Jump to content

How Would You Detect Bots?


Alphanos

Recommended Posts

I see a lot of posts where people talk about how Jagex's bot-detecting algorithms are poor, and need improvement. I think people don't realize how inherently difficult this is.

 

One of the most important principles of computer software is that in order to write an algorithm instructing the computer how to do something, you must first be able to clearly understand how a person could perform the same task (although probably slower). For example, if you want a computer to be able to sort numbers, you must be able to sort numbers yourself first. Then you can translate the human method of performing the task into computer terms, and potentially optimize it from there.

 

So the focus of the thread is this: what methods or techniques would you, as a person, use to detect bots? If we actually can think of methods meeting certain criteria, I'm sure Jagex would be interested.

 

Your method must meet the following requirements:

 

1) The method must never indicate that a human player is a bot. Even players with strong language barriers, those who are AFK, or those who are frankly really stupid. In other words, no false positives.

 

2) The method must be an unavoidable barrier for bot-writers. In other words, a software developer writing a bot must be able to read and completely understand your described method, but be unable to write software which can pass your test. No details of how the method works can be hidden from the opposition - this is due to the nature of the Runescape Java client. The method may detect only specific types of bots, but should catch as many bots in that scenario as possible. For example, a method which only catches one currently-existing chin-hunting bot, but which is obviously avoided by other chin-hunting bots, is not suitable.

 

3) The method must not involve any extensive creation or deletion of in-game wealth.

 

The following additional goals should be met if at all possible:

 

1) Methods which kill players should be avoided.

 

2) Methods which unduly annoy players, such as long delays, taking their items and banking them or placing them a short distance away, etc, should be avoided.

 

If other requirements that I have missed arise in discussion, I reserve the right to amend the above rules to account for things I didn't think of while writing this.

 

This thread differs from the other thread about catching bots in the following way: rather than focusing on methods players can use to probably catch some bots some of the time, the goal here is to come up with permanent, unbreakable bot-detecting rules that Jagex could potentially use to solve the problem on a wide scale. If we really want them to improve their algorithms, let's see what we can come up with.

Alphanos

Alphanos.png

Link to comment
Share on other sites

  • Replies 226
  • Created
  • Last Reply

Top Posters In This Topic

Mouse click pattern, timing

sigcopyaf.png

Ever wanted to find street prices of RS items? Check out the SPOLI Index

 

Nex Drops: Pernix Cowl, Pernix Chaps, Torva Helm, Torva Platebody, Zaryte Bow, Pernix Chaps, Virtus Robe Legs, Virtus Robe Top, Torva Platelegs, Zaryte Bow, Pernix Chaps, Virtus Robe Legs, Zaryte Bow, Virtus Mask, Torva Legs, Virtus Robe Legs, Virtus Robe Top, Virtus Robe Top, Zaryte Bow, Virtus Robe Legs, Virtus Robe Top, Virtus Robe Top, Torva Platelegs, Zaryte Bow, Pernix Body, Torva Platelegs, Torva Platelegs, Virtus Robe Top

Link to comment
Share on other sites

Mouse click pattern, timing

 

This is one of the most commonly suggested methods; the trouble is that it only works against poorly-written bots. It would be fairly easy to add some randomness into a bot's click patterns using a random number generator so that i.e. it clicks different parts of its target, pauses for different numbers of ticks, and even misclicks some of the time.

Alphanos

Alphanos.png

Link to comment
Share on other sites

All right, let me screw things for botters everywhere.

 

Most scripts use a pre-defined ID programmed into the game to take action. e.g. attack monster 3435, eat food 5325, mine type rock 4323 or whatever. Just subtly shift one of the IDs every now and then. Flag players who never touch the objects with changed IDs and ban them eventually.

Link to comment
Share on other sites

All right, let me screw things for botters everywhere.

 

Most scripts use a pre-defined ID programmed into the game to take action. e.g. attack monster 3435, eat food 5325, mine type rock 4323 or whatever. Just subtly shift one of the IDs every now and then. Flag players who never touch the objects with changed IDs and ban them eventually.

They already change id's
Link to comment
Share on other sites

you would have to have an extensive knowledge of the bot your trying to trip up to make it anywhere, but as far as i know most bot scrips rely on colors to work or changing the order of how options appear such as when people had sat in the wild with a maker plant over the zammorak mage causing the bot to miss the mage.

