How Would You Detect Bots?

[Markup]

Why don't CAPTCHA's work...

[Riptide Mage]

Why don't CAPTCHA's work...

 

They don't work because they can be broken or paid to have solved using a service like decaptcha.com (1000 solved captchas for $2). They do nothing to stop the illegitimate users, and are a pain to the legitimate users.

[Markup]

Why don't CAPTCHA's work...

 

They don't work because they can be broken or paid to have solved using a service like decaptcha.com (1000 solved captchas for $2). They do nothing to stop the illegitimate users, and are a pain to the legitimate users.

 

I was unaware that services like this now exist. Time to investigate...

[Bladewing]

because captcha solving software is very easy to program and already readily available.

[gordoarcane]

Higher randomization of the "Random Events" requiring typing of answers and clicking of icons in event. Captcha could also be hybrid, including symbols instead of normally typed numbers and letters, this extra input would always require human intervention. Removal of all post deposit boxes may help. Requirement for all bank acc's to have a pin. If random event was not completed properly, bank would be reset, needing pin entry again. I suppose the more you think about it the more you realise that it is not an easy task to eradicate the current crop of bot's. Manual intervention is perhaps the only weapon that would create a headache for said creators & users of bots.

 

The more measures that Jagex implement the more it would slow down the real players. Then the upset would kick in, and the all too common flame posts and dummy throwing would ensue. So it may be regarded as a "Catch 22" situation, as we well know the bots cater for a market of raws, when certain items are needed fast from GE, whos to know who or what gathered, made them... Once again its a constant problem for many years as I see it, one that will not go away over night, but one that could be tempered much more, but at what cost to Jagex's revenue, and to our total gameplay experience. ?

[JoWie]

The solution against bots that modify the client is to move more logic to the server instead of the client. The most extreme is making the client only able to view a video stream and send direct input events.

This may seem far fetched but it is feasible.

 

Runescape is a very good candidate for such a method. Because of the nature of the graphics in runescape, there are some very efficient compression algorithms that could be used. The volume of input events is very low when compared to for example a First Person Shooter. Also, input lag (time between clicking the mouse and seeing an action performed on screen) is much less important in this game than in a FPS.

There are services which already provide this for FPS, racing games, etc. such as OnLive, StreamMyGame, gaikai. It may be possible for jagex to partner with such a company.

 

There are a number of advantages and disadvantages:

 

Advantages:

• No more bots that function through client modifications
  
• Very thin client, user hardware requirements are low.
  
• Can still be run from within a browser. It could even be implemented without java. It could be done with HTML 5 video and ecmascript
  
• Very easy to port to different operating systems, consoles, mobile phones. You could play runescape on an ipad or xbox.
  

 

Disadvantages:

• Higher bandwith load for players
  
• Higher bandwith requirement for players
  
• Input lag
  
• Higher bandwith for servers
  
• Much higher resource load on servers (note that this does not have to affect world limits)
  

 

OnLive recommends atleast 3 Mbit downstream for their services. I think this could be up to 4x as low in runescape.

 

This would go a long way, but it does not prevent bots that work using OCR+OOR. Luckily, creating such a fully functioning OCR+OOR bots is a lot harder then the other type of bots.

Making it harder for OCR+OOR bots could be done with more graphical randomization, random events (solving a random event will take a while for OCR+OOR bots), weather effects, night/day time, et cetera.

 

At this point, the most powerful bot would use machine learning to automatically recognize objects. The bot operator would feed many screen shots (different locations, different camera positions, etc) to the application, and mark the objects the bot has to identify. After a while a bot would be sufficiently trained to recognize that object with a low margin of error.

Random events would still be hard to learn, random events do not last very long and getting enough training data may take multiple occurrences of that event.

 

 

 

Note that any cheat protection (such as punkbuster) that scans for executables or usage of certain api's will not be effective against OCR+OOR bots. The runescape client runs in ring 3. An OCR bot could run in ring -1 by virtualizing runescape + an complete operating system using for example VMware or VirtualBox.

[Wkw]

Counter bots

 

Once every 24 hours, at random, all servers restart. Servers restart once every 4 hours, not all at the same time.

 

Yesterday, 1100 people in w25 were fog bots.

