Abstract: An input unit receives an input of data, as learning purpose data and determination target data, in which requests made to a server by a user are represented in a time series. Then, a shaping unit shapes the received data. A classifying unit classifies the shaped data for each user who made the requests. Then, a learning unit extracts, from the classified learning purpose data, consecutive n requests as feature values of the learning purpose data, performs learning by using the feature values of the learning purpose data, and creates a profile for each user. A determination unit extracts, from the classified determination target data, consecutive n requests as feature values of the determination target data and performs determination of the determination target data based on the feature values of the determination target data and based on the profiles created by the learning unit.

Abstract: A generation method includes identifying, as paths that are abstraction candidates, dynamically generated paths among paths in a profile that is used to determine whether each request to a server is an attack, and counting numbers of path variations corresponding to the respective paths that are abstraction candidates, and abstracting paths contained in the profile when a number of variations counted at the counting satisfies a certain condition, by processing circuitry.

Abstract: A global profile generation unit acquires a profile including, as an entry, information on parameter values for a combination of path parts and parameter names included in a normal HTTP request to a web server. When entries, in which the path parts are different but the parameter names are the same, are present in the acquired profile, the global profile generation unit generates a global profile in which the entries of the parameter names are aggregated in the acquired profile.

Abstract: An attack pattern extraction device includes an extraction unit and an attack pattern generation unit. The extraction unit extracts a common character string of parameters included in an access log of communication that is determined as an attack. The attack pattern generation unit generates an attack pattern on the basis of a character string with a string length being equal to or longer than a predetermined length among extracted consecutive character strings.

Abstract: An extraction unit-extracts a specific request from among requests that do not match with a profile on the basis of a similarity to a request to a server, where the profile determines whether the request is an attack. Further, a determination unit determines whether the specific request extracted by the extraction unit meets a predetermined condition indicating that the specific request is continuously transmitted from a certain number or more of transmission sources. Furthermore, a control unit relearns the profile if the determination unit determines that the specific request meets the predetermined condition.

Abstract: A learning device generates a character class sequence abstracting a predetermined structure of a character string included in requests to a server. Also, the learning device saves an appearance frequency of each combination of predetermined identification information and character class sequence, which are included in requests for learning among the requests, as the profile. Also, the learning device collates combinations of predetermined identification information and character class sequence, which are included in requests for analysis among the requests, with the profile to detect abnormalities. Also, the learning device selects at least part of the requests, which are for analysis. Also, the learning device updates the profile based on the selected requests.

Abstract: A learning device generates a character class series abstracting a structure of a predetermined character string included in each of requests to the server which have been generated in a predetermined period. Also, for each of the combinations of the predetermined identification information and the character class series included in the requests, the learning device calculates a score for update which becomes higher as the number of times of appearance of the combination is increased and becomes higher as the appearance of the combination is continued. Based on the score for update, the learning device updates the profile of each combination for determining whether the request is an attack or not.

Abstract: A generation method includes identifying, as paths that are abstraction candidates, dynamically generated paths among paths in a profile that is used to determine whether each request to a server is an attack, and counting numbers of path variations corresponding to the respective paths that are abstraction candidates, and abstracting paths contained in the profile when a number of variations counted at the counting satisfies a certain condition, by processing circuitry.

Abstract: A user estimator includes an extractor extracting at least either order of page transitions on a website by a user or a time interval of transition to each page, as a feature amount of page browsing by the user, from data to be learned and representing a request by the user to the website, and extracting at least either order of page transitions on the website or a time interval of transition to each page, as a feature amount of page browsing by any user, from data to be estimated and representing requests by the users to the website, a learning unit creating a model indicating a feature of page browsing for each user, by learning the extracted feature amount, to be learned, of page browsing by each user, and an estimation unit referring to the feature amount, to be estimated, and the model, and estimating the user among users.

Abstract: In a security information management device (10), security information, which is information related to security, is collected. The security information management device (10) extracts, by referring to a security dictionary storing therein a keyword related to security for each attribute, a keyword from referrer security information that becomes a source to be compared with security information for relevance thereto, and calculates, by comparing the extracted keyword with a keyword included in the collected security information, relevance between the referrer security information and the security information. The security information management device (10) then output security information having higher calculated relevance more preferentially.

Abstract: An extraction unit-extracts a specific request from among requests that do not match with a profile on the basis of a similarity to a request to a server, where the profile determines whether the request is an attack. Further, a determination unit determines whether the specific request extracted by the extraction unit meets a predetermined condition indicating that the specific request is continuously transmitted from a certain number or more of transmission sources. Furthermore, a control unit relearns the profile if the determination unit determines that the specific request meets the predetermined condition.

Abstract: A global profile generation unit acquires a profile including, as an entry, information on parameter values for a combination of path parts and parameter names included in a normal HTTP request to a web server. When entries, in which the path parts are different but the parameter names are the same, are present in the acquired profile, the global profile generation unit generates a global profile in which the entries of the parameter names are aggregated in the acquired profile.

