The probabilistic packet marking (PPM) algorithm is a promising way to discover the Internet map or an attack graph that the attack packets traversed during a distributed denial-of-service attack. However, the PPM algorithm is not perfect, as its termination condition is not well defined in the literature. More importantly, without a proper termination condition, the attack graph constructed by the PPM algorithmwould be wrong.In this work, we provide a precise terminationconditionfor the PPM algorithm and name the newalgorithm the rectified PPM (RPPM) algorithm. The most significant merit of the RPPM algorithm is that when the algorithm terminates, the algorithm guarantees that the constructed attack graph is correct, with a specified level of confidence. We carry out simulations on the RPPM algorithmand show that the RPPM algorithmcan guaranteethe correctnessof the constructed attack graph under1) different probabilities that a router marks the attack packets and 2) different structur...
T. Y. Wong, Man Hon Wong, John C. S. Lui