Feature #1021

Add real time player behavior analysis

Added by Spyhawk about 3 years ago. Updated about 1 month ago.

Status: New

Target version: 2.77


I have trouble calling this an "anticheat" since it’s radically different from traditional anticheat, so let’s say this feature is about an "automated monitoring of players behavior" using Machine Learning techniques.
The necessary framework exists already and minimal work is required to implement its interface in ETL code. The core feature itself is/will be implemented in Python, leveraging the power of the scikit-learn library.

This is the perfect companion of the server side anti-wallhack feature (by Laszlo) that we already implemented.

From the forums:

I worked on an opensource anticheat architecture, completely server-sided (so that cheaters can’t avoid it), based on behavior analysis automated by machine learning.

There are several research papers about automated behavior analysis to detect cheaters, it works well. My architecture goes beyond simply doing behavior analysis by providing a full architecture to produce the necessary behavior data from servers automatically, then ease the analysis (using any algorithm you want), the sharing of behavior analysis parameters (so that server administrators can share the parameters or even the behaviors databases in order to construct big datasets to get better parameters) and finally allows for ban/kick/demo recording/any rcon command as a final measure.

The whole project is here, made for OpenArena, but easily translatable to any ioq3 based game:

That being said, I stopped the project because of a lack of time, but it fully works. The only downfall is that the algorithms I used are not efficient enough. I plan to add support for scikit-learn, leveraging the big library of machine learning algorithms scikit-learn offers. Also, better behavior features could provide better results, such as a better reaction time estimator and a crosshair estimator (is the crosshair aiming at a player’s head? for how long? etc.).

This approach was implemented by the mod ExcessivePlus (along with an enhanced antiwallhack but stemming from the same Laszlo patch). If anybody is interested in reviving this project, I can supervise the effort and provide the update to support scikit-learn.

To clarify what the goal of such a system is: with behavior analysis, you analyze what "normal" player behavior (non-cheaters) looks like, and from that you can detect "anomalous" behaviors (cheaters). This has the big advantage that you just need to get data from normal players, which is readily available. It will also be robust enough to detect new cheats (because we don’t model the cheats anyway but the non-cheat).

In the end, cheats can still work, but only if they do not display "anomalous" behavior, such as a too high precision or unnatural human movements or reaction time. So in the end, such cheats are not a threat anymore, since they do not give a "supernatural" power, because they simply are not allowed to trespass the "natural ability" threshold.

Of course that’s in theory, and in practice there will be several false positives. But the goal of the system is NOT to auto-ban or auto-kick (even if it is possible), but rather to autodetect suspicious behavior, and launch an autorecord of them, for later review by the server administrator. This would also be the most efficient, as delaying the punishment will reduce the clues cheaters can have (indeed if they get kicked instantly, they can iteratively refine their cheats, whereas if the punishment is delayed, they can’t know what version of their cheat did that).

I’m convinced this is the best approach for an opensource anticheating system, as it will leverage the collaborative nature of opensource, because:
1. you can share datasets and parameters; everything is anonymized (the ids are not necessary for the behavior analysis).
2. having the database/parameters does not provide the program (since it is learnt by a machine), and even if learnt, it cannot be bypassed (since everything is analyzed server-side). This is why this approach is also being investigated by AAA studios currently such as Battlefields.

I’m personally familiar with ML and scikit-learn, and seeing that the existing framework does all the nitty-gritty already, most of the effort could be spent on doing the relevant ML work.
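
The workflow described above (model only normal players, score live players against that model, queue a recording for later admin review instead of kicking), as an added example that is not code from ETL or from the forum author's framework. It substitutes a standard-library median/MAD score for a scikit-learn estimator; the two features, the sample values, the threshold and the slot numbers are constructed assumptions.

```python
import statistics

# Constructed rows from known-good sessions, not real game data:
# (hit accuracy 0..1, median reaction time in ms).
NORMAL_SESSIONS = [
    (0.22, 310), (0.28, 285), (0.31, 270), (0.25, 330), (0.35, 255),
    (0.19, 350), (0.30, 290), (0.27, 300), (0.33, 265), (0.24, 320),
]
# Only the "better than human" side is suspicious: higher accuracy,
# lower reaction time. A weak player must never be flagged.
SUSPICIOUS_SIDE = (+1, -1)


def fit_baseline(rows):
    """Learn a per-feature median and MAD from non-cheater data only."""
    baseline = []
    for column in zip(*rows):
        med = statistics.median(column)
        mad = statistics.median(abs(v - med) for v in column)
        baseline.append((med, mad or 1e-9))  # avoid division by zero
    return baseline


def anomaly_score(baseline, row):
    """Largest one-sided robust z-score (0.6745 scales MAD to sigma)."""
    return max(
        0.6745 * side * (value - med) / mad
        for value, (med, mad), side in zip(row, baseline, SUSPICIOUS_SIDE)
    )


def review_queue(baseline, live, threshold=3.5):
    """Slots to record for later admin review. Nothing is kicked or banned,
    so a flagged player gets no immediate feedback from the server."""
    scored = [(slot, round(anomaly_score(baseline, row), 2))
              for slot, row in live.items()]
    return sorted((s for s in scored if s[1] > threshold),
                  key=lambda s: -s[1])


BASELINE = fit_baseline(NORMAL_SESSIONS)
# Constructed live snapshot keyed by anonymous client slot.
LIVE = {3: (0.29, 280), 5: (0.05, 600), 7: (0.71, 120), 9: (0.34, 150)}

if __name__ == "__main__":
    for slot, score in review_queue(BASELINE, LIVE):
        print(f"slot {slot}: score {score} -> start demo recording")
```

Slot 9 is flagged on reaction time alone although its accuracy is ordinary, which is the kind of false-positive candidate the delayed review step is meant to absorb.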


#1 Updated by Spyhawk about 1 month ago

  • Target version changed from 2.78 to 2.77