Abstract: An attack pattern extraction device includes an extraction unit and an attack pattern generation unit. The extraction unit extracts a common character string of parameters included in an access log of communication that is determined as an attack. The attack pattern generation unit generates an attack pattern on the basis of a character string with a string length being equal to or longer than a predetermined length among extracted consecutive character strings.

Abstract: A log analysis apparatus (10) extracts a parameter from an access log pertaining to a request issued from a user terminal to a server, learns the appearance frequency of the parameter, and stores the learning result in a profile storage unit (14a) as a profile. The log analysis apparatus (10) extracts a parameter from an access log under analysis, acquires a similarity by comparing the parameter with the parameter included in the profile stored in the profile storage unit (14a), and determines an access in the access log under analysis as an attack when the similarity is lower than a threshold. The log analysis apparatus (10) takes a tally of the number of different requesting user terminals, for each parameter, among the access logs under analysis including a parameter not found in the profile, or having a similarity lower than the threshold, and determines, when there is any parameter for which the number of such different user terminals is equal to or higher than a threshold, to re-learn the parameter.

Abstract: A malware determination device, in which, upon input of an attribute name and an attribute value of an attribute of an executable file, a feature-selection setting unit registers the attribute with the attribute name in an attribute table as an attribute to be extracted, and registers the attribute value as an attribute value to be deleted in an attribute value table. Upon input of an executable file to be learned or to be determined, a feature extraction unit extracts an attribute value of an attribute registered as an attribute to be extracted in the attribute table from the executable file, to generate a feature vector including the extracted attribute value as a feature. A feature selection unit performs deletion of an attribute value registered as an attribute value to be deleted in the attribute value table from the feature vector.

Abstract: An analysis apparatus analyzes access logs including authentication results and authentication information of users, and includes: a calculation unit that calculates a similarity between pieces of authentication information in two consecutive access logs when access logs of the same access source, from the access logs, are chronologically arranged, and presumes that a piece of authentication information of the access logs of the user has been input by a human if the calculated similarity is equal to or greater than a predetermined value; and a risk determination unit that determines that there is a possibility that the access source in the access logs is being an attack source if an authentication result of any of the two access logs is authentication failure and the calculation unit presumes that any piece of authentication information of the two access logs has not been input by a human.

Abstract: A device including: a parameter extracting unit that extracts each parameter from an access request, a character-string class converting unit that, with regard to each parameter, compares each part of a parameter value with a previously defined character string class, replaces the part with a longest matching character string class, and conducting conversion for a class sequence that is sequentially arranged in order of replacement, a profile storing unit that stores, as a profile in a storage unit, a class sequence with the appearance frequency of equal to or more than a predetermined value in the above-described group of class sequences with regard to the access request of the normal data as learning data, and a failure detecting unit that determines the presence or absence of an attack in accordance with the degree of similarity between the above-described class sequence and the profile with regard to the access request.

Abstract: An input unit receives an input of data, as learning purpose data and determination target data, in which requests made to a server by a user are represented in a time series. Then, a shaping unit shapes the received data. A classifying unit classifies the shaped data for each user who made the requests. Then, a learning unit extracts, from the classified learning purpose data, consecutive n requests as feature values of the learning purpose data, performs learning by using the feature values of the learning purpose data, and creates a profile for each user. A determination unit extracts, from the classified determination target data, consecutive n requests as feature values of the determination target data and performs determination of the determination target data based on the feature values of the determination target data and based on the profiles created by the learning unit.

Abstract: A user estimation apparatus according to the present invention includes an extraction unit (11) that extracts at least either order of page transitions on a website by a user or a time interval of a transition to each page, as a feature amount of page browsing by the user, from data which is to be learned and represents a request by the user to the website, and the extraction unit extracts at least either order of page transitions on the website or a time interval of a transition to each page, as a feature amount of page browsing by any user, from data which is to be estimated and represents requests by the users to the website, a learning unit (12) that creates a model indicating a feature of page browsing for each user, by learning the extracted feature amount, which is to be learned, of page browsing by each user, and an estimation unit (14) that refers to the feature amount, which is to be estimated, of page browsing by the user, and the model, and estimates who the user is among users.

Abstract: An information analysis system includes a remark analysis unit, a thread analysis unit, and a storing unit. The remark analysis unit analyzes importance of a remark included in a thread serving as a group of remarks posted on a network, based on remark data serving as data relating to the remark, for each of the remarks. The thread analysis unit analyzes which of a plurality of preset categories the thread belongs to, based on thread data serving as data relating to the thread. The storing unit stores the remark, the importance of the remark, and a category of the thread including the remark in association with each other for each of the remarks, in a predetermined storage unit.