Now, only 300 people playing, and maybe 60 people playing fog

[sees_all1]

The day they get rid of a majority of bots is the day I'll turn off my adblock when I play on my f2p accounts.

OMFG REPORTED.

<3:

[BioIce]

The day they get rid of a majority of bots is the day I'll turn off my adblock when I play on my f2p accounts.

OMFG REPORTED.

<3:

Oh hi.

 

As if they'd do anything. I've been using adblock since...well, feels like forever. :rolleyes: And even if they did, they won't get 'em all. Hah!

 

Restarting servers at random can end up being a headache for players.

 

I'd be interested to see a machine-learning bot become proficient in Runescape.

[n64jive]

I am finding it somewhat ironic that a lot of the "most successful sounding" solutions have actually been used before far in the past, but they got removed also because they too were not successful.

 

What I haven't heard yet is a method they use in some foreign MMOs, which is to implement a roaming "dangerous hellbeast" type of thing that patrols the zone and immediately murders anything in its path that doesn't have the sense to notice the incredibly obvious warnings of its approach - namely, the types of warnings that bots wouldn't see, but I suppose that would be too disruptive for most folks, and I guess they would figure that one out eventually too...

 

For the most part, since Runescape is unwilling to be a game that is not reliant on easily botted actions, it will forever live as such. If you're not willing to give up repetitive tasks and non-involving gameplay, then you must embrace the fact that bots are more viable than actual people in Runescape (although you don't have to like it). It seems somewhat pointless for Jagex to continue to punish people for both doing what is deemed most effective by the game, and to indirectly punish those others who choose to abide by the rules by ineffectively enforcing their laws.

 

if (hellBeast.isOnScreen())

logAndSwitchWorlds();

[Wkw]

The day they get rid of a majority of bots is the day I'll turn off my adblock when I play on my f2p accounts.

OMFG REPORTED.

<3:

Oh hi.

 

As if they'd do anything. I've been using adblock since...well, feels like forever. :rolleyes: And even if they did, they won't get 'em all. Hah!

 

Restarting servers at random can end up being a headache for players.

 

I'd be interested to see a machine-learning bot become proficient in Runescape.

 

But it'd work.

 

What is wrong about the server restarting once a day, at most? Unless you play for 18 hours a day, you won't really be effected. Start a farm run? Finish it, make a samdwich, and come back. DKing? Go up, make a sandwich, and come back. Skilling? Sandwich and come back. PKing? Post on RSOF how you lost a kill of someone with dss and claws and come back.

[n64jive]

First off, most data standards are developed to be relatively cheap. That is the goal of data security, to have very little overhead.

If you kindly reread my post, you'll notice the cost I mentioned is the time it took to develop the algorithm, not the time it takes for the algorithm to execute. The time it took IBM and the NSA to develop current standards is on the order of decades.

 

Many of the encryption algorithms in use today were not developed by IBM or the NSA, and they certainly did not take decades to develop. For example, the AES algorithm was developed by a huge number of two Belgians. You can read their paper about it here.

 

@ Sees_all1 Did you know: Most of the research on data security, encryption/decryption methods, etc. is done in Academia? Those companies you speak of are businesses. They do very little other then adopt these methods into "standards".

 

What does that mean? That tons of money doesn't have to be spent on this research because there is academic institutions all around the world that are willing to put their time/effort into engineering these methods.

 

I'll use the same example, AES. It wasn't called AES by the two belgiums that developed it. Instead the NIST put out a claim that they would pay if someone came up with a better standard then DES. There was hundreds of submissions, and the two belgiums (it was called something like rejdael, taking after their last names) was the one selected. IBM did come up with a standard, and you might be right, they might have spent a lot of money on it. There method was very poor though and I believed received the least amount of votes. Also as far as taking decades, I believe it took at most 2 years.

 

source:Just learned about this in class like two weeks ago...

[sees_all1]

Those companies you speak of are businesses.

I didn't realize that the National Security Agency was a business. :rolleyes:

Also, these security standards were an iterative design - that is to say that AES didn't come out of nowhere. It may have taken two guys to think of something, but they were only in the position to do it because they were standing on the shoulders of giants.

[BioIce]

The day they get rid of a majority of bots is the day I'll turn off my adblock when I play on my f2p accounts.

OMFG REPORTED.

<3:

Oh hi.

