lowexperimentalLinuxAI/MLOCIT1499.004

LLM Service Launching Multiple OCI CLI Commands

Detects high rates of OCI CLI invocations from LLM service processes within a short time window. Repeated OCI CLI calls may indicate the model is executing unbounded cloud API operations, consuming OCI API quotas or generating unexpected cloud costs.

Updated Jan 15, 2025 · Detection Engineering Team

llmunbounded-consumptionlinuxociowasp-llm10

Problem Statement

An LLM directing unbounded OCI CLI calls can exhaust API rate quotas, trigger unexpected cloud costs, provision attacker-controlled resources, or perform reconnaissance at scale against the OCI tenancy.

Sample Logs

{"timestamp":"2025-01-15T16:05:00Z","computer_name":"llm-host-01","user":"llm_svc","image":"/usr/local/bin/oci","command_line":"oci compute instance list","parent_image":"/opt/llm/app/infra_agent.py","oci_calls_per_5min":47}

Required Fields

image

command_line

parent_image

user

computer_name

False Positives

·Approved LLM infrastructure agents that legitimately make many OCI API calls

Tuning Guidance

Baseline expected OCI CLI invocation rates for approved agent workflows. Alert on rates exceeding the approved baseline, especially for destructive sub-commands.