The present invention reduces the time required for inspecting packets and detecting unauthorized commands. An intrusion prevention device (3) is connected to a communication network (9-1) in which a packet including a command for a device to be controlled is transmitted according to a predetermined rule. An analysis table storage part (34) stores an analysis table comprised of a predetermined number of slots for storing a predetermined number of commands together with time information. An input part (31) extracts the command from the packet detected from the communication network (9-1). A parse part (32) inserts the command into the analysis table. An analysis part (33) analyzes whether or not the plurality of commands stored in the respective slots of the analysis table follow the predetermined rule. A notification part (35) outputs an alarm when an analysis result indicates an abnormality. An output part (36) determines whether to pass or discard the packet according to the analysis result.