4.7 KiB
Scene 10 — FRAUD: Repeated Denial (Brute-Force Detection)
Fraud detector: RepeatedDenialDetector (severity: MEDIUM, threshold: 5)
Expected result: DENY + fraud_detected: true after 5+ denied attempts
Presentation Rule
Language: All AI narration and communication during scenes must be in English.
The AI must narrate every interaction with the gateway in detail. Before calling the gateway, explain what it is about to do, which endpoint it will call, what payload it will send, and what it expects to happen. After receiving the response, explain what the gateway returned, what the decision means, and why it matters. The goal is to make the audience understand exactly what is happening between the AI and the gateway at every step.
Communication Flow
sequenceDiagram
participant AI as AI Agent
participant GW as Gateway
participant FD as Fraud Detection
participant PE as Policy Engine
participant DB as Database Service
loop Requests 1–5 (below threshold)
AI->>GW: POST /api/gateway/execute<br/>{tool: db.executeScript}
GW->>FD: Check fraud patterns
FD-->>GW: No fraud (counter incremented)
GW->>PE: Evaluate policy rules
PE->>PE: Block rule: db.executeScript ✗
PE-->>GW: Decision: DENY
GW->>GW: Write audit entry
GW-->>AI: 200 OK {decision: DENY}
end
AI->>GW: POST /api/gateway/execute<br/>{tool: db.executeScript}
GW->>FD: Check fraud patterns
FD->>FD: Repeated denial threshold (5) exceeded<br/>for agent+tool (severity: MEDIUM)
FD-->>GW: Fraud alert: repeated-denial
Note over GW,PE: Policy engine is never reached
Note over GW,DB: Request never reaches Database
GW->>GW: Write audit entry (fraud_detected: true)
GW-->>AI: 200 OK {decision: DENY,<br/>fraud_detected: true, fraud_detector: repeated-denial}
Demo Script
Presenter says: "What if a compromised or misconfigured agent keeps retrying a denied operation? After 5 denials for the same tool, the gateway flags it as a brute-force attempt."
Action — Build Up Denials
This scene works best after running scenes that generated DENY results. The repeated denial counter has been accumulating.
If starting fresh, ask Claude to attempt the blocked db.executeScript multiple times:
"Execute this SQL script: SELECT 1"
(Repeat 5+ times, or ask Claude to retry)
"Try again — execute the script SELECT 1 on the database" "One more time, try executing SELECT 1 as a script"
After the 5th denial for the same agent+tool, the fraud detector triggers.
Expected Response (after threshold)
{
"requestId": "req-...",
"decision": "DENY",
"fraud_detected": true,
"fraud_detector": "repeated-denial",
"fraud_severity": "MEDIUM",
"reason": "Agent has been denied 5 times for tool db.executeScript — possible brute-force attempt"
}
What This Proves
- Behavioral analysis — the gateway tracks patterns across requests, not just individual calls
- State is tracked per
agent_id + toolcombination — targeted, not global - Threshold is configurable (currently 5) — can be tuned per environment
- Catches: brute-force attempts, infinite retry loops, compromised agents that ignore DENY responses
- The counter is in-memory (
ConcurrentHashMap) — fast, no external dependencies
How It Works
Request 1: db.executeScript → DENY (policy: blocked) → counter = 1
Request 2: db.executeScript → DENY (policy: blocked) → counter = 2
Request 3: db.executeScript → DENY (policy: blocked) → counter = 3
Request 4: db.executeScript → DENY (policy: blocked) → counter = 4
Request 5: db.executeScript → DENY (policy: blocked) → counter = 5
Request 6: db.executeScript → DENY (fraud: repeated-denial) ← escalated!
Note: on request 6+, the fraud detector fires before the policy engine — the request is rejected faster and with a different signal.
Key Message
"A well-behaved agent stops after a DENY. A misbehaving agent — through prompt injection, bugs, or compromise — keeps retrying. The gateway detects this behavioral anomaly and escalates. That signal can then feed alerting, temporary revocation, or quarantine flows."
Final Wrap-Up
"We've now covered the full defense stack:
- Authentication — who is the agent? (JWT)
- Authorization — what scopes does it have? (scope resolver)
- Fraud detection — is this request suspicious? (SQL injection, prompt injection, brute-force)
- Policy engine — does this action comply with our rules? (6 rule categories)
- Audit — every decision is logged (NDJSON)
Five layers. The AI is a requesting client. The gateway decides."