1. (WO2017018377) ANALYSIS METHOD, ANALYSIS DEVICE, AND ANALYSIS PROGRAM
Applicants: NIPPON TELEGRAPH AND TELEPHONE CORPORATION
Title: ANALYSIS METHOD, ANALYSIS DEVICE, AND ANALYSIS PROGRAM
The purpose of the invention is to accurately correlate a plurality of different types of events that have occurred on a single Web server, and to accurately detect an attack against a Web application. An event acquisition unit (151) acquires a log of events that includes an HTTP request to a Web server. An event correlation unit (152) uses the process IDs of the processes that handled the respective events in the log to create event blocks, each being a set of events consisting of the HTTP request and the events correlated with it. An attack detection unit (155) compares an event block created from the log of events subject to attack detection with the profiles in a profile list (143) created from normal events and finds the degree of similarity; if the degree of similarity is less than or equal to a predetermined threshold, it detects the event block as one that includes an abnormal event caused by an attack. The event correlation unit (152) also creates event blocks by using the transmission-source port numbers included in the respective events.
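An added example, not taken from the patent, of the pipeline the abstract describes: events are grouped into event blocks by process ID, and each block is compared with profiles built from normal events. The event field names, the rule that a block runs from one HTTP request to the next on the same process, the Jaccard similarity measure, the 0.5 threshold and the log lines are all assumptions constructed for illustration.

```python
# Added example: event correlation by process ID and profile-based detection.
# Event fields, Jaccard similarity and the 0.5 threshold are assumptions.
import re

def build_event_blocks(events, key="pid"):
    """Group each HTTP request with later events sharing its key (e.g. the PID)."""
    open_blocks, blocks = {}, []
    for ev in events:
        k = ev[key]
        if ev["type"] == "http_request":
            open_blocks[k] = [ev]          # a new request starts a new block
            blocks.append(open_blocks[k])
        elif k in open_blocks:
            open_blocks[k].append(ev)      # same key => same block
    return blocks

def features(block):
    """Reduce a block to a set of (type, detail) pairs with digits masked."""
    return frozenset((ev["type"], re.sub(r"\d+", "N", ev["detail"])) for ev in block)

def jaccard(a, b):
    return len(a & b) / len(a | b) if a | b else 1.0

def detect(blocks, profiles, threshold=0.5):
    """Return (similarity, block) for blocks whose best match is <= threshold."""
    flagged = []
    for block in blocks:
        best = max((jaccard(features(block), p) for p in profiles), default=0.0)
        if best <= threshold:
            flagged.append((best, block))
    return flagged

# Constructed sample logs (not from the patent); events of two PIDs interleave.
NORMAL_LOG = [
    {"type": "http_request", "pid": 101, "detail": "GET /item.php?id=7"},
    {"type": "db_query", "pid": 101, "detail": "SELECT * FROM items WHERE id=7"},
    {"type": "file_read", "pid": 101, "detail": "/var/www/item.php"},
]
TEST_LOG = [
    {"type": "http_request", "pid": 202, "detail": "GET /item.php?id=12"},
    {"type": "http_request", "pid": 203, "detail": "GET /item.php?id=3"},
    {"type": "db_query", "pid": 202, "detail": "SELECT * FROM items WHERE id=12"},
    {"type": "file_read", "pid": 203, "detail": "/etc/passwd"},
    {"type": "file_read", "pid": 202, "detail": "/var/www/item.php"},
    {"type": "command_exec", "pid": 203, "detail": "/bin/sh"},
]
PROFILES = [features(b) for b in build_event_blocks(NORMAL_LOG)]
FLAGGED = detect(build_event_blocks(TEST_LOG), PROFILES)
```

The block for PID 202 matches the normal profile exactly, while the block for PID 203 shares only the request feature with it and is flagged.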