Abstract
A malicious communication pattern extraction device (10) accepts as input one or more malware traffic groups and extracts the communication patterns of each inputted traffic group. For a traffic group in which the value of a prescribed field varies, the value of the varying field is replaced with a wildcard. The malicious communication pattern extraction device (10) assigns malware samples whose traffic-group communication patterns resemble each other to the same cluster, and extracts, as the malicious communication patterns of each cluster, the group of communication patterns whose occurrence ratio across the malware samples' traffic groups within the cluster is greater than or equal to a prescribed value. Thereafter, the malicious communication pattern extraction device (10) removes, from the extracted malicious communication patterns, any pattern whose ratio of matches against a traffic group not infected by malware is greater than or equal to a prescribed value.
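The pipeline the abstract describes (wildcard generalization, clustering, per-cluster support threshold, benign-traffic filter), as an added worked example; this is illustrative code, not the patent's implementation. It assumes a flow is a tuple of three hypothetical fields (proto, dst_port, path), uses Jaccard similarity with greedy clustering as the "resemblance" criterion, and uses constructed sample traffic and made-up thresholds.

```python
from collections import Counter, defaultdict

WILD, FIELDS = "*", ("proto", "dst_port", "path")  # assumed per-flow fields (hypothetical)
# Constructed input: four malware traffic groups and one benign group, one tuple per flow.
MALWARE = {
    "m1": [("http", 80, "/gate.php?id=1"), ("http", 80, "/gate.php?id=2"), ("tcp", 4444, "-")],
    "m2": [("http", 80, "/gate.php?id=7"), ("http", 80, "/gate.php?id=9"), ("tcp", 4444, "-")],
    "m3": [("http", 80, "/gate.php?id=3"), ("http", 80, "/gate.php?id=4"), ("tcp", 4444, "-"), ("dns", 53, "-")],
    "m4": [("http", 443, "/index.html"), ("http", 443, "/favicon.ico")],
}
BENIGN = [("http", 443, "/index.html"), ("http", 443, "/login"), ("http", 80, "/news"),
          ("dns", 53, "-"), ("tcp", 22, "-")]

def generalize(flows):
    """Pattern set of one traffic group: a field whose value varies among flows
    that agree on every other field is replaced by the wildcard."""
    pats = set(flows)
    for i in range(len(FIELDS)):
        by_rest = defaultdict(set)
        for p in pats:
            by_rest[p[:i] + p[i + 1:]].add(p[i])
        pats = {r[:i] + (v.pop() if len(v) == 1 else WILD,) + r[i:] for r, v in by_rest.items()}
    return pats
def jaccard(a, b):
    return len(a & b) / len(a | b) if a or b else 0.0
def cluster(sample_pats, sim=0.5):
    """Greedy clustering: a sample joins the first cluster whose seed pattern set
    resembles its own (Jaccard >= sim); otherwise it starts a new cluster."""
    clusters = []
    for name, pats in sample_pats.items():
        for seed, members in clusters:
            if jaccard(seed, pats) >= sim:
                members.append(name)
                break
        else:
            clusters.append((pats, [name]))
    return [members for _, members in clusters]
def matches(pat, f):
    return all(v == WILD or v == x for v, x in zip(pat, f))
def extract(sample_pats, benign, sim=0.5, min_support=0.6, max_benign=0.25):
    """Per cluster keep patterns present in >= min_support of its samples, then
    drop any pattern that matches >= max_benign of the benign flows."""
    kept = []
    for members in cluster(sample_pats, sim):
        counts = Counter(p for m in members for p in sample_pats[m])
        for pat, n in counts.items():
            fp_rate = sum(matches(pat, f) for f in benign) / len(benign)
            if n / len(members) >= min_support and fp_rate < max_benign:
                kept.append(pat)
    return sorted(kept)
```

With the constructed data, the wildcarded `("http", 443, "*")` pattern survives the cluster-support step but is discarded by the benign filter, which is exactly the false-positive risk the final removal step addresses.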