[AntiCheat] Game Security: The Minority Report Dilemma #0

@codewiz · February 21, 2013 · 6 min read


IRIS
Because these Minority Reports are destroyed the instant they occur.

ANDERTON
Why?

IRIS
Obviously, for Precrime to function, there can’t be any suggestion of fallibility.
After all, what good is a Justice system that instills doubt?
It may be reasonable, but it’s still doubt.

– Minority Report, 2002

The translation of this scene from "Minority Report" is so well executed that one wonders about the translator's background; a system engineer, perhaps? In reality, admitting that a system can make mistakes costs it efficiency, and examples are countless. Game security programmers are forced into a permanent trade-off between error tolerance and efficiency, much like the classic trade-off between speed and space.

#0

At the XIGNCODE development team, we continuously develop new detection routines. Call one such routine 'P'. We can express the performance of 'P' on a scale from 0 to 1. A performance of 0 means the routine blocks the hacking tools already known from the past but none of the tools that will emerge in the future. Conversely, a performance of 1 means it anticipates and blocks every hacking tool that will ever appear. A 'P' with performance 1 is essentially the Precrime system depicted in "Minority Report."

At first glance, the routine with performance 1 looks like the obvious choice. But a pitfall hides here, the same one "Minority Report" pointed out: false positives. Depending on how a detection routine is implemented, performance and false positives need not be strongly correlated, but in most cases the false positive rate rises in step with the performance index. In a perfect world we would have a routine like the 'Philosopher's Stone', performing at the ideal 1 with zero chance of false positives, but no such thing exists in the real world. Perhaps we simply have not discovered such a method yet. Because performance and false positives are tied together this way, game security programmers live in the same conflict between what is reasonable and what instills doubt that IRIS described. Is this level reasonable? Is it not too doubtful? These are the questions they face. The performance index of a routine is therefore usually adjusted in small increments, under the pressure of these uncertainties, until it reaches a level that is manageable in practice.
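To make the trade-off concrete, here is a toy model added for this post (it is not XIGNCODE code, and the sample population, trait names, hash placeholders and weights are all constructed). A hash blocklist stands in for a performance-0 routine: it catches only tools collected before it was built. A weighted trait heuristic stands in for a higher-performance routine, with its threshold acting as the performance knob; lowering it catches the unseen "v2" variants but starts flagging benign software, with the malware sample being the first casualty, as the post describes.

```python
from dataclasses import dataclass
from typing import Callable, FrozenSet, List, Tuple


@dataclass(frozen=True)
class Sample:
    name: str
    sha256: str             # constructed placeholder, not a real hash
    is_cheat: bool          # ground truth, used only to score the detectors
    traits: FrozenSet[str]  # behaviours observed at runtime (constructed)


def S(name: str, sha: str, cheat: bool, *traits: str) -> Sample:
    return Sample(name, sha, cheat, frozenset(traits))


# Constructed population. The "v1" cheats were collected before the blocklist
# was built; the "v2" cheats appeared afterwards, which a performance-0
# routine cannot handle by definition. The benign set includes a malware
# sample because that is the usual source of false positives.
POPULATION: List[Sample] = [
    S("aimbot_v1",         "hash-aimbot-v1",   True,  "writes_game_memory", "injects_dll", "unsigned_binary"),
    S("wallhack_v1",       "hash-wallhack-v1", True,  "hooks_d3d", "injects_dll", "unsigned_binary"),
    S("aimbot_v2",         "hash-aimbot-v2",   True,  "writes_game_memory", "injects_dll", "hidden_window", "unsigned_binary"),
    S("wallhack_v2",       "hash-wallhack-v2", True,  "hooks_d3d", "injects_dll"),
    S("overlay_app",       "hash-overlay",     False, "hooks_d3d", "injects_dll"),
    S("antivirus",         "hash-av",          False, "injects_dll"),
    S("keylogger_malware", "hash-malware",     False, "injects_dll", "hidden_window", "unsigned_binary"),
    S("screen_recorder",   "hash-recorder",    False, "hooks_d3d", "unsigned_binary"),
    S("game_launcher",     "hash-launcher",    False),
]

# Performance-0 routine: hashes of tools seen before the v2 variants existed.
BLOCKLIST = {"hash-aimbot-v1", "hash-wallhack-v1"}

# Hypothetical weights a heuristic routine might assign to each trait.
WEIGHTS = {"writes_game_memory": 3, "injects_dll": 2,
           "hooks_d3d": 1, "hidden_window": 1, "unsigned_binary": 1}

Detector = Callable[[Sample], bool]


def exact_match(sample: Sample) -> bool:
    """Blocks only hashes already on the blocklist (performance 0)."""
    return sample.sha256 in BLOCKLIST


def trait_score(sample: Sample) -> int:
    return sum(WEIGHTS.get(t, 0) for t in sample.traits)


def heuristic(threshold: int) -> Detector:
    """Lower threshold = higher performance index, and more false positives."""
    return lambda s: trait_score(s) >= threshold


def combined(threshold: int) -> Detector:
    """Blocklist OR heuristic: known tools for free, heuristic for the rest."""
    h = heuristic(threshold)
    return lambda s: exact_match(s) or h(s)


def evaluate(detector: Detector, population: List[Sample] = POPULATION) -> Tuple[float, float]:
    """Return (detection rate over cheats, false-positive rate over benign)."""
    cheats = [s for s in population if s.is_cheat]
    benign = [s for s in population if not s.is_cheat]
    detection = sum(detector(s) for s in cheats) / len(cheats)
    false_pos = sum(detector(s) for s in benign) / len(benign)
    return detection, false_pos


def false_positives(detector: Detector, population: List[Sample] = POPULATION) -> List[str]:
    return [s.name for s in population if not s.is_cheat and detector(s)]


def sweep(thresholds=(5, 4, 3, 2)):
    """Walk the performance knob and record (threshold, detection, fp)."""
    return [(t, *evaluate(heuristic(t))) for t in thresholds]


if __name__ == "__main__":
    print("exact match       :", evaluate(exact_match))
    for t, d, f in sweep():
        print(f"heuristic >= {t}    : detection={d:.2f} fp={f:.2f} "
              f"flagged={false_positives(heuristic(t))}")
    print("combined (>=5)    :", evaluate(combined(5)))
```

Running the sweep shows the shape the post describes: detection climbs from 0.5 to 1.0 as the threshold drops from 5 to 2, while the false-positive rate climbs from 0.0 to 0.8, and the first benign sample to be flagged is the malware. The combined detector at the strict threshold is the "improve performance while reducing false positives" direction: it keeps the blocklist's free wins and adds the heuristic's unseen catches without any false positive on this population.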

#1

So why did we try to solve the problem by raising P's performance at all? What if we used a routine with performance 0 and simply chased the past quickly; wouldn't that work? It is a clever idea. However, there are roughly three reasons why such a strategy fails.

The first reason is update speed. As I have said consistently in previous posts, code that ships inside games used by an enormous number of people needs extensive verification before every update, and each update carries its own risk. Consequently, updates cannot be rapid. We naturally have to focus on making updates less frequent but more effective.

The second reason is the speed at which hacking tools spread. We typically gauge how widely a hacking tool has spread by the ratio of detections to executions. For games where this contamination rate exceeds 1%, a retrospective tracing method shows little result no matter how fast the updates are. Hackers are compiling, modifying, and releasing their code at the very moment we are swallowing our New Year's rice cake soup, and the volume of that activity is beyond our wildest imagination. A race against time is therefore not usually a good strategy. Ironically, though, there are moments when speed is absolutely necessary.

Really, one in ten are using hacks. It's no lie that every room is overflowing with hacks.

The third reason is the inefficiency of tracing. The hacking tools we manage to collect are merely the tip of the iceberg. We typically collect around 1500-2000 hacking tool samples per day, and that number grows sharply as more games are affected, yet even this is a tiny dot on a massive iceberg. There are a myriad of game hacks out there, and new ones are being written at this very moment. Finding all of them is next to impossible.

For these reasons we have no choice but to use routines with a high-performance P, even if that means tolerating a certain false positive rate. It goes without saying that the best solution is to improve performance while also reducing false positives.

#2

So what typically falls under the category of false positives? Detection routines vary widely in nature, but one culprit produces high false positive rates across most of them: malware and viruses. Some are even built to hijack game accounts, so they demand special attention. Users infected with such severe malware or viruses occasionally reach out to us for help.

Mostly we provide remote assistance so that the user can play, but some infections simply cannot be fixed by antivirus software, and sometimes, even after a fix, the internet connection stops working entirely. More than once this has left us in an awkward position after a long attempt at helping.

Regrettably, the more such incidents occur, the more hacking tools we may miss.

#3

Many gamers want to play in a fair environment. If you really want a fair game, the first step is not to get infected with viruses or malware. That benefits gamers, who avoid account hijacking and lag, and it benefits us, because we are not forced to dial down performance metrics. On top of that, detection rates will increase, and game operators will be happier with fewer complaints. Creating a clean gaming environment is not that hard if these steps are taken.

Remember, the easiest way to spot the unclean one in a group is for everyone else to be clean. When everyone is smeared with dirt, it is hard to tell who the unclean one is. So go install a free antivirus and turn on its real-time monitoring feature. And remember, absolutely do not run suspicious files downloaded from the Internet, even if the antivirus reports them as harmless. As a tip, among free antivirus programs Avira seems to catch the most, although it does display adverts.

@codewiz
Looking back, there were good days and bad days. I record all of my little everyday experiences and learnings here. Everything written here is from my personal perspective and opinion, and it has absolutely nothing to do with the organization I am a part of.
(C) 2001 YoungJin Shin, in operation for 0 days