On early detection of application-level resource exhaustion and starvation.

•A system for “early” detection of application-level exhaustion and starvation attacks. It employs a novel detection algorithm based on timed probabilistic finite automata. The systems directly works on binaries, without requiring source code or debugging information.•A prototype implementation that uses kernel monitoring. It incurs very low overhead, high accuracy and saves significant amounts of resources compared to the best static threshold.•A comparison with another implementation that runs entirely in user-space. User-space version is easier to deploy, but incurs higher overhead and is less accurate.•Extensive experiments using synthetic and in-the-wild attacks against several applications, including Apache Killer and Slowloris attacks against the Apache server.•Theoretic analysis of the advantage that attackers may gain by knowing the system, quantified by a novel metric. The metric can also be used to decide when to throttle inputs to protected programs to control resources consumed by benign-yet-demanding inputs.