Security Risk Evaluation for User Accounts
US-2020396239-A1 · Dec 17, 2020 · US
US11818153B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-11818153-B2 |
| Application number | US-201917283021-A |
| Country | US |
| Kind code | B2 |
| Filing date | Apr 23, 2019 |
| Priority date | Oct 10, 2018 |
| Publication date | Nov 14, 2023 |
| Grant date | Nov 14, 2023 |
Official abstract text for this publication.
A regularization unit standardizes similar expressions across a plurality of URIs in access logs of requests made to a plurality of web servers, thereby changing the URIs into regularized URIs. A calculation unit calculates, among the access logs that are from the same source, the relative frequency of certain access logs to all access logs, the certain access logs corresponding to requests made to different destinations for the same regularized URI and also corresponding to certain response codes. If the largest of all the relative frequencies calculated for the regularized URIs is at least a certain threshold, a determination unit determines the regularized URIs to be scanning targets.
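The detection described in the abstract, as an added Python example that is not part of the patent text. The regularization rules (drop the query string, lowercase, mask digit runs), the 404 response code, the 0.3 threshold and the log tuples are assumptions, and taking the largest relative frequency per regularized URI across sources is one reading of the abstract.

```python
import re
from collections import defaultdict

SCAN_CODES = {404}  # assumption: the "certain response codes" are 404 Not Found
THRESHOLD = 0.3     # assumption: the page gives no threshold value

def regularize(uri):
    """Standardize similar expressions: drop query, lowercase, mask digit runs."""
    path = uri.split("?", 1)[0].lower()
    path = re.sub(r"/{2,}", "/", path)
    return re.sub(r"\d+", "<N>", path)

def scanning_targets(logs, threshold=THRESHOLD, codes=SCAN_CODES):
    """logs: iterable of (source, destination, uri, status) tuples."""
    total = defaultdict(int)   # source -> count of all its access logs
    hits = defaultdict(int)    # (source, regularized URI) -> qualifying logs
    dests = defaultdict(set)   # (source, regularized URI) -> destinations seen
    for src, dst, uri, status in logs:
        total[src] += 1
        if status in codes:
            key = (src, regularize(uri))
            hits[key] += 1
            dests[key].add(dst)
    best = defaultdict(float)  # regularized URI -> largest relative frequency
    for (src, uri), n in hits.items():
        if len(dests[(src, uri)]) >= 2:  # same URI sent to different destinations
            best[uri] = max(best[uri], n / total[src])
    return {uri: freq for uri, freq in best.items() if freq >= threshold}

SAMPLE_LOGS = [  # constructed sample data: (source, destination, uri, status)
    ("198.51.100.7", "web-a", "/phpMyAdmin-4.8.1/index.php", 404),
    ("198.51.100.7", "web-b", "/phpmyadmin-4.9.0/index.php", 404),
    ("198.51.100.7", "web-c", "/phpMyAdmin-5.0.2/index.php?lang=en", 404),
    ("198.51.100.7", "web-a", "/", 200),
    ("203.0.113.20", "web-a", "/news/2023/item", 200),
    ("203.0.113.20", "web-a", "/favicon.ico", 404),
    ("203.0.113.20", "web-b", "/favicon.ico", 404),
    ("203.0.113.20", "web-a", "/about", 200),
    ("203.0.113.20", "web-a", "/contact", 200),
    ("203.0.113.20", "web-b", "/news/2024/item", 200),
    ("203.0.113.20", "web-b", "/products", 200),
    ("203.0.113.20", "web-b", "/", 200),
]

if __name__ == "__main__":
    for uri, freq in scanning_targets(SAMPLE_LOGS).items():
        print(f"{freq:.2f}  {uri}")
```

The second source also receives 404 for one URI on two destinations, but those logs are only 2 of its 8 requests, so it stays under the assumed threshold; without regularization the first source's three versioned paths would be counted as three unrelated URIs.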
Opening claim text (preview).
The invention claimed is:

1. A detection method, comprising: standardizing similar expressions across a plurality of Uniform Resource Identifiers (URIs) in access logs of requests made to a plurality of web servers to change the URIs into regularized URIs; calculating, among the access logs that are from a same source, a relative frequency of certain access logs to all access logs; the certain access logs corresponding to requests made to different destinations for a same one of the regularized URIs and also corresponding to certain response codes; and determining, when largest of all the relative frequencies calculated for the regularized URIs is at least a certain threshold, the regularized URIs to be scanning target URIs.

2. The detection method according to claim 1, further comprising excluding known scanning target URIs from URIs determined to be scanning targets by the determining.

3. The detection method according to claim 1, further comprising outputting, when a URI determined to be a scanning target by the determining has a known web application name therein, the web application name.

4. The detection method according to claim 1, further comprising outputting, when a URI determined to be a scanning target by the determination unit has a directory structure that is identical to a directory structure for resources of a known web application, a web application name of the web application.

5. The detection method according to claim 1, further comprising placing, with sets each being formed of the regularized URIs in the access logs from a corresponding source, when a degree of similarity between any two of the sets is at least a certain threshold, the different sources corresponding to the sets into a same group, wherein the calculating calculates the relative frequencies while assuming that the sources placed in the same group are one same source.

6. A non-transitory computer-readable storage medium having stored thereon executable instructions, which when executed by circuitry, cause the circuitry to perform a method, the method comprising: standardizing similar expressions across a plurality of Uniform Resource Identifiers (URIs) in access logs of requests made to a plurality of web servers to change the URIs into regularized URIs; calculating, among the access logs that are from a same source, a relative frequency of certain access logs to all access logs, the certain access logs corresponding to requests made to different destinations for a same one of the regularized URIs and also corresponding to certain response codes; and determining, when largest of all the relative frequencies calculated for the regularized URIs is at least a certain threshold, the regularized URIs to be scanning target URIs.

7. A detection device, comprising: regularization circuitry configured to standardize similar expressions across a plurality of Uniform Resource Identifiers (URIs) in access logs of requests made to a plurality of web servers to change the URIs into regularized URIs; calculation circuitry configured to calculate, among the access logs that are from a same source, a relative frequency of certain access logs to all access logs, the certain access logs corresponding to requests made to different destinations for a same one of the regularized URIs and also corresponding to certain response codes; and determination circuitry configured to, when largest of all the relative frequencies calculated for the regularized URIs is at least a certain threshold, determine the regularized URIs to be scanning target URIs.

8. The detection device according to claim 7, further comprising: exclusion circuitry configured to exclude known scanning target URIs from URIs determined to be scanning targets by the determination circuitry.

9. The detection device according to claim 7, further comprising: application name verification circuitry configured to, when a URI determined to be a scanning target by the determination circuitry has a known web application name therein, output the web application name.

10. The detection device according to claim 7, further comprising: structure verification circuitry configured to, when a URI determined to be a scanning target by the determination circuitry has a directory structure that is identical to a directory structure for resources of a known web application, output a web application name of the web application.

11. The detection device according to claim 7, further comprising: source grouping circuitry configured to, with sets each being formed of the regularized URIs in the access logs from a corresponding source, when a degree of similarity between any two of the sets is at least a certain threshold, place the different sources corresponding to the sets into a same group, wherein the calculation circuitry calculates the relative frequencies while assuming that the sources placed in the same group are one same source.
Traffic logging, e.g. anomaly detection · CPC title
Event detection, e.g. attack signature detection · CPC title
by monitoring network traffic (monitoring network traffic per se H04L43/00) · CPC title
Vulnerability analysis · CPC title