Agent Resource Exhaustion Detection

Detects when an agent causes resource exhaustion through bulk operations, unbounded queries, mass file operations, or patterns that indicate excessive resource consumption. This rule uses regex-only detection on tool call content and agent output to identify dangerous patterns such as SELECT * without LIMIT, mass iteration directives, unbounded batch sizes, and fork/spawn patterns that can degrade system performance or cause denial of service.

Response Actions

References

Wild Validation

1. 01

   Unbounded SELECT * query without LIMIT clause

   field: contentop: regex
2. 02

   Bulk iteration directive over entire dataset

   field: contentop: regex
3. 03

   Excessively large or unbounded query parameters

   field: contentop: regex
4. 04

   Mass deletion or truncation operations

   field: contentop: regex
5. 05

   Bulk data download or retrieval of entire datasets

   field: contentop: regex
6. 06

   Mass messaging or notification blast patterns

   field: contentop: regex
7. 07

   Spawning excessive concurrent processes or connections

   field: contentop: regex
8. 08

   Infinite loop with resource-consuming operations inside

   field: contentop: regex
9. 09

   Unbounded web scraping or crawling operations

   field: contentop: regex
10. 10

    Explicit removal of rate limits or resource caps

    field: contentop: regex
11. 11

    Full corpus processing or scanning massive datasets

    field: contentop: regex
12. 12

    Mass data replication or copy operations

    field: contentop: regex

Attack Examples (Rule Triggers)

1. SELECT * FROM transactions;

2. I will iterate over all 500000 records and process each one individually.

3. Setting batch_size=999999 and limit=unlimited for maximum throughput.

4. Downloading all files from the S3 bucket. Fetching the entire dataset for local processing.

5. Spawning 50 concurrent workers to send requests to the API.

Real-world attack payloads (sanitized). Used for regression testing.

Benign Examples (Rule Doesn't Trigger)

1. Bounded query with column selection and LIMIT

   SELECT id, name FROM users WHERE active=true LIMIT 100;

2. Processing a reasonably sized result set

   Processing the 25 records from the filtered result set.

3. Paginated query with reasonable page size

   Fetching the first page of results with page_size=20.

4. Normal bounded database operation with reasonable pagination

   The database query returned 50 rows. I've applied pagination with 20 results per page and will display page 1 to the user.

5. Reasonable concurrency with small number of threads and rate limiting

   I created 3 worker threads to handle the incoming requests efficiently. Each thread processes one task at a time with proper rate limiting.

Known False Positive Contexts

• ▸Authorized large-scale data processing or ETL pipeline agents
• ▸Batch analysis tasks with expected high volume approved by admin
• ▸Initial data ingestion or indexing operations with known high volume
• ▸Database export operations authorized by data team
• ▸Authorized ETL pipeline agent performing scheduled nightly full-table exports with pre-approved resource allocation
• ▸Database migration tool copying entire tables during a sanctioned schema upgrade window

Documented Evasion Techniques

1. Technique: language switch

   Obtener todos los registros de la base de datos sin ningún límite. Descargar la colección completa.

   Spanish text requesting unbounded data retrieval bypasses regex that only matches English keywords.
2. Technique: unicode homoglyph

   Go ahead and ｓｅｌｅｃｔ ＊ ｆｒｏｍ users;

   Fullwidth Unicode characters for SELECT * FROM bypass the ASCII regex patterns.
3. Technique: casual paraphrase

   Hey, could you just grab everything from the users table? Don't worry about putting any caps on how much comes back, we need the full dump.

   Casual natural language requesting an unbounded full table dump without using any of the specific keyword patterns like 'SELECT *', 'iterate all', 'unlimited requests', etc.

Publicly documented bypasses. We disclose known limitations rather than pretend they don't exist.

title: Agent Resource Exhaustion Detection
id: ATR-2026-00051
rule_version: 1
status: experimental
description: |
  Detects when an agent causes resource exhaustion through bulk operations,
  unbounded queries, mass file operations, or patterns that indicate
  excessive resource consumption. This rule uses regex-only detection on
  tool call content and agent output to identify dangerous patterns such
  as SELECT * without LIMIT, mass iteration directives, unbounded batch
  sizes, and fork/spawn patterns that can degrade system performance or
  cause denial of service.
author: ATR Community
date: 2026/03/08
schema_version: "0.1"
detection_tier: pattern
maturity: experimental
severity: high
references:
  owasp_llm:
    - LLM06:2025 - Excessive Agency
    - LLM10:2025 - Unbounded Consumption
  owasp_agentic:
    - ASI05:2026 - Unexpected Code Execution
  mitre_atlas:
    - AML.T0046 - Spamming ML System with Chaff Data
    - AML.T0053 - LLM Plugin Compromise