 

As if they'd do anything. I've been using adblock since...well, feels like forever. :rolleyes: And even if they did, they won't get 'em all. Hah!

 

Restarting servers at random can end up being a headache for players.

 

I'd be interested to see a machine-learning bot become proficient in Runescape.

 

But it'd work.

 

What is wrong about the server restarting once a day, at most? Unless you play for 18 hours a day, you won't really be effected. Start a farm run? Finish it, make a samdwich, and come back. DKing? Go up, make a sandwich, and come back. Skilling? Sandwich and come back. PKing? Post on RSOF how you lost a kill of someone with dss and claws and come back.

 

It would work until bots come along with an auto-login script. Come to think on it, they might already have since they can bypass the auto-logout feature.

[n64jive]

The solution against bots that modify the client is to move more logic to the server instead of the client. The most extreme is making the client only able to view a video stream and send direct input events.

This may seem far fetched but it is feasible.

 

Runescape is a very good candidate for such a method. Because of the nature of the graphics in runescape, there are some very efficient compression algorithms that could be used. The volume of input events is very low when compared to for example a First Person Shooter. Also, input lag (time between clicking the mouse and seeing an action performed on screen) is much less important in this game than in a FPS.

There are services which already provide this for FPS, racing games, etc. such as OnLive, StreamMyGame, gaikai. It may be possible for jagex to partner with such a company.

 

There are a number of advantages and disadvantages:

 

Advantages:

• No more bots that function through client modifications
  
• Very thin client, user hardware requirements are low.
  
• Can still be run from within a browser. It could even be implemented without java. It could be done with HTML 5 video and ecmascript
  
• Very easy to port to different operating systems, consoles, mobile phones. You could play runescape on an ipad or xbox.
  

 

Disadvantages:

• Higher bandwith load for players
  
• Higher bandwith requirement for players
  
• Input lag
  
• Higher bandwith for servers
  
• Much higher resource load on servers (note that this does not have to affect world limits)
  

 

OnLive recommends atleast 3 Mbit downstream for their services. I think this could be up to 4x as low in runescape.

 

This would go a long way, but it does not prevent bots that work using OCR+OOR. Luckily, creating such a fully functioning OCR+OOR bots is a lot harder then the other type of bots.

Making it harder for OCR+OOR bots could be done with more graphical randomization, random events (solving a random event will take a while for OCR+OOR bots), weather effects, night/day time, et cetera.

 

At this point, the most powerful bot would use machine learning to automatically recognize objects. The bot operator would feed many screen shots (different locations, different camera positions, etc) to the application, and mark the objects the bot has to identify. After a while a bot would be sufficiently trained to recognize that object with a low margin of error.

Random events would still be hard to learn, random events do not last very long and getting enough training data may take multiple occurrences of that event.

 

 

 

Note that any cheat protection (such as punkbuster) that scans for executables or usage of certain api's will not be effective against OCR+OOR bots. The runescape client runs in ring 3. An OCR bot could run in ring -1 by virtualizing runescape + an complete operating system using for example VMware or VirtualBox.

 

I've played runescape using remote access technology, and let me tell you, it sucks. Responsiveness decreases quite a bit, and Jagex already has a problem with responsivness(ever notice there is a slight delay between click and animation...this isn't caused only by client-server communication lag, but also because of the nature of how jagex programs their game (using the "tick" system)...

 

I think a lot of people would quit if they implemented this, as I don't think the game would be very enjoyable.

 

Honestly, I don't think bots are that huge of problem...What skills are overly botted in p2p in a way that effects they players? Pure ess mining is terrible, but most people just [bleep] with it because it's obvious that these are bots performing these tasks. Hunter is getting bad, and it being a competative skill, it does piss off legitimate players. Yew/Magic cuting is bad. What else? Either way, my solution is Jagex should focus on these skills. Banning bots that compete with legitimate players would 1. End these annoying threads. 2. Make more people happy. It would also send an underlying message to botters: Go ahead and bot, but don't bot something that pisses off our paying customers, because we will find you, and we will ban you.

 

My cents

[Misfortune]

Bots are inevitable. The soon Jagex realizes this and gets a team of player moderators or staff that were dedicated to finding and banning bots, you WILL NOT STOP them. I did TONS of research on this, after viewing 3 websites that sold or produced botting software, I realized the problem is much bigger than you think. From those 3 websites there are close to 2 MILLION players who have purchased or used a botting program.

