With respect to detecting an injustice access to an information system which is carried out by a handler who has an access right, various related techniques are known. Here, the handler includes a person, a computer or another apparatus. Hereinafter, the handler is called a person having access right.
A patent document 1 discloses a log analyzing server which detects a specific user, who carries out a peculiar operation, in a group including a plurality of users in comparison with another user in the group.
The log analyzing server operates as follows.
First, the log analyzing server collects a log of a computer operation or the like carried out by users belonging to the same group.
Next, the log analyzing server generates a model of operation, which a specific user who belongs to the group carries out as a specific time elapses, on the basis of a log of the operation carried out by the specific user. At the same time, the log analyzing server generates models of operations, which a plurality of general users carry out as the specific time (same as the specific time corresponding the model of operation carried out by the specific use) elapse, on the basis of logs of the operations carried out by a plurality of the general users. Here, the general users are different from the specific user who belongs to the group, but belongs to the same group.
Next, the log analyzing server carries out analysis by comparing a general tendency of the models of operations carried out by the general users, and the model of operation carried out by the specific users.
The log analyzing server, which is disclosed in the patent document 1, operates as mentioned above, and consequently detects the specific user, who carries out the peculiar operation in the group, in comparison with the general user.
A patent document 2 discloses an abnormal operation detecting device which detects an abnormal operation on the basis of a regular operation which can be judged to be an usual operation, and a current operation.
The abnormal operation detecting device includes a log collecting means, a current operation defining means, a regular operation database and an operation comparing means.
The log collecting means acquires operation contents of a user terminal.
The current operation defining means defines operation contents, which the log collecting means acquires and which are carried out during a short time in a specific user terminal, as the current operation.
The regular operation database stores contents corresponding to the regular operation, which can be judged to be the usual operation, in advance.
The operation comparing means finds a ratio of number of the regular operations to number of the current operations, which are different from the regular operation, as a degree of abnormal operation, and judges that the current operation is abnormal if the degree of abnormal operation is larger than a predetermined threshold value.
The abnormal operation detecting device disclosed in the patent document 2 detects the current operation, which is abnormal in comparison with the regular operations, by having the above-mentioned configuration.