Iron_Pyrite.png

Link to comment
Share on other sites

Best idea I've ever heard was to have random resource spawns, such as yews growing randomly in a set area or coal randomly appearing throughout the mine.

 

Interesting; could you please elaborate as to how this would be used to distinguish bots from live players?

 

Random events would be fine too, if jagex cycled them every few weeks.

 

As with the current set of random events, the bot writers would simply solve all of the new ones - unless we can brainstorm ideas that can be solved by people, but not computers.

 

Adding a new random events every few weeks could do a lot of good, so long as it's possible to prevent bots from detecting that they are in an unexpected location, which could cause them to just logout until the bot is updated.

 

you would have to have an extensive knowledge of the bot your trying to trip up to make it anywhere, but as far as i know most bot scrips rely on colors to work or changing the order of how options appear such as when people had sat in the wild with a maker plant over the zammorak mage causing the bot to miss the mage.

 

These types of changes can catch bots for a short period of time, but what we're ideally seeking is a change that couldn't be coded around, so that it would permanently detect bots. Jagex has apparently already decided that changes which only catch some bots for short time periods aren't worth the man-hours invested in writing the change.

Alphanos

Alphanos.png

Link to comment
Share on other sites

Best idea I've ever heard was to have random resource spawns, such as yews growing randomly in a set area or coal randomly appearing throughout the mine.

 

Interesting; could you please elaborate as to how this would be used to distinguish bots from live players?

 

Random events would be fine too, if jagex cycled them every few weeks.

 

As with the current set of random events, the bot writers would simply solve all of the new ones - unless we can brainstorm ideas that can be solved by people, but not computers.

 

Adding a new random events every few weeks could do a lot of good, so long as it's possible to prevent bots from detecting that they are in an unexpected location, which could cause them to just logout until the bot is updated.

 

you would have to have an extensive knowledge of the bot your trying to trip up to make it anywhere, but as far as i know most bot scrips rely on colors to work or changing the order of how options appear such as when people had sat in the wild with a maker plant over the zammorak mage causing the bot to miss the mage.

 

These types of changes can catch bots for a short period of time, but what we're ideally seeking is a change that couldn't be coded around, so that it would permanently detect bots. Jagex has apparently already decided that changes which only catch some bots for short time periods aren't worth the man-hours invested in writing the change.

 

It would depend on the bot script, I know back in the day old bots used to have an order of predetermined clicks they'd cycle through, although I know new bots look for and detect the item.

 

I don't play much anymore, and am not up with how the new bots work.

 

I guess the only fool-proof method would be to have a game client that prevented other programs from running while the client is running. This would ruin the game for most people though.

Link to comment
Share on other sites

All right, let me screw things for botters everywhere.

 

Most scripts use a pre-defined ID programmed into the game to take action. e.g. attack monster 3435, eat food 5325, mine type rock 4323 or whatever. Just subtly shift one of the IDs every now and then. Flag players who never touch the objects with changed IDs and ban them eventually.

They already change id's

 

I only have a general idea of this ID-based system. Can anyone explain in more detail how it works, how the bots use it, and what Jagex changes?

Alphanos

Alphanos.png

Link to comment
Share on other sites

All right, let me screw things for botters everywhere.

 

Most scripts use a pre-defined ID programmed into the game to take action. e.g. attack monster 3435, eat food 5325, mine type rock 4323 or whatever. Just subtly shift one of the IDs every now and then. Flag players who never touch the objects with changed IDs and ban them eventually.

They already change id's

 

I only have a general idea of this ID-based system. Can anyone explain in more detail how it works, how the bots use it, and what Jagex changes?

Basically they obfuscate the client after some updates
Link to comment
Share on other sites

Even if I was einstein and could come up with a genius way to detect bots, I wouldn't post it here - as it would give cheaters all the information they need as to how they could circumvent the system.

2vuhgcn.png
Link to comment
Share on other sites

Even if I was einstein and could come up with a genius way to detect bots, I wouldn't post it here - as it would give cheaters all the information they need as to how they could circumvent the system.

 

The point is, due to the way Runescape's Java-based client works, any bot detection methods implemented in the Runescape code are provided in full to bot-writers just by logging on. In order for any bot-detection method to work better than the existing randoms, it has to be a method that you could describe in exquisite detail to a bot-writer, yet they would be unable to solve.

 

If anyone wants to come up with a server-only bot detection method, one that would not be downloaded by players as part of the client code, it would need to perform its detection entirely based upon player action messages sent to the server - no new displays, prompts, or anything the player would ever see or interact with could be different.

