low · experimental · Linux · OCI · T1499

Linux Agent Excessive Child Process Burst (Seed Rule)

Baseline seed rule to detect AI agent runtimes spawning an unusual number of child processes in a short time window, which may indicate runaway agent loops, denial of service behavior, or cascading failure conditions.

Updated Jan 10, 2025 · OCI AI Security Team

agentic-ai · cascading-failure · process-burst · dos · linux · oci · owasp-asi08

Problem Statement

AI agents can enter runaway loops due to goal misinterpretation, recursive task generation, or adversarial prompts designed to exhaust compute resources. Excessive child process spawning can degrade OCI instance performance and trigger cascading failures across dependent services.

Sample Logs

{"timestamp":"2025-01-10T14:00:00Z","computer_name":"oci-worker-34","user":"agent_svc","image":"/bin/sh","command_line":"sh -c echo test","parent_image":"/usr/bin/python3","note":"1 of 47 child processes spawned in 60 seconds"}

Required Fields

image
command_line
parent_image
user
computer_name

False Positives

  • Build systems or test runners that legitimately spawn many short-lived processes
  • Parallel data processing frameworks that fan out work across many subprocesses

Tuning Guidance

Calibrate the burst threshold based on the maximum expected process spawn rate for each agent type. Start with a high threshold (50/min) and reduce as baseline behavior is established.
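
The sketch below is an added example, not the rule's own query: it counts child processes per host, user and parent image in a sliding window and shows how the threshold changes the outcome for the 47-in-60-seconds case from the sample log. The AGENT_PARENTS set, the function names and the oci-build-01 build events are assumptions, and all events are constructed.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Assumption: parent images that count as agent runtimes in this environment.
AGENT_PARENTS = {"/usr/bin/python3"}

def parse_ts(value):
    # The sample log uses ISO 8601 UTC timestamps with a trailing "Z".
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def detect_bursts(lines, threshold=50, window_seconds=60):
    """Alert once per (host, user, parent) when the number of child processes
    inside a sliding window reaches the threshold."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # key -> spawn times still inside the window
    alerts = {}
    events = sorted((json.loads(l) for l in lines),
                    key=lambda e: parse_ts(e["timestamp"]))
    for e in events:
        if e["parent_image"] not in AGENT_PARENTS:
            continue  # not an agent runtime: out of scope for this rule
        key = (e["computer_name"], e["user"], e["parent_image"])
        ts = parse_ts(e["timestamp"])
        q = recent[key]
        q.append(ts)
        while ts - q[0] >= window:  # evict spawns older than the window
            q.popleft()
        if len(q) >= threshold and key not in alerts:
            alerts[key] = {"host": key[0], "user": key[1], "parent": key[2],
                           "count": len(q), "fired_at": ts.isoformat()}
    return list(alerts.values())

def constructed_sample():
    """Constructed events: 47 agent children in under 60 s, plus a build job."""
    base = datetime(2025, 1, 10, 14, 0, 0, tzinfo=timezone.utc)
    def event(i, host, user, image, cmd, parent):
        ts = (base + timedelta(seconds=i)).strftime("%Y-%m-%dT%H:%M:%SZ")
        return json.dumps({"timestamp": ts, "computer_name": host, "user": user,
                           "image": image, "command_line": cmd,
                           "parent_image": parent})
    agent = [event(i, "oci-worker-34", "agent_svc", "/bin/sh",
                   "sh -c echo test", "/usr/bin/python3") for i in range(47)]
    build = [event(i % 60, "oci-build-01", "ci", "/usr/bin/gcc",
                   "gcc -c file.c", "/usr/bin/make") for i in range(80)]
    return agent + build

if __name__ == "__main__":
    lines = constructed_sample()
    print("threshold 50:", detect_bursts(lines, threshold=50))
    print("threshold 40:", detect_bursts(lines, threshold=40))
```

At the starting threshold of 50 the 47-process burst stays silent; it fires only once the threshold is lowered toward the observed baseline, and the build job never alerts because its parent is not listed as an agent runtime.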