Abstract: A determination device includes processing circuitry configured to extract a series of communication logs of a same session from a communication log in which an attack is to be detected, detect a communication log of a blind attack using a URL of a request destination of the communication log and specify an attack target location of the blind attack and content of the attack from the communication log in which the blind attack has been detected, and extract communication logs in which attack target locations of the blind attack match among the extracted series of communication logs of the same session and determine that the blind attack has succeeded by communication indicated by the series of communication logs in a case where it is determined that there are a plurality of types of the content of the attack and a plurality of response status codes and response sizes.

Abstract: An information processing device includes an element extraction unit that extracts elements relating to actions of an attacker from each input log, a generation unit that generates a parser based on definition information defining the actions of the attacker in a formal grammar, the parser detecting, from a log, a log string having a feature corresponding to an action defined by the definition information, a parsing unit that detects, from a log consisting of the elements extracted by the element extraction unit, log strings having features corresponding to the actions defined by the definition information by using the parser, and a reconstruction unit that reconstructs the log strings detected by the parsing unit, adds a label indicating an action defined by the definition information to each of the reconstructed log strings, and outputs the labeled log strings as a log corresponding to a series of actions of the attacker.

Abstract: A regularization unit standardizes similar expressions across a plurality of URIs in access logs of requests made to a plurality of web servers, thereby changing the URIs into regularized URIs. A calculation unit calculates, among the access logs that are from the same source, the relative frequency of certain access logs to all access logs, the certain access logs corresponding to requests made to different destinations for the same regularized URI and also corresponding to certain response codes. If the largest of all the relative frequencies calculated for the regularized URIs is at least a certain threshold, a determination unit determines the regularized URIs to be scanning targets.

Abstract: A determination method includes determining an attack type of an attack code included in an attack request on the server, carrying out emulation of an attack by the attack code on the server in accordance with the determined attack type, and in a case of succeeding in an attack on the server as a result of the emulation, extracting a feature appearing in a response from the server, and examining whether a plurality of responses respectively corresponding to a plurality of requests to the server after the attack request each have the extracted feature, and in a case where at least any one of the plurality of responses has the extracted feature, determining that an attack by the attack code has succeeded, by a processor.

Abstract: A determination method includes determining an attack type of an attack code included in an attack request on a server, carrying out emulation of an attack by the attack code on the server in accordance with the determined attack type, extracting a feature related to a backdoor operation appearing in an attack code on the server in a case of succeeding in an attack on the server as a result of the emulation, and determining that an attack by the attack code has succeeded in a case where a communication log of the server has the extracted feature, by a processor.

Abstract: A graph association system includes processing circuitry configured to construct a plurality of dependency graphs in which input logs are associated with each other, assign a tag to each of the dependency graphs constructed, and associate the dependency graphs with each other based on tags assigned.

Abstract: A signature generation device includes processing circuitry configured to generate a PoC code candidate group of respectively different code contents using a PoC code, respectively execute the PoC code candidate group generated and acquire communication data regarding communication generated during execution, and generate a signature using the communication data acquired.

Abstract: A generation method includes identifying, as paths that are abstraction candidates, dynamically generated paths among paths in a profile that is used to determine whether each request to a server is an attack, and counting numbers of path variations corresponding to the respective paths that are abstraction candidates, and abstracting paths contained in the profile when a number of variations counted at the counting satisfies a certain condition, by processing circuitry.

Abstract: An estimation unit (136) retrieves a subtree that matches a query to be estimated, from subtrees included in a syntax tree created from a query inserted into a Web request. In addition, the estimation unit (136) presents information for specifying the type of damage of an attack and an attack target, the information being associated in advance with the subtree obtained by the retrieval of the retrieval unit. An estimation unit retrieves a subtree that matches a query to be estimated, from subtrees included in a syntax tree created from a query inserted into a Web request. In addition, the estimation unit presents information for specifying the type of damage of an attack and an attack target, the information being associated in advance with the subtree obtained by the retrieval of the retrieval unit.

Abstract: A communication device is installed in between a client terminal and a web server which performs communication with the client terminal. The communication device includes a memory, and processing circuitry coupled to the memory and configured to of information included in communication between the web server and the client terminal, perform obfuscation with respect to information related to web application, and send communication, which includes information obfuscated at the performing, to destination.