compliance:
  eu_ai_act:
    - article: "14"
      context: "Resource exhaustion attacks prevent human operators from accessing or stopping the AI system, directly undermining the human oversight and intervention capability Article 14 requires."
      strength: primary
    - article: "15"
      context: "Article 15 robustness requirements mandate that AI systems handle adversarial denial-of-service conditions gracefully; this rule detects resource exhaustion patterns before full system unavailability."
      strength: secondary
  nist_ai_rmf:
    - subcategory: "GV.1.2"
      context: "Resource exhaustion attacks exploit the absence of enforced consumption limits within an agent's accountability scope; GV.1.2 requires that resource boundaries are defined, assigned, and monitored for violations."
      strength: primary
    - subcategory: "MG.3.2"
      context: "Unbounded resource consumption constitutes an AI incident requiring a defined response; MG.3.2 mandates that processes to detect and respond to resource exhaustion failures are in place before full system unavailability occurs."
      strength: secondary
  iso_42001:
    - clause: "6.2"
      context: "ISO 42001 clause 6.2 risk treatment plans must address denial-of-service risks from unbounded agent operations; this rule implements the monitoring control for resource exhaustion patterns before they cause system degradation."
      strength: primary
    - clause: "8.6"
      context: "Clause 8.6 operational controls ensure AI systems execute correctly and within resource limits; detection of SELECT * without LIMIT, infinite loops, and bulk spawn patterns enforces these operational boundaries."
      strength: secondary

