US2016357960A1 · US · A1
| Field | Value |
|---|---|
| Publication number | US-2016357960-A1 |
| Application number | US-201615168641-A |
| Country | US |
| Kind code | A1 |
| Filing date | May 31, 2016 |
| Priority date | Jun 3, 2015 |
| Publication date | Dec 8, 2016 |
| Grant date | — |
Official abstract text for this publication.
A computer-readable medium which stores an abnormality detection program causes a computer to execute processes including detecting, when a work corresponding to a process on the computer has been executed, at least one event that is associated with the process on the computer, the at least one event including at least one first event which respectively occurs in response to at least one input for the process by using the input device and determining whether the work is abnormal or not based on whether the at least one detected event matches at least one stored event in a storage unit or not.
Opening claim text (preview).
What is claimed is:

1. A computer-readable storage medium which stores an abnormality detection program causes a computer to execute processes comprising: detecting, when a work corresponding to a process on the computer has been executed, at least one event that is associated with the process on the computer, the at least one event including at least one first event which respectively occurs in response to at least one input for the process by using the input device; and determining whether the work is abnormal or not based on whether the at least one detected event matches at least one stored event in a storage unit or not.

2. The computer-readable storage medium according to claim 1, wherein the processes further comprises: generating, when a worker executes the work, correspondence information that associates the at least one process with the at least one event based on access information relating to system resources of the computer, the worker being permitted to execute works on the computer; generating identification information for the determining based on the correspondence information, the identification information including a process identifier that identifies at least one process corresponding to the work and event identifier that identifies at least one event corresponding to the at least one process corresponding to the work; and storing the generated identification information in the storage unit.

3. The computer-readable storage medium according to claim 2, wherein the processes further comprises: generating another identification information based on the at least one detected event; and determining, in the determining, that the work is abnormal in a case in which the another identification information is different from the identification information that are stored in the storage unit and that corresponds to the work.

4. The computer-readable storage medium according to claim 2, wherein the system resources include an input device, an application which operates on the computer, and an operating system which operates on the computer, wherein the at least one event further includes a second event which respectively occurs in response to an occurrence of access to the application and a third event which respectively occurs in response to an occurrence of access to the operating system, and wherein the identification information includes first work identification information which is generated based on the first event, second work identification information which is generated based on the second event, and third work identification information which is generated based on the third event.

5. The computer-readable storage medium according to claim 2, wherein the processes further comprising: calculating a first value which indicates a coincidence between a combination of the another identification information and the identification information stored in the storage unit; and determining that the first work is abnormal when the calculated first value indicates less coincidence than a first predetermined threshold.

6. The computer-readable storage medium according to claim 5, wherein the processes comprising: calculating a second value, the second value being calculated by multiplying the first value by a correction coefficient corresponding to a number of times that the combination has been specified in past times, and determining that the work is abnormal when the calculated second value indicates less coincidence than a second predetermined threshold.

7. The computer-readable storage medium according to claim 5, wherein the processes comprising: determining, in a case in which a first timestamp at which same combination as the combination is previously specified is earlier than a predetermined timestamp, a lower value than in a case in which the first timestamp is later than the predetermined timestamp as the first predetermined threshold.

8. The computer-readable storage medium according to claim 2, wherein the information contained in the identification information is a bit string which is converted based on predetermined rules.

9. An abnormality detection device, comprising: a memory; and a processor configured to: detect, when a work corresponding to a process on the computer has been executed, at least one event that is associated with the process on the computer, the at least one event including at least one first event which respectively occurs in response to at least one input for the process by using the input device; and determine whether the work is abnormal or not based on whether the at least one detected event matches at least one stored event in a storage unit or not.

10. An abnormality detection method in which processes are executed by a computer, the method comprising: detecting, when a work corresponding to a process on the computer has been executed, at least one event that is associated with the process on the computer, the at least one event including at least one first event which respectively occurs in response to at least one input for the process by using the input device; and determining whether the work is abnormal or not based on whether the at least one detected event matches at least one stored event in a storage unit or not.
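The matching flow of claims 2, 5, 6 and 8, as an added Python illustration that is not code from the patent or its applicant. The event names, the bit-position encoding rule, the Jaccard similarity used as the "first value", the correction coefficient formula and the threshold are all assumptions, since the claims do not specify them.

```python
from collections import Counter

# Assumed "predetermined rule" (claim 8): one bit position per known event.
# Event names are constructed; they stand in for input, application and OS events (claim 4).
EVENT_BITS = {"key_input": 0, "mouse_click": 1, "app_file_open": 2,
              "app_print": 3, "os_proc_create": 4, "os_net_connect": 5}

def encode(events):
    """Convert a set of event names into a bit string, held as an int."""
    bits = 0
    for name in events:
        bits |= 1 << EVENT_BITS[name]
    return bits

def coincidence(observed, stored):
    """First value (claim 5). Assumed measure: Jaccard similarity of the set bits."""
    union = bin(observed | stored).count("1")
    return bin(observed & stored).count("1") / union if union else 1.0

class Detector:
    def __init__(self, threshold=0.85):
        self.stored = {}       # process identifier -> baseline bit string
        self.seen = Counter()  # (process, bit string) -> times specified in the past
        self.threshold = threshold

    def learn(self, process, events):
        """Record a run by a permitted worker (claim 2); the first run is the baseline."""
        bits = encode(events)
        self.stored.setdefault(process, bits)
        self.seen[(process, bits)] += 1

    def check(self, process, events):
        """Return (first value, second value, abnormal) for one observed work."""
        if process not in self.stored:
            return 0.0, 0.0, True  # no stored identification information to match
        observed = encode(events)
        first = coincidence(observed, self.stored[process])
        # Assumed correction coefficient (claim 6): grows with past sightings, capped.
        coeff = 1.0 + 0.1 * min(self.seen[(process, observed)], 5)
        second = min(first * coeff, 1.0)
        return first, second, second < self.threshold
```

Only `learn` updates the sighting counts, so repeated runs that were never recorded from a permitted worker cannot raise their own score; for a combination never seen before, the second value equals the first and the decision reduces to the claim 5 threshold test.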
Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities · CPC title
by monitoring network traffic (monitoring network traffic per se H04L43/00) · CPC title
involving long-term monitoring or reporting · CPC title
Filtering by information in the payload · CPC title