Forensics analysis moves to online games
Cheating in MMO (Massively Multiplayer Online) games is on the rise, and “to fight back, game developers have taken a page from banks and credit card companies. They’re using fraud-detection software to analyze the rushing stream of events that occur in an ordinary MMO day, in search of something fishy.”

http://www.wired.com/gaming/virtualworlds/news/2007/11/mmo_cheats

The above article is interesting in the data forensics context for a few reasons:
- The principles of data forensics are stated clearly,
- There is a pervasive need for detection methodologies,
- We can learn from other disciplines in the fight against cheating,
- The distinction between “games” and “real life” is blurring, and
- Just as forensics methods are cross-disciplinary, so are cheating methods.
The game developers are modeling their detection software on the banking and credit card industries, “by creating a model of how players normally behave during a game.” The software then recognizes a deviation from the norm and flags it. This is the essence of forensics detection.

As an example of “normal test-taking” behavior, consider the histogram in Figure 1.
Figure 1: Histogram of test start times
In the Figure above, most tests start between the hours of 7:00 am and 5:00 pm (17:00). However, there are a few tests that are beginning between the hours of 12 midnight and 2:00 am. This seems very strange and unlike normal test-taking behavior.

The forensics analyst recognizes that cheaters often repeat the same behavior and repeat the same mistakes. For example, in the above data, the distribution of “after hours” testing (i.e., when the test center is normally dark) was not random. Instead, there were just a few test sites where this behavior was occurring. As a consequence, those test sites could be detected. Data from one of the sites is shown below in Figure 2.
Figure 2: Anomalous test site with after-hours testing
What is amazing from Figure 2 is that even for this anomalous test site, it is clear that the “after hours” tests were unusual. While I do not know what actually happened, it appears that an individual at the test center allowed late-night access for some test takers. There could have been a legitimate reason for these tests being taken at these times (i.e., special testing sessions were arranged). On the other hand, such strange data could easily be the result of test fraud (i.e., getting test-taking assistance late at night in order to avoid detection by proctors).

In the above example, I have illustrated how a “normal test-taking” model can be built and then used to detect unusual and anomalous data. After detection, the investigator then seeks an explanation. As Arthur Conan Doyle expressed through his detective, Sherlock Holmes, “Once you eliminate the impossible, whatever remains, no matter how improbable, must be the truth.”

http://thinkexist.com/quotation/once_you_eliminate_the_impossible-whatever/220272.html
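The two steps described above (build a model of normal test start times, then group the deviations by test site to see whether the after-hours pattern repeats in a few places) can be written down as a small analysis. The following is an added example, not code from the original post or from any testing vendor; the session records, site names and the 7:00 to 17:00 "normal" window are constructed for illustration:

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample of test sessions as (site_id, start timestamp).
# These are invented records, not data from the post's Figures 1 and 2.
SESSIONS = [
    ("SITE-A", "2007-11-01 08:15"),
    ("SITE-A", "2007-11-01 09:40"),
    ("SITE-A", "2007-11-01 14:05"),
    ("SITE-B", "2007-11-01 07:55"),
    ("SITE-B", "2007-11-01 10:30"),
    ("SITE-B", "2007-11-01 16:45"),
    ("SITE-C", "2007-11-01 09:00"),
    ("SITE-C", "2007-11-01 13:20"),
    ("SITE-C", "2007-11-02 00:30"),   # after hours
    ("SITE-C", "2007-11-02 01:10"),   # after hours
    ("SITE-C", "2007-11-03 00:45"),   # after hours: the pattern repeats at one site
    ("SITE-D", "2007-11-01 11:00"),
    ("SITE-D", "2007-11-02 01:55"),   # a single after-hours test, not a repeated pattern
]

# Assumed "normal" testing window (7:00 am to 5:00 pm), matching the post's description.
NORMAL_OPEN, NORMAL_CLOSE = 7, 17


def parse_sessions(rows):
    """Turn (site, 'YYYY-MM-DD HH:MM') rows into (site, datetime) pairs."""
    return [(site, datetime.strptime(ts, "%Y-%m-%d %H:%M")) for site, ts in rows]


def start_hour_histogram(sessions):
    """Count of test starts per hour of day (0-23): the 'normal behavior' model."""
    return Counter(dt.hour for _, dt in sessions)


def is_after_hours(dt, open_hour=NORMAL_OPEN, close_hour=NORMAL_CLOSE):
    """True when a start time falls outside the normal testing window."""
    return not (open_hour <= dt.hour < close_hour)


def after_hours_by_site(sessions):
    """Group after-hours starts by site; repeated behavior concentrates in a few places."""
    counts = defaultdict(int)
    for site, dt in sessions:
        if is_after_hours(dt):
            counts[site] += 1
    return dict(counts)


def flag_sites(sessions, min_after_hours=2):
    """Sites showing a repeated after-hours pattern, most frequent first.

    The threshold separates a one-off (possibly a legitimate special session)
    from a pattern that warrants investigation; the analyst still has to
    seek the explanation.
    """
    by_site = after_hours_by_site(sessions)
    return sorted((s for s, n in by_site.items() if n >= min_after_hours),
                  key=lambda s: -by_site[s])


if __name__ == "__main__":
    sessions = parse_sessions(SESSIONS)
    for hour in range(24):
        print(f"{hour:02d}:00 {'#' * start_hour_histogram(sessions)[hour]}")
    print("after-hours counts by site:", after_hours_by_site(sessions))
    print("sites to investigate:", flag_sites(sessions))
```

Running the block prints a text histogram in the spirit of Figure 1, then the per-site breakdown that singles out the one site where the after-hours behavior repeats. The threshold in `flag_sites` is a policy choice: it only ranks sites for a human investigator, who must still decide between a legitimate arranged session and fraud.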