The aim is to detect abnormal logs caused by a malicious program without depending, as the prior art does, on detection patterns based on attack pattern information. An abnormality log detection unit (101) extracts abnormal logs based on the feature amounts of each session extracted by the feature amount extraction unit (112). Because this abnormal log extraction uses unsupervised learning, abnormal logs caused by a malicious program can be detected without depending on detection patterns based on attack pattern information. Furthermore, because false detection logs are excluded using supervised learning, the possibility of false detection can be reduced. [Selected figure] Figure 2
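The two-stage flow described above, as an added sketch that is not taken from the patent: unsupervised extraction over per-session feature amounts, then a supervised filter that drops known false detections. The abstract names no features or algorithms, so the three features, the median/MAD outlier score, the nearest-centroid classifier and all sample data are assumptions constructed for illustration.

```python
import math
from statistics import median

# Constructed per-session feature amounts: (requests, KB sent out, distinct hosts).
SESSIONS = {
    "s01": (12, 40, 3), "s02": (15, 55, 4), "s03": (10, 38, 2), "s04": (14, 47, 3),
    "s05": (11, 42, 3), "s06": (13, 50, 4), "s07": (16, 52, 3), "s08": (12, 45, 2),
    "s09": (14, 9000, 1),   # nightly backup: large transfer to a single host
    "s10": (400, 60, 90),   # many requests fanned out over many hosts
}
# Constructed analyst verdicts on earlier alerts (training data for stage 2).
LABELLED = [
    ((13, 8000, 1), "false_detection"), ((15, 12000, 1), "false_detection"),
    ((350, 70, 80), "malicious"), ((500, 50, 120), "malicious"),
]

def extract_abnormal(sessions, threshold=3.5):
    """Stage 1, unsupervised: robust z-score (median/MAD) per feature."""
    stats = []
    for col in zip(*sessions.values()):
        med = median(col)
        mad = median(abs(v - med) for v in col) or 1.0  # guard constant columns
        stats.append((med, mad))
    return sorted(
        sid for sid, feats in sessions.items()
        if any(0.6745 * abs(v - med) / mad > threshold
               for v, (med, mad) in zip(feats, stats))
    )

def _log(feats):
    # Log scale keeps the byte count from dominating the distance.
    return [math.log1p(v) for v in feats]

def train_centroids(labelled):
    """Stage 2, supervised: one centroid per label in log-feature space."""
    groups = {}
    for feats, label in labelled:
        groups.setdefault(label, []).append(_log(feats))
    return {label: [sum(c) / len(c) for c in zip(*rows)]
            for label, rows in groups.items()}

def classify(feats, centroids):
    return min(centroids, key=lambda lb: math.dist(_log(feats), centroids[lb]))

def detect(sessions, labelled):
    """Return (abnormal sessions, sessions still reported after the filter)."""
    centroids = train_centroids(labelled)
    abnormal = extract_abnormal(sessions)
    reported = [s for s in abnormal
                if classify(sessions[s], centroids) != "false_detection"]
    return abnormal, reported
```

Stage 1 needs no attack signatures, so it flags both the backup session and the fan-out session; stage 2 removes only the one that matches previously labelled false detections.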