[PPT] - Game BOTs (and economic scale of their black money) Huy Kang Kim PowerPoint Presentation

SLIDE 1

Game BOTs (and economic scale of their black money)

Huy Kang Kim (HK Kim) Graduate school of information security, Korea university cenda@korea.ac.kr

SLIDE 2

About me

u H.K. Kim

u Head of Information Security dept., NCSOFT (May 2004-Feb 2010) u Associate Professor, Graduate School of Information Security, Korea Unive

rsity (from Mar 2010)

u Research Interest u Online Game Security

u International Conferences: NDSS 2016, WWW (2014, 2017), VizSec

(2017), ACM NetGames (2013, 2014, 2015, 2017)

u International Journals: IEEE Trans. On Information Forensics and

Security (2017), Computer & Security (2016), Digital Investigation (2015)

u http://ocslab.hksecurity.net/Dataset/ (Dataset)

SLIDE 3

I. Introduction

Online game security

It is an endless battle against game bots and gold-farmers.

SLIDE 4

Online gaming

u Online game is one of the most successful internet service as well as w

rld wide web (WWW).

u Over 59% of Americans play games u Average age of the gamer is 31

SLIDE 5

Human behavior observation platform

u Online game is the best platform to

bserve human behaviors.

u At the server side, various action logs are

stored.

u Friendship-oriented behavior – chatting,

gifting

u Take-oriented behavior - collaborative play

(party-play or guild-play)

u Economy – farming, producing, trading u Conflicts – player vs player combat, guild vs

guild combat

SLIDE 6

u Cybercrime in online games

u Account theft, reverse engineering for making game BOTs, and the other

types of attacks are well-known.

Online Game Security – Threats

6

Game BOT Gold- farming workshop Account theft Real money trade Malware for account theft System/ne twork/DB hacking DDoS attack Pirate (private) server

SLIDE 7

2. Bots and GFGs

The word ‘Bot’ is coming from the word ‘Robot’. Bot is an fully automated agent program to play a game instead of human player. GFG is an acronym for ‘gold-farming group’. In this case, ‘Gold’ means ‘virtual money used in game’.

SLIDE 8

Cheating (HACK), BOT

u In FPS

SLIDE 9

Cheating (HACK), BOT

u In MMORPG

SLIDE 10

u In League of Legend (AOS genre)

u This cheating tool gives the opponent player’s information (attack range, character

status, attack’s ballistics, etc.) and collects item automatically.

Cheating (HACK), BOT

10

I. Introduction > Seeing is Believing

SLIDE 11

u In Mobile Game (Puzzle genre)

u Game bot plays automatically without

human’s control.

u Besides, game bot plays better than

human!

u Only thing needs to do is detonating the

bomb when he wants (to maximize the damage).

Cheating (HACK), BOT

11

SLIDE 12

Game Bot

u Game bot

u Automated program that plays the game on behalf of human players (without

any human’s control)

u Play without break, accumulate money and items much faster than normal

human players (human player’s average play time is under 2 hours per day.)

u Evils of game bots

u Destroy the game world by rapidly depleting in-game contents and resources

u Bots make human to feel deprived u Let human players lose interest in gaming u Cause imbalance of supply and demand, then do harm in-game economy

SLIDE 13

Gold Farming Group (GFG)

u GFG is an industrialized game sweatshop (or game workshop) to gain cy

ber money

u Old type

u They hire many low-cost workers to play a game u They collect cyber money, then exchange the cyber money into real money.

u New type

u They run lots of game bot programs and operations are fully automated.

SLIDE 14

Gold Farming Group (GFG)

14

Old-type, labor-intensive type recent-type, fully automated, very cost-effective

SLIDE 15

Mobile Game GFG – running 20 game instances in a PC

SLIDE 16

BOTs and GFG – how to survive

16

u

http://www.thisisgame.com/board/view.php?id=282968&board=&category=106&subcategory=2&page=1&bes t=&searchmode=&search=&orderby=&token

In this gold-farming workshop

GM tries to chat with suspected character

Then BOT respond to GM with pre-configured conversation

Hi there.

Sir?

Are you there?

And bot calls human-in charge..

Then human-in- charge respond to GM and pass the test. I’m not a bot player.

Thank you for your cooper ation, If GM keeps on sending messages...

SLIDE 17

Then, they kill other bot-maker’s bot. Help me! Adios…

Game BOT & Gold-Farming

u This is a serious business. Bot can recognize other bot-maker’s bot program! To

increase market share, some bot programs can kill other competitors’ bots.

u It’s Real ‘Robot-war’ Lots of bot- makers nowadays Every bot has its own pattern. Some bots can recognize the other competitor’s bots.

SLIDE 18

u http://english.donga.com/srv/service.php3?biid=201108059040

8, Donga Daily News, 8th Oct 2011

u Top NK hackers infiltrate S.Korean online game companies

u

North Korean computer experts hired by a South Korean crime rings are earning dollars by hacking South Korean online game sites, police in Seoul said Thursday.

u

This is the first time for North Korean hackers to be caught making money by hacking South Korean Web sites, though they have attacked computer systems of South Korean government agencies and financial institutions.

u

Seoul police are expanding their investigation under the judgment that the North has instituted policies to foster computer experts to use them in cyber terrorism.

u

The international crime investigation division of the Seoul Metropolitan Police Agency indicted Thursday six people for the production and distribution of an illegal program dubbed “auto program,” which collects popular online game items in South Korea. Nine people were also indicted without detention on the same charge and two were put on a wanted list.

Is it really dangerous? Is it real?

SLIDE 19

III. Economic Scale Analysis

SLIDE 20

price

▶ BOT makers seems like global SW company.

–

They operate customer call-center, also they have traveling sales persons for supporting net-café .

