Identifying MMORPG Bots: A Traffic Analysis Approach



MMORPGs have become extremely popular among network gamers. Despite their success, one of MMORPG’s greatest challenges is the increasing use of game bots, i.e., autoplaying game clients. The use of game bots is considered unsportsmanlike and is therefore forbidden. To keep games in order, game police, played by actual human players, often patrol game zones and question suspicious players. This practice, however, is labor-intensive and ineffective. To address this problem, we analyze the traffic generated by human players vs. game bots and propose solutions to automatically identify game bots.

Taking Ragnarok Online, one of the most popular MMOGs, as our subject, we study the traffic generated by mainstream game bots and human players. We find that their traffic is distinguishable by: 1) the regularity in the release time of client commands, 2) the trend and magnitude of traffic burstiness in multiple time scales, and 3) the sensitivity to network conditions. We propose four strategies and two integrated schemes to identify bots. For our data sets, the conservative scheme completely avoids making false accusations against bona fide players, while the progressive scheme tracks game bots down more aggressively. Finally, we show that the proposed methods are generalizable to other games and robust against counter-measures from bot developers.

Published in: Technology, Business

  1. Identifying MMORPG Bots: A Traffic Analysis Approach
     (MMORPG: Massively Multiplayer Online Role Playing Game)
     Kuan-Ta Chen, National Taiwan University
     Collaborators: Jhih-Wei Jiang, Polly Huang, Hao-Hua Chu, Chin-Laung Lei, Wen-Chin Chen
  2. Talk Outline
     • Motivation
     • Trace collection
     • Traffic analysis and bot identification schemes
     • Performance evaluation
     • Scheme robustness
     • Conclusion
  3. Game Bots
     • AI programs that can perform many tasks in place of gamers
     • Can reap rewards efficiently 24 hours a day, breaking the balance of power and economies in the game world
     • Therefore bots are forbidden in most games
  4. Bot Detection
     • Detecting whether a character is controlled by a bot is difficult since a bot obeys the game rules perfectly
     • No general detection methods are available today
     • The state of practice is identifying via human intelligence (as bots cannot talk like humans)
       • Labor-intensive and may annoy innocent players
     This work is dedicated to automatic detection of game bots (without intrusion in players’ gaming experience)
  5. Key Contributions
     • We proposed to detect bots with a traffic analysis approach
     • We proposed four strategies to distinguish bots from human players based on their traffic characteristics
  6. Bot Detection: A Decision Problem
     [Diagram: game client, traffic stream, game server]
     Q: Is a bot controlling a game client, given the traffic stream it generates?
     A: Yes or No
  7. Ragnarok Online -- a screen shot
     [Figure courtesy of Ragnarok Online]
     • One of the most popular MMORPGs (they claimed 17 million subscribers worldwide recently)
     • Notorious for the prevalence of the use of game bots
  8. Game Bots in Ragnarok Online
     • Two mainstream bot series:
       • Kore -- KoreC, X-Kore, modKore, Solos, Kore, wasu, Erok, iKore, and VisualKore
       • DreamRO (popular in China and Taiwan)
     • Both bots are standalone (game clients not needed), fully-automated, script-based, and interactive
  9. DreamRO -- A Screen Shot
     [Screenshot labels: World Map, View Scope, Character Status, Character is here]
  10. Trace Collection
      Heterogeneity was preserved:
      • Player skills
      • Character levels / equipment
      • Network connections
      • Network conditions (RTT, loss rate, etc.)

      Category        Participants           Trace #     Average Length
      Human players   2 rookies, 2 experts   8 traces    2.6 hours
      Bots            2 bots                 11 traces   17 hours

      Network: ADSL, Cable Modem, Campus Network
      206 hours and 3.8 million packets were traced in total
  11. Traffic Analysis of Collected Game Traces
      • Traffic is analyzed in terms of
        • Command timing
        • Traffic burstiness
        • Reaction to network conditions
      • Four bot identification strategies are proposed
  12. Command Timing
      Observation: Bots often issue their commands based on arrivals of server packets, which carry the latest status of the character and environment
      Client response time (response time): time difference between the release of a client packet and the arrival of the most recent server packet
      [Diagram: timeline between game client and game server; a state update arrives at t1, a client command is released at t2]
      Response time T = t2 – t1
  13. CDF of Response Times
      • Kore: zigzag pattern (multiples of a certain value)
      • DreamRO: > 50% of response times are extremely small
  14. Histograms of Response Times (DreamRO traces)
      [Two histogram panels, each annotated "1 ms" and "multiple peaks"]
      Many client packets are sent in response to server packets
  15. Histograms of Response Times
      Regularity in the distribution of bots’ response times
      Scheme #1: Command Timing
      A traffic stream is considered from a bot if it has …
      • Quick response times (< 10 ms) clustered
      • Regularity in the distribution of response times, i.e., if any frequency component exists
  16. Traffic Burstiness
      • Traffic burstiness
        • An indicator of how traffic fluctuates over time
        • The variability of packet/byte counts observed in successive periods
      • Index of Dispersion for Counts (IDC)
      The IDC at time scale $t$ is defined as
      $$I_t = \frac{\mathrm{Var}(N_t)}{E(N_t)},$$
      where $N_t$ indicates the number of arrivals in intervals of time $t$.
  17. Example: Wine Sales and IDC
      • The period is approximately 12 months
      • The IDC at 12 months is the lowest
  18. The Trend of Traffic Burstiness
      Conjecture for Bot Traffic
      • Each iteration of the bot program’s main loop takes roughly the same amount of time
      • Each iteration of the main loop sends out roughly the same number of packets
      • Bot traffic burstiness will be the lowest in the time scale around the time needed to complete each iteration
      • Traffic generated by human players, of course, has no reason to exhibit such property
  19. Examining the Trend of Traffic Burstiness
      Regularity in the distribution of bots’ response times
      Scheme #2: Trend of Traffic Burstiness
      A traffic stream is considered from a bot if …
      • the IDC curve has a falling trend at first and after that a rising trend, and
      • both trends are detected at time scales < 10 sec
  20. The Magnitude of Traffic Burstiness
      Conjecture: Bot traffic is relatively smoother than human player traffic
      • Difficulty: there is no “typical” burstiness of human player traffic
      • Solution: compare the burstiness of client traffic with that of the corresponding server traffic (as servers treat all game clients equally)
      • Scheme #3: Burstiness Magnitude. A traffic stream is considered to be generated by a bot if the client traffic burstiness is much lower than the corresponding server traffic burstiness
  21. Human Reaction to Network Conditions
      [Diagram: server, "Traffic jam!!"]
      Is there any relationship between network delay and the pace of user actions?
      Conjecture for Human Player Traces
      • The network delay of packets will influence the pace of game playing (the rate of screen updates, character movement)
      • Human players will unconsciously adapt to the game pace (the faster the game pace is, the faster the player acts)
  22. Packet Rate vs. Network Delay
      Human player traces: downward trend
      Scheme #4: Pacing
      A traffic stream is considered from a bot if …
      • the correlation between packet rate and network delay is non-negative
  23. Performance Evaluation
      • Evaluate the sensitivity of input size by dividing traces into segments, and computing the above metrics on a segment basis
      Metrics
      • Correct rate: the ratio the client type of a trace is correctly determined
      • False positive rate: the ratio a player is misjudged as a bot
      • False negative rate: the ratio a bot is misjudged as a human player
  24. Performance Evaluation Results
      • [Burstiness magnitude] always achieves low false positive rates (< 5%) and yields a moderate correct rate (≈ 75%)
      • [Command timing and Burstiness trend] Correct rates higher than 95% and false negative rates lower than 5% given an input size > 2,000 packets
  25. An Integrated Approach
      • In practice, we can carry out multiple schemes simultaneously and combine their results according to preference
      • Conservative approach: command timing AND burstiness trend
      • Aggressive approach: command timing OR burstiness trend
  26. An Integrated Approach -- Results
      • Aggressive approach (2,000 packets): false negative rate < 1% and 95% correct rate
      • Conservative approach (10,000 packets): ≈ 0% false positive rate and > 90% correct rate
  27. Robustness against Counter-Attacks
      • Just like anti-virus software vs. virus writers
      • Our schemes only rely on packet timings
      • An obvious attack is adding random delays to the release time of client packets
        • Command timing scheme will be ineffective
        • Schemes based on traffic burstiness are robust
          • Adding random delays will not eliminate the bot signature unless the added delay is longer than the iteration time by orders of magnitude or heavy-tailed
          • However, adding such long delays will make the bots incompetent, as this will slow down the character’s actions by orders of magnitude
  28. Simulating the Effect of Random Delays on IDC
  29. Summary
      • Traffic analysis is effective to identify game bots
      • Proposed four bot decision strategies and two integrated schemes for practical use
      • The proposed schemes (except the one based on command timing) are robust under counter-attacks
  30. Thank You! Kuan-Ta Chen
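
Added example, not from the slides or the authors' code: one way to compute the response time T = t2 - t1 of slide 12 and the two command-timing signatures of slides 13 to 15 (a cluster of sub-10 ms responses, and response times sitting on multiples of one value). The regularity measure, both 0.5 cut-offs, the OR combination, the function names and the synthetic traces are assumptions made for illustration.

```python
import bisect
import cmath
import random

def response_times(client_ts, server_ts):
    """T = t2 - t1: client send time minus the most recent server arrival."""
    out = []
    for t2 in client_ts:
        i = bisect.bisect_right(server_ts, t2)
        if i:  # ignore client packets seen before any server packet
            out.append(t2 - server_ts[i - 1])
    return out

def quick_fraction(rts, limit=0.010):
    """Share of response times under 10 ms."""
    return sum(t < limit for t in rts) / len(rts)

def regularity(rts, periods):
    """Strongest single-frequency component of the response-time distribution:
    near 1 when times sit on multiples of one period, near 0 when spread out."""
    return max(abs(sum(cmath.exp(2j * cmath.pi * t / p) for t in rts)) / len(rts)
               for p in periods)

def flagged_by_command_timing(client_ts, server_ts):
    rts = response_times(client_ts, server_ts)
    periods = [ms / 1000 for ms in range(5, 51, 5)]     # 5..50 ms candidates
    # Both 0.5 cut-offs are illustrative assumptions, not the paper's tests.
    return quick_fraction(rts) > 0.5 or regularity(rts, periods) > 0.5

def constructed_traces(seed=7, n=3000):
    """Synthetic timestamps in seconds; not data from the study."""
    rng = random.Random(seed)
    server, t = [], 0.0
    for _ in range(n):
        t += rng.expovariate(5.0)        # state update every 200 ms on average
        server.append(t)
    human = sorted(rng.uniform(0.0, t) for _ in range(n))  # independent of updates
    # DreamRO-like: 70% of commands leave 1-3 ms after a state update
    dream = sorted(s + (rng.uniform(0.001, 0.003) if rng.random() < 0.7
                        else rng.uniform(0.0, 0.2)) for s in server)
    # Kore-like: commands leave on a 20 ms timer tick after the update
    kore = sorted(s + 0.020 * rng.randint(1, 3) + rng.uniform(0.0, 0.001)
                  for s in server)
    return server, human, dream, kore

if __name__ == "__main__":
    server, human, dream, kore = constructed_traces()
    for name, trace in (("human", human), ("dreamro-like", dream), ("kore-like", kore)):
        print(name, flagged_by_command_timing(trace, server))
```

The Kore-like trace is caught only by the regularity measure and the DreamRO-like trace by the quick-response share, which is why the sketch keeps the two signatures separate.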
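
Added example, not from the slides or the authors' code: the IDC of slide 16 computed over several time scales, with the falling-then-rising test of Scheme #2 (slide 19) applied to constructed traces. The list of scales, the `drop` depth, the function names and both synthetic traces (a bot that sends one burst per 1-second loop iteration, and memoryless arrivals standing in for a human) are assumptions.

```python
import random
from statistics import fmean, pvariance

SCALES = [0.1, 0.2, 0.5, 1.0, 2.0, 4.0, 8.0]   # seconds, all under 10 s

def idc(timestamps, scale, duration):
    """I_t = Var(N_t) / E(N_t), N_t = arrivals per interval of length `scale`."""
    counts = [0] * int(duration / scale + 1e-9)
    for ts in timestamps:
        i = int(ts / scale)
        if i < len(counts):
            counts[i] += 1
    return pvariance(counts) / fmean(counts)

def loop_time_from_idc(timestamps, duration, drop=0.5):
    """Time scale of the IDC minimum if the curve falls to it and rises again,
    else None. `drop` (required depth of the dip) is an assumption."""
    curve = [idc(timestamps, s, duration) for s in SCALES]
    i = curve.index(min(curve))
    if 0 < i < len(curve) - 1:
        if curve[i] < drop * min(max(curve[:i]), max(curve[i + 1:])):
            return SCALES[i]
    return None

def constructed_bot(duration=1200, seed=3):
    """Loop runs once per second and sends one short burst per iteration;
    burst size alternates 3/5 every 60 iterations (slow change of activity)."""
    rng = random.Random(seed)
    out = []
    for n in range(duration):
        start = n + 0.5 + rng.uniform(0.001, 0.02)
        size = 3 if (n // 60) % 2 == 0 else 5
        out.extend(start + 0.01 * j for j in range(size))
    return out

def constructed_human(duration=1200, rate=4.0, seed=3):
    """Memoryless arrivals at the same mean rate: a stand-in with no main loop."""
    rng = random.Random(seed)
    out, t = [], rng.expovariate(rate)
    while t < duration:
        out.append(t)
        t += rng.expovariate(rate)
    return out

if __name__ == "__main__":
    for name, trace in (("bot", constructed_bot()), ("human", constructed_human())):
        print(name, [round(idc(trace, s, 1200), 2) for s in SCALES],
              loop_time_from_idc(trace, 1200))
```

For the constructed bot the minimum falls at the 1-second scale, the loop's iteration time, while the memoryless trace stays near an IDC of 1 at every scale and yields no dip.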