Data packet processing method, apparatus, and electronic device, computer-readable storage medium, and computer program product
US-2023092522-A1 · Mar 23, 2023 · US
US11805149B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-11805149-B2 |
| Application number | US-201917056904-A |
| Country | US |
| Kind code | B2 |
| Filing date | Apr 15, 2019 |
| Priority date | May 21, 2018 |
| Publication date | Oct 31, 2023 |
| Grant date | Oct 31, 2023 |
Official abstract text for this publication.
A determination method includes determining an attack type of an attack code included in an attack request on the server, carrying out emulation of an attack by the attack code on the server in accordance with the determined attack type, and in a case of succeeding in an attack on the server as a result of the emulation, extracting a feature appearing in a response from the server, and examining whether a plurality of responses respectively corresponding to a plurality of requests to the server after the attack request each have the extracted feature, and in a case where at least any one of the plurality of responses has the extracted feature, determining that an attack by the attack code has succeeded, by a processor.
Opening claim text (preview).
The invention claimed is:

1. A determination method comprising: determining an attack type of an attack code included in an attack request on a server; carrying out emulation of an attack by the attack code on the server in accordance with the determined attack type, and in a case of succeeding in an attack on the server as a result of the emulation, extracting a feature appearing in a response from the server; and examining whether a plurality of responses respectively corresponding to a plurality of requests to the server after the attack request each have the extracted feature, and in a case where at least any one of the plurality of responses has the extracted feature, determining that an attack by the attack code has succeeded, by a processor.

2. The determination method according to claim 1, wherein the examining includes examining whether a plurality of responses respectively corresponding to a plurality of requests transmitted to the server within a predetermined amount of time from the attack request each have the extracted feature, and in a case where at least any one of the plurality of responses has the extracted feature, determining that an attack by the attack code has succeeded.

3. The determination method according to claim 1, wherein the examining includes examining whether a plurality of responses respectively corresponding to a plurality of requests to the server after the attack request, the requests having the same source IP address as that of the attack request, each have the extracted feature, and in a case where at least any one of the plurality of responses has the extracted feature, determining that an attack by the attack code has succeeded.

4. The determination method according to claim 1, further including: setting, as an input URL, a URL path portion of a request including a predetermined keyword, setting, as an output URL, a URL path portion of a request corresponding to a response including a predetermined keyword from past requests and responses, and creating a set of the input URL and the output URL as an input/output URL rule for searching an examination target request, wherein the examining includes examining, in a case where a URL path portion of the attack request coincides with an input URL of the input/output URL rule, whether a response corresponding to a request coinciding with an output URL corresponding to the input URL among requests to the server after the attack request has the extracted feature, and when the response has the extracted feature, to determine that an attack by the attack code has succeeded.

5. The determination method according to claim 1, further including: extracting a file name created from the attack code, and creating the extracted file name as a file name rule for searching an examination target request, wherein the examining includes examining whether a response corresponding to a request including a file name of the file name rule among requests to the server after the attack request has the extracted feature, and when the response has the extracted feature, to determine that an attack by the attack code has succeeded.

6. A determination device comprising: a memory; and processing circuitry coupled to the memory and configured to: determine an attack type of an attack code included in an attack request on a server, carry out emulation of an attack by the attack code on the server in accordance with the determined attack type, and in a case of succeeding in an attack on the server as a result of the emulation, extract a feature appearing in a response from the server, and examine whether a plurality of responses respectively corresponding to a plurality of requests to the server after the attack request each have the extracted feature, and in a case where at least any one of the plurality of responses has the extracted feature, determine that an attack by the attack code has succeeded.

7. A non-transitory computer-readable recording medium storing therein a determination program that causes a computer to execute a process comprising: determining an attack type of an attack code included in an attack request on a server, carrying out emulation of an attack by the attack code on the server in accordance with the determined attack type, and in a case of succeeding in an attack on the server as a result of the emulation, extracting a feature appearing in a response from the server, and examining whether a plurality of responses respectively corresponding to a plurality of requests to the server after the attack request each have the extracted feature, and in a case where at least any one of the plurality of responses has the extracted feature, determining that an attack by the attack code has succeeded.
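
The examination step of claims 1 to 3, sketched as an added example that is not code from the patent: later responses are searched for the extracted feature, optionally restricted to a time window (claim 2) or to the attack request's source IP (claim 3). The feature string is assumed to come from the emulation step, which is not shown; the `Exchange` type, the function name and all log entries are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable, Optional


@dataclass(frozen=True)
class Exchange:
    """One request/response pair from a server-side traffic log (hypothetical type)."""
    ts: datetime
    src_ip: str
    path: str
    response_body: str


def find_success_evidence(attack: Exchange, later: Iterable[Exchange], feature: str,
                          window: Optional[timedelta] = None,
                          same_source: bool = False) -> Optional[Exchange]:
    """Return the first later exchange whose response carries the feature, else None.

    window      -> claim 2: only requests within this time of the attack request
    same_source -> claim 3: only requests from the attack request's source IP
    """
    for ex in sorted(later, key=lambda e: e.ts):
        if ex.ts <= attack.ts:
            continue  # only requests after the attack request are examined
        if window is not None and ex.ts - attack.ts > window:
            continue
        if same_source and ex.src_ip != attack.src_ip:
            continue
        if feature in ex.response_body:
            return ex  # one response with the feature is enough (claim 1)
    return None


# Constructed sample data: documentation IP ranges and a placeholder feature string.
T0 = datetime(2023, 1, 1, 12, 0, 0)
FEATURE = "EMU-MARKER-51c2"  # assumed output of the emulation step
ATTACK = Exchange(T0, "203.0.113.10", "/form", "<html>ok</html>")
LATER = [
    Exchange(T0 + timedelta(seconds=5), "198.51.100.7", "/index.html", "<html>welcome</html>"),
    Exchange(T0 + timedelta(seconds=40), "203.0.113.10", "/files/note.txt", "x EMU-MARKER-51c2 x"),
    Exchange(T0 + timedelta(hours=2), "198.51.100.7", "/files/note.txt", "EMU-MARKER-51c2"),
]

if __name__ == "__main__":
    hit = find_success_evidence(ATTACK, LATER, FEATURE, timedelta(minutes=1), same_source=True)
    print("attack succeeded" if hit else "no evidence of success", hit.path if hit else "")
```

In the sample data the attack request's own response does not contain the feature; the evidence only appears in a later response, which is the case the claims are written to catch.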
Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks · CPC title
Filtering by address, protocol, port number or service, e.g. IP-address or URL · CPC title
Rule management · CPC title
Event detection, e.g. attack signature detection · CPC title
Traffic logging, e.g. anomaly detection · CPC title