摘要 |
In the present invention, when malware (11a) is executed a command server identification device (10) assigns to data received by the malware (11a) a tag capable of uniquely identifying identification information of the data transmission source, and tracks the propagation of the tagged data. In addition, the command server identification device (10) acquires, among the tracked data, the tag of data referenced by a branch command executed by the malware (11a). Furthermore, the command server identification device (10) analyzes information pertaining to the commands of branch destinations not executed by the malware (11a) after the branch command. Then, on the basis of the analysis result, the command server identification device (10) identifies, from the identification information of the transmission source corresponding to the acquired tag, the identification information of the command server issuing commands to the malware (11a). |