Return to the fairness of the game and declare war on the game gold studio!

News 2023-08-09 07:08:44 views: null

What is Dajin Studio?

In recent years, China's game market has continued to develop, domestic self-developed high-quality games have emerged in an endless stream, and the game industry has a stable trend of high-quality, high-quality and healthy development. According to the "2022 China Game Industry Report" released by the Game Working Committee (GPC) of the China Music and Digital Association and the China Game Industry Research Institute, in 2022, the actual sales revenue of the Chinese game market will be 265.884 billion yuan, and the actual sales revenue of self-developed games in the domestic market 222.377 billion yuan.

While the game market is becoming more and more prosperous, the game security situation is also becoming increasingly severe. All kinds of illegal game plug-ins endanger the internal ecological balance of the game and infringe on the interests of game players and manufacturers.

In this context, while game manufacturers focus on game quality, they also urgently need to do a good job in game security protection. According to the game security annual report released by Netease Yidun in 2022, Netease Yidun detected 3,709,617,186 cheating threats overall, a year-on-year increase of 104.2%, and 63,989,592 environmental threats were detected in mobile games throughout the year, a year-on-year increase of 296%. Due to the launch of many popular games, the confrontational and competitive nature of mobile games has been further strengthened, which makes the game security, especially the cheating protection, always in a high confrontational state.

Among the sub-categories, role-playing, design, and action games are more vulnerable to cheating attacks, accounting for 60% of the total. According to the game security risk control data, in these games, custom plug-ins are still the most common form of plug-ins in various games, accounting for as high as 83%.

A typical of these plug-ins is the "Dajin studio" or "black (gray) production studio" . Their targets are usually online games with trading mechanisms or hidden resource transfer mechanisms. By using various black production tools and scripts, they can complete synchronizer multi-opening, script batch activation, automatic task completion, resource production and transfer in the game wait. There are often huge industries behind this kind of cheating. For example, NetEase Blizzard has cooperated with the police to crack down on the cheating studio of "World of Warcraft" many times, and the amount involved in each case is tens of millions.

The massive accounts controlled by Dajin Studio obtain resources from the game. The output of this part of resources is beyond the original design of the game economic system. The output and sale of a large number of resources will squeeze the normal market, resulting in a virtual game. The economy collapsed, the price of gold plummeted, and eventually players lost and servers died. In order to improve the life cycle of the game, the game owner has no choice but to continue to open new servers, but Dajin Studio will continue to pour in new servers, thus forming a vicious circle. The game owner is exhausted, but cannot fundamentally solve the problem of profit loss.

Netease Smart Enterprise's game AI anti-cheating solution

There are many kinds of games on the market, and the categories, platforms, and data conditions are also different. After years of confrontation with Dajin Studio, Netease Smart Enterprise Game AI has accumulated a set of mature, data-driven game security solutions. These solutions can effectively make up for the lack of business data utilization of traditional solutions, and can also avoid additional access to SDK for games, ensuring the versatility of cross-terminal solutions.

The data-based solution can be more in line with the phenomenon observed by the player. This technical solution that cuts into the game from the phenomenon does not need to consume energy to perceive the means of plug-in implementation.

The detection plan can be divided from different dimensions. From the perspective of narrative logic, we divide the plan into three types: pre-event, during-event, and post-event according to the life cycle of cheating and the chronological order of detection plan intervention.

Since the solution needs to be driven by data, cheaters do not have much accumulated in-game behavior data in advance, such as the account registration stage. We usually use device-dimensional information for initial risk avoidance. For example, based on the user's hardware, IP and other information, and comparing it with the historically maintained blacklist database, the user is tagged. At the same time, NetEase Yidun's reinforcement, anti-cracking, anti-debugging and other functions also intercept cheaters outside the initial link.

Data-driven solutions are mainly used during and after the event. In upstream data processing, we use kafka to receive game messages and write them into HDFS/HBase clusters. Downstream will deploy hourly or daily offline data ETL processes to complete data writing into hive/impala data warehouses to meet offline business Analyze or complete the fast query requirements of the full amount of data within a certain time range for a specific user.

In MMO games, cheaters will automatically collect/spawn monsters, automatically complete tasks/instances, etc. during the process. To deal with these problems, we have accumulated a variety of solutions. For example:

  • Based on game log data: We construct the player's behavior sequence in the game, and use representation learning and clustering algorithms to identify highly suspicious clusters, thereby completing the detection of abnormal studio groups.

  • Character-based trajectory class data: We employ time-series algorithms to mine anomalous data with obvious patterns and regularities.

