Tree of Savior Forum

Anti-Botting Strategy: imc needs to start using behavioral biometrics

I still haven’t heard your great suggestion for defeating bots so let’s hear it. Given that you’re so adamant about shooting this suggestion down, you must have an amazing one.

If you are using detection that will cause this much overhead in server, yes, you can probably detect the bot.

But first, they have to solve the problem of server not being optimized or these method will only destroy the server.

I would think that a report function with gm is a much cheaper method compared to hiring someone to implement these method.

Edit: I just read that paper. Yes its implementable but too much overhead.

lol so that’s why RMT gold sellers use humans instead of bots to farm right?

What overhead? If you trained a multidimensional SVM or multilayered neural net implementation in terms of speed is negligible. Sure training takes time but once such things are trained up deployment requires minimal overhead. How do you think Google does recaptcha with mouse movements for so many users? It takes way less overhead than you think.

Edit: also detection and decision making does not have to be in real time. They already collect input info about keystrokes and other aspects of user interactions on the server side, no reason why you couldn’t sample leisurely and make make decisions down the line. You could have ban waves every few days.

Online game accept way more input than your example… Just the net overhead by sending out the keystrokes of every user is not negligible (unless when this game is dead and there is much lesser player).

Also, as I said, the system you are proposing is most likely out of IMC’s capability if they are not able to optimize the network connection or fix some of the current reported bug (which is relatively simple compared to what you proposed, even if a predefined function already exist).

Luckily, due to how ToS is designed, there is a simple way to counter lower level bots. They just have to detect the players that’s grinding in a map for an extensive time, and determine manually whether they are bot or not.

Edit: Also, I wouldn’t recommend you to dwell too much on that paper. It’s not a well recognized paper, just look at the citation number.

Um… they don’t have to be watching actions 24/7 also you act like you’ve never heard of subsampling data.

For a human observer (gm)how long would it take to categorize a bot? 30 seconds or more do you think? How many bots out there do you think there will be once f2p opens up?

How will you be assured that enough players will meet a bot to report it?

These are all problems with a manual centric method.

The paper was merely an example of concept. If you want a more highly cited paper I’m sure there is one.

That’s still a big amount of data even if you subsample it. If you are doing subsampling it by client side you will have the problem of the bot user playing around it (it’s definitely not out of bot’s creator capability. I wouldn’t be surprised if the bot’s creator is more skilled than the game dev in this matter, because game dev is more specialized in game design, and bot’s creator is specialized in avoiding detection).

I do agree there should be a way to categorize a bot to reduce workload, but you can’t really do any processing client side.

I’m quoting some game dev I knew (ya I know every game dev is different) on these bot/hack countering matter, “You wouldn’t expect me to be a game dev if I actually knew how to counter the bot/hack efficiently. I will be working at a security company tackling the real world problem with much higher pay.”

Your proposed method does work with proper implementation. Can IMC implement it properly? I don’t think so, considering how buggy the current client is developed by the same IMC. That’s why I think another easier but subpar solution (that won’t actually fk with the game if IMC failed at implementing it) should be used by IMC.

Edit: I will be assuming that you are at least graduate level if you are regularly reading this type of papers. You do know that hiring a graduate level is usually expensive and IMC probably couldn’t afford it. Though, you shouldn’t assume those who are under your education level to easily do what you could do. I learnt that the hard way.

Client still sends a significant amount of data to server (character positions, skills used, skills use latency, typical skills used, character prior movement trajectories, chat habits, log on time habits). These are all parameters which can be subsampled serverside which can be sent to a decision server which decides whether the recieved parameters is from a bot or not. So no need for clientside collection of any additional anything unless there were a desire for it… this process could even be triggered by a human report of bottling activity if overhead is truly that serious of a problem.

Yeah, you are right. The problem remain in whether IMC can actually, or willing to learn these. Which I doubt the answer is no.

Well it’s here if they are interested and capable enough.

This would definitely be favorable and I hope that something like this happens. Although tbh I’m confused why, after years, it still isn’t something we have in ToS despite being an effective first-step in countless games before ours.

1 Like

I’ve had @Gwenyth explain to me that in korea game accounts are linked to your SSN. So they have much tighter control and identification of players there. So game companies over there don’t put as much effort into anti-botting because they don’t need to…

This bodes not so well for my proposal… but I still hope…

This would take a professional to implement correctly - I rather doubt they (or most companies running and MMO) have someone capable of implementing a automated detection system so sophisticated.

Do I think it would work, though? Ohhhh yes. This kind of information war is the future.

At the very least they could start making better anti-spam filters by teaching a classifier to identify strings that resemble website references… or strings that solicit RMT activities… that I argue you could give a CS undergrad to chew on and they could produce something…

Heck if I have some time tonight I could probably prototype a quick python classifier function to do just that…

Too bad we don’t speak and write Korean, huh. We’d be their employees of the month for years running.

(Or maybe you do! I wouldn’t know.)

I wonder what @pappus thinks about the effectiveness of this kind of idea against bots…
from an ex-RMT perspective…

It’s looking unlikely that imc has the desire or capabilities to implement something like this. But if some future game implemented a similar system, how effective would it be against RMT operations?