Title of invention: ATTACK DETECTION DEVICE, ATTACK DETECTION METHOD, AND ATTACK DETECTION PROGRAM
Abstract: In a process in which an information system is attacked, event-stage information in which an event observed in the information system, a pre-event stage, and a post-event stage are written is stored for a plurality of events. Observed event notification information for notifying about an observed event observed by the information system is received. A search is made for the event-stage information in which the observed event notified by the observed event notification information is written, and a search is made for the event-stage information in which the post-event stage that matches the pre-event stage in the searched event-stage information or a pre-event stage that matches the post-event stage in the searched event-stage information is written; when the event in the searched event-stage information is an unobservable event, it is assumed that an unobservable event was observed, and the observed event and the unobservable event are connected by a dependency relationship to generate an event sequence.
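Publication number: WO2015128896(A1) Publication date: 2015.09.03
Application number: WO2014JP01000 Filing date: 2014.02.26
Applicant: MITSUBISHI ELECTRIC CORPORATION Inventors: IJIRO, HIDEAKI; KAWAUCHI, KIYOTO
Classification: G06F21/55 Main classification: G06F21/55
Agency: Agent:
Independent claim:
Address: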