In recent years, network-based attack methods have advanced and have become difficult to handle with conventional security measures based on prior defense. Attempts have been made to counter these attacks with high-performance, highly functional security devices, but given the cost of the devices and the labor of operating and managing them, such devices are difficult to introduce into general user homes and small-to-medium-sized enterprises. It is therefore desirable to realize advanced security measures by introducing inexpensive devices, but the performance and functions of such devices are limited.
For example, it is hoped that an advanced security measure can be realized by introducing only inexpensive devices having minimum functions into a user network (NW), such as a home NW or a small-to-medium-sized enterprise NW, and having these devices cooperate with functions outside the user NW; that is, by outsourcing the security of the user NW.
For example, one conceivable security measure is a technique in which outside functions, arranged in a data center or the like on the Internet, fully monitor communication traffic in a user NW by causing all communication traffic (including communication packets and communication flows) between the user NW and an external NW to pass through those outside functions or to be mirrored to them. Further, for example, there is a technique of sampling traffic in a user NW, transmitting the sampled traffic to outside functions arranged in a data center or the like, and performing abnormality detection.
Further, for example, there is a technique of sending communication traffic flowing from a user NW to an intrusion detection system (IDS) outside the user NW, determining whether or not the communication traffic is unauthorized communication to a destination application server (AP server), and notifying an administrator of the determination (for example, see Patent Literature 1). Specifically, communication suspected to be unauthorized access to a particular AP server is allocated to a packet transfer device that includes an IDS and is located in the Internet service provider (ISP) in charge of the AP server, and if the packet transfer device determines the communication to be malicious, the administrator is notified of the determination. The transfer device can thus perform IDS processing only on communication to the particular server, rather than on communication to arbitrary AP servers, which reduces the processing load.