In recent years, damage caused by DoS (Denial of Service) attacks, which use improper communication to force public services on the Internet into a suspended state, has been increasing.
DoS attacks can generally be classified into two forms. In the first form, a malicious attacker transmits improper data or abnormal packets to a service provider, causing the software of the service provider to behave abnormally. In the second form, a large amount of traffic is transmitted to a service provider to use up the bandwidth of the service provider's communication lines or the processing capabilities of a communication device.
As a technique for handling the first form, there is a technique that finds abnormal behaviors of a server caused by improper communication by counting the number of packets flowing into the server for each packet type (see Patent Literature 1).
As a technique for handling the second form, there is a technique that detects a large amount of traffic based on, for example, a change in flow statistical information (see Patent Literature 2).
There is also the problem of a new type of attack referred to as “Slow READ DoS”. In this attack, the attacker reduces the size (window size) of its own reception buffer, as notified to the communication counterpart, to a considerably small value. This limits the amount of information that the counterpart can transmit at a time and prolongs the time required for communication, so that a session is improperly occupied (see Non Patent Literature 1).
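The following added example, which is not taken from this document or from the cited literature, shows one way a defender could spot the Slow READ pattern described above: it flags connections whose advertised window stays small for a sustained period and ignores a brief dip that recovers. The thresholds, the record layout, and the sample observations are assumptions constructed for illustration.

```python
from collections import defaultdict

# Assumed thresholds (not from the original text); tune per service.
SMALL_WINDOW_BYTES = 512   # advertised window treated as "considerably small"
MIN_HOLD_SECONDS = 30.0    # how long it must stay small before flagging

# Constructed sample: (time in seconds, client "ip:port", advertised window).
# The window is assumed to be in bytes with any window scaling already applied.
SAMPLES = [
    (0.0, "198.51.100.7:40001", 65535), (1.0, "198.51.100.7:40001", 64240),
    (2.0, "198.51.100.7:40001", 65535),                 # ordinary client
    (0.0, "203.0.113.9:51000", 128), (15.0, "203.0.113.9:51000", 0),
    (40.0, "203.0.113.9:51000", 128), (75.0, "203.0.113.9:51000", 64),
    (0.0, "192.0.2.44:33333", 65535), (5.0, "192.0.2.44:33333", 256),
    (8.0, "192.0.2.44:33333", 65535), (9.0, "192.0.2.44:33333", 60000),
]

def find_slow_readers(samples, small=SMALL_WINDOW_BYTES, hold=MIN_HOLD_SECONDS):
    """Return {connection: longest small-window run in seconds} for runs >= hold."""
    by_conn = defaultdict(list)
    for ts, conn, window in samples:
        by_conn[conn].append((ts, window))
    flagged = {}
    for conn, obs in by_conn.items():
        obs.sort()  # order each connection's observations by time
        run_start, longest = None, 0.0
        for ts, window in obs:
            if window <= small:
                if run_start is None:
                    run_start = ts
                longest = max(longest, ts - run_start)
            else:
                run_start = None  # window recovered: ordinary flow control
        if longest >= hold:
            flagged[conn] = longest
    return flagged

if __name__ == "__main__":
    for conn, secs in find_slow_readers(SAMPLES).items():
        print(f"{conn}: small window held for {secs:.0f}s")
```

A zero window counts as small here, so a client that stalls the sender completely is caught by the same rule.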