An attack detection device including a packet collection unit that collects packets to be transmitted from a user terminal to a service providing server, a header-information acquisition unit that acquires header information from the packets, and an attack detection unit that determines whether each session is an attacking session by using the header information, wherein the attack detection unit compares a window size of a collected arbitrary packet and window sizes of other packets to one another for each of sessions, and when a comparison result satisfies a predetermined first condition, a corresponding session is detected as an attacking session.
