Specification
Description
Title of Invention: INFORMATION PROCESSING APPARATUS, INFORMATION PROCESSING METHOD, AND PROGRAM
Technical Field
[0001] The present invention relates to an attack detection system.
Background Art
[0002] A conventional attack detection system takes a packet that a security apparatus has detected and suspected of being an attack packet, and checks how that packet behaves on a verification network. The conventional attack detection system then determines whether or not the packet is an attack packet (for example, Patent Literature 1).
Citation List
Patent Literature
[0003] Patent Literature 1: JP 2005-057522 A
Summary of Invention
Technical Problem
[0004] In the conventional attack detection system, a problem arises in that the verification network must be provided separately from the protection target network.
Further, the verification network is a different network from the protection target network. Thus, even if the verification using the verification network determines that an attack on the protection target network does not occur, there is a case where the attack on the protection target network actually occurs.
Further, on the contrary, even if the verification using the verification network determines that the attack on the protection target network occurs, there is a case where the attack on the protection target network does not actually occur.
As just described, the conventional attack detection system has the problem that detection leakage or a detection error caused by using the verification network may occur.
[0005] The present invention mainly aims to solve a problem such as above and aims
to obtain a configuration which can detect an attack packet without using a verification
network.
Solution to Problem
[0006] An information processing apparatus according to the present invention collects a packet a transmission source of which is a protection target apparatus and a packet a transmission destination of which is the protection target apparatus, and includes:
a packet information generation unit to generate packet information by setting an entry for each collected packet and describing attribute data of the packet together with occurrence time of the packet for each entry;
a definition information storage unit to store definition information which indicates a plurality of categories of attack and defines an extraction time width and an extraction condition for each category;
a selection unit to select, when a packet which corresponds to any category of the plurality of categories is detected from among the packet the transmission source of which is the protection target apparatus and the packet the transmission destination of which is the protection target apparatus, the extraction time width and the extraction condition defined in the definition information as a selection extraction time width and a selection extraction condition with respect to a category of a detection packet detected, and to specify an extraction time range which starts from the occurrence time of the detection packet and whose width is equal to the selection extraction time width;
an extraction unit to extract from the packet information an entry the occurrence time of which is included in the extraction time range and the attribute data of which coincides with the selection extraction condition; and
a determination unit to determine presence or absence of an attack to the protection target apparatus based on an extraction result of the extraction unit.
Advantageous Effects of Invention
[0007] The present invention determines the presence or absence of an attack to a protection target apparatus, based on an extraction time width and an extraction condition defined for each category of attack and based on a data attribute of a collected packet.
Accordingly, the present invention can determine the presence or absence of the attack to the protection target apparatus without providing a verification network.
Further, the present invention determines the presence or absence of the attack to the protection target apparatus depending on an analysis of a packet a transmission source of which is the protection target apparatus and a packet a transmission destination of which is the protection target apparatus. Thus, detection leakage or a detection error can be avoided.
Brief Description of Drawings
[0008] Fig. 1 is a diagram illustrating a configuration example of an attack detection system according to a first embodiment.
Fig. 2 is a diagram illustrating another configuration example of the attack detection system according to the first embodiment.
Fig. 3 is a diagram illustrating a hardware configuration example of an attack detection apparatus according to the first embodiment.
Fig. 4 is a diagram illustrating another hardware configuration example of the attack detection apparatus according to the first embodiment.
Fig. 5 is a diagram illustrating a function configuration example of the attack detection apparatus according to the first embodiment.
Fig. 6 is a diagram illustrating an example of programs and pieces of data in a storage device of the attack detection apparatus according to the first embodiment.
Fig. 7 is a diagram illustrating an example of packet information according to the first embodiment.
Fig. 8 is a diagram illustrating an example of a protection target apparatus-table according to the first embodiment.
Fig. 9 is a diagram illustrating an example of a check point file according to the first embodiment.
Fig. 10 is a diagram illustrating a data flow in the attack detection system according to the first embodiment.
Fig. 11 is a flowchart diagram illustrating an operation example of a packet information generation unit according to the first embodiment.
Fig. 12 is a flowchart diagram illustrating an operation example of an extraction unit according to the first embodiment.
Fig. 13 is a flowchart diagram illustrating an operation example of an alert processing unit according to the first embodiment.
Fig. 14 is a flowchart diagram illustrating an operation example of a determination unit according to the first embodiment.
Fig. 15 is a diagram illustrating a hardware configuration example of the attack detection apparatus according to a second embodiment.
Fig. 16 is a diagram illustrating a function configuration example of the attack detection apparatus according to the second embodiment.
Fig. 17 is a diagram illustrating an operation screen image of a check point
generation unit according to the second embodiment.
Fig. 18 is a flowchart diagram illustrating an operation example of the check point generation unit according to the second embodiment.
Description of Embodiments
[0009] First Embodiment
Fig. 1 is a diagram illustrating a system configuration example of an attack detection system 1 according to the present embodiment.
[0010] In the attack detection system 1 of Fig. 1, a network apparatus 3 connected to an external network 2 is connected to a protection target apparatus 5 through a security apparatus 4.
Further, the network apparatus 3 is connected to a monitoring apparatus 7 through an attack detection apparatus 6.
The security apparatus 4 is also connected to the attack detection apparatus 6.
[0011] Here, the protection target apparatus 5 is a computer such as a PC (Personal Computer) or a server.
The protection target apparatus 5 communicates with a computer (not illustrated) on the external network 2 through the network apparatus 3 and the security apparatus 4.
In Fig. 1, only one protection target apparatus 5 is illustrated, but a plurality of protection target apparatuses 5 may exist.
[0012] The network apparatus 3 is an apparatus such as a network router or a network switch that relays a communication packet.
The network apparatus 3 is set to transfer to the attack detection apparatus 6 all of the packets that are communicated between the external network 2 and the security apparatus 4.
That is, the network apparatus 3 transfers to the attack detection apparatus 6 a packet a transmission source of which is the protection target apparatus 5 and a packet a transmission destination of which is the protection target apparatus 5.
[0013] The security apparatus 4 is an apparatus such as an Intrusion Detection System (IDS), an Intrusion Prevention System (IPS), a Unified Threat Management (UTM) apparatus, or an anti-virus gateway apparatus.
Further, the security apparatus 4 is set to transmit an alert to the attack detection apparatus 6 when detecting a suspicious packet that is suspected of attacking the protection target apparatus 5.
[0014] The attack detection apparatus 6 receives the packet transferred from the network apparatus 3.
In other words, the attack detection apparatus 6 collects the packet the transmission source of which is the protection target apparatus 5 and the packet the transmission destination of which is the protection target apparatus 5.
Further, the attack detection apparatus 6 records attribute data of the packet received from the network apparatus 3.
Then, when the suspicious packet is detected by the security apparatus 4 and the alert is transmitted from the security apparatus, the attack detection apparatus 6 analyzes the attribute data of the recorded packet and determines the presence or absence of an attack by the suspicious packet to the protection target apparatus 5.
The attack detection apparatus 6 corresponds to an example of an information processing apparatus.
[0015] Fig. 2 is a diagram illustrating another system configuration example of the attack detection system 1 according to the present embodiment.
[0016] In the configuration example of Fig. 2, the network apparatus 3 and the protection target apparatus 5 are connected directly, without passing through the security apparatus 4.
Each apparatus in Fig. 2 is the same as those illustrated in Fig. 1.
Further, as another system configuration example of the attack detection system 1, the security apparatus 4 can be connected to the attack detection apparatus 6 through the network apparatus 3 instead of being connected directly to the attack detection apparatus 6.
[0017] Fig. 3 is a diagram illustrating an example of hardware resources of the attack detection apparatus 6.
[0018] In Fig. 3, the attack detection apparatus 6 includes a CPU (Central Processing Unit) 11 that executes a program.
The CPU 11 is connected through a bus 12 to a RAM (Random Access Memory) 13, a communication board 14, and a storage device 15 configured with a magnetic disk device, a flash memory, or an SSD (Solid State Drive). The CPU 11 controls these hardware devices.
The communication board 14 is connected to the network apparatus 3, the security apparatus 4, and the monitoring apparatus 7 through a transmission medium such as a LAN (Local Area Network) cable.
The storage device 15 stores an OS (Operating System) 16, programs 17, and pieces of data 18. The OS 16 and the programs 17 are loaded onto the RAM 13 from the storage device 15 and executed by the CPU 11.
[0019] Fig. 4 is a diagram illustrating another example of hardware resources of the attack detection apparatus 6.
[0020] In a hardware configuration of Fig. 4, a ROM (Read Only Memory) 19 is added in comparison with a configuration of Fig. 3.
Then, the ROM 19 stores the OS 16.
[0021] Fig. 5 illustrates a function configuration example of the attack detection apparatus 6 according to the present embodiment.
[0022] A packet information generation unit 21 generates packet information.
The packet information is information in which an entry is set for each packet received from the network apparatus 3 and attribute data of the packet is described together with the occurrence time of the packet in each entry.
The packet information is, for example, information illustrated in Fig. 7.
The details of the packet information will be described below with reference to Fig. 7.
Every time the packet information generation unit 21 receives a packet from the network apparatus 3, it creates an entry for the received packet and updates the packet information 250.
[0023] A check point file storage unit 27 stores a check point file.
In the check point file, a plurality of categories of attack (attack types) is indicated, and an extraction time width and an extraction condition are defined for each category (attack type).
The check point file is, for example, information illustrated in Fig. 9.
The details of the check point file will be described below with reference to Fig. 9.
Note that the check point file is an example of definition information, and the check point file storage unit 27 corresponds to an example of a definition information storage unit.
[0024] When the suspicious packet is detected by the security apparatus 4, an extraction unit 22 extracts a certain entry from the packet information based on an extraction time width (check time period) and an extraction condition (a transmission source IP address, a transmission source port number, a transmission destination IP address, a transmission destination port number, and a size) defined in the check point file.
[0025] When the suspicious packet is detected by the security apparatus 4, a selection determination unit 24 selects the extraction time width and the extraction condition that are used by the extraction unit 22.
Further, the selection determination unit 24 determines the presence or absence of the attack to the protection target apparatus 5 by applying a determination criterion described in the check point file to an extraction result of the extraction unit 22.
The selection determination unit 24 corresponds to examples of a selection unit and a determination unit.
[0026] When the attack to the protection target apparatus 5 is detected by the selection determination unit 24, an alert processing unit 23 outputs the alert to notify the monitoring apparatus 7 of the detection of the attack.
[0027] A packet information storage unit 25 stores the packet information generated by the packet information generation unit 21.
[0028] A protection target apparatus-table storage unit 26 stores a protection target apparatus-table.
The protection target apparatus-table is a table in which an attribute of the protection target apparatus is described. For example, the protection target apparatus-table is information illustrated in Fig. 8.
The details of the protection target apparatus-table will be described below with reference to Fig. 8.
[0029] Fig. 6 illustrates the contents stored in the storage device 15.
The storage device 15 stores the programs 17 and the pieces of data 18.
[0030] The programs 17 store a packet information generation program 210, an extraction program 220, an alert processing program 230, and a selection determination program 240.
The packet information generation program 210 is a program to realize the packet information generation unit 21.
That is, the CPU 11 executes the packet information generation program 210 so that the packet information generation unit 21 is realized.
The extraction program 220 is a program to realize the extraction unit 22.
That is, the CPU 11 executes the extraction program 220 so that the extraction unit 22 is realized.
The alert processing program 230 is a program to realize the alert processing unit 23.
That is, the CPU 11 executes the alert processing program 230 so that the alert processing unit 23 is realized.
The selection determination program 240 is a program to realize the selection determination unit 24.
That is, the CPU 11 executes the selection determination program 240 so that the selection determination unit 24 is realized.
[0031] The pieces of data 18 store the packet information 250, a protection target apparatus-table 260, and a check point file 270.
That is, the area in the storage device 15 where the pieces of data 18 are stored corresponds to the packet information storage unit 25, the protection target apparatus-table storage unit 26, and the check point file storage unit 27.
[0032] Fig. 7 illustrates an example of the packet information 250.
[0033] The packet information 250 stores a number 31 assigned to the packet, an occurrence time 32 of the packet, a transmission source IP address 33, a transmission source port number 34, a transmission destination IP address 35, a transmission destination port number 36, a protocol 37, a length 38 of the packet, and any other information 39.
The occurrence time 32 of the packet is a time when the packet is transmitted from the transmission source.
[0034] Fig. 8 illustrates an example of the protection target apparatus-table 260.
In the protection target apparatus-table 260 of Fig. 8, attributes of the plurality of protection target apparatuses 5 are described.
[0035] In the protection target apparatus-table 260, a number 41 assigned to the protection target apparatus 5, an IP address 42 of the protection target apparatus 5, a classification 43 of the protection target apparatus 5, a usage 44, and a port number 45 allowed for communication with the outside, are described.
[0036] Fig. 9 is an example of the check point file 270.
In the check point file 270, a signature ID 51, an attack type 52, a transmission source IP address 53, a transmission source port number 54, a transmission destination IP address 55, a transmission destination port number 56, a check time period 57, a size 58, and a determination criterion 59, are described.
The signature ID 51 is an ID of a signature for attack detection stored in the security apparatus 4, and Fig. 9 illustrates an example of the signature ID.
The attack type 52 is a classification of the signature for attack detection stored in the security apparatus 4, and Fig. 9 illustrates an example of the attack type 52.
In other words, the attack type 52 represents a category of attack detected by a signature identified by the signature ID.
For example, an Exploit type of attack can be detected by the signature whose signature ID is 1.
[0037] In Fig. 9, "Any" indicates that nothing is particularly specified.
"$SRC_ADDR" indicates the transmission source IP address of the packet which has caused the alert.
"$SRC_PORT" indicates the transmission source port number of the packet which has caused the alert.
"$DST_ADDR" indicates the transmission destination IP address of the packet which has caused the alert.
"$DST_PORT" indicates the transmission destination port number of the packet which has caused the alert.
When several numbers are specified, they are listed in [ ] and separated by ",".
When a number indicates other than a specified number, it is prefixed with
[0038] The transmission source IP address 53 indicates a transmission source IP address of the packet being an extraction target.
The transmission source port number 54 indicates a transmission source port number of the packet being the extraction target.
The transmission destination IP address 55 indicates a transmission destination IP address of the packet being the extraction target.
The transmission destination port number 56 indicates a transmission destination port number of the packet being the extraction target.
[0039] The check time period 57 indicates the extraction time width and the applying direction of the extraction time width.
In other words, the numerical values of the check time period 57 represent extraction time widths (in seconds), and the positions of the numerical values partitioned by ":" represent the applying directions.
A numerical value before ":" indicates the extraction time width in seconds which extends backward from the occurrence time of the suspicious packet, and a numerical value after ":" indicates the extraction time width in seconds which extends forward from the occurrence time of the suspicious packet.
For example, "600:600" specifies a time period from a time which is 600 seconds before the occurrence time of the suspicious packet, to a time which is 600 seconds after the occurrence time of the suspicious packet.
[0040] The size 58 indicates a size of the packet to be extracted.
When the size 58 is a numerical value, a packet whose size coincides with that numerical value is extracted; when the size 58 is "Any", a packet of any size is extracted; and when the size 58 is "Same", a packet whose size is the same is extracted.
When the size 58 is a numerical value, a range is specified by inserting one of the inequality signs <, ≤, >, and ≥ before the numerical value.
[0041] The determination criterion 59 indicates the number of extracted packets, a total size of the extracted packets, and a determination condition relating to a logical operation of them, separated by ",".
As the number of the packets, "Any" indicates that a condition is not particularly specified, ">m" (m is a positive integer) indicates that there are greater than or equal to m packets, and "m" (m is a positive integer) indicates that the total size is greater than or equal to m, and "
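The extraction and determination steps of paragraphs [0024] to [0041], as an added worked example that is not part of the patent: it resolves the "$SRC_ADDR"-style placeholders against the packet that caused the alert, applies the "before:after" check time period and the size condition to constructed packet information, and evaluates a determination criterion. The Packet fields, the check point entry, the tuple encoding of the determination criterion 59, the ASCII spellings "<=" and ">=" for ≤ and ≥, and the sample traffic are all assumptions.

```python
from collections import namedtuple

# One entry of the packet information (Fig. 7); constructed field names.
Packet = namedtuple("Packet", "time src_ip src_port dst_ip dst_port length")

# Constructed check point file (Fig. 9 layout) keyed by signature ID. Field
# notation follows [0037]-[0040]; "criterion" is an assumed encoding of the
# determination criterion 59: (packet-count cond, total-size cond, operator).
CHECK_POINTS = {
    1: {"attack_type": "Exploit", "src_ip": "$DST_ADDR", "src_port": "Any",
        "dst_ip": "$SRC_ADDR", "dst_port": "Any", "check_time": "0:600",
        "size": ">=100", "criterion": (">=2", "Any", "and")},
}

def resolve(cond, alert_pkt):
    """Expand $SRC_ADDR/$SRC_PORT/$DST_ADDR/$DST_PORT against the alert."""
    table = {"$SRC_ADDR": alert_pkt.src_ip, "$SRC_PORT": alert_pkt.src_port,
             "$DST_ADDR": alert_pkt.dst_ip, "$DST_PORT": alert_pkt.dst_port}
    return table.get(cond, cond)

def matches(cond, value, same_as=None):
    """One condition: Any, Same, [a,b,...], <=m, <m, >=m, >m or a literal."""
    cond = str(cond)
    if cond == "Any":
        return True
    if cond == "Same":
        return value == same_as
    if cond.startswith("["):
        return str(value) in [v.strip() for v in cond[1:-1].split(",")]
    for op in ("<=", ">=", "<", ">"):  # two-character operators first
        if cond.startswith(op):
            lhs, rhs = int(value), int(cond[len(op):])
            return {"<=": lhs <= rhs, ">=": lhs >= rhs,
                    "<": lhs < rhs, ">": lhs > rhs}[op]
    return str(value) == cond

def extract(packet_info, cp, alert_pkt):
    """Entries inside the extraction time range whose attributes match cp."""
    before, after = (int(x) for x in cp["check_time"].split(":"))
    lo, hi = alert_pkt.time - before, alert_pkt.time + after
    fields = ("src_ip", "src_port", "dst_ip", "dst_port")
    return [p for p in packet_info if lo <= p.time <= hi
            and all(matches(resolve(cp[f], alert_pkt), getattr(p, f))
                    for f in fields)
            and matches(cp["size"], p.length, same_as=alert_pkt.length)]

def determine(signature_id, alert_pkt, packet_info):
    """Return (attack_present, extracted entries) for one alert."""
    cp = CHECK_POINTS[signature_id]
    hits = extract(packet_info, cp, alert_pkt)
    count_cond, total_cond, op = cp["criterion"]
    a = matches(count_cond, len(hits))
    b = matches(total_cond, sum(p.length for p in hits))
    return ((a and b) if op == "and" else (a or b)), hits

# Constructed traffic: an inbound suspicious packet, then replies from the
# protected host 192.0.2.10 back to the sender within the 600 s window.
ALERT = Packet(1000.0, "198.51.100.7", 4444, "192.0.2.10", 80, 60)
PACKET_INFO = [
    ALERT,
    Packet(1005.0, "192.0.2.10", 80, "198.51.100.7", 4444, 1400),  # hit
    Packet(1010.0, "192.0.2.10", 80, "198.51.100.7", 4444, 1200),  # hit
    Packet(1020.0, "192.0.2.10", 80, "203.0.113.5", 5555, 1400),   # other dst
    Packet(1030.0, "192.0.2.10", 80, "198.51.100.7", 4444, 52),    # too small
    Packet(1800.0, "192.0.2.10", 80, "198.51.100.7", 4444, 1400),  # late
]
```

Calling determine(1, ALERT, PACKET_INFO) returns True with the two marked replies; an alert for which nothing matching comes back from the protected host returns False.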
Documents

Application Documents

| # | Name | Date |
|---|------|------|
| 1 | 201747006797-FER.pdf | 2019-12-04 |
| 2 | Translated Copy of Priority Document [27-02-2017(online)].pdf | 2017-02-27 |
| 3 | 201747006797-FORM 3 [25-07-2017(online)].pdf | 2017-07-25 |
| 4 | PROOF OF RIGHT [27-02-2017(online)].pdf | 2017-02-27 |
| 5 | Power of Attorney [27-02-2017(online)].pdf | 2017-02-27 |
| 6 | Description(Complete) [27-03-2017(online)].pdf | 2017-03-27 |
| 7 | Form 5 [27-02-2017(online)].pdf | 2017-02-27 |
| 8 | Description(Complete) [27-03-2017(online)].pdf_596.pdf | 2017-03-27 |
| 9 | Form 3 [27-02-2017(online)].pdf | 2017-02-27 |
| 10 | Form 13 [27-03-2017(online)].pdf | 2017-03-27 |
| 11 | Marked Copy [27-03-2017(online)].pdf | 2017-03-27 |
| 12 | Form 18 [27-02-2017(online)].pdf_153.pdf | 2017-02-27 |
| 13 | Other Document [27-03-2017(online)].pdf | 2017-03-27 |
| 14 | Form 18 [27-02-2017(online)].pdf | 2017-02-27 |
| 15 | Form 1 [27-02-2017(online)].pdf | 2017-02-27 |
| 16 | Correspondence By Agent_Form1_07-03-2017.pdf | 2017-03-07 |
| 17 | 201747006797.pdf | 2017-02-28 |
| 18 | Drawing [27-02-2017(online)].pdf | 2017-02-27 |
| 19 | Description(Complete) [27-02-2017(online)].pdf | 2017-02-27 |
| 20 | Description(Complete) [27-02-2017(online)].pdf_152.pdf | 2017-02-27 |

Search Strategy

| # | Name |
|---|------|
| 1 | 201747006797Searchstratgy_03-12-2019.pdf |