CPC G06F 21/55 (2013.01) [G06F 40/205 (2020.01); H04L 63/1416 (2013.01); H04L 63/1425 (2013.01); G06F 2221/034 (2013.01)] | 4 Claims |
1. An information processing device comprising:
a memory; and
a processor coupled to the memory and programmed to execute a process comprising:
extracting elements relating to actions of an attacker from each input log;
generating a parser based on definition information that defines the actions of the attacker in a formal grammar, the parser being configured to detect, from a log, a log string having a feature corresponding to an action defined by the definition information;
detecting, from a log consisting of the elements extracted by the extracting, log strings having features corresponding to the actions defined by the definition information by using the parser; and
reconstructing the log strings detected by the detecting, adding a label indicating an action defined by the definition information to each of the reconstructed log strings, and outputting the labeled log strings as a log corresponding to a series of actions of the attacker.
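The claim describes a pipeline of four steps: extract per-line elements, generate a parser from a formal-grammar definition of attacker actions, run that parser over the element stream, then reconstruct and label the matched log strings. The following Python program is an added illustration of that pipeline and is not code from the patent or its assignee. It assumes a constructed web-server log format (`host method path status`), an assumed set of terminal symbols (`AUTH_FAIL`, `AUTH_OK`, `PROBE`, `ADMIN_ACCESS`, `OTHER`), and restricts the "formal grammar" to regular expressions over those terminals so that parser generation is simply compiling each definition to a regex over an encoded symbol stream; the action names and sample lines are constructed for the example.

```python
import re

# Constructed sample log (assumed format "host method path status"); not from the patent.
SAMPLE_LOG = """\
10.0.0.5 GET /login 200
10.0.0.5 POST /login 401
10.0.0.5 POST /login 401
10.0.0.5 POST /login 401
10.0.0.5 POST /login 302
10.0.0.5 GET /admin 200
10.0.0.9 GET /index.html 200
10.0.0.7 GET /.env 404
10.0.0.7 GET /wp-admin 404
10.0.0.7 GET /phpinfo.php 404
"""

# Terminal symbols of the grammar (assumed names). Each element extracted from
# a log line is one of these; they are encoded as single characters so that a
# definition compiles to a regex over the encoded stream (at most 26 here).
TERMINALS = ["AUTH_FAIL", "AUTH_OK", "PROBE", "ADMIN_ACCESS", "OTHER"]
CODE = {t: chr(ord("A") + i) for i, t in enumerate(TERMINALS)}

# Step 1: extract the element relating to attacker actions from one log line.
def extract_element(line):
    host, method, path, status = line.split()
    if path == "/login" and method == "POST" and status == "401":
        return "AUTH_FAIL"
    if path == "/login" and method == "POST" and status.startswith("3"):
        return "AUTH_OK"
    if status == "404":
        return "PROBE"
    if path.startswith("/admin"):
        return "ADMIN_ACCESS"
    return "OTHER"

# Step 2: definition information. Each action is a sequence of terminals; a
# quantifier (? * + {n,} {n,m}) applies to the terminal it follows.
DEFINITIONS = {
    "brute_force_then_login": "AUTH_FAIL{2,} AUTH_OK ADMIN_ACCESS?",
    "directory_probing": "PROBE{3,}",
}

TOKEN = re.compile(r"([A-Z_]+)([?*+]|\{\d+,?\d*\})?")

# Step 3: generate a parser (one compiled regex per action) from the definitions.
def generate_parser(definitions):
    parser = {}
    for label, grammar in definitions.items():
        pattern = ""
        for token in grammar.split():
            m = TOKEN.fullmatch(token)
            if not m or m.group(1) not in CODE:
                raise ValueError(f"bad grammar token {token!r} in {label}")
            pattern += CODE[m.group(1)] + (m.group(2) or "")
        parser[label] = re.compile(pattern)
    return parser

# Step 4: detect log strings (runs of consecutive lines) matching each action.
def detect(parser, elements):
    stream = "".join(CODE[e] for e in elements)
    hits = []
    for label, rx in parser.items():
        for m in rx.finditer(stream):
            hits.append((label, m.start(), m.end()))
    return sorted(hits, key=lambda h: h[1])

# Step 5: reconstruct the matched lines and prefix each with its action label.
def analyze(log_text, definitions=DEFINITIONS):
    lines = [l for l in log_text.splitlines() if l.strip()]
    elements = [extract_element(l) for l in lines]
    parser = generate_parser(definitions)
    result = []
    for label, start, end in detect(parser, elements):
        result.append((label, [f"[{label}] {lines[i]}" for i in range(start, end)]))
    return result

if __name__ == "__main__":
    for label, labeled_lines in analyze(SAMPLE_LOG):
        print(label)
        for line in labeled_lines:
            print("  " + line)
```

Two design points matter in practice. The extraction step fixes the alphabet the grammar can talk about, so a definition can only be as precise as the elements that step preserves (here, status codes and paths; source host is dropped, so a burst of failures from several hosts still matches `brute_force_then_login`). And because the definitions are compiled independently, one log line can fall inside matches for more than one action; a deployment that wants a single label per line needs a precedence rule on top of `detect`.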