Alphanos

Alphanos.png

Link to comment
Share on other sites

Best idea I've ever heard was to have random resource spawns, such as yews growing randomly in a set area or coal randomly appearing throughout the mine.

 

Interesting; could you please elaborate as to how this would be used to distinguish bots from live players?

 

Random events would be fine too, if jagex cycled them every few weeks.

 

As with the current set of random events, the bot writers would simply solve all of the new ones - unless we can brainstorm ideas that can be solved by people, but not computers.

 

Adding a new random events every few weeks could do a lot of good, so long as it's possible to prevent bots from detecting that they are in an unexpected location, which could cause them to just logout until the bot is updated.

 

you would have to have an extensive knowledge of the bot your trying to trip up to make it anywhere, but as far as i know most bot scrips rely on colors to work or changing the order of how options appear such as when people had sat in the wild with a maker plant over the zammorak mage causing the bot to miss the mage.

 

These types of changes can catch bots for a short period of time, but what we're ideally seeking is a change that couldn't be coded around, so that it would permanently detect bots. Jagex has apparently already decided that changes which only catch some bots for short time periods aren't worth the man-hours invested in writing the change.

 

I think - ultimately, this is going to be a unrealizable goal.

 

For starters, it's going to be a bajillion times harder trying to make the game such that there is definitely no way to bypass security or whatever fail safes jagex has set up.

What we should be aiming at should be a way to detecting some of these botters banned/suspended.

 

A.) There are a bunch of mods (the golden crowned) ones running around Jagex.

Often, I see them walk around and there would be bots around but I don't see them actually trying to do anything.

If they took the time, they could actually scout out some especially bot heavy places and try to talk to them. Clearly if it's a place which requires clicking i.e chopping yews, mining, etc - you can just ask them a few questions and see if they respond. If they don't flag them at first, and then try this again in the future (kind of like backtracking and checking up on people who may be "offenders"). If they're caught like this multiple times - they should be banned.

 

B.) There should be some auto banning system - I've seen bots fail and the botter just stand there/try to do somethings over and over. If theres somebody clicking one space or relogging in and out every 10 minutes for a couple of hours - flag their accounts. Then check their accounts for suspicious activity via whatever logs Jagex has.

 

C.) Make sure people can't play 24 hours a day for like multiple days straight. The 6 hour thing was a step towards the right direction but I'm sure it's not hard to program a bot to just relog in after that set amount of time.

Say if somebody plays for 72 hours straight without a break then I think it's pretty safe to assume that they're botting.

capt%20kevin.png
Link to comment
Share on other sites

Even if I was einstein and could come up with a genius way to detect bots, I wouldn't post it here - as it would give cheaters all the information they need as to how they could circumvent the system.

 

^This, also if there is a way to write a program to stop bots - I'm sure with enough diligence - a corresponding program can be written to bypass this.

If there are scripts complex enough to DG (even if it is slow), I'm not sure what else can be invented to stop these programmers.

capt%20kevin.png
Link to comment
Share on other sites

[hide=Quote tree]

Best idea I've ever heard was to have random resource spawns, such as yews growing randomly in a set area or coal randomly appearing throughout the mine.

 

Interesting; could you please elaborate as to how this would be used to distinguish bots from live players?

 

Random events would be fine too, if jagex cycled them every few weeks.

 

As with the current set of random events, the bot writers would simply solve all of the new ones - unless we can brainstorm ideas that can be solved by people, but not computers.

 

Adding a new random events every few weeks could do a lot of good, so long as it's possible to prevent bots from detecting that they are in an unexpected location, which could cause them to just logout until the bot is updated.

 

you would have to have an extensive knowledge of the bot your trying to trip up to make it anywhere, but as far as i know most bot scrips rely on colors to work or changing the order of how options appear such as when people had sat in the wild with a maker plant over the zammorak mage causing the bot to miss the mage.

 

These types of changes can catch bots for a short period of time, but what we're ideally seeking is a change that couldn't be coded around, so that it would permanently detect bots. Jagex has apparently already decided that changes which only catch some bots for short time periods aren't worth the man-hours invested in writing the change.

[/hide]

I think - ultimately, this is going to be a unrealizable goal.

 

For starters, it's going to be a bajillion times harder trying to make the game such that there is definitely no way to bypass security or whatever fail safes jagex has set up.

What we should be aiming at should be a way to detecting some of these botters banned/suspended.

