Reinforcement Learning for Dynamic Rate Limiting in API Security


Authors : Jamiu Olamilekan Akande; Aluma Michael Ako; Abdulrahman Adebola Iyaniwura; Sheriffdeen Leke Soleye; Nuhu Ezra

Volume/Issue : Volume 10 - 2025, Issue 12 - December


Google Scholar : https://tinyurl.com/5atkvu7x

Scribd : https://tinyurl.com/2wvza592

DOI : https://doi.org/10.38124/ijisrt/25dec1155



Abstract : Rate limiting is a basic API security control that governs client request rates to prevent backend overload and abuse. By capping requests per time interval, rate limiters dampen threats such as denial-of-service (DoS) attacks and brute-force abuse while ensuring fair use, so that no single client dominates resources. However, static thresholds cannot respond to dynamic traffic: fixed limits may under-protect during spikes or over-restrict users when demand varies. Reinforcement learning (RL) offers a dynamic response: by framing rate control as a sequential decision problem, an RL agent learns optimal throttles from real-time traffic cues. The problem can be formulated as a Markov decision process and solved with Q-learning, which updates its estimates iteratively from rewards. States can represent traffic metrics, actions modify rate limits or invoke secondary verification, and the reward balances blocking attackers against preserving legitimate access. What emerges is an AI-controlled rate limiter that continuously fine-tunes itself in response to shifting patterns in real time, frequently lowering false positives (good requests blocked) and false negatives (attacks missed) relative to static rules. Advantages include greater resilience to shifting abuse patterns and smoother service during traffic spikes. This adaptiveness also improves fairness, because it separates legitimate high-volume use from attack behavior so that no single client dominates. Challenges include the need for sufficient training data or simulation, the greater computational overhead of online learning, and making decisions within real-time constraints. Overall, RL-controlled dynamic rate limiting offers context-aware API protection that adapts in order to stay functional while still protecting the service as usage patterns shift.

Keywords : Reinforcement Learning, API Security, Rate Limiting, Q-Learning, Denial of Service (DoS).
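
The formulation in the abstract, as an added example that is not code from the paper: tabular Q-learning where the state is (current limit level, traffic signal), actions tighten, hold or loosen the limit, and the reward trades served legitimate requests against blocked legitimate requests and admitted attack requests. The limit levels, traffic volumes, attack weight, hyperparameters and the `train`/`settle` helpers are all constructed assumptions for illustration.

```python
import random

LIMITS = [20, 100, 500]   # per-client requests/window for levels 0..2 (constructed)
# Constructed traffic signals: (legitimate, attack) requests per window. A gateway
# would derive the signal bucket from request rate and auth-failure ratio.
NORMAL, SPIKE, ATTACK = 0, 1, 2
TRAFFIC = {NORMAL: (60, 0), SPIKE: (300, 0), ATTACK: (60, 400)}
ACTIONS = [-1, 0, 1]      # tighten, hold, loosen the limit by one level

def reward(level, signal, attack_weight=5):
    """Served legitimate requests, minus blocked legitimate ones (false
    positives), minus weighted attack requests admitted (false negatives)."""
    legit, attack = TRAFFIC[signal]
    served = min(legit, LIMITS[level])
    passed = min(attack, LIMITS[level])
    return served - (legit - served) - attack_weight * passed

def step_level(level, action):
    return max(0, min(len(LIMITS) - 1, level + action))

def train(steps=60000, alpha=0.05, gamma=0.5, epsilon=0.1, seed=7):
    rng = random.Random(seed)
    q = {(l, s): [0.0] * 3 for l in range(3) for s in TRAFFIC}
    level, signal = 1, NORMAL
    for _ in range(steps):
        state = (level, signal)
        if rng.random() < epsilon:             # explore
            a = rng.randrange(3)
        else:                                  # exploit current estimate
            a = max(range(3), key=lambda i: q[state][i])
        level = step_level(level, ACTIONS[a])
        r = reward(level, signal)              # window runs under the new limit
        if rng.random() < 0.2:                 # traffic pattern shifts
            signal = rng.randrange(3)
        nxt = (level, signal)
        # Q-learning update: move toward reward plus discounted best next value.
        q[state][a] += alpha * (r + gamma * max(q[nxt]) - q[state][a])
    return q

def settle(q, signal, start, windows=3):
    """Follow the greedy policy while the traffic signal stays fixed."""
    level = start
    for _ in range(windows):
        a = max(range(3), key=lambda i: q[(level, signal)][i])
        level = step_level(level, ACTIONS[a])
    return level

if __name__ == "__main__":
    q = train()
    for name, sig, start in [("normal", NORMAL, 0), ("spike", SPIKE, 0), ("attack", ATTACK, 2)]:
        print(name, "-> limit", LIMITS[settle(q, sig, start)])
```

Because the spike and attack signals differ only in the failure-ratio component of the state, the learned policy loosens the limit for the former and tightens it for the latter, which a single static threshold cannot do.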


