PROBLEM TO BE SOLVED: To reliably detect an unauthorized communication using a protocol allowing communication.;SOLUTION: An access destination extraction part 106 extracts, when a currently extracted session is determined to be an unauthorized session candidate, an access destination designated by control data of a packet in the session. A conversion part 107 converts the extracted access destination with a plurality of patterns, and generates a plurality of access destinations including the periphery of the original access destination. A Web access part 108 actually executes Web access to the plurality of generated access destinations. An incorrect word storage part 109 preliminarily stores an incorrect word characteristic as a character string contained in page information of the access destination in tunneling. A tunneling determination part 110 determines whether the page information obtained by the Web access part 108 contains the incorrect word.;COPYRIGHT: (C)2010,JPO&INPIT
展开▼