[Problem] To carry out long-term log analysis as well as real-time analysis, and to determine whether an attack is continuing, so that duplicate detection of events is prevented and security operations are efficient. An attack detection unit 10 uses the collected logs to count, for every predetermined short time period, the number of times the communication destination IP address of a user terminal matches a destination IP address on the blacklist. From among the counts accumulated per predetermined long time period, the attack detection unit 10 also uses the counts tallied within a predetermined period to detect unauthorized communication by the user terminal that conforms to a predetermined detection rule. Then, among the detected unauthorized communications, the attack detection unit 10 determines whether there is another unauthorized communication, detected within a predetermined time period, that has the same communication source IP address and destination IP address; if there is, it detects that the unauthorized communication is in a continuing state.
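The three steps described above (short-period counting, rule-based detection over a window, and the continuity check that suppresses duplicate alerts) can be sketched as follows. This is an added example, not code from the patent; the period lengths, the threshold, the sum-over-window rule, the log tuple layout and the sample data are all assumptions, since the abstract only calls them "predetermined".

```python
from collections import defaultdict

# All values below are assumed; the abstract only says "predetermined".
BUCKET = 60          # short counting period, seconds
WINDOW = 5           # number of short periods the detection rule looks back over
THRESHOLD = 3        # blacklist matches in the window that trigger a detection
CONTINUITY = 600     # a repeat detection within this many seconds is "continuing"

def count_matches(logs, blacklist):
    """Per short period, count blacklist hits per (source, destination) pair."""
    counts = defaultdict(int)
    for ts, src, dst in logs:
        if dst in blacklist:
            counts[(ts // BUCKET, src, dst)] += 1
    return counts

def detect(logs, blacklist):
    """Return (period_start, src, dst, state); state is 'new' or 'continuing'."""
    counts = count_matches(logs, blacklist)
    last_seen = {}   # (src, dst) -> start time of the previous detection
    events = []
    for bucket, src, dst in sorted(counts):
        # Assumed detection rule: sum of the counts over the last WINDOW periods.
        total = sum(counts.get((b, src, dst), 0)
                    for b in range(bucket - WINDOW + 1, bucket + 1))
        if total < THRESHOLD:
            continue
        now = bucket * BUCKET
        prev = last_seen.get((src, dst))
        # Same source and destination detected again within CONTINUITY seconds.
        state = "continuing" if prev is not None and now - prev <= CONTINUITY else "new"
        last_seen[(src, dst)] = now
        events.append((now, src, dst, state))
    return events

# Constructed sample log: (epoch seconds, terminal IP, destination IP)
BLACKLIST = {"203.0.113.7"}
LOGS = [
    (0, "10.0.0.5", "203.0.113.7"), (20, "10.0.0.5", "203.0.113.7"),
    (70, "10.0.0.5", "203.0.113.7"),            # third hit in the window: detection
    (130, "10.0.0.5", "203.0.113.7"),           # same pair again soon after: continuing
    (140, "10.0.0.9", "198.51.100.2"),          # destination not blacklisted: ignored
    (5000, "10.0.0.5", "203.0.113.7"), (5010, "10.0.0.5", "203.0.113.7"),
    (5020, "10.0.0.5", "203.0.113.7"),          # after a long gap: reported as new
]

if __name__ == "__main__":
    for event in detect(LOGS, BLACKLIST):
        print(event)
```

A consumer of these events would raise an alert only for `new` entries and attach `continuing` entries to the existing incident.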