DocumentCode
1714030
Title
A more accurate completion condition for attack-graph reconstruction in Probabilistic Packet Marking algorithm
Author
Saurabh, Samant ; Sairam, Ashok Singh
Author_Institution
Department of Computer Science, Indian Institute of Technology, Patna 800013, India
fYear
2013
Firstpage
1
Lastpage
5
Abstract
Probabilistic Packet Marking (PPM) is one of the most promising schemes for IP traceback in the case of a DDoS attack. PPM reconstructs the attack graph in order to trace back to the attackers' network. Finding a precise completion condition (i.e. the number of packets required to reconstruct the attack graph) is very important. Without a correct completion condition, the victim might reconstruct a wrong or incomplete attack graph. At the other extreme, if it waits too long (much more than required) to collect marked packets, the real attacker would get ample time to destroy logs, traces and records and easily evade detection. Our work gives a precise completion condition for PPM that guarantees that when the attack graph is reconstructed, it is correct with high probability. The main contribution of our work is that it increases the reliability and correctness of the PPM algorithm and improves the chances of exact attack origin detection instead of just tracing to the attackers' network. Our results show that relying on the upper bound of the expected-number-of-packets equation, which is implicitly accepted as the completion condition for PPM, is not very accurate, as it reconstructs a wrong attack graph in up to 37% of cases, whereas our algorithm has an error rate of just around 7% with a minimal increase in the number of required packets.
Keywords
Computer crime; IP networks; Probabilistic logic; Reconstruction algorithms; Reliability; Standards; Upper bound;
fLanguage
English
Publisher
ieee
Conference_Titel
Communications (NCC), 2013 National Conference on
Conference_Location
New Delhi, India
Print_ISBN
978-1-4673-5950-4
Electronic_ISBN
978-1-4673-5951-1
Type
conf
DOI
10.1109/NCC.2013.6488043
Filename
6488043