Detection Library
low · experimental · Linux · AI/ML · T1499.004

LLM Service Excessive Child Process Creation

Detects unusually high rates of child process creation from LLM service processes. Excessive process spawning may indicate an unbounded consumption attack where the model is being directed to execute repeated tasks, consuming host resources.

Updated Jan 15, 2025 · Detection Engineering Team

llm · unbounded-consumption · linux · dos · owasp-llm10

Problem Statement

Unbounded consumption attacks exhaust host resources by directing the LLM to spawn excessive processes. This can degrade service availability for legitimate users and mask other malicious activities occurring under resource contention.

Sample Logs

{"timestamp":"2025-01-15T09:01:00Z","computer_name":"llm-host-01","user":"llm_svc","image":"/bin/sh","command_line":"sh -c echo test","parent_image":"/opt/llm/app/task_runner.py","count_in_window":157}

Required Fields

parent_image
image
user
computer_name

False Positives

  • Legitimate batch processing workflows that spawn many short-lived child processes

Tuning Guidance

Establish a baseline for normal child process rates for the LLM service during peak load. Alert on rates significantly above this baseline (e.g. 3x normal).
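The baseline-and-multiplier tuning described above, as an added example that is not the detection library's own rule logic. It assumes raw process-creation events carrying the required fields plus a timestamp, a 60-second window, a parent path prefix of `/opt/llm/` taken from the sample log, and a baseline defined as the mean per-window count in a known-good peak-load sample; all event data is constructed.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

WINDOW_S = 60                    # assumed window length; the page does not state one
LLM_PARENT_PREFIX = "/opt/llm/"  # assumed from the sample log's parent_image

def window_counts(events, window_s=WINDOW_S, parent_prefix=LLM_PARENT_PREFIX):
    """Count child-process events per (host, user, parent_image, window start)."""
    counts = Counter()
    for e in events:
        if not e["parent_image"].startswith(parent_prefix):
            continue  # only children of the LLM service are in scope
        ts = datetime.fromisoformat(e["timestamp"].replace("Z", "+00:00"))
        bucket = int(ts.timestamp()) // window_s * window_s
        counts[(e["computer_name"], e["user"], e["parent_image"], bucket)] += 1
    return counts

def baseline_rate(peak_events, **kw):
    """Mean events per non-empty window in a known-good peak-load sample."""
    counts = window_counts(peak_events, **kw)
    return sum(counts.values()) / len(counts) if counts else 0.0

def detect(events, baseline, multiplier=3.0, **kw):
    """Return the windows whose child-process count exceeds multiplier * baseline."""
    threshold = baseline * multiplier
    return sorted(
        (host, user, parent, datetime.fromtimestamp(b, timezone.utc).isoformat(), n)
        for (host, user, parent, b), n in window_counts(events, **kw).items()
        if n > threshold
    )

def make_events(start, n, parent="/opt/llm/app/task_runner.py"):
    """Constructed sample data: n events spread evenly over one minute."""
    t0 = datetime.fromisoformat(start.replace("Z", "+00:00"))
    return [{"timestamp": (t0 + timedelta(seconds=i * 60 / n)).isoformat(),
             "computer_name": "llm-host-01", "user": "llm_svc",
             "image": "/bin/sh", "parent_image": parent} for i in range(n)]

# Constructed peak-load sample: 40, 50 and 45 children per minute (mean 45).
PEAK = (make_events("2025-01-15T08:00:00Z", 40)
        + make_events("2025-01-15T08:01:00Z", 50)
        + make_events("2025-01-15T08:02:00Z", 45))
# Constructed live data: a normal minute, a 157-child burst, and unrelated cron noise.
LIVE = (make_events("2025-01-15T09:00:00Z", 48)
        + make_events("2025-01-15T09:01:00Z", 157)
        + make_events("2025-01-15T09:01:00Z", 200, parent="/usr/sbin/cron"))
```

Raising `multiplier` is the knob for hosts where legitimate batch workflows produce short bursts above the peak-load mean.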