Traditional countermeasures against cyber-attacks include inlet measures using antivirus software and the like. However, such countermeasures cannot completely prevent infection, and the importance of outlet measures that prevents the damage of malware infection from spreading has been increasing. An effective way to detect an infected terminal is to analyze the log of the terminal or the network device. In recent years, an increasing number of enterprises take outlet measures by implementing a security information and event management (SIEM).
In the outlet measures, an infected terminal is detected and the malware infected terminal is separated from the network. A method of specifying the malware infected terminal includes a method of extracting a specific uniform resource locator (URL) as a blacklist by analyzing the behavior of malware, and matching the blacklist with the network log. For example, in a method of specifying a terminal communicating with an Internet Protocol (IP) address in a blacklist as the destination, the terminal is specified using the blacklist relating to IP addresses of communication destinations specific to malware.