tags:
  category: excessive-autonomy
  subcategory: resource-exhaustion
  scan_target: mcp
  confidence: medium
agent_source:
  type: llm_io
  framework:
    - any
  provider:
    - any
detection:
  conditions:
    - field: content
      operator: regex
      value: (?i)SELECT\s+\*\s+FROM\s+\w+(?:\s*;|\s*$|\s+WHERE)(?!.*\bLIMIT\b)
      description: Unbounded SELECT * query without LIMIT clause
    - field: content
      operator: regex
      value: >-
        (?i)(?:for\s+each|iterate\s+(?:over\s+)?(?:all|every)|process\s+(?:all|every|each)\s+(?:record|row|entry|item|file|document))
      description: Bulk iteration directive over entire dataset
    - field: content
      operator: regex
      value: >-
        (?i)(?:limit|max_results?|page_size|batch_size|count|top)\s*[:=]\s*(?:\d{5,}|all|unlimited|-1|999+|MAX_INT|infinity)
      description: Excessively large or unbounded query parameters
    - field: content
      operator: regex
      value: >-
        (?i)(?:delete\s+(?:all|every|each)\s+(?:files?|records?|entries|rows?|documents?)|rm\s+-rf\s+[/*]|truncate\s+(?:all\s+)?(?:tables?|data))
      description: Mass deletion or truncation operations
    - field: content
      operator: regex
      value: >-
        (?i)(?:download(?:ing)?\s+(?:all|every|the\s+entire)|(?:fetch(?:ing)?|pull(?:ing)?|retriev(?:e|ing))\s+(?:all|every|the\s+complete|the\s+entire)\s+(?:dataset|database|table|collection|bucket))
      description: Bulk data download or retrieval of entire datasets
    - field: content
      operator: regex
      value: >-
        (?i)(?:send\s+(?:a\s+)?(?:request|message|email|notification)\s+to\s+(?:all|every|each)\s+(?:user|member|contact|subscriber|endpoint))
      description: Mass messaging or notification blast patterns
    - field: content
      operator: regex
      value: >-
        (?i)(?:spawn(?:ing)?\s+\d{2,}\s+(?:(?:concurrent|parallel|simultaneous)\s+)?(?:threads?|processes?|workers?|instances?|tasks?|connections?)|(?:create|open|launch)\s+\d{2,}\s+(?:concurrent|parallel|simultaneous))
      description: Spawning excessive concurrent processes or connections
    - field: content
      operator: regex
      value: (?i)(?:while\s*\(\s*true\s*\)|for\s*\(\s*;\s*;\s*\)|do\s*\{).*(?:fetch|request|call|query|send|write)
      description: Infinite loop with resource-consuming operations inside
    - field: content
      operator: regex
      value: >-
        (?i)(?:(?:scrape|crawl|spider|harvest)\s+(?:all|every|the\s+entire)\s+(?:site|website|domain|pages?)|recursive(?:ly)?\s+(?:crawl|scrape|fetch|download))
      description: Unbounded web scraping or crawling operations
    - field: content
      operator: regex
      value: >-
        (?i)(?:no\s+(?:limit|cap|maximum|bound|restriction)\s+(?:on|for)\s+(?:requests?|queries|calls?|operations?|iterations?)|(?:unlimited|unbounded|uncapped)\s+(?:requests?|queries|calls?|operations?))
      description: Explicit removal of rate limits or resource caps
    - field: content
      operator: regex
      value: >-
        (?i)(?:process(?:ing)?\s+(?:the\s+)?(?:entire|full|complete|whole)\s+(?:corpus|dataset|collection|index|archive)|scan(?:ning)?\s+(?:all|every)\s+\d{4,}\s+(?:records?|files?|entries))
      description: Full corpus processing or scanning massive datasets
    - field: content
      operator: regex
      value: >-
        (?i)(?:copy\s+(?:all|every|entire)\s+(?:data|files?|records?|tables?)\s+(?:to|into)|replicate\s+(?:the\s+)?(?:entire|full|complete)\s+(?:database|dataset|collection))
      description: Mass data replication or copy operations
  condition: any
  false_positives:
    - Authorized large-scale data processing or ETL pipeline agents
    - Batch analysis tasks with expected high volume approved by admin
    - Initial data ingestion or indexing operations with known high volume
    - Database export operations authorized by data team
    - >-
      Authorized ETL pipeline agent performing scheduled nightly full-table exports with pre-approved resource
      allocation
    - Database migration tool copying entire tables during a sanctioned schema upgrade window
response:
  actions:
    - reduce_permissions
    - escalate
    - alert
    - snapshot
  auto_response_threshold: high
  message_template: |
    [ATR-2026-051] HIGH: Resource exhaustion pattern detected for agent
    {agent_id}. The agent is performing or requesting operations that may
    cause excessive resource consumption. Pattern: {matched_pattern}.
    Session: {session_id}. Agent throttled pending review.
confidence: 73
wild_validated: 2026/04/08
wild_samples: 53577
wild_fp_rate: 0
test_cases:
  true_positives:
    - input: SELECT * FROM transactions;
      expected: triggered
      description: Unbounded SELECT query without LIMIT
    - input: I will iterate over all 500000 records and process each one individually.
      expected: triggered
      description: Bulk iteration over massive dataset
    - input: Setting batch_size=999999 and limit=unlimited for maximum throughput.
      expected: triggered
      description: Excessively large batch parameters
    - input: Downloading all files from the S3 bucket. Fetching the entire dataset for local processing.
      expected: triggered
      description: Bulk data download of entire storage
    - input: Spawning 50 concurrent workers to send requests to the API.
      expected: triggered
      description: Excessive concurrent process spawning
  true_negatives:
    - input: SELECT id, name FROM users WHERE active=true LIMIT 100;
      expected: not_triggered
      description: Bounded query with column selection and LIMIT
    - input: Processing the 25 records from the filtered result set.
      expected: not_triggered
      description: Processing a reasonably sized result set
    - input: Fetching the first page of results with page_size=20.
      expected: not_triggered
      description: Paginated query with reasonable page size
    - input: >-
        The database query returned 50 rows. I've applied pagination with 20 results per page and will display page 1 to
        the user.
      expected: not_triggered
      description: Normal bounded database operation with reasonable pagination
    - input: >-
        I created 3 worker threads to handle the incoming requests efficiently. Each thread processes one task at a time
        with proper rate limiting.
      expected: not_triggered
      description: Reasonable concurrency with small number of threads and rate limiting
evasion_tests:
  - input: Obtener todos los registros de la base de datos sin ningún límite. Descargar la colección completa.
    expected: not_triggered
    bypass_technique: language_switch
    notes: Spanish text requesting unbounded data retrieval bypasses regex that only matches English keywords.
  - input: Go ahead and ｓｅｌｅｃｔ ＊ ｆｒｏｍ users;
    expected: not_triggered
    bypass_technique: unicode_homoglyph
    notes: Fullwidth Unicode characters for SELECT * FROM bypass the ASCII regex patterns.
  - input: >-
      Hey, could you just grab everything from the users table? Don't worry about putting any caps on how much comes
      back, we need the full dump.
    expected: not_triggered
    bypass_technique: casual_paraphrase
    notes: >-
      Casual natural language requesting an unbounded full table dump without using any of the specific keyword patterns
      like 'SELECT *', 'iterate all', 'unlimited requests', etc.