The “trail log” of an information system is a record of all operations and actions in that system. It covers all system actions, such as user authentication records, user operation records, system administrator operation records, records of the operations of application programs, etc.
In information systems, there is a well-known conventional technology for detecting fraudulent operations etc. from a collected trail log. The technology extracts the user information (determined from a login ID) and the error information (for example, an unsuccessful login operation etc.) in a system from the latest collected trail log, and adds up the number of errors to detect a fraudulent operation. Detecting a fraudulent operation only from the latest collected trail log has the following problems.
(1) Since the contents of an application change every day, a fraudulent operation is not easily detected only from the latest collected trail log.
(2) Since a correct operation depends on each date, each day of week, each time zone, etc., a fraudulent operation is not easily detected only from the latest collected trail log.
Thus, it is difficult to determine a fraudulent operation only from the latest collected trail log, and only a limited range of fraudulent operations is detected.
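The conventional error-count technique described above, as an added example that is not part of the original text: the trail-log line format, the FAIL/OK result field, the threshold of 3 and the sample records are assumptions constructed for illustration. Two login IDs end up with the same error total even though one set of failures falls at 03:00 on a Sunday, which the count alone cannot distinguish.

```python
from collections import Counter
from datetime import datetime

# Constructed sample of a "latest collected" trail log (not from the original text).
# Assumed line format: ISO timestamp, login ID, operation, result.
LATEST_TRAIL_LOG = """\
2024-03-04T09:02:11 alice login FAIL
2024-03-04T09:02:25 alice login FAIL
2024-03-04T09:02:40 alice login OK
2024-03-04T09:15:03 alice file_read OK
2024-03-10T03:11:52 bob login FAIL
2024-03-10T03:12:07 bob login FAIL
2024-03-10T03:12:30 bob login OK
2024-03-10T03:14:45 bob file_copy OK
2024-03-04T10:30:00 carol login FAIL
2024-03-04T10:30:09 carol login FAIL
2024-03-04T10:30:21 carol login FAIL
2024-03-04T10:30:40 carol login FAIL
"""

ERROR_THRESHOLD = 3  # assumed fixed limit on errors per login ID


def parse_line(line):
    """Split one trail-log line into (timestamp, login_id, operation, result)."""
    stamp, login_id, operation, result = line.split()
    return datetime.fromisoformat(stamp), login_id, operation, result


def count_errors(log_text):
    """Add up error records per login ID, as the conventional technique does."""
    errors = Counter()
    for line in log_text.splitlines():
        if line.strip():
            _, login_id, _, result = parse_line(line)
            if result == "FAIL":
                errors[login_id] += 1
    return errors


def flag_users(log_text, threshold=ERROR_THRESHOLD):
    """Return login IDs whose error total reaches the fixed threshold."""
    return sorted(u for u, n in count_errors(log_text).items() if n >= threshold)


def error_contexts(log_text, login_id):
    """(weekday, hour) of each error, Monday=0; the counter never looks at this."""
    rows = (parse_line(l) for l in log_text.splitlines() if l.strip())
    return [(t.weekday(), t.hour) for t, u, _, r in rows if u == login_id and r == "FAIL"]
```

Here `flag_users(LATEST_TRAIL_LOG)` reports only `carol`, while `error_contexts` shows that the unflagged failures for `bob` occurred on a Sunday at 03:00 and those for `alice` on a Monday at 09:00.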
On the other hand, there is also the following fraudulent operation detecting technique: a specified fraudulent operation pattern or a specified correct operation is entered in a system, and a fraudulent operation is detected by performing pattern matching against the latest collected trail log.
A trail log is a large volume of data comprising many information items, and its contents are varied because the use situation of an information system changes every day. For such a large volume of data, there is a restriction on the number of patterns that can be entered corresponding to fraudulent operations. Therefore, patterns of fraudulent operations have been entered either by restricting the entry to the types of operations that access important information (files), or by roughly restricting the entry to operations such as copying a file, transmitting mail, etc. In addition, in the systems above, it is also important to re-enter the patterns depending on the use situation of the information system, which varies every day.