Analyzing packets to determine anomaly according to a packet counter has conventionally been performed as a countermeasure against network attacks by means of denial-of-service attacks. However, denial-of-service attacks are not limited to attacks that use a large amount of packets; some may be conducted by an attack method that, despite using a small amount of packets, occupies Transmission Control Protocol (TCP) connections of a server. The packet-count-based countermeasure fails to prevent such a connection occupying attack, which is a problem.
Against this problem, a countermeasure using existing Web Application Firewall (WAF) is taken. For instance, as a countermeasure against connection-occupying anomalous traffic, a technique based on connection duration timeout has been proposed (see, for example, Non Patent Literature 1).