MMORPGs have become extremely popular among network gamers. Despite their success, one of MMORPG’s greatest challenges is the increasing use of game bots, i.e., autoplaying game clients. The use of game bots is considered unsportsmanlike and is therefore forbidden. To keep games in order, game police, played by actual human players, often patrol game zones and question suspicious players. This practice, however, is labor-intensive and ineffective. To address this problem, we analyze the traffic generated by human players vs. game bots and propose solutions to automatically identify game bots. Taking Ragnarok Online, one of the most popular MMOGs, as our subject, we study the traffic generated by mainstream game bots and human players. We find that their traffic is distinguishable by: 1) the regularity in the release time of client commands, 2) the trend and magnitude of traffic burstiness in multiple time scales, and 3) the sensitivity to network conditions. We propose four strategies and two integrated schemes to identify bots. For our data sets, the conservative scheme completely avoids making false accusations against bona fide players, while the progressive scheme tracks game bots down more aggressively. Finally, we show that the proposed methods are generalizable to other games and robust against counter-measures from bot developers.

1. Identifying MMORPG Bots: A Traffic Analysis Approach (MMORPG: Massively Multiplayer Online Role Playing Game) Kuan-Ta Chen National Taiwan University Jhih-Wei Jiang Polly Huang Hao-Hua Chu Chin-Laung Lei Wen-Chin Chen Collaborators:

6. Bot Detection: A Decision Problem Game client Game server Traffic stream Q: Whether a bot is controlling a game client given the traffic stream it generates? A: Yes or No

9. DreamRO -- A Screen Shot World Map View Scope Character Status Character is here

12. Command Timing game client game server time Bots often issue their commands based on arrivals of server packets , which carry the latest status of the character and environment Observation Time difference between the release of a client packet and the arrival of the most recent server packet Client response time (response time) State update t1 Client command t2 Response time T = t2 – t1

13. CDF of Response Times Kore Zigzag pattern (multiples of a certain value) DreamRO > 50% response times are extremely small

14. Histograms of Response Times (DreamRO traces) 1 ms multiple peaks 1 ms multiple peaks Many client packets are sent in response to server packets

17. Example: Wine Sales and IDC The period is approximately 12 months The IDC at 12 months is the lowest

24. Performance Evaluation Results [Burstiness magnitude] always achieves low false positive rates ( < 5% ) and yields a moderate correct rate ( ≈ 75% ) [Command timing and Burstiness trend] Correct rates higher than 95% and false negative rates lower than 5% given an input size > 2,000 packets

26. An Integrated Approach -- Results Aggressive Aggressive approach (2,000 packets): false negative rate < 1% and 95% correct rate Conservative approach (10 , 000 packets): ≈ 0% false positive rate and > 90% correct rate

28. Simulating the Effect of Random Delays on IDC

30. Thank You! Kuan-Ta Chen