There is a growing trend toward automatically controlling, maintaining, and monitoring, via a network, devices operating in power plants, water supply and sewerage systems, automobile manufacturing plants, chemical plants, and the like. In a control network used in an automobile manufacturing plant or a chemical plant, for example, when an abnormality occurs in the network or the network stops, production stops and damage results. Therefore, the control network is required to have higher availability than an information network used for communication between PCs, a mail server, a Web server, a file server, and the like in a general office. Moreover, when abnormal communication, such as the writing of an unauthorized program into a device, is overlooked in a control network used in a power plant, a water supply and sewerage system, or the like, a serious accident may result. Thus, the control network is also required to have high reliability.
Intruding into a control network and performing an illegal operation or the like was considered difficult, because control networks conventionally used communication protocols unique to each vendor. Moreover, control networks were conventionally operated in isolation from the Internet, which made it difficult for an outside person to intrude into the network. However, the use of open communication protocols such as TCP/IP (Transmission Control Protocol/Internet Protocol) has recently been increasing in control networks as well. In addition, a mode of operation in which the control network is connected to the Internet has become widespread, in order to allow remote maintenance of devices in the control network through the Internet. Because control networks now use open communication protocols and are connected to the Internet, illegal intrusion into a control network is possible, and attacks on control systems are therefore increasing.
One technique for detecting an abnormality such as intrusion into or an attack on a network is an IDS (Intrusion Detection System). In Patent Literature 1, which relates to IDS, for example, a list of normal patterns of communication performed in a network is defined, and an abnormality is determined to have occurred when communication not matching the list is performed.
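The list-matching approach attributed above to Patent Literature 1 can be sketched as follows; this is an added example, not code from that literature or from this document. The pattern fields, addresses, ports and sample flow records are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Pattern:
    """One normal communication pattern (field choice is an assumption)."""
    src: str      # allowed source network, CIDR
    dst: str      # allowed destination network, CIDR
    proto: str    # "tcp" or "udp"
    ports: range  # allowed destination ports

    def matches(self, flow):
        return (ipaddress.ip_address(flow["src"]) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(flow["dst"]) in ipaddress.ip_network(self.dst)
                and flow["proto"].lower() == self.proto
                and flow["dport"] in self.ports)


# Constructed list of normal patterns for a small control network.
NORMAL_PATTERNS = [
    Pattern("10.0.1.10/32", "10.0.2.0/24", "tcp", range(502, 503)),  # HMI -> controllers (Modbus/TCP)
    Pattern("10.0.2.0/24", "10.0.1.20/32", "udp", range(514, 515)),  # controllers -> syslog host
]

# Constructed flow records, as a sensor on the control network might report them.
SAMPLE_FLOWS = [
    {"src": "10.0.1.10", "dst": "10.0.2.5", "proto": "tcp", "dport": 502},
    {"src": "10.0.2.5", "dst": "10.0.1.20", "proto": "UDP", "dport": 514},
    {"src": "10.0.1.10", "dst": "10.0.2.5", "proto": "tcp", "dport": 22},    # unlisted port
    {"src": "192.0.2.44", "dst": "10.0.2.5", "proto": "tcp", "dport": 502},  # unlisted source
    {"src": "10.0.1.10", "dst": "bad-address", "proto": "tcp", "dport": 502},  # malformed
]


def detect_abnormal(flows, patterns=NORMAL_PATTERNS):
    """Return every flow that matches no pattern in the list."""
    abnormal = []
    for flow in flows:
        try:
            normal = any(p.matches(flow) for p in patterns)
        except (KeyError, ValueError, TypeError, AttributeError):
            normal = False  # a record that cannot be parsed is not shown to be normal
        if not normal:
            abnormal.append(flow)
    return abnormal


if __name__ == "__main__":
    for flow in detect_abnormal(SAMPLE_FLOWS):
        print("abnormal:", flow)
```

Only flows that match an entry of the list pass; anything else, including a record that cannot be parsed, is reported as abnormal.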