 

 

WE WILL NOT STOP THEM. The only way would be to take down each individual website producing these programs which legally could take YEARS.

[BioIce]

I seem to recall when the abomination called Final Fantasy XIV first came out, a lot of the gameplay/interface was based around anti-botting. Made for a very clunky, half-baked, unresponsive experience.

 

The tick system in Runescape is bad enough.

[n64jive]

Those companies you speak of are businesses.

I didn't realize that the National Security Agency was a business. :rolleyes:

Also, these security standards were an iterative design - that is to say that AES didn't come out of nowhere. It may have taken two guys to think of something, but they were only in the position to do it because they were standing on the shoulders of giants.

 

Is that the only part of the thread you read and then decided to just post on it. My point wasn't what those companies are, and yes, the NSA is really just a government ran business.

 

Now if you can get off symantics, you will see that most of the research done on this is by Graduate Students for different colleges/Universities around the world.

 

And regardless of all of that, it still disproves the fact that you seemed to be pulling information out of your ass. 1. It doesn't cost millions/billions for data security development. 2. Jagex isn't working on securing data, they are working on an algorithm to catch bots in a game. Not even close to of the same complexity.

[n64jive]

Bots are inevitable. The soon Jagex realizes this and gets a team of player moderators or staff that were dedicated to finding and banning bots, you WILL NOT STOP them. I did TONS of research on this, after viewing 3 websites that sold or produced botting software, I realized the problem is much bigger than you think. From those 3 websites there are close to 2 MILLION players who have purchased or used a botting program.

 

 

WE WILL NOT STOP THEM. The only way would be to take down each individual website producing these programs which legally could take YEARS.

 

 

Alas, seems like more [cabbage]. Sources? 2 million? considering that's about the same number of Jagex active players within the last 2 years, I hardly see that being true...

[RSBDavid]

Rewrite the client in C/C++ and only use the Java portion to draw onto the AWT Canvas. This wouldn't require you to download an exe and it could improve performance. Bot makers could basically inject into the DLL's and read basic client information, but Jagex could create detection algorithms to help deter the hackers. The logic is already on the server anyways, so no need for cloud-based clients.

 

Another option is to perform time-based client ID encryption. Jagex could write an algorithm to encrypt the item and object ID's based on the current time or any other factor, then every time the player reaches a "Loading... please wait" screen, the server will send a set of new ID's with a different encryption algorithm.

 

For example, lets say a bot was killing green dragons. The first time the bot goes to the green dragon location and uses the ID "4456", it will be linked to a green dragon. The next time, the same ID could be an NPC in Canfis.

[sees_all1]

1. It doesn't cost millions/billions for data security development.

This is flat out wrong. The NSA alone, dedicated to this sort of thing, has a budget of somewhere between 2-10 billion dollars a year. They (Governments, Companies, Academia, etc.) have been working these specific algorithms for nearly 4 decades now (DES started in 1972, and was the precursor to many more algorithms), and countries/nations/empires have been working on encryption/decryption and code breaking for thousands of years. L2History.

 

2. Jagex isn't working on securing data, they are working on an algorithm to catch bots in a game. Not even close to of the same complexity.

If you can't see the parallels between the two, let me spell them out:

1.There will always be people looking to break data encryption, just as there will always be people looking to beat Jagex's macro detection system

2.People looking to break data encryption already know everything about what they're trying to break (how the algorithm works, where its weak points may be), similar to everyone trying to write macro software can de-compile Jagex's client and examine the source code.

3. Once an algorithm has been beat, using it provides little to no protection. Once an anti-macro feature has been beat, using it does no good.

 

 

These are all still beside the original point I was trying to make:

The point being is that yes, eventually cheats will figure a way to bypass anti bot systems, but the best ones will be simple to implement, and take cheaters long times to figure out ways around it without it being too obstructive.

[Stev]

Rewrite the client in C/C++ and only use the Java portion to draw onto the AWT Canvas. This wouldn't require you to download an exe and it could improve performance. Bot makers could basically inject into the DLL's and read basic client information, but Jagex could create detection algorithms to help deter the hackers. The logic is already on the server anyways, so no need for cloud-based clients.

