Technical Paper on Gaming Cheating

[ReCycled]

This is some kind of research paper about on-line gaming cheating (not Quake specific) and discusses alternate methods of detecting it. Rather than counter each new technical exploit as they surface, it suggests tracking gaming behavior and using statistical means to compare to. For example how long someone tracks moving objects (players) that are obscured behind opaque surfaces (ie wallhacking). The cheater will spend 2.5 times as long tracking solid walls, as a normal player using sound or other clues.

Anyway interesting reading. The PDF file was 2.5 meg so I zipped it down to 1.02 meg to see if it will attach here.

Here's a brief excerpt from it.

 

   

[quadz]

Rather than counter each new technical exploit as they surface, it suggests tracking gaming behavior and using statistical means to compare to. For example how long someone tracks moving objects (players) that are obscured behind opaque surfaces (ie wallhacking).

Nice.  I recall brainstorming with someone about the possibility of a system like this a long time ago.  That's awesome these folks have turned it into a real research project.


 

[The Happy Friar]

Defcon has the simplest anticheat: if the checksum of the client doesn't match the server then the server overrides the client.

So either a) everybody has the "cheat" available or b) nobody has the cheat (it's listen servers).  If everybody can cheat then there's no point in cheating.

[reaper]

I don't think it's that simple, in my estimation even with anticheat, it would be still possible to cheat, although I don't know how diffiicult.

If it's just client < - > server, you would have the client respond with what the server wants.

[quadz]

Defcon has the simplest anticheat: if the checksum of the client doesn't match the server then the server overrides the client.

Server: tell me your checksum
Client: (lying) it's 0xF39AC30B
Server: i believe you!

[VaeVictis]

could do a method that causes a TON of overhead on your server and just render everything for the players server side and send the display info to the clients lol... although that would cause HELL for high ping players... even if it was just simplified down to the server only rendering the models and leaving the map rendering up to the client

still probably a way to exploit that though lol

[ReCycled]

I think you have to read the whole document to get a clear picture of the process. I personally think it would work quite well with good algorithms modelling typical non-cheating behaviour. After all, isn't that what we do here with reviewing demos to use our experience and knowledge of the game to see if something looks suspect? These parameters could be defined for this game and tested. At first there might be some false positives, but all this can be refined when examining what legitimate action(s) caused that. As the author mentioned, this type of logic is already used in programs to detect attempts to penetrate web sites for malicious use.

It would be a joy to see some long time cheaters get booted from our servers - as well as people who think they are technically smarter and are bent on cheating for it's own sake (eg Razor).
    

[VaeVictis]

I think you have to read the whole document to get a clear picture of the process. I personally think it would work quite well with good algorithms modelling typical non-cheating behaviour. After all, isn't that what we do here with reviewing demos to use our experience and knowledge of the game to see if something looks suspect? These parameters could be defined for this game and tested. At first there might be some false positives, but all this can be refined when examining what legitimate action(s) caused that. As the author mentioned, this type of logic is already used in programs to detect attempts to penetrate web sites for malicious use.

It would be a joy to see some long time cheaters get booted from our servers - as well as people who think they are technically smarter and are bent on cheating for it's own sake (eg Razor).
    

lol well... if you classify 80% rail as an aimbot, guess what... some people really do rail that good

if you classify tracking people through walls as a wallhack... its not that hard for players with very good sound knowledge....

you have to have a person see it in context to tell if its a hack, hence why we review demos instead of just running them through a program

[peewee_RotA]

I think you have to read the whole document to get a clear picture of the process. I personally think it would work quite well with good algorithms modelling typical non-cheating behaviour. After all, isn't that what we do here with reviewing demos to use our experience and knowledge of the game to see if something looks suspect? These parameters could be defined for this game and tested. At first there might be some false positives, but all this can be refined when examining what legitimate action(s) caused that. As the author mentioned, this type of logic is already used in programs to detect attempts to penetrate web sites for malicious use.

It would be a joy to see some long time cheaters get booted from our servers - as well as people who think they are technically smarter and are bent on cheating for it's own sake (eg Razor).
    

I don't know if it's ever that easy.

One thing I have been working on for work which seemed simple at first turned out to be this:
http://en.wikipedia.org/wiki/Bin_packing_problem


Although this paper is most likely a giant leap forward solving similar problems. Realistically, how do you go from having people review something, to telling a computer what to analyze? The word behavior, in and of itself, is misleading. Behaviors to us are a human concept. If someone is constantly lying then we as humans can label him as a liar, but assuming a computer can magically detect how often someone tells a falsehood, what frequency makes him a liar? What about severity? What if that person is an actor and "lies" for a living, or an author.

