Abstract

PROBLEM TO BE SOLVED: To detect an attack in which the communication takes the form of DNS (Domain Name System) while the information exchanged in it is used for a malicious action.

SOLUTION: In this attack detection apparatus 40, a DNS data extraction part 41 extracts DNS queries or DNS responses from network traffic; a domain data extraction part 42 extracts, from those, the ones concerning a specific domain; a blacklist collation part 44 excludes the ones concerning a domain included in a blacklist, narrowing down the set; and a domain data inspection part 46 inspects the remaining DNS queries or DNS responses based on the number of appearances within a fixed time, differences in the returned IP addresses, etc. When the inspection determines that an attack abusing DNS may be in progress, a blacklist update part 48 adds the domain in question to the blacklist, and an alert transmitting part 49 outputs an alert.
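The narrowing and inspection steps described above, as an added Python example that is not taken from the patent. The window length, both thresholds, the last-two-labels domain grouping, the record tuple layout and the sample records are all assumptions made for illustration.

```python
from collections import defaultdict

# Assumed values: the abstract names the two criteria but gives no numbers.
WINDOW_SECONDS = 60      # the "fixed time"
MAX_APPEARANCES = 5      # DNS messages per domain per window
MAX_DISTINCT_IPS = 3     # different returned addresses per window

def base_domain(qname):
    # Naive grouping key (last two labels); production code needs a public-suffix list.
    return ".".join(qname.rstrip(".").lower().split(".")[-2:])

def inspect(records, blacklist):
    """records: (timestamp, qname, returned_ip or None) tuples already pulled
    from traffic (part 41). Returns alerts and adds flagged domains to blacklist."""
    per_domain = defaultdict(list)
    for ts, qname, ip in records:
        domain = base_domain(qname)               # part 42: per-domain data
        if domain not in blacklist:               # part 44: drop listed domains
            per_domain[domain].append((ts, ip))
    alerts = []
    for domain, events in per_domain.items():     # part 46: inspection
        events.sort(key=lambda e: e[0])
        start = 0
        for end in range(len(events)):
            # Slide the window so it never spans more than WINDOW_SECONDS.
            while events[end][0] - events[start][0] > WINDOW_SECONDS:
                start += 1
            window = events[start:end + 1]
            ips = {ip for _, ip in window if ip}
            if len(window) > MAX_APPEARANCES or len(ips) > MAX_DISTINCT_IPS:
                blacklist.add(domain)             # part 48: blacklist update
                alerts.append({"domain": domain, "count": len(window),
                               "distinct_ips": len(ips)})  # part 49: alert
                break
    return alerts

# Constructed sample records (reserved example domains, documentation IP ranges).
SAMPLE = (
    [(i, f"chunk{i}.example.net", None) for i in range(8)]                    # query burst
    + [(i * 10, "cdn.example.org", f"198.51.100.{i + 1}") for i in range(4)]  # changing answers
    + [(i * 15, "www.example.com", "192.0.2.10") for i in range(3)]           # steady, quiet
    + [(i, f"q{i}.listed.example", None) for i in range(10)]                  # already listed
)

if __name__ == "__main__":
    known = {"listed.example"}
    for alert in inspect(SAMPLE, known):
        print(alert)
    print(sorted(known))
```

Because flagged domains are added to the blacklist, a second pass over the same records returns no alerts, which is the narrowing effect the collation part provides.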