Conventionally, in a simulation network system where a malicious program such as malware created by an attacker is run, the malicious network system being built for observing the behavior and attack scheme of the malicious program, a scheme (to be referred to as simulation environment hereinafter) of simulating a terminal or server which functions in the network system is known. For example, a scheme as described in Patent Literature 1 is known. According to this scheme, simulation is performed by a simulation program which receives communication data as input transmitted from a malware-infected terminal, determines response data in accordance with the contents of the communication data, and sends back the response data. Such a simulation environment will be called a low-interactive honeypot (an example of a low-interactive simulation environment) hereinafter.
A scheme as described in Patent Literature 2 and Non-Patent Literature 1 is also known. According to this scheme, a virtual machine is operated in a virtualized environment that uses a commercially available product, and this virtualized environment is used as a simulation environment. Such a simulation environment will be referred to as a high-interactive honeypot (an example of a high-interactive simulation environment) hereinafter.