Identifying MMORPG Bots: A Traffic Analysis Approach (MMORPG: Massively Multiplayer Online Role Playing Game) Kuan-Ta Chen National Taiwan University Jhih-Wei Jiang Polly Huang Hao-Hua Chu Chin-Laung Lei Wen-Chin Chen Collaborators:

Identifying MMORPG Bots: A Traffic Analysis Approach 2 Talk Outline Motivation Trace collection Traffic analysis and bot identification schemes Performance evaluation Scheme Robustness Conclusion

Identifying MMORPG Bots: A Traffic Analysis Approach 3 Game Bots AI programs that can perform many tasks in place of gamers Can reap rewards efficiently in 24 hours a day  break the balance of power and economies in the game world Therefore bots are forbidden in most games

Identifying MMORPG Bots: A Traffic Analysis Approach 4 Bot Detection Detecting whether a character is controlled by a bot is difficult since a bot obeys the game rules perfectly No general detection methods are available today The state of practice is identifying via human intelligence (as bots cannot talk like humans) Labor-intensive and may annoy innocent players This work is dedicated to automatic detection of game bots (without intrusion in players’ gaming experience)

Identifying MMORPG Bots: A Traffic Analysis Approach 5 Key Contributions We proposed to detect bots with a traffic analysis approach We proposed four strategies to distinguish bots from human players based on their traffic characteristics

Identifying MMORPG Bots: A Traffic Analysis Approach 6 Bot Detection: A Decision Problem Game clientGame server Traffic stream Q:Whether a bot is controlling a game client given the traffic stream it generates? A:Yes or No

Identifying MMORPG Bots: A Traffic Analysis Approach 7 Ragnarok Online -- a screen shot Figure courtesy of Ragnarok Online One of the most popular MMORPGs (they claimed 17 million subscribers worldwide recently) Notorious for the prevalence of the use of game bots

Identifying MMORPG Bots: A Traffic Analysis Approach 8 Game Bots in Ragnarok Online Two mainstream bot series: Kore -- KoreC, X-Kore, modKore, Solos, Kore, wasu, Erok, iKore, and VisualKore DreamRO (popular in China and Taiwan) Both bots are standalone (game clients not needed), fully-automated, script-based, and interactive

Identifying MMORPG Bots: A Traffic Analysis Approach 9 DreamRO -- A Screen Shot World Map View Scope Character Status Character is here

Identifying MMORPG Bots: A Traffic Analysis Approach 10 Trace Collection CategoryTrace #ParticipantsAverage LengthNetwork Human players 8 traces2 rookies 2 experts 2.6 hours ADSL, Cable Modem, Campus Network Bots11 traces2 bots17 hours Player skills Character levels / equipments Network connections Network conditions (RTT, loss rate, etc) Heterogeneity was preserved 206 hours and 3.8 million packets were traced in total

Identifying MMORPG Bots: A Traffic Analysis Approach 11 Traffic Analysis of Collected Game Traces Traffic is analyzed in terms of Command timing Traffic burstiness Reaction to network conditions Four bot identification strategies are proposed

Identifying MMORPG Bots: A Traffic Analysis Approach 12 Command Timing Observation Bots often issue their commands based on arrivals of server packets, which carry the latest status of the character and environment game client game server time Client response time (response time) Time difference between the release of a client packet and the arrival of the most recent server packet State update t1 Client command t2 Response time T = t2 – t1

Identifying MMORPG Bots: A Traffic Analysis Approach 13 CDF of Response Times DreamRO > 50% response times are extremely small Kore Zigzag pattern (multiples of a certain value)

Identifying MMORPG Bots: A Traffic Analysis Approach 14 Histograms of Response Times (DreamRO traces) 1 ms multiple peaks 1 ms multiple peaks Many client packets are sent in response to server packets

Identifying MMORPG Bots: A Traffic Analysis Approach 15 Histograms of Response Times Regularity in the distribution of bots’ response times Scheme #1: Command Timing A traffic stream is considered from a bot if it has … Quick response times (< 10 ms) clustered Regularity in the distribution of response times, i.e., if any frequency component exists

Identifying MMORPG Bots: A Traffic Analysis Approach 16 Traffic Burstiness Traffic burstiness An indicator of how traffic fluctuates over time The variability of packet/byte counts observed in successive periods Index of Dispersion for Counts (IDC) T h e IDC a tt i mesca l e t i s d e ¯ ne d as I t = V ar ( N t ) E ( N t ) ; w h ere N t i n d i ca t es t h enum b ero f arr i va l s i n i n t erva l s o f t i me t.