–

They strictly check the license of BOT (monthly-base).

–

Only genuine BOT users can get customer support.

Game BOT maker price 비고

Lineage Pashin-bot 30$/month

27$/month (more than 10 copy)
25$/month (more than 30 copy)
23$/month (more than 50 copy)

Lineage II Apple-bot 10$/month

9.5$ (more than 10 copy)

AION Hanbok-bot 20$/month

12$ (more than 10 copy)

SLIDE 21

u Game BOTs and gold-farmers form a criminal-network.

GFGs and their trading network

Gold-farmers

Located in developing countries
Working in gold-farming

workshop

using game BOT program, someti

me they try to penetrate game sy stem directly

Banker (proxy)

Bridging gold-farmer

s and buyers

Trading cyber assets

and real money

Buyer

Paying money for

raising their chara cters’ level easily

SLIDE 22

u Whole trade network (1 sample server among 20 servers, in Aion game by

NCSoft)

Countermeasure example – GFG detection

# of characters 29,612 # of transaction 101,101 Mean # of trade per char. 3.41 duration 2010-4-9 ~ 2010-5-8

SLIDE 23

u Define suspicious money transaction - free-money trading

u If someone continuously (and regularly) transfer his possessions unidirectional

way à It’s suspicious.

u Also, he transfer almost 90% of his possession for free à It’s suspicious. u Hint for revealing “Gold-farmers è banker (proxy) è buyers” transaction.

Countermeasure example – GFG detection

23

SLIDE 24

Countermeasure example – GFG detection

u Revealing free gift network

Average Degree: 2.1699765107836857 Diameter: 7 Radius: 0 Average Path length: 2.452541238533916 Number of shortest paths: 25401 Weakly Connected Components: 934 Strongly Connected Components: 4301 Number of Communities: 127400

24

SLIDE 25

u Filtering by Displaying long chain of networks composed of more than 4-tiers

Countermeasure example – GFG detection

Nodes 2076 Edges 2856 Average Degree 2.751445 Average In Degree 1.375723 Average Out Degree 1.375723 Diameter 7 Radius Average Path length 2.55501 Number of shortest paths 20978 Number of Communities 144 Weakly Connected Components 2 Strongly Connected Components 2062

SLIDE 26

Countermeasure example – GFG detection

Nodes 519 Edges 416 Average Degree 1.603083 Average In Degree 0.801541 Average Out Degree 0.801541 Diameter 3 Radius Average Path length 1.141667 Number of shortest paths 480 Modularity 0.862243 Number of Communities 168 Weakly Connected Components 127 Strongly Connected Components 511

Banker account – level 1, possesses 1,141,300,000 cyber money From 19 characters (totally 119 transactions)

Total economy size - 48,615,053,115 529,100,000 (9 transactions)

SLIDE 27

IP-Account Combination analysis

▶ We also checked their IP address (From suspicious connection by using VPN, or coming from

some countries. )

extracted Gold Farming Network Extract blacklist IP address And related accounts Trace industrialized GFGs refining

951,065 accounts (75,850 IP) 7,978 characters 2,811 characters 555 characters (475 accounts)

SLIDE 28

Server side BOT detection – rule-based

▶ Generated detection rule (example)

Free trade Ratio >=0.8
Merchant(Agent) trade= 0
# of free trade(take or give Item&GameMoney without

reward)>16

# of transactions/month >=20
Amount of Money >=5,000,000
Level>=10
Indegree == 0, OutDegree > 0, Free trade Ratio == 1,

level=50

28

SLIDE 29

Useful features

u BOT vs Human

Example of useful features to distinguish human player from bot players

SLIDE 30

Features selection

u Example of different patterns between human and bots

(a) Number of Login (b) Total play time(hours) (c) Number of item collection

SLIDE 31

Features selection

u Party-play time (duration)

u 80% of human players can continue party-play with other friends less

than 2hr 20mins.

u 80% of bot players can continue more than 4 hrs.

u Entropy of social actions (chatting, messaging, mailing, selling,

guild play, …)

u Game bots rarely show social behaviors (they only talk with BOTs in the

same GFGs)

SLIDE 32

Meaningful Economic Characteristic

u Money statistics by GFS member’s role u Gained Money

Large GFG can earn money $107,400 per month, per server (120,000,000 KRW) without paying any tax!!! To estimate correctly, we must do some math. $107,400 x 20 servers for AION game x 4 countries = $8,592,000

SLIDE 33

It’s real world problem

Lineage GFG arrest case

They earned about 90,000 USD per

month

They illegally gained 1,500,000,000 KRW

(about 1,300,000 USD in total)

They have 120 PCs to run BOT programs.

SLIDE 34

Summary

u There are many security issues in online gaming service. u Game service providers continuously make an effort to detect bot

users and GFGs.

u Online game security is emerging research field. Many server-side

detection techniques are developing.

SLIDE 35

References

u Lee, Eunjo, et al. "You are a game bot!: uncovering game bots in MMORPGs via

self-similarity in the wild." NDSS, 2016.

u Kang, Ah Reum, et al. "Online game bot detection based on party-play log anal

ysis." Computers & Mathematics with Applications 65.9 (2013): 1384-1395.

u Kwon, Hyukmin, et al. "Crime scene reconstruction: Online gold farming

network analysis." IEEE Transactions on Information Forensics and Security 12.3 (2017): 544-556.

u Kim, Hana, Seongil Yang, and Huy Kang Kim. "Crime Scene Re-investigation: A

Postmortem Analysis of Game Account Stealers' Behaviors." ACM NetGames (2017)

u Woo, Kyungmoon, et al. "What can free money tell us on the virtual black

market?." ACM SIGCOMM Computer Communication Review 41.4 (2011): 392- 393.

SLIDE 36

Q & A

cenda@korea.ac.kr