Determining means determines block encryption method and an encryption block

The present invention relates to encryption logic utilized in hidden malware communications for analysis is determined in the program stored malware encryption block cipher encryption logic block determination means. Encrypted block determining means having: a block candidate extracting unit which analyzes recorded malware step execution trace, according to the execution step contains encrypted aspect operational categories having characteristics, calculates a commentary step of encryption of value, the extraction step L to the evaluation value exceeds the threshold value as a candidate encryption block, i.e. block candidates; and an encryption block determination unit, which performs block region candidate locus continuously exceeds the threshold value M is determined to be encrypted blocks.