Some early and mid-term plans lack sufficient data accumulation, or the information contained in the data is not strong enough to support the evidence. The post-event plan can be a good supplement, which also makes the overall plan more complete. For example, in the real money transaction (RMT) problem in MMO games, a more complete profit-making link can be observed after the fact. From the perspective of cheaters, they always face the risk of being punished, and in order to avoid risks, they tend to realize cash in stages. The after-the-fact plan can effectively prevent subsequent game losses, and at the same time increase the account development cost of cheaters.

Prevention and control schemes for different data types

Log/Behavioral Sequence Scheme

Since the original log of the game contains a lot of noise (such as active/passive, player information/player action, system environment, automatic/manual, etc.), it cannot truly reflect the player's operation, so we designed the behavior sequence processing logic for the player's A unified description of real behavior.

We use the idea of ​​where-what-how-when to express a player's behavior. For example, in an MMO game, a player's behavior can be expressed as a sequence of four tuples (map_id, action_id, detail_id, ts). The sequence data will then undergo data enhancement processing such as segmentation and sampling and store it for access by downstream services.

 

Both Transformer and RNN are suitable tools for processing sequence data, especially the former, which is a neural network architecture based on the self-attention mechanism, which has excellent effects on sequence data modeling and is widely used in deep learning fields such as NLP , large-scale language models such as the recently popular ChatGPT are based on the Transformer architecture.

We use the Encoder part of the Transformer to perform characterization modeling on the player's behavior sequence, and capture the event information, time information, order and context information of the character in the game.

The process of training modeling characterization is usually accompanied by business experience, which can greatly optimize the quality of characterization vectors obtained from unsupervised and self-supervised training. We use a model based on Transfromer to fuse player events and time information. On the basis of player characterization, density clustering and correlation analysis are carried out to obtain suspected player groups, and at the same time, combined with game operation experience, the suspected player groups are classified and screened.

 

Game customers have different standards for grading and screening. Some customers are suspicious of player groups with obvious group portraits, which is enough to support the judgment standard in their minds, so group portraits can be used as the output basis; some customers think that group portraits are not enough, or the game If the data does not support richer portrait generation, then we will provide the characteristics of the group itself that are "unreachable by humans".

After the scheme is initially verified online and run for a period of time, the user's feedback will be sent back to the model as supervision information. For the pre-training model, these correct and misjudgment examples can be used as explicit sample guidance models to better understand the semantic information of logs. For downstream classification tasks, penalized examples can be used as labels to guide the training of supervised models to improve the accuracy and generalization of the scheme.

Track detection scheme (mouse, position track)

The game contains a wealth of trajectory data, such as the trajectory of the mouse operation, the trajectory of the moving position of the character in the game world, and so on. Trajectory data can be unified and abstracted into the relationship between coordinate points and timestamps, as shown in the following table. The trajectory data has a high degree of time and space characteristics, which can reflect the potential operation mode of the player. Because Dajin Studio uses automatic cheating software tools to replace human operations, their trajectory data is very different from that of normal players.

The basic assumption is that the trajectories of normal players are chaotic and disorderly, while cheating players use multiple devices such as plug-in software or simulators, which will make the trajectories between characters and within characters show obvious patterns, because cheating players are To maximize the collection of benefits, even if the plug-in adds randomness to interfere, the overall trajectory can still be found to be different from normal players.

 

Trajectory data is very suitable for visualization and viewing, so it has good interpretability and ease of explanation. The difference between the trajectory data of normal players and abnormal players is very obvious.

 

We propose a general framework with player evidence trajectory data to detect cheating players using automated cheating in MMORPGs. The overall process is shown in the figure above, and the framework consists of 5 modules:

  • Data Recording data recording module, which is deployed on the player client, responsible for recording player trajectory data and sending it to the log server of the server;

  • Data Collecting data collection module, which is deployed on the server, receives the trajectory data sent by the client, and performs preliminary processing such as sorting and alignment;

  • Preprocessing and Feature Engineering preprocessing and feature engineering module, which processes trajectory data and generates feature files as input to the model;

  • Labeling and Model Training labeling and model training module, the model is deployed offline, responsible for sample labeling and model training, and the obtained model files enter the next module for processing;

  • Periodic Prediction and Result Processing Periodic prediction and result processing, this module is deployed online to predict the trajectory of cheating players, and output the results to the portrait platform for display;

To avoid expensive manual feature engineering, we use AutoML to automatically find features to reduce the effort. We also designed an automatic iteration mechanism to ensure that the online effect does not decay over time.