 

A.) There are a bunch of mods (the golden crowned) ones running around Jagex.

Often, I see them walk around and there would be bots around but I don't see them actually trying to do anything.

If they took the time, they could actually scout out some especially bot heavy places and try to talk to them. Clearly if it's a place which requires clicking i.e chopping yews, mining, etc - you can just ask them a few questions and see if they respond. If they don't flag them at first, and then try this again in the future (kind of like backtracking and checking up on people who may be "offenders"). If they're caught like this multiple times - they should be banned.

 

B.) There should be some auto banning system - I've seen bots fail and the botter just stand there/try to do somethings over and over. If theres somebody clicking one space or relogging in and out every 10 minutes for a couple of hours - flag their accounts. Then check their accounts for suspicious activity via whatever logs Jagex has.

 

C.) Make sure people can't play 24 hours a day for like multiple days straight. The 6 hour thing was a step towards the right direction but I'm sure it's not hard to program a bot to just relog in after that set amount of time.

Say if somebody plays for 72 hours straight without a break then I think it's pretty safe to assume that they're botting.

 

A) Unfortunately, Jagex will never be able to field enough manpower to manually track down and eliminate enough bots to make any difference. There are almost certainly tens of thousands of bots running on Runescape at most times. Additionally, you run into situations where legitimate players may not notice even a Jagex mod talking to them. What if that player is cutting yews or LRC mining while watching a movie, and just clicks even few minutes to bank?

 

B) This seems potentially promising. If we can identify specific ways that bots break, this might be able to be expanded into a permanently useful rule system.

 

C) This, unfortunately, will do little good. We know that there are real players who, rightly or wrongly, play 16+ hours a day on a regular basis. The best that could really be accomplished here is to change things so that bots can only run 18 or so hours a day before needing to "sleep", and then continue running for 18+ hours the next day, and the next...

Alphanos

Alphanos.png

Link to comment
Share on other sites

You can catch all the bots at once or some bots all the time but you CAN'T CATCH ALL THE BOTS ALL THE TIME.

 

There is no such thing as full proof anti-cheat system. They can make them better and better but the bots will always catch up to them in few weeks (at max).

Link to comment
Share on other sites

Want to know how to find bots and easily catch them?

 

Invisible Items/Monsters that only bots would see.

 

 

RS runs on Java. Everything is coded with an ID #. Bots work by detecting ID's. Heres the solution:

 

Make a new era of random events where items appear around the person in question that are coded the same as whatever theyre doing but ARENT ACTUALLY THERE.

 

Aka, if the person in question is fighting... green dragons. have 4-5 invisible green dragons with the SAME id's as the regular green dragons appear all around the person, but theyd be unclickable (theyre ghosts basically, you wouldnt be able to see them but a bot would because its gathering java data) Therefore, the person in question would react to this in two different ways:

 

Regular person:

-wouldnt even see the "invisible" things and they continue on their way.

 

Bots:

-Would consider this "invisible" thing to be real and would constantly attempt to click/attack/whatever to it. Therefore proving its a bot.

 

 

 

So yeah, my dad does coding and crap for a living, and he made me take classes on it when I was in Jr High convinced that, "this will help me in the real world". Wasted most of my time that Summer but at least I can do Sites and stuff :) I dont know enough Java though to really get involved in giving better ideas, but thats one Ive always thought was a clever one.

 

 

 

-C14

nashv.png

Pixel Signature Made By Me.

Link to comment
Share on other sites

You can catch all the bots at once or some bots all the time but you CAN'T CATCH ALL THE BOTS ALL THE TIME.

 

There is no such thing as full proof anti-cheat system. They can make them better and better but the bots will always catch up to them in few weeks (at max).

 

It's true that up until now, updates designed to catch bots seem to have been solved by the bot-writers relatively quickly.

 

The main goal here isn't to catch every possible bot instantly, but to come up with methods that will never catch humans players, but will in some unavoidable situations catch botters at least some of the time. An idea for a random which would be unsolvable by a computer would be nice, but it seems like these days even captchas are getting solved by algorithms.

 

This is a very hard problem - Jagex has many smart people who have worked on this for a long time and haven't solved it yet. Maybe in the end we will conclude that there's no solution, and we've been too hard on them. But I think it's a bit too early to give up already.

Alphanos

Alphanos.png

Link to comment
Share on other sites

Some food for thought. Its well known among security and financial service companies that there is no such thing as an impossible to crack algorithm, just very difficult ones. For instance, current hashing algorithms and data standards are secure and usable for a set amount of time (2-7 years) - because that's the average amount of time it would take a brute force attack on a "standard computer" to break it.

