Abstract
PROBLEM TO BE SOLVED: To provide a security event monitoring device and the like capable of estimating the operator by appropriately detecting a security event, even when the event includes an operation whose operator cannot be specified.

SOLUTION: A security event monitoring device 10 includes: storage means 12 which stores a correlation rule in advance; a log collection unit 101 which receives logs from each monitoring target device; a correlation analysis unit 103 which generates scenario candidates by associating the logs with each other; a scenario candidate evaluation unit 104 which calculates an importance degree of each scenario candidate; and a result display unit 105 which displays/outputs a scenario candidate with a high importance degree. The scenario candidate evaluation unit includes: a user association degree evaluation function 104a which calculates user association degrees; an operation association degree evaluation function 104b which calculates operation association degrees; and a scenario candidate importance reevaluation function 104c which recalculates the importance degree of each scenario candidate for every user according to the user association degrees and the operation association degrees.

COPYRIGHT: (C)2013, JPO&INPIT