Devices disclosed in PTLs 1 to 3 are examples of devices for detecting an abnormality having occurred in an information processing system.
An abnormality detection device disclosed in PTL 1 detects a piece of abnormal information out of a plurality of pieces of information at an information source. The abnormality detection device applies each of a plurality of algorithms to each piece of information, calculates a weight for each of the calculated results, aggregates all the results based on the weights and, thereby, detects a piece of abnormal information.
A diagnosis device disclosed in PTL 2 receives measurement data that were measured with respect to a plurality of measurement targets in an information processing system, and applies an operation algorithm to the measurement data based on classification information in which the plurality of measurement targets are classified. The diagnosis device calculates an abnormality value relating to the measurement data through the above-described processing. The diagnosis device applies a predetermined determination algorithm to the calculated abnormality value and, thereby, determines whether or not the information processing system is abnormal.
A malware detection device disclosed in PTL 3 specifies a communication different from a predetermined communication out of communications performed between an internal terminal communicably connected to a certain communication network and an external terminal communicably connected to a communication network different from the certain communication network. When the number of the specified communications is more than or equal to a predetermined number, the malware detection device detects the internal terminal that performed the communications as a suspicious terminal. When the number of communications performed among a plurality of suspicious terminals exceeds a predetermined number, the malware detection device detects the suspicious terminals as being infected with malware.
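The two-stage thresholding described for PTL 3 can be sketched as follows; this is an added example, not code from PTL 3 or from this document. The flow-record layout, the internal address range, the allowlist standing in for the "predetermined communication", both threshold values, and the choice to report only the suspicious terminals that took part in the peer communications are assumptions.

```python
from collections import Counter
from ipaddress import ip_address, ip_network

# Assumed parameters (none of these values come from the page).
INTERNAL_NET = ip_network("10.0.0.0/8")
EXPECTED = {("203.0.113.10", 443)}  # stands in for the "predetermined communication"
SUSPICIOUS_MIN = 3   # stage 1 fires when the count is >= this value
INFECTED_OVER = 2    # stage 2 fires when the count is > this value

# Constructed flow records: (source, destination, destination port).
FLOWS = (
    [("10.0.0.5", "198.51.100.7", 8080)] * 3
    + [("10.0.0.6", "198.51.100.7", 8080)] * 3
    + [("10.0.0.9", "198.51.100.7", 8080)] * 3
    + [("10.0.0.7", "203.0.113.10", 443)] * 4   # expected traffic only
    + [("10.0.0.8", "198.51.100.9", 53)] * 2    # below the stage 1 threshold
    + [("10.0.0.5", "10.0.0.6", 445)] * 2
    + [("10.0.0.6", "10.0.0.5", 445)]
)

def is_internal(addr):
    return ip_address(addr) in INTERNAL_NET

def detect(flows, expected=EXPECTED, suspicious_min=SUSPICIOUS_MIN,
           infected_over=INFECTED_OVER):
    """Return (suspicious, infected) sets of internal terminal addresses."""
    # Stage 1: per internal terminal, count communications with external
    # terminals that differ from the expected ones.
    unexpected = Counter()
    for src, dst, port in flows:
        inside = [a for a in (src, dst) if is_internal(a)]
        if len(inside) != 1:
            continue  # only internal <-> external traffic is counted here
        outside = dst if inside[0] == src else src
        if (outside, port) not in expected:
            unexpected[inside[0]] += 1
    suspicious = {t for t, n in unexpected.items() if n >= suspicious_min}

    # Stage 2: count communications among the suspicious terminals.
    peers = [(s, d) for s, d, _ in flows
             if s in suspicious and d in suspicious and s != d]
    infected = ({t for pair in peers for t in pair}
                if len(peers) > infected_over else set())
    return suspicious, infected

if __name__ == "__main__":
    suspicious, infected = detect(FLOWS)
    print("suspicious:", sorted(suspicious))
    print("infected:  ", sorted(infected))
```

Note that the first threshold is inclusive ("more than or equal to") while the second is strict ("exceeds"), so a terminal such as 10.0.0.9 in the constructed data is suspicious without being reported as infected.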