Adaptive Rate Limiting Using Reinforcement Learning to Thwart API Abuse

Authors

  • Hariprasad Sivaraman, USA

DOI:

https://doi.org/10.47363/w972sb53

Keywords:

API Abuse, Adaptive Rate Limiting, Reinforcement Learning, Q-Learning, Cybersecurity, Machine Learning, Markov Decision Process, E-Commerce, API Security

Abstract

Application Programming Interface (API) abuse is a threat faced by all publicly exposed systems; it includes credential stuffing, data scraping and Distributed Denial of Service (DDoS) attacks. While traditional rate-limiting techniques can be effective against well-defined and predictable attacks, applying their limits rigidly does not adapt to abuse patterns that vary over time. This paper proposes a Reinforcement Learning (RL)-based adaptive rate-limiting model that adjusts rate thresholds in real time according to user behavior. It formulates the rate-limiting problem as a Markov Decision Process (MDP) and dynamically manages API request limits via Q-learning. Experiments performed on an e-commerce API show that this approach increases the accuracy of abuse detection while reducing friction for legitimate users compared with static models. The paper also discusses computational tradeoffs, scalability, and considerations for deploying RL-based rate limiting in environments with heavy traffic.
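
The following is an added example, not code from the paper: a tabular Q-learning agent that moves a per-client request limit between tiers, illustrating the MDP formulation the abstract describes. The abstract does not give the paper's state, action or reward design, so the limit tiers, traffic ranges, reward weights and all function names here are assumptions.

```python
import random

# All tiers, traffic ranges and reward weights below are constructed assumptions.
LIMITS = [5, 15, 60]                 # allowed requests per window, per tier
ACTIONS = [-1, 0, 1]                 # tighten, hold, loosen (move one tier)
TRAFFIC = {"benign": (17, 23), "abusive": (150, 250)}  # attempted requests/window

def bucket(rate):
    """Coarse observation of the client's attempted request rate."""
    return 0 if rate < 50 else 1

def reward(profile, rate, limit):
    served = min(rate, limit)
    if profile == "benign":
        return served - 5 * (rate - served)   # blocked legitimate calls cost friction
    return -served                            # each abusive call served is a cost

def step(profile, tier, action, rng):
    """Apply the action, run one window, return (next_state, reward)."""
    tier = min(max(tier + ACTIONS[action], 0), len(LIMITS) - 1)
    rate = rng.randint(*TRAFFIC[profile])
    return (bucket(rate), tier), reward(profile, rate, LIMITS[tier])

def greedy(q, state):
    return max(range(len(ACTIONS)), key=lambda a: q[state][a])

def train(episodes=2000, steps=20, alpha=0.1, gamma=0.9, eps=0.2, seed=7):
    rng = random.Random(seed)
    q = {(b, t): [0.0] * len(ACTIONS) for b in (0, 1) for t in range(len(LIMITS))}
    for _ in range(episodes):
        profile = rng.choice(list(TRAFFIC))
        state = (bucket(rng.randint(*TRAFFIC[profile])), rng.randrange(len(LIMITS)))
        for _ in range(steps):
            a = rng.randrange(len(ACTIONS)) if rng.random() < eps else greedy(q, state)
            nxt, r = step(profile, state[1], a, rng)
            # Q-learning update: move Q(s,a) toward r + gamma * max_a' Q(s',a')
            q[state][a] += alpha * (r + gamma * max(q[nxt]) - q[state][a])
            state = nxt
    return q

def settled_limit(q, profile, tier=1, windows=10, seed=1):
    """Follow the learned greedy policy and report the limit it ends on."""
    rng = random.Random(seed)
    state = (bucket(rng.randint(*TRAFFIC[profile])), tier)
    for _ in range(windows):
        state = step(profile, state[1], greedy(q, state), rng)[0]
    return LIMITS[state[1]]

if __name__ == "__main__":
    q = train()
    print({p: settled_limit(q, p) for p in TRAFFIC})
```

The agent never sees the client's profile label, only the bucketed request rate and the current tier, so the learned policy is a mapping from observed behavior to a limit adjustment.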

Published

2023-12-20