In recent years, incidents in which malware leaks confidential information outside an organization have become a problem. Cyberattacks using malware are becoming increasingly sophisticated. One example is the attack referred to as an APT (Advanced Persistent Threat) disclosed in Non Patent Literature 1 and elsewhere.
In an APT, malware that has intruded into an organization via a mail attachment infects a computer. The malware then communicates with a C&C (Command & Control) server on the Internet operated by an attacker, and downloads new malware or attack tools or updates itself. The malware then spies inside the organization, finds a file server, and leaks confidential files to the C&C server. Regarding each of these activities as an attack, the respective attacks are carried out in stages over a long period of time. For example, the malware that has infected the computer hides itself and remains inactive for one month after infection, and only then starts to communicate with the C&C server.
In an APT, a plurality of attacks are thus carried out at intervals.
There are various countermeasures against APTs. Countermeasure products against APTs include products for preventing intrusion via mail, products for preventing information leakage, and so forth.
A further countermeasure against APTs is automated log analysis. In automated log analysis, the logs of network devices such as computers, servers, and routers, and of security devices such as firewalls and intrusion detection systems, are analyzed to examine their mutual correlation. Alternatively, an abnormal record is found in a single log. Automated log analysis detects an APT, or observes the progress of an APT attack, by carrying out such analysis.
An example of a product that automatically detects an abnormality by examining the correlation between logs of security devices such as firewalls and intrusion detection systems is a SIEM (Security Information and Event Management) system (refer to Patent Literature 1). A SIEM system may also be referred to as an integrated log monitoring system.
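The following is an added illustration of the two kinds of automated log analysis described above (cross-device correlation and detection of an abnormal record in one log), applied to the staged APT sequence described earlier. It is example code written for this page, not code from Patent Literature 1 or from any SIEM product. The log format, the event vocabulary (attachment_delivered, outbound_uncommon_domain, bulk_read, large_upload), the host names and the sample records are all constructed assumptions; real devices emit different fields.

```python
"""Correlate logs from several devices to recognise a staged APT.

Each record is (timestamp, source, host, event, detail). The correlator
keys records by internal host, orders them in time, and looks for the
stage sequence described in the text: mail-borne intrusion -> C&C
traffic -> internal reconnaissance on a file server -> exfiltration.
The stages may be weeks apart, so the window is measured in days.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Stage definitions: (stage name, log source, event type). Hypothetical
# event vocabulary chosen for the constructed logs below.
STAGES = [
    ("intrusion", "mailgw", "attachment_delivered"),
    ("c2", "proxy", "outbound_uncommon_domain"),
    ("recon", "fileserver", "bulk_read"),
    ("exfil", "proxy", "large_upload"),
]
MAX_SPAN = timedelta(days=90)   # the whole chain must fit in this window

# Constructed sample logs from a mail gateway, a web proxy and a file server.
# pc-17 follows the full APT pattern, including a month of dormancy and a
# once-a-day C&C beacon; pc-22 is a benign host that shares two of the stages.
SAMPLE_LOGS = [
    "2024-03-01T09:12:00|mailgw|pc-17|attachment_delivered|invoice.docx.exe",
    "2024-03-01T09:20:00|proxy|pc-17|outbound_known_domain|update.vendor.example",
    "2024-04-02T03:00:00|proxy|pc-17|outbound_uncommon_domain|cdn-sync.example",
    "2024-04-03T03:01:00|proxy|pc-17|outbound_uncommon_domain|cdn-sync.example",
    "2024-04-04T03:00:00|proxy|pc-17|outbound_uncommon_domain|cdn-sync.example",
    "2024-04-05T02:59:00|proxy|pc-17|outbound_uncommon_domain|cdn-sync.example",
    "2024-04-20T14:30:00|fileserver|pc-17|bulk_read|fs01:/finance 1200 files",
    "2024-04-21T01:10:00|proxy|pc-17|large_upload|cdn-sync.example 850MB",
    "2024-03-01T09:12:00|mailgw|pc-22|attachment_delivered|report.pdf",
    "2024-04-20T14:30:00|fileserver|pc-22|bulk_read|fs01:/backup 3000 files",
]


def parse(line):
    """Parse one 'ts|source|host|event|detail' record (constructed format)."""
    ts, source, host, event, detail = line.split("|", 4)
    return (datetime.fromisoformat(ts), source, host, event, detail)


def correlate(lines):
    """Cross-device correlation: return {host: [(stage, ts, detail), ...]}
    for every host whose logs contain all stages in order within MAX_SPAN."""
    by_host = defaultdict(list)
    for rec in map(parse, lines):
        by_host[rec[2]].append(rec)
    chains = {}
    for host, recs in by_host.items():
        recs.sort()                      # chronological order per host
        matched, idx = [], 0
        for ts, source, _host, event, detail in recs:
            # Advance to the next stage only when this record matches it;
            # unrelated records (e.g. normal proxy traffic) are skipped.
            if idx < len(STAGES) and (source, event) == STAGES[idx][1:]:
                matched.append((STAGES[idx][0], ts, detail))
                idx += 1
        if idx == len(STAGES) and matched[-1][1] - matched[0][1] <= MAX_SPAN:
            chains[host] = matched
    return chains


def beacon_hosts(lines, min_hits=4, tolerance=timedelta(minutes=5)):
    """Single-log abnormality: flag (host, domain, interval) where outbound
    connections to one uncommon domain recur at a near-constant interval,
    the kind of periodic C&C beacon that is invisible record by record."""
    series = defaultdict(list)
    for ts, source, host, event, detail in map(parse, lines):
        if source == "proxy" and event == "outbound_uncommon_domain":
            series[(host, detail)].append(ts)
    flagged = []
    for (host, domain), times in series.items():
        times.sort()
        if len(times) < min_hits:
            continue
        gaps = [b - a for a, b in zip(times, times[1:])]
        if max(gaps) - min(gaps) <= tolerance:   # all gaps nearly equal
            flagged.append((host, domain, gaps[0]))
    return flagged


if __name__ == "__main__":
    for host, chain in correlate(SAMPLE_LOGS).items():
        print(host, [(stage, ts.date().isoformat()) for stage, ts, _ in chain])
    for host, domain, gap in beacon_hosts(SAMPLE_LOGS):
        print("beacon:", host, domain, gap)
```

The correlator is deliberately order-sensitive: pc-22 received an attachment and later read many files from the file server, but without the intervening C&C traffic and the final upload it is not reported, which is what keeps the cross-device rule from firing on ordinary backup jobs. The beacon check works on the proxy log alone and is the automated counterpart of the "abnormal record" case.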
There are also log analysis systems in which various logs are drilled down using various keywords, or in which status changes are displayed chronologically, so that a human can discover an abnormality.
Patent Literature 1 proposes a method of introducing a relay server in addition to a business system server, so that the relay server performs user authentication and collects the log that has been used.