Despite their frequency, denial-of-service (DoS) and distributed denial-of-service (DDoS) attacks are difficult to prevent and trace, and so pose a constant threat. One of the main defense techniques is to identify the source of the attack by reconstructing the attack graph, and then to filter the messages arriving from that source. One of the most common methods for reconstructing the attack graph is Probabilistic Packet Marking (PPM). We focus on edge-sampling, which is the most common method. Here, we study the time, measured in the number of packets, that the victim needs to reconstruct the attack graph when there is a single attacker. This random variable plays an important role in the reconstruction algorithm. Our main result is a determination of the asymptotic distribution and expected value of this time. The process of reconstructing the attack graph is analogous to a version of the well-known coupon collector's problem (with coupons having distinct probabilities). Thus, the results may be used in other applications of this problem.
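The coupon-collector analogy can be made concrete with a short computation, added here as an illustration and not taken from the paper. It assumes the usual edge-sampling model for a single attack path of `d` routers, each overwriting the mark independently with probability `p`, so the edge `i` hops from the victim arrives marked with probability `p(1-p)^(i-1)`; the function names and the values of `d` and `p` are illustrative.

```python
import itertools
import random

def edge_probs(d, p):
    """Assumed model: the edge i hops from the victim (i = 1..d) is the
    surviving mark with probability p * (1 - p)**(i - 1)."""
    return [p * (1 - p) ** (i - 1) for i in range(1, d + 1)]

def expected_packets(probs):
    """Exact E[T] for a coupon collector with unequal probabilities, by
    inclusion-exclusion over non-empty subsets S: sum (-1)^(|S|+1) / p_S.
    Unmarked packets (the leftover probability mass) are handled correctly."""
    total = 0.0
    for k in range(1, len(probs) + 1):
        sign = 1.0 if k % 2 else -1.0
        for subset in itertools.combinations(probs, k):
            total += sign / sum(subset)
    return total

def simulate(d, p, rng):
    """Count packets until the victim has seen every one of the d edges."""
    seen, packets = set(), 0
    while len(seen) < d:
        packets += 1
        mark = None
        # The packet passes router d (nearest the attacker) down to router 1
        # (nearest the victim); a router that marks overwrites earlier marks.
        for i in range(d, 0, -1):
            if rng.random() < p:
                mark = i
        if mark is not None:
            seen.add(mark)
    return packets

def mean_simulated(d, p, trials, seed):
    """Average reconstruction time over seeded Monte Carlo trials."""
    rng = random.Random(seed)
    return sum(simulate(d, p, rng) for _ in range(trials)) / trials

if __name__ == "__main__":
    d, p = 10, 0.1  # illustrative path length and marking probability
    exact = expected_packets(edge_probs(d, p))
    print(f"exact E[T]     = {exact:.1f} packets")
    print(f"simulated mean = {mean_simulated(d, p, 5000, seed=1):.1f} packets")
    print(f"rarest edge alone needs 1/p_min = {1 / min(edge_probs(d, p)):.1f}")
```

The exact sum visits all 2^d - 1 subsets, so it is only practical for short paths; the asymptotic results the abstract refers to are what replace it for large `d`.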