A malicious URL candidate extraction device (40) extracts, from an access log including URLs accessed from a managed network, a known malicious URL excluded access log obtained by excluding an access log to known malicious URLs. The malicious URL candidate extraction device (40) creates a minor URL list obtained by preferentially extracting, from URLs indicated in the known malicious URL excluded access log, URLs having a small number of times of access from the managed network. The malicious URL candidate extraction device (40) also creates a popular URL excluded list obtained by preferentially excluding URLs having a large number of times of access from the managed network during a predetermined period of time. The malicious URL candidate extraction device (40) outputs these lists as a malicious URL candidate list.
展开▼