Jagex... Create detection algorithms? You really think they could do that? We have new hacks out for games that have companies like PunkBuster and HackShield which are dedicated to trying to detect our DLL injection... And ours are undetected 30 seconds after an update. Lol. Not only that, but your assuming every bot uses the same method of injection, which I assure you they don't.

 

Another option is to perform time-based client ID encryption. Jagex could write an algorithm to encrypt the item and object ID's based on the current time or any other factor, then every time the player reaches a "Loading... please wait" screen, the server will send a set of new ID's with a different encryption algorithm.

 

For example, lets say a bot was killing green dragons. The first time the bot goes to the green dragon location and uses the ID "4456", it will be linked to a green dragon. The next time, the same ID could be an NPC in Canfis.

As I said before, not every bot uses IDs. Even if they managed to change the IDs, it'd only be a short matter of time before the bot developers found a way around it. And going back to my previous point... Bots are easily created without using IDs and models.

[Alphanos]

Everyone talking about extra server restarts has gotten me to thinking. The foremost reason why bots have to log out after an update is that in the event of game changes, they might not run correctly and end up getting people banned - as with the wilderness ditch -> wall change. So all semi-intelligent bot-writers have their bots stay logged out after a client version bump.

 

Therefore, yes additional server restarts should be performed, but in addition the client version number should be bumped, or maybe even randomized. Each server should restart at minimum once per day, and if certain checks pass (I.E. nobody currently in the fight caves or fighting Nex, a couple things like that) then the server could even restart every 4-6 hours. The client version will change each time. Then bot-writers will be faced with a tough choice: they can either have their bots regularly getting kicked and locked out of the game, or they can ignore the version numbers and risk mass bans when Jagex really *does* release bot-breaking game changes. As it stands right now, bot-breaking changes have their effect limited because the bots stay away until the bot-writers have checked out the update, but with a change like this to the version numbering, each bot-breaking update could actually catch a few thousand botters.

[noble_aloof]

First let me state that AFKing is still apparently against the rules. I think that shifting or inverting colors upon certain circumstances or turning the players view angle would be helpful. though i'm not knowledgeable enough to know.

[Kata_Phfract__the_slayer]

as i have said before, bots will always be here, and the only way to get rid of them (by "get rid of" i mean low enough numbers to not care about) is to make then unprofitable.

 

not just in terms on money, if in the time it takes to make a bot, its becomes obsolete, then i highly doubt many would be around.

 

what i would do to get rid of them is make botting obsolete. if i find a bot, i would; acount ban, ip ban, and depending on the type of bot, posisbly ban all ip's within 100meters of that ip.

 

but for more passive action, give players little tools to play with, that just happen to confuse bots :wink:, flowers, marcker seeds, drawf cannons gota love em.

really just a [cabbage] load of stuff that you can walk though/past with no effort. if your organic that is. and if a place is known to be bot heavy, some heavyer equipment may be authorised for that place...

i would also make random events much more common, and harder. and tweek the current ones, make them have no unique music (keeps playing what the stuff was form where you where, has no sound effect of you going there, and very little graphical effects. this way people botting but watching there account (bot in one tab, something else interesting in another is common) wont instantly go "errgh, random ... done" and get back to botting.

 

but to contrast this, some very obvious random events will happen, but move you to a place that looks a lot like your current one.

so if your picking flax, you could end up in a flax field (with flax you can pick, but disappears when/if the player/bot finished the random) in the middle of nowhere and are told to do an emote to get out. this would stuff with RWT bots as they will think everything is well, but its far form it :twisted:

 

on top of those randoms, some little random movement of small things, a fence, a block, a door. stuff that a human would go "its not here, oh its there" but make a bot go "error".

anyone remember when the wildy ditch was made in to a wall? thats what im talking about.

some more things are D&D's that no one would miss the chance to do. you know someone mining rune essence is a bot when they just walk past a shooting star with a pickaxe already equipped.

stuff like a lumberjack walking around going from one place good for wc xp to another. if you go talk to him and get the right questions, you get a chunk of free xp/money. would any human NOT do that if they saw him?

 

i could probably list much much more, and maybe i will, but i guess i will end this.

really though, it boils down to:

make people not want to bot.

make RWT unprofitable.

make designing bots a waste of time.