A log analysis device that classifies, based on a log collected from a network device, a plurality of attack target communication devices receiving attacks from an attack source communication device includes a correlation coefficient calculation unit that calculates, based on the log, a correlation coefficient relating to the number of the attacks in a time period during which the attacks were carried out for a combination of the plurality of attack target communication devices, the time period including a detection time at which and the detection period of time during which the network device detected the attack, and an extraction unit that extracts, as a high-correlation communication device group, a combination of the plurality of attack target communication devices, for which the correlation coefficient is equal to or greater than a prescribed threshold and of which the attack source communication device is identical in the time period.