Identifying MMORPG Bots: A Traffic Analysis Approach

1
Identifying MMORPG Bots: A Traffic Analysis Approach
(MMORPG: Massively Multiplayer Online Role Playing Game)
Kuan-Ta Chen, National Taiwan University
Collaborators: Jhih-Wei Jiang, Polly Huang, Hao-Hua Chu, Chin-Laung Lei, Wen-Chin Chen

2
Talk Outline
  • Motivation
  • Trace collection
  • Traffic analysis and bot identification schemes
  • Performance evaluation
  • Scheme Robustness
  • Conclusion

3
Game Bots
  • AI programs that can perform many tasks in place
    of gamers
  • Can reap rewards efficiently 24 hours a day
    → break the balance of power and economies in the
    game world
  • Therefore bots are forbidden in most games

4
Bot Detection
  • Detecting whether a character is controlled by a
    bot is difficult since a bot obeys the game rules
    perfectly
  • No general detection methods are available today
  • The state of practice is identification via human
    intelligence (as bots cannot talk like humans)
  • Labor-intensive and may annoy innocent players

This work is dedicated to automatic detection of
game bots (without intruding on players' gaming
experience)
5
Key Contributions
  • We proposed to detect bots with a traffic
    analysis approach
  • We proposed four strategies to distinguish bots
    from human players based on their traffic
    characteristics

6
Bot Detection: A Decision Problem
Q: Is a bot controlling a game client, given the traffic stream it generates?
A: Yes or No
Diagram labels: game client, traffic stream, game server
7
Ragnarok Online -- a screen shot
Figure courtesy of www.Ragnarok.co.kr
8
Game Bots in Ragnarok Online
  • Two mainstream bot series
      • Kore -- KoreC, X-Kore, modKore, Solos, Kore,
        wasu, Erok, iKore, and VisualKore
      • DreamRO (popular in China and Taiwan)
  • Both bots are standalone (game clients not
    needed), fully-automated, script-based, and
    interactive

9
DreamRO -- A Screen Shot
Screenshot labels: View Scope, World Map, Character is here, Character Status
10
Trace Collection
Category      | Trace     | Participants         | Average Length | Network
Human players | 8 traces  | 2 rookies, 2 experts | 2.6 hours      | ADSL, Cable Modem, Campus Network
Bots          | 11 traces | 2 bots               | 17 hours       | ADSL, Cable Modem, Campus Network

Heterogeneity was preserved
  • Player skills
  • Character levels / equipment
  • Network connections
  • Network conditions (RTT, loss rate, etc.)

206 hours and 3.8 million packets were traced in total
11
Traffic Analysis of Collected Game Traces
  • Traffic is analyzed in terms of
      • Command timing
      • Traffic burstiness
      • Reaction to network conditions
  • Four bot identification strategies are proposed

12
Command Timing
Observation: Bots often issue their commands based on arrivals of server packets, which carry the latest status of the character and environment.
Diagram labels: game server, game client, time
Client response time (response time): the time difference between the release of a client packet and the arrival of the most recent server packet
13
CDF of Response Times
Kore: zigzag pattern (multiples of a certain value)
14
Histograms of Response Times (DreamRO traces)
Many client packets are sent in response to server packets
Plot annotations: 1 ms, multiple peaks
15
Histograms of Response Times
Scheme 1: Command Timing
A traffic stream is considered to be from a bot if it has
  • Quick response times (< 10 ms) clustered
  • Regularity in the distribution of response times,
    i.e., if any frequency component exists
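
Added example (not from the original slides): one way to compute the response times defined on slide 12 and apply Scheme 1 to them. The traces, the 0.5 cut-offs, the Fourier-based regularity score and the rule that either signal alone is enough are assumptions of this example.

```python
import cmath
import random
from bisect import bisect_right

def response_times(client_ms, server_ms):
    """Gap (ms) from the most recent server packet to each client packet."""
    server_ms = sorted(server_ms)
    gaps = []
    for t in client_ms:
        i = bisect_right(server_ms, t)
        if i:                      # skip packets sent before any server packet
            gaps.append(t - server_ms[i - 1])
    return gaps

def quick_fraction(gaps, limit_ms=10):
    """Share of response times under the 10 ms mark named in Scheme 1."""
    return sum(g < limit_ms for g in gaps) / len(gaps)

def periodicity(gaps, span_ms=200):
    """Largest non-DC Fourier magnitude of the 1 ms histogram, relative to DC.
    Close to 1 for a few sharp peaks (e.g. multiples of one value), small when spread out."""
    hist = [0] * span_ms
    for g in gaps:
        if g < span_ms:
            hist[g] += 1
    return max(
        abs(sum(h * cmath.exp(-2j * cmath.pi * k * n / span_ms)
                for n, h in enumerate(hist))) / sum(hist)
        for k in range(1, span_ms // 2 + 1))

def looks_like_bot(gaps, quick_min=0.5, period_min=0.5):
    """Scheme 1 with assumed cut-offs; the slides give no numeric thresholds."""
    return quick_fraction(gaps) >= quick_min or periodicity(gaps) >= period_min

# Constructed traces: one server packet every 250 ms for 500 s.
SERVER = list(range(0, 500_000, 250))
_rng = random.Random(1)
CLIENTS = {
    "reactive": [s + (1, 1, 1, 130)[i % 4] for i, s in enumerate(SERVER)],  # mostly 1 ms
    "stepped": [s + 20 * (1 + i % 5) for i, s in enumerate(SERVER)],        # multiples of 20 ms
    "human": [s + _rng.randrange(250) for s in SERVER],                     # no fixed relation
}

if __name__ == "__main__":
    for name, client in CLIENTS.items():
        gaps = response_times(client, SERVER)
        print(name, quick_fraction(gaps), round(periodicity(gaps), 2), looks_like_bot(gaps))
```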

16
Traffic Burstiness
  • Traffic burstiness
  • An indicator of how traffic fluctuates over time
  • The variability of packet/byte counts observed in
    successive periods
  • Index of Dispersion for Counts (IDC)

17
Example: Wine Sales and IDC
The period is approximately 12 months
The IDC at 12 months is the lowest
18
The Trend of Traffic Burstiness
Conjecture for Bot Traffic
  • Each iteration of the bot program's main loop takes
    roughly the same amount of time
  • Each iteration of the main loop sends out roughly
    the same number of packets
  • Bot traffic burstiness will be the lowest in the
    time scale around the time needed to complete each
    iteration
  • Traffic generated by human players, of course,
    has no reason to exhibit such a property

19
Examining the Trend of Traffic Burstiness
Scheme 2: Trend of Traffic Burstiness
A traffic stream is considered to be from a bot if
  • the IDC curve has a falling trend at first and
    after that a rising trend, and
  • both trends are detected at time scales < 10 sec
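
Added example (not from the original slides): the IDC, taken here as Var(N)/E[N] of the packet counts N per window, computed at several time scales below 10 s and followed by a simplified Scheme 2 check. Both streams are constructed, and the `falls_then_rises` rule with its 0.5 ratio is an assumption standing in for a statistical trend test.

```python
import random

def idc_curve(times_ms, duration_ms, scales_ms):
    """Index of Dispersion for Counts, Var(N)/E[N], at each time scale."""
    curve = []
    for scale in scales_ms:
        counts = [0] * (duration_ms // scale)      # complete windows only
        for t in times_ms:
            if t // scale < len(counts):
                counts[t // scale] += 1
        mean = sum(counts) / len(counts)
        var = sum((c - mean) ** 2 for c in counts) / len(counts)
        curve.append(var / mean)
    return curve

def falls_then_rises(curve, ratio=0.5):
    """Simplified Scheme 2 check (assumption, not the authors' trend test):
    the lowest IDC sits at an interior scale and is well below both ends."""
    low = min(curve)
    i = curve.index(low)
    return 0 < i < len(curve) - 1 and low < ratio * min(curve[0], curve[-1])

def bot_like(duration_ms=600_000, loop_ms=1000):
    """Constructed stream: fixed-length main loop; 20 busy loops (6 packets
    each) alternate with 20 idle loops (2 packets each)."""
    times = []
    for k in range(duration_ms // loop_ms):
        burst = 6 if (k // 20) % 2 == 0 else 2
        times += [k * loop_ms + 100 + 10 * j for j in range(burst)]
    return times

def human_like(duration_ms=600_000, mean_gap_ms=250, seed=7):
    """Constructed stand-in for a player: memoryless gaps, no loop period."""
    rng, t, times = random.Random(seed), 0.0, []
    while True:
        t += rng.expovariate(1 / mean_gap_ms)
        if t >= duration_ms:
            return times
        times.append(int(t))

SCALES_MS = [250, 500, 1000, 2000, 4000, 8000]     # all below 10 s

if __name__ == "__main__":
    for name, stream in (("bot-like", bot_like()), ("human-like", human_like())):
        curve = idc_curve(stream, 600_000, SCALES_MS)
        print(name, [round(v, 2) for v in curve], falls_then_rises(curve))
```

For the constructed bot-like stream the curve bottoms out at the 1000 ms scale, which is the loop time built into it.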

20
The Magnitude of Traffic Burstiness
Conjecture: Bot traffic is relatively smooth compared with human player traffic
  • Difficulty: no typical burstiness of human
    player traffic
  • Solution: compare the burstiness of client traffic
    with that of the corresponding server traffic (as
    servers treat all game clients equally)
  • Scheme 3: Burstiness Magnitude. A traffic stream
    is considered to be generated by a bot if the
    client traffic burstiness is much lower than the
    corresponding server traffic burstiness

21
Human Reaction to Network Conditions
Conjecture for Human Player Traces
  • The network delay of packets will influence the pace
    of game playing (the rate of screen updates,
    character movement)
  • Human players will unconsciously adapt to the game
    pace (the faster the game pace is, the faster the
    player acts)
Diagram labels: Traffic jam!!, server
Is there any relationship between network delay
and the pace of user actions?
22
Packet Rate vs. Network Delay
Human player traces: downward trend
Scheme 4: Pacing
A traffic stream is considered to be from a bot if
  • the correlation between packet rate and network
    delay is non-negative

23
Performance Evaluation
Metrics
  • Correct rate: the ratio at which the client type of
    a trace is correctly determined
  • False positive rate: the ratio at which a player is
    misjudged as a bot
  • False negative rate: the ratio at which a bot is
    misjudged as a human player
  • Evaluate the sensitivity to input size by
    dividing traces into segments, and computing the
    above metrics on a segment basis

24
Performance Evaluation Results
25
An Integrated Approach
  • In practice, we can carry out multiple schemes
    simultaneously and combine their results
    according to preference
  • Conservative approach: command timing AND
    burstiness trend
  • Aggressive approach: command timing OR burstiness
    trend

26
An Integrated Approach -- Results
Aggressive
27
Robustness against Counter-Attacks
  • Just like anti-virus software vs. virus writers
  • Our schemes only rely on packet timings
  • An obvious attack is adding random delays to the
    release time of client packets
  • Command timing scheme will be ineffective
  • Schemes based on traffic burstiness are robust
  • Adding random delays will not eliminate the bot
    signature unless the added delay is longer than
    the iteration time by orders of magnitude or
    heavy-tailed
  • However, adding such long delays will make the
    bots incompetent as this will slow down the
    characters' actions by orders of magnitude

28
Simulating the Effect of Random Delays on IDC
29
Summary
  • Traffic analysis is effective for identifying game
    bots
  • Proposed four bot decision strategies and two
    integrated schemes for practical use
  • The proposed schemes (except the one based on
    command timing) are robust under counter-attacks

30
Thank You!
Kuan-Ta Chen