ... Request arrangement | positioning apparatus, 4 ... Flow function code repository, 5 ... Action apparatus, 11 ... Request reception part, 12 ... Flow function code load part, 13 ... Publish / subscribe- Broker, 14 ... Free flow function execution environment, 15 ... Privileged flow function execution environment, 16 ... Publish / subscribe verification unit, 17 ... Free flow function owner tag setting unit, 18 ... Privileged flow function signature verification unit, 131 ... Publish Subscribing processing unit, 132 ... transmission / reception interface unit, 133 ... channel information storage unit, 161 ... publisher verification unit, 162 ... subscriber verification unit

Claims (14)

A data processing device capable of receiving data from a transmission device, processing the data and transmitting the data to the reception device,
Prior to receiving the data from the transmitting device, the owner information indicating the owner related to the transmitting device is verified to match the owner information indicating the owner related to the data processing device, Prior to transmitting the data to the receiving device, a first verification unit that verifies that owner information indicating an owner related to the receiving device matches owner information indicating the owner related to the data When,
The data can be received from the transmission device only when the verification related to the transmission device is successful, and the data is sent to the reception device only when the verification related to the reception device is successful. A relay unit capable of transmitting;
A first execution unit for executing a free flow function capable of arbitrarily setting the content of data processing;
When the free flow function is executed, owner information indicating the owner related to the data output by the free flow function is set based on the owner information indicating the owner related to the data input by the free flow function A setting section to
A second verification unit that verifies the validity of the privileged flow function that can arbitrarily set the contents of the data processing based on the first information described in the privileged flow function;
Only when the verification related to the privileged flow function is successful, the privileged flow function can be executed, and when the privileged flow function is executed, ownership of the data output by the privileged flow function A data processing apparatus comprising: a second execution unit that sets owner information indicating a person based on second information described in the privileged flow function.   The first verification unit succeeds in the verification when the set of owners indicated by the owner information related to the transmission device is included in the set of owners indicated by the owner information related to the data processing device. The data processing apparatus according to claim 1, wherein:   The first verification unit, when a set of owners indicated by owner information related to the receiving device is included in a set of owners indicated by owner information related to data to be transmitted to the receiving device, The data processing apparatus according to claim 1, wherein the verification is successful.   2. The relay unit sets owner information indicating an owner related to the data received from the transmitting device to be the same as owner information indicating an owner related to the transmitting device. 4. The data processing device according to any one of items 3 to 3.   When the free flow function receives one piece of data, the setting unit shows owner information indicating an owner related to the data output by the free flow function, and indicates an owner related to the one data When the same as the owner information is set and the free flow function receives a plurality of data, the owner information indicating the owner of the data output by the free flow function is set to each of the plurality of data. 5. The data processing apparatus according to claim 1, wherein the owner information is set to a logical product of a set of owners indicated by the owner information. The first information described in the privileged flow function is information related to an electronic signature generated using an electronic key related to an authorized person,
6. The data processing apparatus according to claim 1, wherein the second verification unit verifies the validity of the privileged flow function based on the first information. The second information described in the privileged flow function is information specifying an owner;
The second execution unit sets the owner information indicating the owner related to the data output by the privileged flow function, regardless of the owner information indicating the owner related to the data input by the privileged flow function. 7. The data processing apparatus according to claim 1, wherein the second information is set to owner information indicating an owner designated by the second information.   The free flow function receives at least one of the data received from the communication device, data output from another free flow function, and data output from the privileged flow function, The data processing apparatus according to any one of claims 1 to 7.   The privileged flow function receives at least one of the data received from the communication device, data output from the free flow function, and data output from another privileged flow function, The data processing apparatus according to any one of claims 1 to 8.   The data to be transmitted to the receiving device is the data received from the communication device, the data output from the free flow function, or the data output from the privileged flow function. The data processing device according to any one of claims.   The system further comprises means for acquiring an execution image of the free flow function and / or the privileged flow function based on a request from the outside and giving the execution image to the free flow function execution unit and / or the privileged flow function execution unit. The data processing device according to claim 1. The relay unit, when receiving data from the transmission device, gives the data to a predetermined first channel;
When the first execution unit is given data from a predetermined second channel, the first execution unit executes the free flow function using the data as an input, and determines the data output by the free flow function. The third channel given,
When the second execution unit is supplied with data from a predetermined fourth channel, the second execution unit executes the privileged flow function with the data as input, and the data output by the privileged flow function is determined in advance. To the fifth channel,
12. The relay unit according to claim 1, wherein when receiving data from a predetermined sixth channel, the relay unit transmits the data to a predetermined receiving device. The data processing apparatus according to item 1. In order to receive data from the transmission device, process the data and transmit the data to the reception device, the first verification unit, the setting unit, the second verification unit, and the data from the transmission device, A relay unit that transmits the data to the receiving device; a first execution unit that executes a free flow function that can arbitrarily set the content of data processing; and a privileged flow function that can arbitrarily set the content of data processing. A data processing method of a data processing apparatus comprising a second execution unit to execute,
Prior to the first verification unit receiving the data from the transmission device, the owner information indicating the owner related to the transmission device is changed to the owner information indicating the owner related to the data processing device. Verifying conformance; and
When the setting unit executes a free flow function that can arbitrarily set the contents of data processing, the free flow function inputs owner information indicating an owner related to data output by the free flow function. Setting based on owner information indicating the owner of the data;
The second verification unit verifies the validity of the privileged flow function that can arbitrarily set the content of data processing based on the first information described in the privileged flow function;
In the privileged flow function, the second execution unit describes owner information indicating an owner related to data output by the privileged flow function when the privileged flow function that has been successfully verified is executed. Setting based on the second information being
Prior to the first verification unit transmitting the data to the receiving device, the owner information indicating the owner related to the receiving device matches the owner information indicating the owner related to the data. And a step of verifying the data. In order to receive data from the transmission device, process the data and transmit the data to the reception device, the first verification unit, the setting unit, the second verification unit, and the data from the transmission device, A relay unit that transmits the data to the receiving device; a first execution unit that executes a free flow function that can arbitrarily set the content of data processing; and a privileged flow function that can arbitrarily set the content of data processing. A program for causing a computer to function as a data processing device including a second execution unit to be executed,
Prior to the first verification unit receiving the data from the transmission device, the owner information indicating the owner related to the transmission device is changed to the owner information indicating the owner related to the data processing device. Verifying conformance; and
When the setting unit executes a free flow function that can arbitrarily set the contents of data processing, the free flow function inputs owner information indicating an owner related to data output by the free flow function. Setting based on owner information indicating the owner of the data;
The second verification unit verifies the validity of the privileged flow function that can arbitrarily set the content of data processing based on the first information described in the privileged flow function;
In the privileged flow function, the second execution unit describes owner information indicating an owner related to data output by the privileged flow function when the privileged flow function that has been successfully verified is executed. Setting based on the second information being
Prior to the first verification unit transmitting the data to the receiving device, the owner information indicating the owner related to the receiving device matches the owner information indicating the owner related to the data. A program for causing a computer to execute the step of verifying the above.

Images