A multi-stage attack refers to an attack carried out by an attacker in a plurality of separate stages to attain a single purpose. Conventionally, in order to detect such an attack, a scheme is available (for example, Non-Patent Literature 1) in which, for an individual event such as an IDS (Intrusion Detection System) alert, a necessary condition for the event to take effect (called an event precondition in this case) and a state change caused by the event (called an event result in this case) are defined, and whether or not an attack is underway is determined according to whether an event sequence can be created, the event sequence being a connection of events in which the result of one event serves as the precondition of another event.
More specifically, according to the scheme of Non-Patent Literature 1, the dependency between detected events is defined in advance. For example, the dependency is defined like “an actual attack event comes after a port scanning event”. In the definition of this dependency, a precondition and a result (prerequisite and consequence respectively in the literature) are further defined for each event. If a result satisfying the precondition of a certain event B is provided by another event A, B is treated as depending on A. By utilizing such dependencies of the individual events, the relations among the observed events are expressed in the form of a graph according to their dependencies, so that whether or not a multi-stage attack is underway can be determined.
A scheme has already been proposed (for example, Patent Literature 1) which determines the event dependencies even when there is an event that has escaped detection. According to this scheme, the relations among management targets of events are prescribed in advance, and the event dependency of each management target is determined. More specifically, assume that there are first, second, and third management targets. In the second management target, a second event occurs depending on a first event occurring in the first management target. In the third management target, a third event occurs depending on the second event occurring in the second management target. The difference between the time of occurrence of the first event and the time of occurrence of the third event is obtained. If the time difference falls within a predetermined time frame, it can be determined that there is a dependency between the first and third events even when the second event has escaped detection.
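The precondition/result chaining of Non-Patent Literature 1 and the time-window bridging of Patent Literature 1, as an added illustration that is not code from either literature: the event catalogue, event names (port_scan, exploit, exfil) and state names are constructed for the example.

```python
from dataclasses import dataclass
from itertools import combinations


@dataclass(frozen=True)
class EventType:
    name: str
    preconditions: frozenset  # states that must hold before the event can take effect
    results: frozenset        # state changes the event causes


@dataclass(frozen=True)
class Observed:
    etype: str   # key into CATALOGUE
    target: str  # management target where the event was seen
    time: int    # seconds since an arbitrary epoch


# Constructed catalogue with hypothetical event and state names (not from the text).
CATALOGUE = {
    "port_scan": EventType("port_scan", frozenset(), frozenset({"service_known"})),
    "exploit": EventType("exploit", frozenset({"service_known"}), frozenset({"shell"})),
    "exfil": EventType("exfil", frozenset({"shell"}), frozenset({"data_out"})),
}


def depends_on(a: Observed, b: Observed) -> bool:
    """b depends on a when a result of a satisfies a precondition of b and a came first."""
    ta, tb = CATALOGUE[a.etype], CATALOGUE[b.etype]
    return a.time < b.time and bool(ta.results & tb.preconditions)


def dependency_edges(events):
    """Edges (earlier, later) of the dependency graph over the observed events."""
    ordered = sorted(events, key=lambda e: e.time)
    return [(a, b) for a, b in combinations(ordered, 2) if depends_on(a, b)]


def longest_chain(events) -> int:
    """Number of events in the longest precondition/result chain (1 if nothing depends)."""
    ordered = sorted(events, key=lambda e: e.time)
    best = {e: 1 for e in ordered}
    for i, b in enumerate(ordered):
        for a in ordered[:i]:
            if depends_on(a, b):
                best[b] = max(best[b], best[a] + 1)
    return max(best.values(), default=0)


def bridged_dependency(first: Observed, third: Observed, window: int) -> bool:
    """Link first and third although the middle event was never detected: some catalogued
    type must fit between them and the time difference must fall within the window."""
    if not 0 < third.time - first.time <= window:
        return False
    tf, tt = CATALOGUE[first.etype], CATALOGUE[third.etype]
    return any(tf.results & m.preconditions and m.results & tt.preconditions
               for m in CATALOGUE.values())
```

With a full chain observed, `longest_chain` reports three stages; when the exploit alert is missing, `bridged_dependency` still links the scan to the exfiltration if their time difference lies within the window.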