Sensor solution

Sensor data is essentially a kind of trajectory data, and the platforms it applies to are generally mobile devices, and the data content and meaning are more abundant than ordinary trajectory data, for example, on the basis of "xy coordinates" and "time stamp" In addition, "Touch Type", "Touch Pressure", and "Touch Index" have been added.

  • Touch type: such as MOVE, DOWN, UP, CANCEL.

  • Touch pressure: (Optional), if the device screen supports a pressure gauge, it will be recorded according to the actual collected pressure value.

  • Touch index: It is used to distinguish multi-finger operations. For example, if two fingers are required for a zoom operation, the index of one finger is 0 and the index of the other is 1.

Various detection schemes can be carried out on the sensor data, such as simulating clicks.

 

We divide outlier player identification based on sensor data into 2 broad categories: individual detection and group detection.

  • Individual detection refers to the detection of a single sensor data sample. The advantage is that it has high detection efficiency and can detect streaming data in real time. At the same time, the model can be deployed to the end side to reduce data transmission and shielding.

  • Group detection refers to the detection of batch samples. The advantage is that the correlation between samples can be found and the evidence of abnormal results can be enhanced. Because the group detection scheme can be carried out from both horizontal and vertical angles, it can not only detect multiple trajectories in player history, but also Detect similar anomalous trajectories among players.

 

In individual sample detection, LSTM is used to model trajectory events and trajectory coordinates, and finally a fully connected layer is used to fuse multi-dimensional data and output prediction results. In group detection, the trajectory data has been entered into the data warehouse, and batch trajectory samples are extracted from the data warehouse. After data preprocessing, entropy convolution and Transformer models are used to extract trajectory feature vectors. After storing the trajectory feature vectors, the nearest neighbor Query, or HDBSCAN density clustering, get multiple suspected clusters and classify and sort them according to different standards of game customers, find abnormal correlation samples from the sorting results, and then manually summarize the cheating mode, you can easily find new cheating.

Relationship graph scheme

In order to obtain income from the game, Dajin Studio will transfer and trade the assets in the game. Among them, offline real currency transactions are invisible, and what we can actually observe in the game is the transaction link of game assets. In addition to resource transactions, players, including Dajin studios and normal players, will definitely interact with other characters in the game, such as forming teams, friends, and sharing hardware. Conforms to normal player behavior patterns.

 

Dajin studios often have a group nature, that is, characters in a small group (studio) usually have many transactions of unequal value with each other to transfer property. These abnormal transaction participants can be divided into three groups: "farmers", "bankers", and "buyers". Gold diggers are like workers who dig gold mines in large numbers; aggregators are like contractors who collect the gold mines dug by workers; buyers are people who buy gold mines from contractors. ——The existence of cheats is like allowing the contractor to have countless, tireless, and extremely efficient robots to mine gold mines for him. This behavior obviously disrupts the price system of the gold mine market. In the corresponding game, the gold digger is the character who opens the plug-in to automatically refresh the copy; the task of the aggregator is to collect the game resources obtained by the gold miners, and then sell these resources to the buyer; Consumers who buy gold everywhere.


 

In terms of composition, we value the props and items in the game, and convert the transaction graph between players into a value transfer graph, and each player role is a node in the graph. Graph embedding (Network Embedding), Graph Neural Networks (Graph Neural Networks) and other technologies have received extensive attention and in-depth research in the academic community. These methods usually project the nodes in the network to vectors in a low-dimensional space, thereby completing the conversion from unstructured data to structured data. Based on this, we designed a semi-supervised model MVAN (Multi-View Attention Network) that integrates multiple relationship graph data to detect and identify players.

Process Justice for AI Systems

The detection of data schemes is particularly special in terms of evidentiary issues compared to traditional means. Traditional solutions often do not require too much interpretation of the results, such as whether to modify the memory, whether to change the signature, etc. are all either-or, undoubted issues.

In data solutions, developers usually use machine learning or deep learning models to convert business into a probability problem. However, due to the diversification of the sources of penalty labels, the intermediate process includes a large number of logical derivations, and unobservable data, this method only learns the mapping relationship from data to results one-sidedly, without thinking about whether the judgment process is reasonable and whether it is consistent with experts. Consistency of experience and whether the data itself supports a conclusion of violation. The absence of such "process justice" can trap the whole scheme in evidentiary problems.

According to past business experience, we have precipitated two methods to solve the above problems.

The first is to avoid getting bogged down in evidence by introducing additional processes. For some game scenarios with rich degrees of freedom, we will jointly design a relatively independent forensics module with the game party as the last piece of the puzzle to fill in the shortcomings of the solution. The operation process of these forensics modules has the characteristics of strong evidence, high accuracy, and high cost, such as verifying whether it is a real person in an interactive manner, and assisting the result judgment by collecting more fine-grained data.

