Log analysis device, log analysis method, and log analysis program
Abstract:
A log acquirer acquires a communication log to be analyzed, obtained from communications in a predetermined network. A log analyzer detects a terminal that conforms to an analysis rule, using a signature generated from the characteristics of the communication log produced by a terminal infected with malware. A primary scorer and a secondary scorer calculate a score indicating the degree of threat for each detection result, where a detection result comprises the information on the terminal detected by the log analyzer and the analysis rule to which that terminal conforms; the primary scorer uses the information on the analysis rule and the secondary scorer uses the information on the detection result. A detection result display unit outputs the detection result together with the scores calculated by the primary scorer and the secondary scorer.
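Added example, not code from the patent: a minimal Python sketch of the pipeline described above. It assumes constructed log entries of (terminal, host, path), regex signatures as analysis rules, a rule-severity primary score and a per-terminal secondary score; the scoring formulas are assumptions, since the abstract specifies none.

```python
import re
from dataclasses import dataclass

# Constructed sample communication log (assumption): (terminal, destination host, request path)
LOG = [
    ("10.0.0.5", "update.example.net", "/ping.php?id=1"),
    ("10.0.0.5", "update.example.net", "/ping.php?id=3"),
    ("10.0.0.5", "cdn.example.org", "/lib.js"),
    ("10.0.0.7", "update.example.net", "/ping.php?id=2"),
    ("10.0.0.7", "evil-panel.example", "/gate.php"),
    ("10.0.0.9", "cdn.example.org", "/lib.js"),
]

@dataclass
class AnalysisRule:
    """Signature derived from traffic of a known-infected terminal (hypothetical values)."""
    name: str
    host_pattern: str
    path_pattern: str
    severity: int  # rule information consumed by the primary scorer (assumed 1..10)

RULES = [
    AnalysisRule("beacon-ping", r"update\.example\.net", r"/ping\.php\?id=\d+", 4),
    AnalysisRule("panel-gate", r"evil-panel\.example", r"/gate\.php", 9),
]

@dataclass
class Detection:
    terminal: str
    rule: AnalysisRule
    hits: int = 0  # how many log lines of this terminal matched the rule

def analyze(log, rules):
    """Log analyzer: collect (terminal, rule) pairs where the traffic conforms to a signature."""
    found = {}
    for terminal, host, path in log:
        for rule in rules:
            if re.fullmatch(rule.host_pattern, host) and re.fullmatch(rule.path_pattern, path):
                found.setdefault((terminal, rule.name), Detection(terminal, rule)).hits += 1
    return list(found.values())

def primary_score(det):
    """Primary scorer: based only on analysis-rule information (assumed: rule severity)."""
    return det.rule.severity

def secondary_score(det, detections):
    """Secondary scorer: based on detection-result information (assumed: number of distinct
    rules the same terminal conforms to, plus repetition of the matched traffic, capped)."""
    rules_for_terminal = {d.rule.name for d in detections if d.terminal == det.terminal}
    return 2 * len(rules_for_terminal) + min(det.hits, 5)

def score_detections(log, rules):
    """Detection result output: (terminal, rule, primary, secondary), highest combined score first."""
    dets = analyze(log, rules)
    rows = [(d.terminal, d.rule.name, primary_score(d), secondary_score(d, dets)) for d in dets]
    return sorted(rows, key=lambda r: -(r[2] + r[3]))
```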