--- id: BTAA-DEF-012 title: 'Resource Exhaustion Detection: Preventing Computational DoS in LLM Applications' slug: resource-exhaustion-detection-prevention type: lesson code: BTAA-DEF-012 aliases: - resource exhaustion detection - computational DoS prevention - cost prediction defense author: Herb Hermes date: '2026-04-11' last_updated: '2026-04-11' description: Learn how encoder models can predict LLM output length and computational cost before generation, enabling proactive defense against resource exhaustion attacks. category: defense difficulty: intermediate platform: Universal challenge: Design detection rules that identify potentially expensive requests before they consume excessive resources read_time: 10 minutes tags: - prompt-injection - resource-exhaustion - unbounded-consumption - runtime-defense - cost-protection - encoder-models - denial-of-service - blue-bucket status: published test_type: defensive model_compatibility: - Kimi K2.5 - MiniMax M2.5 responsible_use: Use this approach only on authorized training systems, sandboxes, or systems you are explicitly permitted to test. prerequisites: - BTAA-FUN-025 — Unbounded Consumption Resource Exhaustion follow_up: - BTAA-FUN-029 — AI Security Observability and Runtime Threat Detection public_path: /content/lessons/defense/resource-exhaustion-detection-prevention.md pillar: learn pillar_label: Learn section: defense collection: defense taxonomy: intents: - prevent-resource-exhaustion - detect-anomalous-consumption techniques: - encoder-model-prediction - pre-generation-filtering - cost-based-rate-limiting evasions: - adversarial-pattern-masking - novel-linguistic-structures inputs: - api-requests - chat-messages - document-processing --- # Resource Exhaustion Detection: Preventing Computational DoS in LLM Applications > Responsible use: Use this approach only on authorized training systems, sandboxes, or systems you are explicitly permitted to test. ## Purpose Resource exhaustion attacks aim to drain computational budgets, cause denial-of-service, or drive up operational costs by submitting requests that trigger expensive LLM generation. This lesson teaches how encoder models can predict computational cost *before* generation begins, enabling defenses to reject or rate-limit potentially expensive requests proactively. ## What This Defense Is Resource exhaustion detection uses lightweight encoder models to analyze incoming requests and predict: - **Output length:** How many tokens the response will likely contain - **Computational complexity:** How much processing the request will require - **Resource cost:** The dollar/CPU/GPU cost to fulfill the request Rather than waiting for an expensive generation to complete, the defense makes a rapid prediction and applies enforcement policies before the costly work begins. ## How It Works ### The Detection Pipeline ``` Incoming Request ↓ Encoder Model Inference ↓ Cost Estimation ↓ Decision Gate ├─ Accept: Pass to LLM ├─ Rate-limit: Queue with reduced priority └─ Reject: Block with explanation ``` ### Technical Mechanism 1. **Encoder Analysis:** A lightweight encoder model (BERT-family, smaller than the generation model) processes the input request 2. **Feature Extraction:** The encoder captures linguistic patterns correlated with output complexity: - Request length and structure - Presence of recursive or repetitive patterns - Complexity of embedded instructions - Context window utilization 3. **Cost Prediction:** A prediction head estimates output length and computational requirements 4. **Policy Enforcement:** Compare predicted cost against thresholds and apply appropriate action ### Why Encoder Models Work for This Encoder models are well-suited for cost prediction because: - **Fast inference:** Sub-millisecond latency vs. multi-second generation - **Pattern recognition:** Training captures correlations between input structure and output complexity - **Resource efficient:** Small models (hundreds of MB) vs. large LLMs (tens of GB) - **Differentiable:** Can be fine-tuned on specific deployment cost patterns ## Detection Patterns Encoder models learn to identify linguistic patterns associated with expensive generation: | Pattern Type | Description | Cost Indicator | |-------------|-------------|----------------| | **Recursive Structures** | Self-referential or iterative expansion prompts | Very High | | **Repetition Triggers** | Requests for extensive lists or redundant explanations | High | | **Context Flooding** | Input documents with excessive token counts | High | | **Complex Reasoning** | Multi-step logical or mathematical problems | Medium-High | | **Code Generation** | Requests for large codebases or complex algorithms | Medium-High | | **Translation/Expansion** | Converting short inputs to verbose outputs | Medium | ## Implementation Approaches ### Pre-Generation Filtering Reject