
ABNORMAL COMMUNICATION DETECTION APPARATUS, ABNORMAL COMMUNICATION DETECTION METHOD AND PROGRAM


Abstract

There is provided an abnormal communication detection apparatus capable of reducing over-detection. The abnormal communication detection apparatus includes: a receiving part receiving communication data for learning that includes an identifier and communication data for detection that includes the identifier; a knowledge information acquiring part acquiring knowledge information that is information about at least either temporal characteristics or payload characteristics of the communication data for learning; an allocation rule generating part generating allocation rules that are rules for specifying which communication data having which identifier is to be allocated to which detector among a plurality of detectors, based on the knowledge information; an allocating part allocating the communication data to any of the detectors based on the allocation rules; and the plurality of detectors each of which learns, when the communication data for learning is allocated, a model for detecting whether the communication data allocated to the detector is normal or abnormal, and detects, when the communication data for detection is allocated, whether the communication data for detection is normal or abnormal based on the learned model.
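The allocation flow described in the abstract, sketched as an added example that is not taken from the patent: knowledge information derived from the learning traffic produces per-identifier allocation rules, and each detector learns and judges only the traffic allocated to it. The two detector types, the thresholds (`cv_limit`, the 50% period tolerance), the frame layout and the sample traffic are all assumptions made for illustration.

```python
from collections import defaultdict
from statistics import mean, pstdev
def by_id(frames):  # group time-ordered frames by identifier
    out = defaultdict(list)
    for f in frames:
        out[f[1]].append(f)
    return out

def allocation_rules(frames, cv_limit=0.1):  # knowledge information -> one rule per identifier
    rules = {}
    for ident, fs in by_id(frames).items():
        gaps = [b[0] - a[0] for a, b in zip(fs, fs[1:])]
        periodic = len(gaps) > 1 and mean(gaps) > 0 and pstdev(gaps) / mean(gaps) <= cv_limit
        rules[ident] = "interval" if periodic else "payload"
    return rules

class IntervalDetector:  # model: learned mean period per identifier
    def __init__(self):
        self.period, self.last = {}, {}
    def learn(self, frames):
        for ident, fs in by_id(frames).items():
            self.period[ident] = mean(b[0] - a[0] for a, b in zip(fs, fs[1:]))
    def is_abnormal(self, frame):
        t, ident, _ = frame
        prev, self.last[ident] = self.last.get(ident), t
        return prev is not None and abs(t - prev - self.period[ident]) > 0.5 * self.period[ident]

class PayloadDetector:  # model: set of payloads seen per identifier
    def __init__(self):
        self.seen = defaultdict(set)
    def learn(self, frames):
        for _, ident, payload in frames:
            self.seen[ident].add(payload)
    def is_abnormal(self, frame):
        return frame[2] not in self.seen[frame[1]]

def run(train, test):
    rules = allocation_rules(train)
    dets = {"interval": IntervalDetector(), "payload": PayloadDetector()}
    for name, det in dets.items():
        det.learn([f for f in train if rules[f[1]] == name])
    # Assumption: an identifier with no rule (unseen in learning) is reported.
    alerts = [f for f in test if f[1] not in rules or dets[rules[f[1]]].is_abnormal(f)]
    return rules, alerts
# Constructed sample traffic: (timestamp in seconds, identifier, payload)
TRAIN = [(i / 100, 0x100, bytes([i])) for i in range(10)] + [
    (0.013, 0x200, b"\x00"), (0.2, 0x200, b"\x01"), (0.215, 0x200, b"\x00"), (0.9, 0x200, b"\x01")]
TEST = [(1.000, 0x100, b"\x0a"), (1.010, 0x100, b"\x0b"), (1.012, 0x100, b"\x0c"),
        (1.020, 0x100, b"\x0d"), (1.500, 0x200, b"\x01"), (1.510, 0x200, b"\x7f")]
```

The irregularly timed identifier 0x200 is never judged on timing, so its known payload at 1.500 s raises no alert; only the off-period 0x100 frame and the unseen 0x200 payload are reported.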
