Recently, web applications are used in a lot of services and are becoming part of social infrastructure. At the same time, the number of attacks abusing the vulnerability of web applications is increasing. When such attacks cause defacing of the content or information leakage, serious damages occur to service providers and therefore it is necessary to detect the attacks.
A technology for correlating different types of events, such as an HTTP request event and another event occurring in the same web server, in order to detect an attack to a web application is known. For example, an HTTP request and a FireWall log are compared with each other and events occurring at times close to each other are correlated as events relevant to each other (see Non Patent Literature 1).