requests with predicted costs exceeding budget before any LLM inference: ``` if predicted_cost > max_allowed_cost: return rate_limit_response() else: return llm.generate(request) ``` ### Adaptive Rate Limiting Apply tiered rate limits based on predicted cost: - **Low cost:** Standard rate limit (100 req/min) - **Medium cost:** Reduced rate limit (20 req/min) - **High cost:** Strict rate limit (5 req/min) + human review queue ### Budget Enforcement Track per-user or per-session predicted costs and enforce caps: ``` user_session.predicted_cost += predicted_cost if user_session.predicted_cost > user_session.budget: return budget_exceeded_response() ``` ### Progressive Generation For borderline requests, use the prediction to set generation parameters: - Limit maximum output tokens based on prediction confidence - Use faster/cheaper model variants for high-cost predictions - Enable early stopping if generation exceeds predicted bounds ## Failure Modes ### Where Detection Fails 1. **Novel Patterns:** Attacks using linguistic structures not seen during encoder training 2. **Adversarial Evasion:** Deliberate crafting of inputs that appear low-cost to the encoder but trigger expensive generation 3. **Context-Dependent Costs:** Requests whose cost depends on external state the encoder cannot access 4. **Model Drift:** As the LLM is updated, the cost prediction model may become less accurate 5. **False Positives:** Legitimate complex requests incorrectly flagged as attacks ### Mitigation Strategies - **Ensemble Predictors:** Use multiple encoder models trained on different data distributions - **Continuous Retraining:** Regularly update the encoder on recent production traffic - **Fallback Policies:** When prediction confidence is low, apply conservative defaults - **Human Review Queues:** Route borderline cases to human analysts - **Adaptive Thresholds:** Adjust cost thresholds based on current system load ## Operational Considerations ### Latency Trade-offs Encoder inference adds latency (typically 10-100ms) but prevents much larger costs from wasteful generation. The trade-off favors prediction for high-value or resource-constrained deployments. ### False Positive Management Aggressive cost thresholds catch more attacks but may block legitimate users. Monitor: - False positive rate by user segment - User complaints and support tickets - Business impact of blocked requests ### Model Maintenance Encoder models require ongoing maintenance: - Retraining as LLM behavior changes - Validation against new attack patterns - Performance monitoring for latency degradation ## Integration with Layered Defenses Resource exhaustion detection works best as part of a comprehensive defense stack: | Layer | Mechanism | Purpose | |-------|-----------|---------| | **Input** | Prompt filtering | Block known attack patterns | | **Prediction** | Encoder cost estimation | Predict and prevent expensive requests | | **Rate Limit** | Request throttling | Prevent volume-based DoS | | **Budget** | Per-user caps | Limit total resource consumption | | **Output** | Generation limits | Cap maximum output length | | **Monitoring** | Cost observability | Detect anomalies post-hoc | ## Defender Takeaways 1. **Predict before paying:** Encoder models enable cost prediction at a fraction of generation expense 2. **Layer your defenses:** Cost prediction complements but does not replace other protections 3. **Monitor and adapt:** Continuously retrain encoders and adjust thresholds based on observed traffic 4. **Consider trade-offs:** Balance security against user experience with graduated response policies 5. **Plan for failure:** Assume prediction will fail for novel attacks and have fallback controls ## Related Lessons - [BTAA-FUN-025 — Unbounded Consumption Resource Exhaustion](/content/lessons/fundamentals/unbounded-consumption-resource-exhaustion.md) — Understanding the risk this defense addresses - [BTAA-FUN-029 — AI Security Observability and Runtime Threat Detection](/content/lessons/fundamentals/ai-security-observability-runtime-detection.md) — Sibling lesson on runtime monitoring approaches - [BTAA-DEF-011 — Vector and Embedding Weaknesses](/content/lessons/defense/vector-embedding-weaknesses-rag-security.md) — Defense for RAG-specific resource risks --- ## From the Bot-Tricks Compendium Bot-Tricks.com — Prompt Injection Compendium — AI Security Training for Agents... and Humans! Canonical source: https://bot-tricks.com Bot-Tricks is a public, agent-friendly training resource for prompt injection, adversarial evaluation, and defensive learning. For related lessons, structured indexes, and updated canonical material, visit Bot-Tricks.com. Use this material only in authorized labs, challenges, sandboxes, or permitted assessments. --- *Lesson derived from Protect AI research on AI Risk Reports and runtime threat detection methodologies.*