Abstract: A determining apparatus performs emulation of an attack code included in an attack request that is addressed to a web application (web server), based on the attack type of the attack code, and extracts a feature that appears in a response issued by the web application when the emulation results in a successful attack. The determining apparatus determines that the attack has succeeded if the feature is included in a response from the web application, and determines that the attack has failed if the feature is not included.

Abstract: An information processing device includes an element extraction unit that extracts elements relating to actions of an attacker from each input log, a generation unit that generates a parser based on definition information defining the actions of the attacker in a formal grammar, the parser detecting, from a log, a log string having a feature corresponding to an action defined by the definition information, a parsing unit that detects, from a log consisting of the elements extracted by the element extraction unit, log strings having features corresponding to the actions defined by the definition information by using the parser, and a reconstruction unit that reconstructs the log strings detected by the parsing unit, adds a label indicating an action defined by the definition information to each of the reconstructed log strings, and outputs the labeled log strings as a log corresponding to a series of actions of the attacker.

Abstract: A regularization unit standardizes similar expressions across a plurality of URIs in access logs of requests made to a plurality of web servers, thereby changing the URIs into regularized URIs. A calculation unit calculates, among the access logs that are from the same source, the relative frequency of certain access logs to all access logs, the certain access logs corresponding to requests made to different destinations for the same regularized URI and also corresponding to certain response codes. If the largest of all the relative frequencies calculated for the regularized URIs is at least a certain threshold, a determination unit determines the regularized URIs to be scanning targets.

Abstract: A determination method includes determining an attack type of an attack code included in an attack request on the server, carrying out emulation of an attack by the attack code on the server in accordance with the determined attack type, and in a case of succeeding in an attack on the server as a result of the emulation, extracting a feature appearing in a response from the server, and examining whether a plurality of responses respectively corresponding to a plurality of requests to the server after the attack request each have the extracted feature, and in a case where at least any one of the plurality of responses has the extracted feature, determining that an attack by the attack code has succeeded, by a processor.

Abstract: A learning device generates a character class sequence abstracting a predetermined structure of a character string included in requests to a server. Also, the learning device saves an appearance frequency of each combination of predetermined identification information and character class sequence, which are included in requests for learning among the requests, as the profile. Also, the learning device collates combinations of predetermined identification information and character class sequence, which are included in requests for analysis among the requests, with the profile to detect abnormalities. Also, the learning device selects at least part of the requests, which are for analysis. Also, the learning device updates the profile based on the selected requests.

Abstract: A determination method includes determining an attack type of an attack code included in an attack request on a server, carrying out emulation of an attack by the attack code on the server in accordance with the determined attack type, extracting a feature related to a backdoor operation appearing in an attack code on the server in a case of succeeding in an attack on the server as a result of the emulation, and determining that an attack by the attack code has succeeded in a case where a communication log of the server has the extracted feature, by a processor.

Abstract: A learning device generates a character class series abstracting a structure of a predetermined character string included in each of requests to the server which have been generated in a predetermined period. Also, for each of the combinations of the predetermined identification information and the character class series included in the requests, the learning device calculates a score for update which becomes higher as the number of times of appearance of the combination is increased and becomes higher as the appearance of the combination is continued. Based on the score for update, the learning device updates the profile of each combination for determining whether the request is an attack or not.

Abstract: A generation method includes identifying, as paths that are abstraction candidates, dynamically generated paths among paths in a profile that is used to determine whether each request to a server is an attack, and counting numbers of path variations corresponding to the respective paths that are abstraction candidates, and abstracting paths contained in the profile when a number of variations counted at the counting satisfies a certain condition, by processing circuitry.

Abstract: A communication device is installed in between a client terminal and a web server which performs communication with the client terminal. The communication device includes a memory, and processing circuitry coupled to the memory and configured to of information included in communication between the web server and the client terminal, perform obfuscation with respect to information related to web application, and send communication, which includes information obfuscated at the performing, to destination.

Abstract: A determining apparatus performs emulation of an attack code included in an attack request that is addressed to a web application (web server), based on the attack type of the attack code, and extracts a feature that appears in a response issued by the web application when the emulation results in a successful attack. The determining apparatus determines that the attack has succeeded if the feature is included in a response from the web application, and determines that the attack has failed if the feature is not included.