US Patent 12028356 Detection device, detection method, and detection program

A detection device includes processing circuitry configured to collect communication information in a network including clients and servers, generate a matrix representing states of access from the clients to the servers using the communication information collected, aggregate a plurality of the clients accessing a target server and generate statistical information of similarities between the aggregated clients in the matrix as a feature amount of the target server, learn, with regard to the target server which is a server for which it is known whether the server is a malicious server, a model for determining whether a server is a malicious server using the feature amount generated, and determine, with regard to the target server which is a server for which it is unknown whether the server is a malicious server, whether the target server is a malicious server using the feature amount generated and the model.