A detection apparatus 30 stores a determination list (A1601) for determining whether there is unauthorized communication, receives a communication packet (A1501) flowing in a control system, determines whether a valid data pattern in the determination list (A1601) and a data pattern relating to the communication packet (A1501) match each other. When the valid data pattern in the determination list (A1601) and the data pattern relating to the communication packet do not match each other, the detection apparatus 30 calculates a similarity degree between the valid data pattern in the determination list and the data pattern relating to the communication packet, and determines whether the similarity degree satisfies a predetermined condition. When the similarity degree is determined not to satisfy the predetermined condition, the detection apparatus 30 determines that the communication packet (A1501) is an unauthorized communication packet.