Identifying MMORPG Bots: A Traffic Analysis Approach 17 Example: Wine Sales and IDC The period is approximately 12 months The IDC at 12 months is the lowest

Identifying MMORPG Bots: A Traffic Analysis Approach 18 The Trend of Traffic Burstiness Traffic generated by human players, of course, has no reason to exhibit such property Conjecture for Bot Traffic 1.Each iteration of the bot program’s main loop takes roughly the same amount of time 2.Each iteration of the main loop sends out roughly the same number of packets 3.Bot traffic burstiness will be the lowest in the time scale around the time needed to complete each iteration

Identifying MMORPG Bots: A Traffic Analysis Approach 19 Examining the Trend of Traffic Burstiness Regularity in the distribution of bots’ response times Scheme #2: Trend of Traffic Burstiness A traffic stream is considered from a bot if … the IDC curve has a falling trend at first and after that a rising trend, and both trends are detected at time scales < 10 sec

Identifying MMORPG Bots: A Traffic Analysis Approach 20 The Magnitude of Traffic Burstiness Difficulty no “typical” burstiness of human player traffic Solution compare the burstiness of client traffic with that of the corresponding server traffic (as servers treat all game clients equally) Scheme #3: Burstiness Magnitude A traffic stream is considered to be generated by a bot if the client traffic burstiness is much lower than the corresponding server traffic burstiness Conjecture Bot traffic is relatively smooth than human player traffic

Identifying MMORPG Bots: A Traffic Analysis Approach 21 Human Reaction to Network Conditions Conjecture for Human Player Traces 1.The network delay of packets will influence the pace of game playing (the rate of screen updates, character movement) 2.Human players will unconsciously adapt to the game pace (the faster the game pace is, the faster the player acts) server Traffic jam!! Is there any relationship between network delay and the pace of user actions?

Identifying MMORPG Bots: A Traffic Analysis Approach 22 Packet Rate vs. Network Delay Scheme #4: Pacing A traffic stream is considered from a bot if … correlation between pkt rate vs. network delay is non- negative Human player traces: downward trend

Identifying MMORPG Bots: A Traffic Analysis Approach 23 Performance Evaluation Evaluate the sensitivity of input size by dividing traces into segments, and computing the above metrics on a segment basis Metrics Correct ratethe ratio the client type of a trace is correctly determined False positive ratethe ratio a player is misjudged as a bot False negative ratethe ratio a bot is misjudged as a human player

Identifying MMORPG Bots: A Traffic Analysis Approach 24 Performance Evaluation Results [Burstiness magnitude] always achieves low false positive rates (< 5%) and yields a moderate correct rate (≈ 75%) [Command timing and Burstiness trend] Correct rates higher than 95% and false negative rates lower than 5% given an input size > 2,000 packets

Identifying MMORPG Bots: A Traffic Analysis Approach 25 An Integrated Approach In practice, we can carry out multiple schemes simultaneously and combine their results according to preference Conservative approach: command timing AND burstiness trend Aggressive approach: command timing OR burstiness trend

Identifying MMORPG Bots: A Traffic Analysis Approach 26 An Integrated Approach -- Results Aggressive approach (2,000 packets): false negative rate < 1% and 95% correct rate Conservative approach (10,000 packets): ≈ 0% false positive rate and > 90% correct rate Aggressive

Identifying MMORPG Bots: A Traffic Analysis Approach 27 Robustness against Counter-Attacks Just like anti-virus software vs. virus writers Our schemes only rely on packet timings An obvious attack is adding random delays to the release time of client packets Command timing scheme will be ineffective Schemes based on traffic burstiness are robust  Adding random delays will not eliminate the bot signature unless the added delay is longer than the iteration time by orders of magnitude or heavy-tailed  However, adding such long delays will make the bots incompetent as this will slowdown the character’s actions by orders of magnitude

Identifying MMORPG Bots: A Traffic Analysis Approach 28 Simulating the Effect of Random Delays on IDC

Identifying MMORPG Bots: A Traffic Analysis Approach 29 Summary Traffic analysis is effective to identify game bots Proposed four bot decision strategies and two integrated schemes for practical use The proposed schemes (except the one based on command timing) are robust under counter-attacks

Thank You! Kuan-Ta Chen