 

The point being is that yes, eventually cheats will figure a way to bypass anti bot systems, but the best ones will be simple to implement, and take cheaters long times to figure out ways around it without it being too obstructive.

99 dungeoneering achieved, thanks to everyone that celebrated with me!

 

♪♪ Don't interrupt me as I struggle to complete this thought
Have some respect for someone more forgetful than yourself ♪♪

♪♪ And I'm not done
And I won't be till my head falls off ♪♪

Link to comment
Share on other sites

Want to know how to find bots and easily catch them?

 

Invisible Items/Monsters that only bots would see.

 

 

RS runs on Java. Everything is coded with an ID #. Bots work by detecting ID's. Heres the solution:

 

Make a new era of random events where items appear around the person in question that are coded the same as whatever theyre doing but ARENT ACTUALLY THERE.

 

Aka, if the person in question is fighting... green dragons. have 4-5 invisible green dragons with the SAME id's as the regular green dragons appear all around the person, but theyd be unclickable (theyre ghosts basically, you wouldnt be able to see them but a bot would because its gathering java data) Therefore, the person in question would react to this in two different ways:

 

Regular person:

-wouldnt even see the "invisible" things and they continue on their way.

 

Bots:

-Would consider this "invisible" thing to be real and would constantly attempt to click/attack/whatever to it. Therefore proving its a bot.

 

 

 

So yeah, my dad does coding and crap for a living, and he made me take classes on it when I was in Jr High convinced that, "this will help me in the real world". Wasted most of my time that Summer but at least I can do Sites and stuff :) I dont know enough Java though to really get involved in giving better ideas, but thats one Ive always thought was a clever one.

 

 

 

-C14

 

 

This idea sounds potentially quite promising. The real trick is how to make the server-sent data for these monsters/items identical to the "real" ones, so that the bots cannot tell them apart, yet ensure that they don't actually show up on the player's screen or attack them. I'll definitely give this some further thought, but if anyone has further ideas on this please speak up...

 

Edit: Hmm, additionally how to prevent colour/screen detection from foiling this, as noted below....

 

 

Some food for thought. Its well known among security and financial service companies that there is no such thing as an impossible to crack algorithm, just very difficult ones. For instance, current hashing algorithms and data standards are secure and usable for a set amount of time (2-7 years) - because that's the average amount of time it would take a brute force attack on a "standard computer" to break it.

 

The point being is that yes, eventually cheats will figure a way to bypass anti bot systems, but the best ones will be simple to implement, and take cheaters long times to figure out ways around it without it being too obstructive.

 

I understand what you're saying, but I for one would be happy with a bot-foiling method that lasts a mere 2-7 years :D.

Alphanos

Alphanos.png

Link to comment
Share on other sites

Want to know how to find bots and easily catch them?

 

RS runs on Java. Everything is coded with an ID #. Bots work by detecting ID's. Heres the solution:

That could easily be worked around by adding limited colour detection to current bcel or reflection bots
Link to comment
Share on other sites

Want to know how to find bots and easily catch them?

 

RS runs on Java. Everything is coded with an ID #. Bots work by detecting ID's. Heres the solution:

That could easily be worked around by adding limited colour detection to current bcel or reflection bots

 

 

lol its funny he says this because he has like 2 posts, joined like 30 min ago and knows a suspicious amount about bots. Ill let you guys decide where he stands as far as botting goes though.

 

 

As for colour detecting thats a completely different story and last time I checked bots havent used that method since the RSC days because it SUCKED. Think about how many misclicks that would provide. Im almost hoping they do that as it would make it that much more obvious.

nashv.png

Pixel Signature Made By Me.

Link to comment
Share on other sites

I understand what you're saying, but I for one would be happy with a bot-foiling method that lasts a mere 2-7 years :D.

Those algorithms took hundreds of millions (even billions) of dollars and many many years to develop. I don't think Jagex's pockets are that deep nor do they have that amount of talent to develop something that works that well.

99 dungeoneering achieved, thanks to everyone that celebrated with me!

 

♪♪ Don't interrupt me as I struggle to complete this thought
Have some respect for someone more forgetful than yourself ♪♪

♪♪ And I'm not done
And I won't be till my head falls off ♪♪

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now

×
×
  • Create New...

Important Information

By using this site, you agree to our Terms of Use.