MALICIOUS COMMUNICATION PATTERN EXTRACTION DEVICE, MALICIOUS COMMUNICATION PATTERN EXTRACTION SYSTEM, MALICIOUS COMMUNICATION PATTERN EXTRACTION METHOD AND MALICIOUS COMMUNICATION PATTERN EXTRACTION PROGRAM

Abstract

A malicious communication pattern extraction device (10) includes a statistical value calculation unit (132) that calculates a statistical value for the appearance frequency of each of a plurality of communication patterns, each being a combination of a field and a value, from a traffic log (31) obtained from traffic caused by malware and from a traffic log (21) obtained from traffic in a predetermined communication environment; a malicious list candidate extraction unit (134) that, for each of the communication patterns, compares the appearance frequency in the traffic log (21) with the appearance frequency in the traffic log (31), based on the statistical value calculated by the statistical value calculation unit (132), and extracts the communication pattern as a malicious communication pattern when the difference between the two appearance frequencies is equal to or more than a predetermined threshold; and a threshold setting unit (135) that sets the threshold so that an erroneous detection rate, being the probability of erroneously detecting the traffic caused by malware, is equal to or less than a certain value and a detection rate, being the probability of detecting the traffic caused by malware, is equal to or more than a certain value.
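The extraction and threshold-setting steps described in the abstract, as an added Python sketch that is not code from the patent. It assumes the statistic is the fraction of log entries containing a pattern, that the difference is malware frequency minus benign frequency, and that the threshold is picked by sweeping candidate values; all function names and both sample logs are constructed for illustration.

```python
from collections import Counter

# Constructed sample logs: one dict of field -> value per flow (not from the patent).
MALWARE_LOG = [
    {"dst_port": "8080", "user_agent": "Mozilla/4.0", "url_path": "/gate.php"},
    {"dst_port": "8080", "user_agent": "Mozilla/4.0", "url_path": "/gate.php"},
    {"dst_port": "80", "user_agent": "Mozilla/4.0", "url_path": "/gate.php"},
    {"dst_port": "80", "user_agent": "Mozilla/5.0", "url_path": "/index.html"},
]
BENIGN_LOG = [
    {"dst_port": "80", "user_agent": "Mozilla/5.0", "url_path": "/index.html"},
    {"dst_port": "80", "user_agent": "Mozilla/5.0", "url_path": "/news"},
    {"dst_port": "443", "user_agent": "Mozilla/5.0", "url_path": "/index.html"},
    {"dst_port": "8080", "user_agent": "Mozilla/5.0", "url_path": "/proxy"},
    {"dst_port": "80", "user_agent": "Mozilla/4.0", "url_path": "/index.html"},
]

def pattern_frequency(log):
    """Assumed statistic: fraction of entries containing each (field, value) pattern."""
    counts = Counter(pair for entry in log for pair in entry.items())
    return {pattern: n / len(log) for pattern, n in counts.items()}

def extract_patterns(malware_log, benign_log, threshold):
    """Keep patterns whose malware frequency exceeds the benign one by >= threshold."""
    mal, ben = pattern_frequency(malware_log), pattern_frequency(benign_log)
    return {p for p, f in mal.items() if f - ben.get(p, 0.0) >= threshold}

def rates(patterns, malware_log, benign_log):
    """Return (detection rate, erroneous detection rate) of a pattern set."""
    def hit(entry):
        return any(pair in patterns for pair in entry.items())
    detection = sum(hit(e) for e in malware_log) / len(malware_log)
    erroneous = sum(hit(e) for e in benign_log) / len(benign_log)
    return detection, erroneous

def choose_threshold(malware_log, benign_log, candidates, max_erroneous, min_detection):
    """Lowest candidate threshold meeting both rate constraints, else None."""
    for t in sorted(candidates):
        patterns = extract_patterns(malware_log, benign_log, t)
        detection, erroneous = rates(patterns, malware_log, benign_log)
        if erroneous <= max_erroneous and detection >= min_detection:
            return t
    return None

if __name__ == "__main__":
    t = choose_threshold(MALWARE_LOG, BENIGN_LOG, [0.25, 0.5, 0.7, 0.9], 0.1, 0.7)
    print(t, sorted(extract_patterns(MALWARE_LOG, BENIGN_LOG, t)))
```

On the sample logs, a low threshold also admits patterns that are merely somewhat more common in malware traffic (such as the destination port), which raises the erroneous detection rate; the sweep stops at the first threshold where both constraints hold.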