Pembatasan Laju Adaptif Berbasis Verifiable Delay Function untuk Mitigasi Penyalahgunaan API pada Gateway Edge Ringan
DOI:
https://doi.org/10.62383/polygon.v4i1.931Keywords:
Adaptive Rate Limiting, API Abuse, Edge Gateway, Risk Score, Verifiable Delay FunctionAbstract
API abuse on lightweight edge gateways has intensified as microservice-based services expose many REST endpoints to heterogeneous clients. Conventional per-identity rate limiting, such as static token buckets, is frequently bypassed through distributed bots and identity rotation, while legitimate burst traffic may be rejected and degrade user experience. This study proposes Adaptive Rate Limiting with Verifiable Delay Functions (ARL-VDF), which couples a lightweight risk score with selective VDF challenges to impose a tunable sequential-computation cost on suspicious clients without forcing aggressive dropping for low-risk users. The gateway continuously derives a per-identity risk score from short-window request rate, error tendency, and identity freshness, then maps the score to a target delay bounded by and . Evaluation uses a 600-second discrete-event simulation on a mixed workload consisting of normal clients, legitimate bursts, and distributed attackers. Compared with a static token bucket baseline, ARL-VDF maintains full success for legitimate traffic, reduces attacker throughput that passes the gateway, and keeps verification overhead within a fixed budget on the edge device. The results indicate that combining adaptive control with verifiable sequential cost can improve availability and fairness on resource-constrained edge gateways without resorting to aggressive dropping.
Downloads
References
Ali, I., Caprolu, M., & Di Pietro, R. (2020). Foundations, properties, and security applications of puzzles: A survey. ACM Computing Surveys, 53(4), Article 88. https://doi.org/10.1145/3396374
Attias, D., Vigneri, L., & Dimitrov, D. (2021). Implementation study of two verifiable delay functions. In Proceedings of Tokenomics 2020 (pp. 1–10). https://doi.org/10.4230/OASIcs.Tokenomics.2020.9
Bartkov, M., & Borovikov, D. (2022). Selection of a suitable algorithm for the implementation of rate-limiter based on Bucket4j. International Journal of Online and Biomedical Engineering (IJOE), 18(4), 51–62. https://doi.org/10.3991/ijoe.v18i04.25641
Boneh, D., Bonneau, J., Bünz, B., & Fisch, B. (2018). Verifiable delay functions. In Advances in cryptology – CRYPTO 2018 (pp. 757–788). Springer. https://doi.org/10.1007/978-3-319-96884-1_25
Chandramouli, R., Romero-Mariona, S., & McCarthy, A. (2019). Security strategies for microservices-based application systems (NIST Special Publication No. 800-204). National Institute of Standards and Technology. https://doi.org/10.6028/NIST.SP.800-204
El Malki, A., Zdun, U., & Pautasso, C. (2022). Impact of API rate limit on reliability of microservices-based architectures. In 2022 IEEE International Conference on Service-Oriented System Engineering (SOSE) (pp. 19–28). IEEE. https://doi.org/10.1109/SOSE55356.2022.00009
Farkiani, S., Sarramia, D., & Lau, H. C. W. (2025). Rethinking HTTP API rate limiting: Client-side approach. Manuscript submitted for publication.
Hossain, M. D., et al. (2023). The role of microservice approach in edge computing: Opportunities, challenges, and research directions. ICT Express, 9(6), 1162–1182. https://doi.org/10.1016/j.icte.2023.06.006
Kalyanasundaram, T., Punith, B., & V, S. (2025). Load balancer filter-based approach to enable distributed API rate limiting. In Proceedings of the 37th Conference of FRUCT Association (pp. 75–85).
Morabito, R., Petrolo, R., Loscrì, V., & Mitton, N. (2019). Reprint of: LEGIoT: A lightweight edge gateway for the Internet of Things. Future Generation Computer Systems, 92, 1157–1171. https://doi.org/10.1016/j.future.2018.10.020
Pietrzak, K. (2019). Simple verifiable delay functions. In Proceedings of the 10th Innovations in Theoretical Computer Science Conference (ITCS 2019) (Article 60, pp. 1–18). https://doi.org/10.4230/LIPIcs.ITCS.2019.60
Prinakaa, S., Bavanika, V., Sanjana, S., Srinivasan, S., & Sarasvathi, V. (2024). A real-time approach to detecting API abuses based on behavioral patterns. In 2024 8th International Conference on Cryptography, Security and Privacy (CSP) (pp. 24–28). IEEE. https://doi.org/10.1109/CSP62567.2024.00012
Sanchez, B. A., et al. (2018). RestMule: Enabling resilient clients for remote APIs. In Proceedings of the 15th International Conference on Mining Software Repositories (MSR) (pp. 537–541). https://doi.org/10.1145/3196398.3196405
Serbout, B., et al. (2023). A pattern collection for API rate limit adoption. In Proceedings of the European Conference on Pattern Languages of Programs (EuroPLoP ’23) (pp. 1–20). https://doi.org/10.1145/3628034.3628039
Shi, W., Cao, J., Zhang, Q., Li, Y., & Xu, L. (2016). Edge computing: Vision and challenges. IEEE Internet of Things Journal, 3(5), 637–646. https://doi.org/10.1109/JIOT.2016.2579198
Tanveer, F., Houssein, E. H., & Hassanien, A. E. (2025). A survey on RESTful API vulnerability detection. Computers, Materials & Continua, 84(3), 4223–4257. https://doi.org/10.32604/cmc.2025.067536
Wesolowski, B. (2020). Efficient verifiable delay functions. Journal of Cryptology, 33, 2113–2147. https://doi.org/10.1007/s00145-020-09364-x
Wu, Q., Zhao, Y., Luo, Z., & Zhang, X. (2022). Verifiable delay function and its blockchain-related applications: A survey. Sensors, 22(19), 7524. https://doi.org/10.3390/s22197524
Xu, R., Jin, W., & Kim, D. (2019). Microservice security agent based on API gateway in edge computing. Sensors, 19(22), 4905. https://doi.org/10.3390/s19224905
Yin, Z., Song, Y., & Zong, G. (2024). Discovering API usage specifications for security detection using two-stage code mining. Cybersecurity, 7, Article 30. https://doi.org/10.1186/s42400-024-00224-w
Downloads
Published
How to Cite
Issue
Section
License
Copyright (c) 2026 Polygon : Jurnal Ilmu Komputer dan Ilmu Pengetahuan Alam

This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.