After having an independent forensics module, the machine learning model can be more purely used as a precondition of the process to provide probabilistic meaning. The goal of its optimization is to improve the success rate of the forensics module, reduce unnecessary cost loss or damage to normal players. experience interference.

In addition to introducing additional processes, we will design models based on specific issues to ensure process justice.

For example, in the RMT problem, the unspoken rules of some games do not allow offline transactions between players, especially offline transactions in the appearance of Dajin Studio. However, due to the unobservable data outside the game, the judgment of this phenomenon depends entirely on the subjective experience of game operation. These experiences are essentially fair judgments on player behavior based on a deep understanding of the game. We believe that there must be such a scale in the mind of game operators, which can measure the severity of two different behaviors. The design of the model requires alignment with these fairness judgments.

In contrast to some recent work on AIGC that uses RL to introduce human preferences, we interpret fairness as a partially ordered relationship between features and outcomes. In practical applications, we use data enhancement methods such as feature perturbation and diffusion to construct the loss of contrastive learning.

In addition to the above solutions, we also try to introduce methods such as explaining models or building visualization platforms. These schemes play a more role in the transparency of data and process, and play some auxiliary role in core issues.

epilogue

On the surface, data-driven detection is just a "0/1" 2-category problem, but when you go deeper, you will find that it involves "how to formally define and describe the problem reasonably ", " how to introduce advanced Empirical knowledge ", " how to build a credible AI system ", " how to build a reasonable evaluation system ", " how to run an AI system safely and in line with human preferences " and other difficult problems. Against the background that cheaters have more sophisticated means and machines imitate humans more realistically, I believe that these issues will become the focus of common attention of the whole society in the near future, and I believe that the times will give us answers.

Over the years, Dajin Studio has also been developing. With the black production equipment becoming more and more intelligent and customized, the technology is also constantly upgrading, mainly in the following aspects:

  • Behavior anthropomorphic. Plug-in creators gradually add random factors to scripts and cheating software without reducing the profit-making efficiency of their scripts, and their behaviors are more and more similar to normal players. This requires a new approach to confrontation and analysis and identification from a more detailed perspective.

  • Device anthropomorphism. The illegal equipment used by the original Dajin studio group is often crude or "unreasonable". For example, it is very obvious that dozens or hundreds of accounts are logged on one equipment ID. However, with the evolution of illegal devices, the device information obtained by the client is getting closer to the device information of normal users, which can almost be confused with the real one, which is a huge challenge for the traditional hardware information identification scheme.

  • Continuously, again and again. Dajin Studio has opened up the link of black card dealers and black equipment. After the account is banned, it can be activated again in a very short period of time, causing harm to the game and playing endlessly. This has increased the real-time requirements for the confrontation. It is necessary to quickly identify black accounts in a very limited time and game behavior in order to effectively form suppression.

The so-called "the height of the road is one foot, and the height of the devil is one foot", this requires the close integration of game developers and game security practitioners, and always insist on being at the forefront of the fight against black production. NetEase Smart Enterprise's studio governance solution relies on big data + AI to carry out accurate studio group identification. In addition, it also provides abnormal group behavior analysis and management services. It can not only identify studio groups, but also conduct behavior sequence analysis, Player portrait multi-dimensional analysis, risk warning, abnormal behavior visualization and evidence display allow operators to clearly see the size, shape, link and performance of various dimensions of abnormal groups, so that punishments are reasonable and well-documented, and truly effective governance.

Guess you like

Origin blog.csdn.net/netease_im/article/details/131206383
Recommended
Ranking
error: (-215:Assertion failed) !_img.empty() in function ‘cv::imwrite‘
Database migration between Navicat servers
Minimum number of rotation of the array: Array
balenaEtcher for mac (make a boot disk software) v1.5.67
Custom processing serialization and deserialization in jackson
Mu-en-mask system development software
Mastering Regular Expressions
Find mileage Java--
Web pages can not directly concern the public micro-channel number how to do? A key to arouse public concern number of micro-channel solutions
[CodeForces - 739B] Alyona and a tree Tree + [difference] + bipartite
Daily
More
2024-05-12(28)
2024-05-11(32)
2024-05-10(34)
2024-05-09(32)
2024-05-08(18)
2024-05-07(34)
2024-05-06(6)
2024-05-05(0)
2024-05-04(18)
2024-05-03(8)

Code World

© 2018 codetd.com