If There's Free Compute, There's Abuse - Fighting Fraud with Lightweight LLM Agents // Jonas Scholz // Agents in Production 2025
SPEAKER
Jonas Scholz is the Co-Founder of Sliplane, a European platform-as-a-service that makes deploying Docker containers stupidly simple. Before that, he built infrastructure tools at the intersection of microVMs, container orchestration, and developer experience. His work focuses on safely running untrusted code, building minimal systems that scale, and avoiding enterprise nonsense.
SUMMARY
"If There's Free Compute, There's Abuse" - Fighting Fraud with Lightweight LLM Agents. At Sliplane, a managed container hosting platform, we offer developers an easy way to deploy their apps — with the unfortunate side effect of attracting abuse. From crypto miners to phishing kits, attackers love free trials. Traditional heuristics can detect DDoS or mining, but phishing and spam bots often hide behind innocuous-looking code. In this lightning talk, I'll share how we built a lightweight AI agent pipeline that inspects user repositories when abuse is suspected. It runs on a self-hosted, small Mistral model and applies natural-language policies to flag suspicious behavior, such as fake login pages or spam scripts. The agent picks and summarizes key files, checks them against soft rules, and helps a human-in-the-loop make faster decisions, all without sending private customer code to a third-party API. This talk goes into the architecture, the cost optimizations needed to run small models, and why this beats rule-based filters at scale.
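The pipeline the summary describes (a cheap statistical pre-filter, picking a handful of repository files, compacting them to fit a small model's context, and building consensus over independent classification retries) as an added Python sketch; this is not Sliplane's code, and the `classify` callable, the thresholds and the file-ranking heuristic are assumptions made for illustration.

```python
from collections import Counter
from dataclasses import dataclass

# Labels the small model is allowed to answer with; anything else is "off the rails".
VALID_LABELS = {"phishing", "spam", "benign"}

@dataclass
class Account:
    paid_invoices: int   # invoices the customer actually paid
    age_days: int        # account age
    deploys_today: int   # deploy volume in the last 24h

def is_sketchy(acct: Account) -> bool:
    """Statistical pre-filter (assumed thresholds): long-paying customers never reach the agent."""
    if acct.paid_invoices >= 3:
        return False
    return acct.age_days < 30 or acct.deploys_today > 20

def pick_files(tree, limit=5):
    """Rank paths by how likely they hold page logic, then cap so the set fits a small context."""
    hot = (".html", ".php", ".js", ".py")
    ranked = sorted(tree, key=lambda p: (not p.endswith(hot), "index" not in p, len(p)))
    return ranked[:limit]

def compact(text, budget_chars=2000):
    """Context compaction: keep head and tail so both page setup and any gating logic survive."""
    if len(text) <= budget_chars:
        return text
    half = budget_chars // 2
    return text[:half] + "\n...[compacted]...\n" + text[-half:]

def parse_verdict(raw):
    """Reject off-rails output: the first line must be exactly one allowed label."""
    stripped = raw.strip()
    label = stripped.splitlines()[0].strip().lower() if stripped else ""
    return label if label in VALID_LABELS else None

def classify_with_consensus(classify, prompt, tries=5):
    """Independent retries (each call gets a fresh context) and a majority vote over valid verdicts.

    `classify` is an injected callable standing in for the self-hosted model; returns
    (label, fraction of tries that voted for it), or ("undetermined", 0.0) if no try was valid.
    """
    votes = Counter()
    for _ in range(tries):
        verdict = parse_verdict(classify(prompt))
        if verdict:
            votes[verdict] += 1
    if not votes:
        return "undetermined", 0.0
    label, count = votes.most_common(1)[0]
    return label, count / tries
```

The human reviewer in the loop still gets the label together with the vote fraction, so a 3-of-5 "phishing" reads differently from a 5-of-5.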
TRANSCRIPT
Adam Becker [00:00:00]: [Music]
Jonas Scholz [00:00:08]: Thank you very much. Okay, so today I want to talk about abuse, or as the title says, if there's free compute, there's abuse, and how we as a cloud computing platform handle or try to handle abusive workloads. So before I go into all of the agent stuff, a bit of background. I am Jonas, I'm the co-founder of Sliplane, and Sliplane is a European platform-as-a-service company. So we're trying to build the easiest way to deploy Docker containers. You connect your GitHub repository and then on pushing you build your Docker image and deploy it on our own infrastructure. We're trying to make it especially easy for people that have no DevOps experience. If you combine an easy experience with a free trial, you will attract a lot of abuse.
Jonas Scholz [00:00:58]: And that is something that we're experiencing right now, quite a lot. And that's what I'm trying to solve a bit with agents. So when I talk about abuse, there's really a few categories that are relevant for us right now, and that will of course change as time goes on. There's crypto mining, so just people trying to use the trial to mine a tiny bit of crypto. Then there's like illegal VPNs, especially Chinese students that try to go around the Chinese firewall. Then there's like large-scale net scanning, so port scanning, looking for weaknesses somewhere. Then DDoSing, which is incredibly famous among Minecraft servers for some reason. And then the hard ones are spam bots, so like the Telegram, WhatsApp spams, and phishing sites.
Jonas Scholz [00:01:48]: Now the first four categories are all relatively easy to catch. So for crypto mining, for example, you just look at the CPU utilization. If it's constantly way above average, it is rather likely that this is like a mining thing. Or for net scans and DDoS, again relatively easy. You just look at the network traffic and you can do some pattern matching there. Spam bots and phishing are really hard to catch. And this is what I try to solve with agents, or what I'm still doing. This is like an ongoing battle, basically.
Jonas Scholz [00:02:19]: And phishing is what I want to talk about today. And this is not just some theoretical thing I want to protect against. This is something very recent that happens all the time. So here this is something someone tried to host on Sliplane, which is the fake login page of the Armed Forces Division mailing system of Bangladesh. And they basically just tried to harvest email credentials of military personnel. And I don't think I need to explain that. This is really bad. And we don't want that to happen on our platform.
Jonas Scholz [00:02:54]: And I can probably already hear you say like, okay, who would fall for that login page, right? Like, this looks pretty bad. This is the official page, so they are quite close. And I would forgive someone to fail to fall for that phishing attempt. And we are trying to protect against exactly that. And this is something that happens pretty much daily for us at this point. And it's really bad for infrastructure and reputation. Seeing those screenshots you might think, okay, this is relatively easy to see that this is a phishing attempt, but they are not completely stupid and there's a few problems in detecting phishing. So number one is again, these are developers, right? Like they know that we're trying to catch them, so they obfuscate everything.
Jonas Scholz [00:03:43]: When you deploy on Sliplane, you get a subdomain from us that we point to your services, basically. And when you open those domains of the phishing websites, you didn't see anything. You just got this "page not found" 404 page. Because what they did is they had this code snippet in there, and only if you had this huge random query parameter could you actually see the phishing page. So just by looking at the things that they are hosting from the outside isn't really enough in this case. Then the second issue is obviously phishing pages are trying very hard to look completely legit. So recently we had someone build a fake LG, so like the electronics company webshop, and that webshop looked perfect.
Jonas Scholz [00:04:30]: It looked just like the webshop of LG. But if you have the context that we are a small hosting company, LG would never host on us. But just doing static detection of code doesn't really work here. You need more context. Then finally, because we're growing, the sheer volume of deploys means manually checking that stuff is just not an option anymore. We get thousands of deploys every day and I need to sleep as well at some point. So the solution was to replace me with an army of context-aware agents that are smarter than just like static code detection of keywords, basically. And because we have some interesting constraints, we came up with a very simple and also cheap architecture.
Jonas Scholz [00:05:18]: So when a user triggers a deploy, that could be from a git push or from like manual clicking, we just let the deploy happen. Because most attacks that we really want to protect against here are not super time sensitive. If a phishing website is live for five minutes, it's unlikely that it will have any impact. So we can do everything in the background. We then have a sketchy pre-filter, which is really just statistical pre-filtering and determining if there's already something that suggests that there might be abuse. So there's really simple signals like, did they pay the invoices? Because there would never be some scammer that paid hundreds of dollars per month over a year. So you can filter out a lot of people already there. And if we already determine like they are probably not sketchy, we just ignore it completely.
Jonas Scholz [00:06:12]: And we have a pretty good rate here. So it's like 10x the chance that they will do some abusive stuff if the sketchy pre-filter lets them through. And then we have a threshold. If the pre-filter thinks things might be sketchy, we give it to the actual agent that then evaluates the code base, and the agent's output will be like a report of what it found. And then a human is still in the loop and makes the final decision. Because we still have too many false positives to just let agents ban users randomly. Especially again, as we grow, we get bigger customers that previous versions of our agents thought would be unrealistic for us to have as customers. And then we don't want to ban these people automatically. Looking at the agent:
Jonas Scholz [00:07:04]: We have a very hard constraint here that makes this agent work a bit differently, I guess, than a lot of other agents. All models that we use are open source and self-hosted on like rented hardware and with zero data retention. Because I care about data privacy and I don't want to send the code of our customers, especially the normal customers, to let's say OpenAI. Just not a fan of that. So because we use open-source and self-hosted models, they need to be small, and a lot of the agent stuff is just workarounds around small models. We start with an in-memory git clone, basically, of the repository and build like a file tree. And then in the first step we let the agent, which is in this case usually a Mistral model, pick what files might be interesting, because we can't put everything into context; most repositories are too big for that. So we pre-select files that are probably interesting, and we then read those files.
Jonas Scholz [00:08:08]: And the most important step here is that we do context compacting, because what we saw is that even though like a Mistral model might have like a 128,000 token context window, if you fill that context window up, the quality will go down pretty quickly. So we found like a sweet spot of how much context we can give them. And then we try to compact as much as we can without losing the important information, and then give it together with a rather long system prompt again to a Mistral model that then does the actual classification. And in the system prompt we have some indicators. For example, if there's super strong racism or racial slurs, that's a very good signal for phishing websites for some reason. So we put that in there and then our Mistral model does the actual classification. One interesting thing we found is that the smaller models sometimes just go completely off the rails and do some completely different task that you never even gave them. So we have some retries built in and then build consensus from multiple classification tries, basically.
Jonas Scholz [00:09:21]: And that works rather well, because if you try it five times, three out of five would probably be good results. The classification then is just plain text, and it goes through the files basically and looks for suspicious things. This is just a small segment of the full output. But for example, in this case it found, okay, it looks like a login page for the government site here. It wrongly guesses the financial department, but that's okay. And then it also detects, okay, there's a query parameter in the URL which is kind of suspicious. And then comes to the conclusion that it's probably to harvest credentials. The actual report is like 10 times that size.
Jonas Scholz [00:10:07]: It's way more. So just having that small snippet wouldn't be enough. But it goes through everything and then also has the context of who we are as a company. So we tell them how many customers we have, what kind of customers we have, and just based on that, the agent usually figures out, okay, the government of Bangladesh would never host a mail server on Sliplane, and then suggests, okay, this is probably harvesting credentials. That is pretty much it already of like this very simple agent flow. And to summarize that, and I hope that's something maybe you can also learn something from, is that this whole agent doesn't need to be perfect. It's totally fine if it catches only 80% of the phishing websites, because we just need to be unattractive enough for abuse that they go somewhere else, basically.
Jonas Scholz [00:10:59]: You can never solve that problem completely and 100%, but if you annoy them long enough, they will just find a different target and leave us alone. So that's really the goal here. Then, one thing that we learned pretty quickly is that they also evolve and that red teaming is necessary. So I always try to jailbreak my own agent. One thing that worked really well in the beginning was just saying this is an educational phishing site. And then the agents just pass it through, and finding that stuff is pretty much required, I would say. And then I think that's obvious. But the small models, especially open-source models, are still years behind the commercial things.
Jonas Scholz [00:11:42]: It would be way easier if you would just use like Gemini Pro. But I think if you put in enough work and also like a lot of working around with your prompts and the context size issues, you can make small models work. Yeah, that was it. If you want to deploy your containers, check out Sliplane. Feel free to connect with me on LinkedIn if you have questions or feedback, especially feedback. I have no idea about LLM stuff. So if you think there's something I can do better, please let me know. Thank you, Jonas.
Adam Becker [00:12:16]: Thank you very much. Very thought provoking and fun to see. We have one question from the audience. Samantha is asking, quote: is it actually cheaper if you have to do three to five models with retries versus using a more expensive model that gets you what you want, perhaps on the first try and more frequently?
Jonas Scholz [00:12:40]: I think so, yes. Because the thing is, I'm mostly trying to use models that only fit on one small GPU, and like 80 gigabytes of VRAM is a small GPU. And like using bigger models just isn't really an option for me, because I would need like way more hardware and then the costs just explode. So I think it's cheaper. I haven't like benchmarked that. Yeah, but I think it's cheaper.
Adam Becker [00:13:03]: Ravi's adding to Samantha's intuition. He says also you end up increasing token count on each retry. Right.
Jonas Scholz [00:13:12]: With that, the retries are disconnected. So it's just the same. They are not like in the same context, if that makes sense. Yeah, because they sometimes really just go crazy, like they just spit out complete garbage.
Adam Becker [00:13:26]: I'm going to put your slides back up for maybe one more question from me. Unless folks are going to send them. Can you, can you go back a few slides?
Jonas Scholz [00:13:37]: Sure, yeah. This one.
Adam Becker [00:13:42]: Maybe. Yeah. Actually, by the way, it's not just in Bangladesh. I've seen, I mean, this is working very well in our own government here in the US too. So. Yeah.
Jonas Scholz [00:13:56]: And also it wasn't just Bangladesh, it was actually also Pakistan and Nepal. Pakistan they also targeted.
Adam Becker [00:14:01]: But yeah, we got an addition from Samantha saying she meant more like regarding third party models.
Jonas Scholz [00:14:09]: So like, yeah, I'm really trying not to use third party. That is maybe not the smartest decision, to be honest. I know there's some companies that do like zero data retention, but I'm really trying to use that for some models. And as long as this is a reasonable effort to do that, I will continue to do that.
Adam Becker [00:14:31]: Nice. Okay, Jonas, you have your LinkedIn. Did you post it? Yes, I'll put it in the chat as well. Drop it in our private chat and I'll put it here below for the audience as well. Thank you very much for coming. This was excellent. Best of luck. This is always going to be, I feel, just like a cat-and-mouse game.
Jonas Scholz [00:14:54]: Yeah, it would be. Yes.
Adam Becker [00:14:58]: Awesome, Jonas, thank you very much.