Battle of Botcraft: Fighting Bots in Online Games withHuman Observational ProofsSteven Gianvecchio, Zhenyu Wu, Mengjun Xie, and Haining WangThe College of William and Mary, USAACM CCS 2009

OUTLINE

1. Introduction2. Background3. Related Work4. Game Playing Characterization5. HOP System6. Experiments7. Limitations8. Conclusion

1. Introduction

About online games : $7.6 billion revenues in 2008. Massive multiplayer online games (MMOGs). Game bots.

The existing methods for combating bots. Human interactive proofs (HIPs). Warden, a process monitor.

1. Introduction (cont.)

A game bot defense system based on human observational proofs (HOPs). Behavioral biometric systems. A client-side exporter and a server-side analyzer.

The purpose of the HOP system is to raise the bar against game bots.

2. Background

Game bots : Standalone custom game client. Standard game client.

Game playing behaviors : Human Bots

3. Related Work

Anti-Cheating : Game cheating prevention Game cheating detection

Behavioral Biometrics : Keystroke dynamics and mouse dynamics Identity matching

4. Game playing characterization

The Glider Bot : Requires system administrator privileges. Profile — a set of configurations including

several waypoints and options.

4. Game playing characterization (cont.)

Input Data Collection : RUI — input data collection program.

clock resolution close to 0.015625 second (approximate 64 times/sec).

4. Game playing characterization (cont.)

men

women

18-24

25-34

35-44

>45

4. Game playing characterization (cont.)

Game bot is runningwith 10 different profiles in 7 locations in the game world for 40 hours.

Profiles are half run with a warrior and half run with a mage.

Characters range from level 1 to over 30 in the traces.

4. Game playing characterization (cont.)

4. Game playing characterization (cont.)

Game Playing Input Analysis : keyboard and mouse input traces with respect

to timing patterns (duration and inter-arrival time) and kinematics (distance, displacement, and velocity).

4. Game playing characterization (cont.)

4. Game playing characterization (cont.)

4. Game playing characterization (cont.)

5. HOP System

Client-side exporter sends a stream of user-input actions taken at a game

client to the game server. Server-side analyzer

processes each input stream and decides whether the corresponding client is operated by a bot or a human player.

5. HOP System (cont.)

Client-Side Exporter : Derives input actions from raw user-input

events. A standalone external program

5. HOP System (cont.)

Server-Side Analyzer : User-input action classifier Decision maker

Neural Network Classification : Eight input values for each user-input action

action duration, mouse travel distance, displacement, efficiency, speed, angle of displacement, virtual key and bias value.

Output Neuron

5. HOP System (cont.)

Decision Making : A simple “voting” scheme If the majority of the neural network output

classifies the user-input actions as those of a bot, the decision will be that the game is operated by a bot, and vice versa.

5. HOP System (cont.)

Performance Impact and Scalability : Client side

16 bytes of data per user-input action. additional bandwidth consumption induced by

the client-side exporter is negligible. Server side

The server-side analyzer is very efficient in terms of memory and CPU usage.

6. Experiments

In terms of detection accuracy, detection speed, and system overhead

True positive rate and true negative rate

6. Experiments (cont.)

Experimental Setup : 95 hours of traces, including 55 hours of human

traces and 40 hours of game bot traces. 3,000,066 raw user-input events and 286,626

user-input actions, with 10 bot instances and 30 humans involved.

6. Experiments (cont.)

Detection Results : The HOP system has four configurable

parameters : # of actions per block, and # of nodes The threshold, and # of outputs per output block.

6. Experiments (cont.)

Configure # of actions per block and # of nodes.

6. Experiments (cont.)

the threshold and # of outputs per block

6. Experiments (cont.)

Fully configured system (40 nodes, 4-action input, the threshold of 0.75, and 9 outputs per block)

The true negative rates are 1.0 for all of the humans

6. Experiments (cont.)

Detection of Other Game Bots : Test with Diablo 2without retraining the neural

network. A true positive rate of 0.864 on the bot and a

true negative rate of 1.0 on the human players.

6. Experiments (cont.) System Overhead :

To estimate the overhead of the analyzer for supporting 5,000 users.

The analyzer consumes only 37 KBytes of memory during operation.

The per-user memory requirement is approximately 66 bytes, this is only 330 KBytes in total.

The analyzer can process 95 hours of traces, over 286,626 user-input actions, in only 385 milliseconds on a Pentium 4 Xeon 3.0Ghz.

7. Limitations

Experimental Limitations : Player group, 30, is insufficient Mainly conducted in a lab environment There are a number of other bots Is HOP system effective for broader applications?

7. Limitations (cont.)

Potential Evasion : Bots could either interfere with the user-input

collection or manipulate the user-input stream at the client side.

Bots could mimic human behaviors to evade detection.

8. Conclusion

A game bot defense system that utilizes HOPs to detect game bots.

Compared to conventional HIPs such as CAPTCHAs, HOPs are transparent to users and work in a continuous manner.

The system can detect over 99% of current game bots with no false positives within a minute.