A method has been proposed that detects a predetermined event based on a set of records (often referred to as logs) that include variables of multiple types acquired from a monitoring target.
The monitoring target is, for example, a web server, and the record is, for example, an access log of the web server. The access log includes, for example, time and date of access, an access source Internet Protocol (IP) address, and an access destination uniform resource locator (URL). The predetermined event is an abnormal event such as an unauthorized access.
Related technologies are disclosed in Japanese Laid-open Patent Publications No. 2006-48253 and No. 2006-107179.
Weng-Keen Wong, Andrew W. Moore, Gregory F. Cooper, Michael M. Wagner: Rule-Based Anomaly Pattern Detection for Detecting Disease Outbreaks. AAAI/IAAI 2002: 217-223 is also an example of related art.
The detection method mentioned above includes, for example, a method that detects the predetermined event that is the detection target based on a result of comparison between current and past records. However, such records include various records that are not related to the predetermined event being detected (referred to as noise-induced records, as appropriate).
Accordingly, in the detection method described above, false detection may occur due to a noise-induced record. Here, the records to be compared may be current records, past records, or both; for example, comparison may be made between current records.
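The false detection described above can be reproduced with a minimal comparison of current and past access-log records. The following is an added example, not code from this publication. It assumes records reduced to (hour, source IP, URL) and uses Fisher's exact test as the comparison statistic, a choice the text does not specify. The sample records and the names `compare`, `normal` and `crawler` are constructed for illustration.

```python
from collections import Counter
from math import comb

FIELDS = ("hour", "src_ip", "url")  # variable types the text lists for an access log

def fisher_right_tail(a, b, c, d):
    """One-sided Fisher exact p-value for the 2x2 table [[a, b], [c, d]]:
    chance of >= a matching records in the current set if nothing changed."""
    n_cur, n_match, n_all = a + b, a + c, a + b + c + d
    tail = sum(comb(n_match, k) * comb(n_all - n_match, n_cur - k)
               for k in range(a, min(n_cur, n_match) + 1))
    return tail / comb(n_all, n_cur)

def compare(current, past, alpha=0.01):
    """Return (field, value, p) for each single-variable value whose share of
    the current records is significantly higher than its share of past ones."""
    flagged = []
    for i, field in enumerate(FIELDS):
        cur = Counter(r[i] for r in current)
        old = Counter(r[i] for r in past)
        for value, a in cur.items():
            c = old.get(value, 0)
            p = fisher_right_tail(a, len(current) - a, c, len(past) - c)
            if p < alpha:
                flagged.append((field, value, p))
    return sorted(flagged, key=lambda t: t[2])

# Constructed sample records (documentation IP ranges), not real logs.
URLS = ["/index.html", "/news", "/contact"]

def normal(n):
    """Steady background traffic: 10 clients cycling over 3 URLs and 3 hours."""
    return [(9 + i % 3, f"192.0.2.{1 + i % 10}", URLS[i % 3]) for i in range(n)]

def crawler(n):
    """Noise-induced records: a benign crawler, unrelated to any intrusion."""
    return [(9 + i % 3, "198.51.100.7", "/sitemap.xml") for i in range(n)]

if __name__ == "__main__":
    past = normal(300)
    print("clean window:", compare(normal(60), past))
    for field, value, p in compare(normal(60) + crawler(15), past):
        print(f"noisy window: {field}={value} p={p:.1e}")
```

The clean window yields no detections, while the window containing the crawler records is flagged on both its source IP and its URL even though no unauthorized access occurred.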
An object of an aspect of the present embodiment is to inhibit false detection when detecting a predetermined event based on records acquired from a monitoring target.