To provide an attack detection device (1) including a packet collection unit (11) that collects packets to be transmitted from a user terminal (5) to a service providing server (4), a header-information acquisition unit (12) that acquires header information from the packets, and an attack detection unit (14) that determines whether each session is an attacking session by using the header information, wherein the attack detection unit (14) compares a window size of a collected arbitrary packet and window sizes of other packets to one another for each of sessions, and when a comparison result satisfies a predetermined first condition, a corresponding session is detected as an attacking session.
