Game BOTs (and economic scale of their black money) Huy Kang Kim (HK Kim) Graduate school of information security, Korea university cenda@korea.ac.kr
About me u H.K. Kim u Head of Information Security dept., NCSOFT (May 2004-Feb 2010) u Associate Professor, Graduate School of Information Security, Korea Unive rsity (from Mar 2010) u Research Interest u Online Game Security u International Conferences: NDSS 2016, WWW (2014, 2017), VizSec (2017), ACM NetGames (2013, 2014, 2015, 2017) u International Journals: IEEE Trans. On Information Forensics and Security (2017), Computer & Security (2016), Digital Investigation (2015) u http://ocslab.hksecurity.net/Dataset/ (Dataset)
I. Introduction Online game security - It is an endless battle against game bots and gold-farmers.
Online gaming u Online game is one of the most successful internet service as well as w orld wide web (WWW). u Over 59% of Americans play games u Average age of the gamer is 31
Human behavior observation platform u Online game is the best platform to observe human behaviors. u At the server side, various action logs are stored. u Friendship-oriented behavior – chatting, gifting u Take-oriented behavior - collaborative play (party-play or guild-play) u Economy – farming, producing, trading u Conflicts – player vs player combat, guild vs guild combat
Online Game Security – Threats u Cybercrime in online games u Account theft, reverse engineering for making game BOTs, and the other types of attacks are well-known. Account System/ne theft twork/DB Game BOT Malware hacking for Pirate account Gold- (private) theft DDoS farming server Real attack workshop money trade 6
2. Bots and GFGs The word ‘Bot’ is coming from the word ‘Robot’. Bot is an fully automated agent program to play a game instead of human player. GFG is an acronym for ‘gold-farming group’. In this case, ‘Gold’ means ‘virtual money used in game’.
Cheating (HACK), BOT u In FPS
Cheating (HACK), BOT u In MMORPG
I. Introduction > Seeing is Believing Cheating (HACK), BOT u In League of Legend (AOS genre) u This cheating tool gives the opponent player’s information (attack range, character status, attack’s ballistics, etc.) and collects item automatically. 10
Cheating (HACK), BOT u In Mobile Game (Puzzle genre) u Game bot plays automatically without human’s control. u Besides, game bot plays better than human! u Only thing needs to do is detonating the bomb when he wants (to maximize the damage). 11
Game Bot u Game bot u Automated program that plays the game on behalf of human players (without any human’s control) u Play without break, accumulate money and items much faster than normal human players (human player’s average play time is under 2 hours per day.) u Evils of game bots u Destroy the game world by rapidly depleting in-game contents and resources u Bots make human to feel deprived u Let human players lose interest in gaming u Cause imbalance of supply and demand, then do harm in-game economy
Gold Farming Group (GFG) u GFG is an industrialized game sweatshop (or game workshop) to gain cy ber money u Old type u They hire many low-cost workers to play a game u They collect cyber money, then exchange the cyber money into real money. u New type u They run lots of game bot programs and operations are fully automated.
Gold Farming Group (GFG) Old-type, labor-intensive type recent-type, fully automated, very cost-effective 14
Mobile Game GFG – running 20 game instances in a PC
BOTs and GFG – how to survive http://www.thisisgame.com/board/view.php?id=282968&board=&category=106&subcategory=2&page=1&bes u t=&searchmode=&search=&orderby=&token In this gold-farming GM tries to chat Then BOT respond to with suspected workshop GM with pre-configured conversation character Are Hi If GM keeps on Sir? you sending messages... there. there? And bot calls Then human-in- Thank charge respond to you for human-in charge.. your GM and pass the test. cooper ation, I’m not a bot player. 16
Game BOT & Gold-Farming u This is a serious business. Bot can recognize other bot-maker’s bot program! To increase market share, some bot programs can kill other competitors’ bots. u It’s Real ‘Robot-war’ Lots of bot- Every bot has its own Some bots can recognize the other competitor’s bots. makers nowadays pattern. Then, they kill other bot-maker’s Help me! Adios… bot.
