Anomaly detection apparatus, anomaly detection system, and anomaly detection method using correlation coefficients

US10673721B2 · US · B2

Patent metadata
Publication number: US-10673721-B2
Application number: US-201615758739-A
Country: US
Kind code: B2
Filing date: Mar 24, 2016
Priority date: Mar 24, 2016
Publication date: Jun 2, 2020
Grant date: Jun 2, 2020

Abstract

Official abstract text for this publication.

An anomaly detection apparatus for detecting data flow anomalies classes a plurality of data flows on the basis of similarity in time series changes in the data amounts of the data flows; calculates a correlation coefficient at a normal time and a correlation coefficient at a certain timing between at least two data flows belonging to the same class; and determines that at least one of the at least two data flows is anomalous when a difference between the correlation coefficient at the normal time and the correlation coefficient at the certain timing is greater than a predetermined threshold.

First claim

Opening claim text (preview).

The invention claimed is:

1. An anomaly detection apparatus for detecting data flow anomalies, the anomaly detection apparatus comprising a processor and a memory, wherein the processor is configured to: classify a plurality of data flows on the basis of a similarity in time series changes in data amounts of the data flows; calculate a correlation coefficient at a normal time and a correlation coefficient at a certain timing between at least two data flows belonging to a same class; and determine that at least one of the at least two data flows is anomalous when a difference between the correlation coefficient at the normal time and the correlation coefficient at the certain timing is greater than a prescribed threshold, wherein the data flows belonging to a same class have a same discretization width.

2. The anomaly detection apparatus according to claim 1, wherein the data flows refer to flows of data which flow from a source to a destination via a communication network.

3. The anomaly detection apparatus according to claim 2, wherein a contrast time which is configured as a range of a calculation target of a correlation coefficient with respect to time series changes in data amounts of data flows is common among data flows belonging to a same class.

4. The anomaly detection apparatus according to claim 3, wherein the contrast time is calculated as a multiple of the discretization width which is configured with respect to time series changes in data amounts of the data flows belonging to a same class.

5. The anomaly detection apparatus according to claim 4, wherein the commonly-configured discretization width is a longest discretization width among discretization widths calculated on the basis of time series changes in a data amount for each of the data flows belonging to a same class.

6. The anomaly detection apparatus according to claim 2, wherein the processor is configured to cause data flows, which have similar characteristics of a frequency component of time series changes in a data amount, to belong to a same class.

7. The anomaly detection apparatus according to claim 6, wherein similar characteristics of the frequency component corresponds to overlapping of at least a part of a frequency band including a frequency component equal to or greater than a prescribed threshold.

8. The anomaly detection apparatus according to claim 1, wherein the processor is configured to notify, when determination has been made that a data flow is anomalous, a timing at which the anomaly had been detected and information on a source and a destination of the data flow, and accept input of contents of a failure having occurred at the timing.

9. An anomaly detection system for detecting data flow anomalies, the anomaly detection system comprising an analysis apparatus and a network apparatus, wherein the analysis apparatus is configured to: collect information on time series changes in data amounts of a plurality of data flows from the network apparatus; classify the plurality of collected data flows on the basis of similarity in time series changes in data amounts of the data flows; calculate a correlation coefficient at a normal time and a correlation coefficient at a certain timing between at least two data flows belonging to a same class; and determine that at least one of the at least two data flows is anomalous when a difference between the correlation coefficient at the normal time and the correlation coefficient at the certain timing is greater than a prescribed threshold, wherein the data flows belonging to a same class have a same discretization width.

10. An anomaly detection method using a computer apparatus for detecting data flow anomalies, the anomaly detection method comprising: classing a plurality of data flows on the basis of similarity in time series changes in data amounts of the data flows; calculating a correlation coefficient at a normal time and a correlation coefficient at a certain timing between at least two data flows belonging to a same class; and determining that at least one of the at least two data flows is anomalous when a difference between the correlation coefficient at the normal time and the correlation coefficient at the certain timing is greater than a prescribed threshold, wherein the data flows belonging to a same class have a same discretization width.
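The check described in claims 1, 4 and 5, as an added Python sketch that is not taken from the patent or from any Hitachi implementation: two flows already assigned to one class are rebinned to the longest per-flow discretization width, and the Pearson correlation over a contrast window at a normal time is compared with the one at the timing under test. The function names, the sample byte counts, the per-flow widths and the 0.5 threshold are assumptions; classification by frequency component (claim 6) is not shown.

```python
from math import sqrt

# Constructed per-second byte counts for two flows of one class (not patent data).
# After rebinning, bins 0-7 track each other; in bins 8-11 flow B inverts.
FLOW_A = [10, 10, 20, 20, 30, 30, 20, 20] * 3
FLOW_B = [20, 22, 40, 38, 60, 62, 40, 42,
          21, 20, 41, 40, 59, 60, 40, 40,
          60, 60, 40, 40, 20, 20, 40, 40]

def rebin(samples, factor):
    """Sum consecutive samples so the series uses a coarser discretization width."""
    return [sum(samples[i:i + factor])
            for i in range(0, len(samples) - factor + 1, factor)]

def pearson(x, y):
    """Pearson correlation coefficient of two equal-length series."""
    n = len(x)
    mx, my = sum(x) / n, sum(y) / n
    cov = sum((a - mx) * (b - my) for a, b in zip(x, y))
    vx = sum((a - mx) ** 2 for a in x)
    vy = sum((b - my) ** 2 for b in y)
    if vx == 0 or vy == 0:
        return 0.0  # flat series: coefficient undefined, treated as uncorrelated
    return cov / sqrt(vx * vy)

def detect(flow_a, flow_b, widths, contrast_bins, normal_start, check_start, threshold):
    """Return (anomalous, r_normal, r_check) for two flows of the same class."""
    width = max(widths)  # claim 5: the class shares the longest per-flow width
    a, b = rebin(flow_a, width), rebin(flow_b, width)

    def corr_at(start):  # claim 4: contrast time = contrast_bins * width
        end = start + contrast_bins
        return pearson(a[start:end], b[start:end])

    r_normal, r_check = corr_at(normal_start), corr_at(check_start)
    # Claim 1: anomalous when the coefficients differ by more than the threshold.
    return abs(r_normal - r_check) > threshold, r_normal, r_check

if __name__ == "__main__":
    for start in (4, 8):  # bin 4: still normal; bin 8: flow B has diverged
        print(start, detect(FLOW_A, FLOW_B, (1, 2), 4, 0, start, 0.5))
```

The result says only that at least one flow of the pair is anomalous, as in claim 1; attributing it to a specific flow requires comparing each against further members of the class.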

Classifications

  • Threshold monitoring · CPC title

  • Assignment of logical groups to network elements · CPC title

  • Errors, e.g. transmission errors · CPC title

  • involving time analysis · CPC title

  • Standardised network management protocols, e.g. simple network management protocol [SNMP] · CPC title

Frequently asked questions

Answers are generated from the same data shown on this page.

What does patent US10673721B2 cover?
An anomaly detection apparatus for detecting data flow anomalies classes a plurality of data flows on the basis of similarity in time series changes in the data amounts of the data flows; calculates a correlation coefficient at a normal time and a correlation coefficient at a certain timing between at least two data flows belonging to the same class; and determines that at least one of the at l…
Who is the assignee on this patent?
Hitachi Ltd
What technology area does this patent fall under?
Primary CPC classification H04L43/0823. Mapped technology areas include Electricity.
When was this patent published?
Publication date Jun 2, 2020 (B2). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 8 related publications on this page (citations in our corpus or others sharing the same primary CPC).