When obtained communication data corresponds to an external communication from the outside of the network to the inside, external communication data is stored. When the obtained communication data corresponds to a service start, external communication data associated with the service start is extracted, and service start data is stored in correlation with the extracted external communication data. When the obtained communication data corresponds to an operation end, operation end data is stored. When the obtained communication data corresponds to a communication from the inside to the outside of the network, operation end data associated with the obtained communication data is extracted. Then, it is determined that a condition is satisfied that external communication data associated with the obtained communication data is stored in correlation with the service start data associated with the extracted operation end data. When the condition is satisfied, an attack for the system is detected.