Is it really dangerous? Is it real? u http://english.donga.com/srv/service.php3?biid=201108059040 8, Donga Daily News, 8 th Oct 2011 u Top NK hackers infiltrate S.Korean online game companies North Korean computer experts hired by a South Korean crime rings are earning dollars by u hacking South Korean online game sites, police in Seoul said Thursday. This is the first time for North Korean hackers to be caught making money by hacking South u Korean Web sites, though they have attacked computer systems of South Korean government agencies and financial institutions. Seoul police are expanding their investigation under the judgment that the North has instituted u policies to foster computer experts to use them in cyber terrorism. The international crime investigation division of the Seoul Metropolitan Police Agency indicted u Thursday six people for the production and distribution of an illegal program dubbed “auto program,” which collects popular online game items in South Korea. Nine people were also indicted without detention on the same charge and two were put on a wanted list.
III. Economic Scale Analysis
price ▶ BOT makers seems like global SW company. They operate customer call-center, also they have traveling sales persons for supporting net-café . – They strictly check the license of BOT (monthly-base). – Only genuine BOT users can get customer support. – Game BOT maker price 비고 - 27$/month (more than 10 copy) Lineage Pashin-bot 30$/month - 25$/month (more than 30 copy) - 23$/month (more than 50 copy) Lineage II Apple-bot 10$/month - 9.5$ (more than 10 copy) AION Hanbok-bot 20$/month -12$ (more than 10 copy)
GFGs and their trading network u Game BOTs and gold-farmers form a criminal-network. Gold-farmers Banker (proxy) Buyer • Located in developing countries • Bridging gold-farmer • Paying money for Working in gold-farming • s and buyers raising their chara workshop Trading cyber assets cters’ level easily • • using game BOT program, someti and real money me they try to penetrate game sy stem directly
Countermeasure example – GFG detection u Whole trade network (1 sample server among 20 servers, in Aion game by NCSoft) # of characters 29,612 # of transaction 101,101 Mean # of trade per 3.41 char. 2010-4-9 ~ duration 2010-5-8
Countermeasure example – GFG detection u Define suspicious money transaction - free-money trading u If someone continuously (and regularly) transfer his possessions unidirectional way à It’s suspicious. u Also, he transfer almost 90% of his possession for free à It’s suspicious. u Hint for revealing “Gold-farmers è banker (proxy) è buyers” transaction. 23
Countermeasure example – GFG detection u Revealing free gift network Average Degree: 2.1699765107836857 Diameter: 7 Radius: 0 Average Path length: 2.452541238533916 Number of shortest paths: 25401 Weakly Connected Components: 934 Strongly Connected Components: 4301 Number of Communities: 127400 24
Countermeasure example – GFG detection u Filtering by Displaying long chain of networks composed of more than 4-tiers Nodes 2076 Edges 2856 Average Degree 2.751445 Average In Degree 1.375723 Average Out Degree 1.375723 Diameter 7 Radius 0 Average Path length 2.55501 Number of shortest paths 20978 Number of Communities 144 Weakly Connected Components 2 Strongly Connected Components 2062
Countermeasure example – GFG detection Nodes 519 Edges 416 Average Degree 1.603083 Average In Degree 0.801541 Average Out Degree 0.801541 Diameter 3 529,100,000 (9 transactions) Radius 0 Average Path length 1.141667 Number of shortest paths 480 Modularity 0.862243 Number of Communities 168 Weakly Connected Components 127 Strongly Connected Components 511 Total economy size - 48,615,053,115 Banker account – level 1, possesses 1,141,300,000 cyber money From 19 characters (totally 119 transactions)
IP-Account Combination analysis ▶ We also checked their IP address (From suspicious connection by using VPN, or coming from some countries. ) extracted Extract blacklist IP address Trace industrialized GFGs refining Gold Farming Network And related accounts 2,811 characters 555 characters 951,065 accounts 7,978 characters (475 accounts) (75,850 IP)
Server side BOT detection – rule-based ▶ Generated detection rule (example) • Free trade Ratio >=0.8 • Merchant(Agent) trade= 0 • # of free trade(take or give Item&GameMoney without reward)>16 • # of transactions/month >=20 • Amount of Money >=5,000,000 • Level>=10 • Indegree == 0, OutDegree > 0, Free trade Ratio == 1, level=50 28
Useful features u BOT vs Human Example of useful features to distinguish human player from bot players
Features selection u Example of different patterns between human and bots (a) Number of Login (b) Total play time(hours) (c) Number of item collection
Recommend
More recommend
