Abstract
<p>PROBLEM TO BE SOLVED: In an abnormal-traffic analysis technique that analyzes an attack by using the difference in traffic volume between a normal period and an abnormal period, the analysis cannot be performed when the abnormal traffic is only a small fraction of the total traffic, because the difference in abnormal traffic volume between the normal and abnormal periods is buried in the variation of the total traffic volume.</p>
<p>SOLUTION: A traffic-volume-change cause identification system 300, in cooperation with an external anomaly detection function unit 200, uses the attack type (protocol) and the traffic information (IP address, AS number, etc.) of the detected abnormal traffic as filters to extract the flows to be analyzed. It also retains, for each attack type and each item of traffic information, knowledge of which attack types and traffic attributes can be used together in, or be the targets of, a compound attack, and uses that knowledge when extracting the flows to be analyzed. As a result, even when the difference in abnormal traffic volume between the normal and abnormal periods is buried in the change in total traffic volume, the difference can be extracted, and a compound attack can be detected and analyzed at the same time.</p>
<p>COPYRIGHT: (C)2011,JPO&INPIT</p>
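The following is an added illustration of the filter-then-compare idea in the abstract; it is not code from the patent or its applicant. The flow records, IP addresses, AS numbers and the table of compound-attack candidates are all constructed for the example. It shows a case where total traffic actually falls between the two windows while a small UDP flood is present, so the normal-versus-abnormal difference only appears once flows are filtered by the attack type and traffic information supplied by an external detector, and it then checks the related protocols toward the same target for a compound attack.

```python
"""Filter-then-compare analysis of a small anomaly buried in total traffic.

Added example (not the patent's code). Flow records, addresses, AS numbers
and the compound-attack candidate table below are constructed/hypothetical.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    window: str   # "normal" or "abnormal" observation window
    proto: str    # attack type in the abstract's terms: "tcp", "udp", "icmp"
    dst_ip: str   # traffic information: destination address
    src_as: int   # traffic information: origin AS number
    octets: int   # bytes observed in the window


# Constructed sample: legitimate TCP toward 203.0.113.20 drops 15% between the
# windows (e.g. a diurnal dip), while AS 64500 adds a small UDP flood plus a
# smaller ICMP flood toward 203.0.113.10. Total traffic goes DOWN overall.
SAMPLE_FLOWS = [
    Flow("normal",   "tcp",  "203.0.113.10", 64496, 1_000_000),
    Flow("normal",   "tcp",  "203.0.113.20", 64496, 2_000_000),
    Flow("normal",   "udp",  "203.0.113.10", 64497,    50_000),
    Flow("normal",   "icmp", "203.0.113.10", 64497,    10_000),
    Flow("normal",   "udp",  "203.0.113.20", 64498,    40_000),
    Flow("abnormal", "tcp",  "203.0.113.10", 64496, 1_050_000),
    Flow("abnormal", "tcp",  "203.0.113.20", 64496, 1_700_000),
    Flow("abnormal", "udp",  "203.0.113.10", 64497,    50_000),
    Flow("abnormal", "icmp", "203.0.113.10", 64497,    10_000),
    Flow("abnormal", "udp",  "203.0.113.20", 64498,    40_000),
    Flow("abnormal", "udp",  "203.0.113.10", 64500,   150_000),  # attack
    Flow("abnormal", "icmp", "203.0.113.10", 64500,    30_000),  # compound
]

# Hypothetical table of which other attack types are commonly combined with
# a given detected type; the real system's knowledge base is not in the abstract.
COMPOUND_CANDIDATES = {
    "udp": ("icmp", "tcp"),
    "tcp": ("udp", "icmp"),
    "icmp": ("udp",),
}

# Alert as it might arrive from the external anomaly detection function:
# attack type plus the traffic information to filter on (constructed).
ALERT = {"proto": "udp", "dst_ip": "203.0.113.10"}


def window_bytes(flows, window, **match):
    """Sum octets of flows in `window` whose attributes equal every item in `match`.
    With no `match` keys this is the total traffic of the window."""
    return sum(
        f.octets for f in flows
        if f.window == window and all(getattr(f, k) == v for k, v in match.items())
    )


def relative_change(flows, **match):
    """(abnormal - normal) / normal for the flows selected by `match`."""
    before = window_bytes(flows, "normal", **match)
    after = window_bytes(flows, "abnormal", **match)
    if before == 0:
        return float("inf") if after else 0.0
    return (after - before) / before


def analyze(flows, alert, threshold=0.5):
    """Return (total_change, filtered_change, compound_hits).

    total_change    : change of all traffic, where the attack is buried.
    filtered_change : change of flows matching the alert's type + traffic info.
    compound_hits   : related attack types whose flows toward the same traffic
                      information also exceed `threshold`."""
    total = relative_change(flows)
    filtered = relative_change(flows, **alert)
    traffic_info = {k: v for k, v in alert.items() if k != "proto"}
    compound = {}
    for proto in COMPOUND_CANDIDATES.get(alert["proto"], ()):
        change = relative_change(flows, proto=proto, **traffic_info)
        if change > threshold:
            compound[proto] = change
    return total, filtered, compound


if __name__ == "__main__":
    total, filtered, compound = analyze(SAMPLE_FLOWS, ALERT)
    print(f"total traffic change:    {total:+.1%}")      # negative: attack hidden
    print(f"filtered traffic change: {filtered:+.1%}")   # +300%: attack visible
    print(f"compound-attack hits:    {compound}")         # icmp toward same target
```

In the sample, total traffic changes by about -2.3% between windows, which would not trigger a volume-based analysis, while the flows filtered on the alert's protocol and destination grow by 300%; the same filter applied to the ICMP candidate reveals the accompanying flood, and TCP toward the target (+5%) is correctly left out.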