Issue No. 01 - January-March (2008 vol. 5)
The probabilistic packet marking (PPM in short) algorithm is a promising way to discover the Internet map, or an attack graph, that the attack packets traversed during a distributed denial-of-service attack. Yet, the PPM algorithm is not prefect as its termination condition is not well-defined in the literature. More importantly, without a proper termination condition, the attack graph constructed by the PPM algorithm would be wrong with a very high probability. In this work, we provide a precise termination condition for the PPM algorithm and name the new algorithm the rectified probabilistic packet marking (RPPM in short) algorithm. The most significant merit of the RPPM algorithm is that when the algorithm terminates, the algorithm guarantees that the constructed attack graph is correct with a specified level of confidence. We carry out simulations on the RPPM algorithm and show that the RPPM algorithm can guarantee the correctness of the constructed attack graph under 1) different probabilities that a router marks the attack packets, and 2) different structures of the network graph. The RPPM algorithm provides an autonomous way for the original PPM algorithm to determine its termination, and it is a promising mean to enhance the reliability of the PPM algorithm.
Network-level security and protection, Probabilistic computation
Man Hon Wong, John C. S. Lui, T.Y. Wong, "A Precise Termination Condition of the Probabilistic Packet Marking Algorithm", IEEE Transactions on Dependable and Secure Computing, vol. 5, no. , pp. 6-21, January-March 2008, doi:10.1109/TDSC.2007.70229