How I see this being used, if implemented, is a way of observing trends and simply flagging them for review. Maybe taking these markers, after 3 separate days of offenses, automatically taking some demos for review. Now THAT would be awesome.
 

[VaeVictis]

I think you have to read the whole document to get a clear picture of the process. I personally think it would work quite well with good algorithms modelling typical non-cheating behaviour. After all, isn't that what we do here with reviewing demos to use our experience and knowledge of the game to see if something looks suspect? These parameters could be defined for this game and tested. At first there might be some false positives, but all this can be refined when examining what legitimate action(s) caused that. As the author mentioned, this type of logic is already used in programs to detect attempts to penetrate web sites for malicious use.

It would be a joy to see some long time cheaters get booted from our servers - as well as people who think they are technically smarter and are bent on cheating for it's own sake (eg Razor).
    

I don't know if it's ever that easy.

One thing I have been working on for work which seemed simple at first turned out to be this:
http://en.wikipedia.org/wiki/Bin_packing_problem


Although this paper is most likely a giant leap forward solving similar problems. Realistically, how do you go from having people review something, to telling a computer what to analyze? The word behavior, in and of itself, is misleading. Behaviors to us are a human concept. If someone is constantly lying then we as humans can label him as a liar, but assuming a computer can magically detect how often someone tells a falsehood, what frequency makes him a liar? What about severity? What if that person is an actor and "lies" for a living, or an author.

How I see this being used, if implemented, is a way of observing trends and simply flagging them for review. Maybe taking these markers, after 3 separate days of offenses, automatically taking some demos for review. Now THAT would be awesome.
 

pretty damn good idea and it could use statistics with tolerance for a good range, and even different between each mod seeing as in an ffa setting with ffa players, tracking players through a wall might not happen, BUT in a tdm server with 1v1 where sound is very easy to use it might happen a lot

and it could use a system for registered nick's that could even be based on subnet, and so since we all know defiant doesnt hack and such, if he pushed out those behaviors and got a demo recorded, some one could just go in and add him to an exception list... this however could end up backfiring :/ BUT it would be anice feature so we dont get a hundred demos of the same people raping the servers over and over... i guess that could all be slimmed down by refining your behavioral range that it flags

[quadz]

if you classify 80% rail as an aimbot, guess what... some people really do rail that good

There's a lot finer grained data available.

Somewhere back around 2003 I recall suggesting to someone as a thought experiment: what if one were to train a neural net with the "motion" made by lots of legit human players as they aim their crosshairs at a target when firing {raigun, ssg, rocket launcher, chaingun, etc.}.

Such a neural net could then in theory be used to flag non-human aiming of {weapon}.

The downside, of course, is that an aimbot writer could use a similar technique to provide the aimbot with human-like reflexes that would fool the neural net.

So.... :shrug:

Similarly with wallhacks, there's more data available than just coarsely monitoring "tracking people through walls".  For instance, the server could be keeping stats on finer details, like, how rapidly the player 'reacts' in response to a player he can't see changing direction.  If over time, player X accumulates an unusual number of 'coincidental' reactions to something he can't see, then that data would weigh in on the wallhack factor.

How I see this being used, if implemented, is a way of observing trends and simply flagging them for review. Maybe taking these markers, after 3 separate days of offenses, automatically taking some demos for review. Now THAT would be awesome.

Agreed - similar to what credit card companies do already, scanning for sequences of purchases which are statistically out of character with the cardholder's usual behavior. . . .


Regards,

[l0ckp1ck]

only true way to ever stop cheaters is to watch their monitor while they play. don't know if its possible put like a  force record on people so it records on their end and somehow have the demo auto sent to somewhere where admin can view it

[quadz]

don't know if its possible put like a  force record on people so it records on their end and somehow have the demo auto sent to somewhere where admin can view it

If the client is hacked, it can simply record a demo full of lies.  (Same with screenshots.)

When you fully understand the implications of this, you will have gained an experience point.

[l0ckp1ck]

i don't know how it all works, was just a thought, but yeah i know what u mean. i was just trying to point out though nothing is foollproof and the only way to truely know if someone was cheating would be to stand over their shoulder while they play virtually

[[BTF] Reflex]

Mmmmmm,  lan party.