There have been known attacks through networks such as denial-of-service attacks (including distributed denial-of-service attacks) paralyzing networks and server machines (hereinafter, “communication device”) by sending great amounts of packets thereto. Because the denial-of-service attacks are difficult to be detected by a method focusing on feature amounts of packets, a system for detecting denial-of-service attacks by a method focusing on an abnormality of traffic (volume) is widely used.
In the system for detecting denial-of-service attacks, steady traffic, obtained by measuring traffic to a communication device that is a target of an attack over a predetermined period of time, is previously calculated by manually or automatically. If the traffic monitored deviates from the steady traffic, this is regarded as an attack, and the denial-of-service attack is detected in this manner (see, for example, Patent document 1).
Patent document 1: Japanese Patent Application Laid-Open No. 2003-283555.