Web-based systems are used in many fields of society, such as EC (electronic commerce). However, because such systems are infrastructure used by general users, Web servers are constantly exposed to the risk of attack. Various methods of detecting attack access to Web servers have been considered.
Typically, the methods of detecting attacks include analyzing the details of access with a WAF (Web Application Firewall) and analyzing the logs that remain in a Web server or an application server. Two types of attack detection method are known: the signature type and the anomaly type.
FIG. 17 is a diagram that illustrates conventional attack detection methods. FIG. 17(a) is a diagram that illustrates a signature-type attack detection method, and FIG. 17(b) is a diagram that illustrates an anomaly-type attack detection method.
As illustrated in FIG. 17(a), the signature type extracts a part of an attack code by which an attack can be identified, and it detects any request that matches the pattern as an attack. Because the number of vulnerabilities that exist in Web APs (Web applications) keeps increasing, it is difficult to prevent attacks with signature-type detection, which provides measures against individual vulnerabilities. Therefore, studies have been made on anomaly detection, in which a profile is generated from normal requests to the Web AP so that a failure is detected.
As illustrated in FIG. 17(b), with the anomaly type, a profile is generated from the normal request, the degree of similarity to the profile is calculated, and a dissimilar request is detected as a failure (see Non Patent Literatures 1 and 2). Hereinafter, the process to generate a profile is referred to as a learning process, and the process to determine whether the analysis target request is an attack by using a profile is referred to as a detection process.
In the method disclosed in Non Patent Literatures 1 and 2, based on the path section of a Web AP, a profile having several sets of feature data is generated for a parameter included in the path section. The method of generating a profile is explained below.
Here, only the feature data on the structure of a character string and on the class of a character string, which are considered to largely affect detection results, are considered. FIG. 18 is a diagram that illustrates the feature data of a profile.
Conventional technology 1 is the case where the structure of a character string is the feature data, and conventional technology 2 is the case where the class of a character string is the feature data; each is briefly explained below.
First, an explanation is given of the method of generating a profile by using the structure of a character string as feature data according to the conventional technology 1. FIG. 19 is a diagram that illustrates the method of generating a state transition model according to the conventional technology 1.
The steps of the learning process are as follows.
(Step 1) Each appearing character is treated as a state, and a state transition model that enumerates every parameter value is generated.
(Step 2) Starting from the initial state (s), the same states are connected repeatedly until no further connection is possible, and the finished state transition model is set as the profile (see Non Patent Literature 3 for the way of generating the state transition model).
When a model is generated, the probability of state transition needs to be considered; however, because conventional technology 1 does not consider the probability during detection, it is regarded as equivalent to generating a model that does not consider the transition probability.
During the detection process, if a character string cannot be output from the profile (state transition model), it is determined to be a failure.
Next, an explanation is given of the method of generating a profile by using the character string format as feature data according to the conventional technology 2. FIG. 20 is a diagram that illustrates the faulty determination method according to the conventional technology 2.
The steps of the learning process are as follows.
(Step 1) Character string classes are defined in advance (see Non Patent Literature 4 for an example of the definition method).
(Step 2) It is determined whether the entire parameter value fits into a class, and the class name of the fitted class is stored as the profile for the parameter.
During the detection process, the entire parameter value is converted into a class and, if it does not match the class of the profile, a failure is determined.
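The learning and detection processes of conventional technologies 1 and 2 can be sketched together as follows. This is an added example, not code from the patent or from the cited literature. It assumes that connecting the same states leaves one state per character, so a string can be output only if every character-to-character transition was seen in learning. The class definitions, the handling of parameters never seen in learning, and the sample requests are likewise hypothetical.

```python
import re

START, END = "<s>", "<e>"  # initial and final states of the transition model

# Hypothetical class definitions (the page defers the real ones to
# Non Patent Literature 4); the first class the whole value fits wins.
CLASSES = [
    ("numeric", re.compile(r"[0-9]+")),
    ("alpha", re.compile(r"[A-Za-z]+")),
    ("alnum", re.compile(r"[A-Za-z0-9]+")),
]

def classify(value):
    """Convert an entire parameter value into a class name, or None."""
    for name, pattern in CLASSES:
        if pattern.fullmatch(value):
            return name
    return None

def transitions(value):
    """State transitions of one value, with each character as a state."""
    states = [START, *value, END]
    return set(zip(states, states[1:]))

def learn(normal_requests):
    """Learning process: build a profile per (path, parameter)."""
    profile = {}
    for path, param, value in normal_requests:
        entry = profile.setdefault((path, param), {"trans": set(), "classes": set()})
        entry["trans"] |= transitions(value)  # assumption: one merged state per character
        cls = classify(value)
        if cls is not None:
            entry["classes"].add(cls)
    return profile

def detect(profile, path, param, value):
    """Detection process: list the feature data under which value is a failure."""
    entry = profile.get((path, param))
    if entry is None:  # assumption: a parameter never seen in learning is a failure
        return ["unknown parameter"]
    failures = []
    if not transitions(value) <= entry["trans"]:
        failures.append("structure")  # the model cannot output this string
    if classify(value) not in entry["classes"]:
        failures.append("class")  # class differs from the profile
    return failures

# Constructed sample of normal requests: (path, parameter, value).
NORMAL = [("/item", "id", "1001"), ("/item", "id", "1200"), ("/item", "id", "2010")]
PROFILE = learn(NORMAL)
```

With this constructed profile, the unseen value 2001 is accepted because all of its transitions were learned, while 3456 is a failure under the structure feature only, since it is still numeric.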