DoS and DDoS attacks are widely used and pose a constant threat. Here we explore Probabilistic Packet Marking (PPM), one of the important methods for reconstructing the attack graph and detecting the attackers. We present two algorithms. Unlike other algorithms, their stopping time is not fixed a priori; it depends instead on the actual distance of the attacker from the victim. Our first algorithm returns the graph at the earliest feasible time and turns out to guarantee a high success probability. The second algorithm attains any predetermined success probability at the expense of a longer runtime. We study the performance of the two algorithms theoretically and compare them to other algorithms by simulation. Finally, we consider the order in which the marks corresponding to the various edges of the attack graph are obtained by the victim. We show that, although edges closer to the victim tend to be discovered earlier in the process than farther edges, the differences are much smaller than previously thought.
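As an added illustration of the mechanism the abstract describes (example code written for this page, not the paper's own algorithms): a simulation of edge-sampling PPM on a constructed linear attack path, in which the victim stops as soon as the reconstructed chain of edges spans the attacker's actual distance D, and records the packet at which each edge's mark first arrived. The assumption that the victim knows D (for instance from hop counts) and the classic a-priori packet bound used for comparison are mine, not taken from the paper.

```python
import random
from math import log

# Constructed example: a linear attack path of D routers between attacker and victim.
# path[0] is the router adjacent to the attacker, path[-1] the one adjacent to the victim.
ATTACK_PATH = ["R1", "R2", "R3", "R4", "R5", "R6", "R7", "R8"]


def mark_packet(path, p, rng):
    """Edge-sampling PPM: each router overwrites the mark with probability p (start=itself,
    distance=0); otherwise it completes a fresh edge (distance 0) and bumps the distance."""
    start, end, dist = None, None, None
    for router in path:
        if rng.random() < p:
            start, end, dist = router, None, 0
        elif dist is not None:
            if dist == 0:
                end = router
            dist += 1
    return start, end, dist


def reconstruct(path, p, seed=1, max_packets=10**6):
    """Victim side: keep collecting marks until the edge at every distance 0..D-1 is known,
    so the stopping time follows the attacker's real distance rather than a fixed budget.
    Assumption (not the paper's method): the victim learns D, e.g. from hop counts."""
    rng = random.Random(seed)
    D = len(path)
    edges = {}       # distance -> (start, end) of the first mark seen at that distance
    first_seen = {}  # distance -> packet number at which that edge was first observed
    for n in range(1, max_packets + 1):
        start, end, dist = mark_packet(path, p, rng)
        if dist is None:
            continue  # unmarked packet: carries no traceback information
        if dist not in edges:
            edges[dist] = (start, end)
            first_seen[dist] = n
        if len(edges) == D:
            # Chain edges outward from the victim (distance 0) back to the attacker side.
            recovered = [edges[d][0] for d in range(D - 1, -1, -1)]
            return recovered, n, first_seen
    return None, max_packets, first_seen  # graph still incomplete after the budget


def fixed_bound(D, p):
    """A-priori expected-packet bound for edge sampling: ln(D) / (p * (1-p)^(D-1))."""
    return log(D) / (p * (1 - p) ** (D - 1))
```

Comparing the packet count returned by reconstruct against fixed_bound for the same D and p shows how much an adaptive stopping rule can save when the attacker is close, and first_seen shows the actual order in which the edge marks arrived.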