Title of invention: DEVICE FOR DETECTING TERMINAL INFECTED BY MALWARE, METHOD FOR DETECTING TERMINAL INFECTED BY MALWARE, AND PROGRAM FOR DETECTING TERMINAL INFECTED BY MALWARE
Abstract: A detection device (100, 200) generates a collection of events formed on the basis of a prescribed condition from events acquired for each identifier for discriminating malware or networks being monitored. The detection device (100, 200) retrieves an event appearing in common between the collections of events belonging to the same cluster, each of the clusters being formed by collections of events having a level of similarity to each other that is greater than or equal to a certain level, and extracts the retrieved events as a collection of events for detection in accordance with the prescribed condition. When it is determined that there is a match between the generated collection of events based on communication using the network being monitored and the extracted collection of events for detection, the detection device (100, 200) detects that a terminal infected by malware is present in the network being monitored.
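Publication number: WO2016076334(A1) Publication date: 2016.05.19
Application number: WO2015JP81659 Filing date: 2015.11.10
Applicant: NIPPON TELEGRAPH AND TELEPHONE CORPORATION Inventors: AOKI, KAZUFUMI;KAMIYA, KAZUNORI
Classification: G06F21/56 Main classification: G06F21/56
Agency: Agent:
Independent claim:
Address: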