DEVICE FOR DETECTING TERMINAL INFECTED BY MALWARE, SYSTEM FOR DETECTING TERMINAL INFECTED BY MALWARE, METHOD FOR DETECTING TERMINAL INFECTED BY MALWARE, AND PROGRAM FOR DETECTING TERMINAL INFECTED BY MALWARE

Abstract

A detection device (100) generates an event sequence from events that are acquired for each of identifiers that distinguish among terminals in a monitoring target network or pieces of malware, by taking into account an order of occurrence of the events. The detection device (100) retrieves events that commonly occur in event sequences belonging to a same cluster among clusters including event sequences with similarities at a predetermined level or higher, and extracts, as a detection event sequence, a representative event sequence based on a relationship between events that have high occurrence rates in similar common event sequences. The detection device (100) detects a malware infected terminal in the monitoring target network based on whether the event sequence generated based on a communication in the monitoring target network and the extracted detection event sequence match each other.
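
One way to realize the pipeline described in the abstract, as an added example that is not the patent's own code. The LCS-based similarity, the greedy clustering, the use of the cluster-wide common subsequence as the detection event sequence, and ordered-subsequence matching are all assumptions, as are the event names and identifiers.

```python
from functools import reduce

def build_sequences(events):
    """Group (time, identifier, event) records into time-ordered per-identifier sequences."""
    seqs = {}
    for _, ident, event in sorted(events):
        seqs.setdefault(ident, []).append(event)
    return seqs

def lcs(a, b):
    """Longest common subsequence of two event lists; preserves order of occurrence."""
    dp = [[[] for _ in range(len(b) + 1)] for _ in range(len(a) + 1)]
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            dp[i + 1][j + 1] = dp[i][j] + [x] if x == y else max(dp[i][j + 1], dp[i + 1][j], key=len)
    return dp[-1][-1]

def cluster(seqs, threshold):
    """Greedy clustering; similarity = LCS length / longer sequence length (assumed measure)."""
    clusters = []
    for s in seqs:
        for c in clusters:
            if all(len(lcs(s, m)) / max(len(s), len(m)) >= threshold for m in c):
                c.append(s)
                break
        else:
            clusters.append([s])
    return clusters

def detection_sequences(clusters, min_len=2):
    """Events common to every member of a multi-member cluster, in order (assumed extraction)."""
    common = (reduce(lcs, c) for c in clusters if len(c) > 1)
    return [d for d in common if len(d) >= min_len]

def infected_terminals(traffic, patterns):
    """Flag terminals whose sequence contains a detection sequence as an ordered subsequence."""
    def contains(pattern, seq):
        it = iter(seq)  # shared iterator enforces order of occurrence
        return all(e in it for e in pattern)
    return sorted(t for t, s in build_sequences(traffic).items()
                  if any(contains(p, s) for p in patterns))

# Constructed sample data; event names and identifiers are hypothetical.
MALWARE = [(1, "mal-A", "dns_dga"), (2, "mal-A", "c2_beacon"), (3, "mal-A", "smb_scan"),
           (1, "mal-B", "dns_dga"), (2, "mal-B", "cfg_fetch"), (3, "mal-B", "c2_beacon"),
           (4, "mal-B", "smb_scan"), (1, "mal-C", "irc_join"), (2, "mal-C", "port_scan")]
TRAFFIC = [(1, "10.0.0.5", "dns_dga"), (2, "10.0.0.5", "web_get"), (3, "10.0.0.5", "c2_beacon"),
           (4, "10.0.0.5", "smb_scan"), (1, "10.0.0.9", "c2_beacon"), (2, "10.0.0.9", "dns_dga")]
PATTERNS = detection_sequences(cluster(build_sequences(MALWARE).values(), 0.6))
```

Terminal 10.0.0.9 shows the same events as part of the pattern but in the wrong order, so it is not flagged; 10.0.0.5 is flagged despite an unrelated event interleaved in its sequence.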