BLACK LIST SETTING APPARATUS, BLACK LIST SETTING METHOD, AND BLACK LIST SETTING PROGRAM

摘要

To generate a black list with reduced number of rules without significantly lowering the detection rate when the number of rules that can be set for a device is limited.SOLUTION: An acquisition unit 141 acquires the attack type and the number of attacks for each IP address of the attack source with respect to a cyber attack observed on the Internet. Further, a calculation unit 142 calculates a parameter of a distribution function when the distribution of the number of attacks for each of the IP addresses of the attack source is represented by a predetermined distribution function for each of the attack types. In addition, under a constraint condition in which the number of selectable IP addresses is equal to or less than a predetermined upper limit value, a selection unit 143 selects the IP address to be set in a black list from the IP address of the attack source such that the detection rate for the cyber attack predicted on the basis of the distribution function and the distribution parameter is maximized.SELECTED DRAWING: Figure 1