Services that use the Internet include services that use authentication based on user ID and a password. In this type of services, brute force attacks (also referred to below as “BF attacks”) in which the user ID and password of another person are illegally gained are viewed as a problem.
A BF attack is an attack to access a communication apparatus such as a server that provides services and attempt an authentication (login) by using combinations of imaginable user IDs and passwords. This attempt is continued until the authentication succeeds. Therefore, if a communication apparatus has a BF attack, not only the user ID and password of a normal user are illegally gained but also a problem such as the occurrence of a failure due to an increase in a processing load of a server or the like arises.
As one countermeasure against BF attacks, there is a method of detecting communication (access) that is highly likely to be a BF attack by applying an intrusion detection system (IDS).
In the detection of a BF attack by using the IDS, in a case in which, for example, an access pattern from a first IP address to a communication apparatus with a second IP address is similar to a pattern at the time of a BF attack, the presence or absence of similar accesses from the first IP address to communication apparatuses with other IP addresses is checked. Then, if it is detected that accesses in patterns similar to the pattern at the time of a BF attack were performed from the first IP address to a plurality of communication apparatuses with different IP addresses at times of the day that are almost the same, it is decided that a BF attack in which the first IP address is a transmission source (attack source) was performed.
As for this type of BF attack, the advent of a BF attack in a new form was reported in a recent year in which false detection by an IDS is disguised. For example, a form was reported in which the number of login attempts from one IP address and the frequency of attacks is reduced and login attempts (BF attack) are performed while the IP address is changed (see Satomi Honda, Yuki Unno, Koji Maruhashi, Masahiko Takenaka, Satoru Torii, “Detection of Novel-Type Brute Force Attacks Used Expendable Springboard IPs as Camouflage”, “Computer Security Symposium (CSS2013), 2013, for example).