How to detect bots on my game website?
February 17, 2014 9:17 AM Subscribe
As a follow up to my question about keeping an online game from being gamed: How do I programatically detect bot-players?
I'm running a game-site where you click on a button and, if you're click number X, you get a prize. There's a minimum wait between clicks, a few seconds.
I've detected some obvious bots, that clicked at regular intervals for over an hour.
Now I'd like to be able to analyse players' click histories automatically (they're logged in and I record every single click with a timestamp and user account) so as to flag likely bots, so I can challenge, penalize or delete them.
What sort of numerical analysis would help me figure out who's human and who's not?
The site's Django + Python on Heroku.
I'm running a game-site where you click on a button and, if you're click number X, you get a prize. There's a minimum wait between clicks, a few seconds.
I've detected some obvious bots, that clicked at regular intervals for over an hour.
Now I'd like to be able to analyse players' click histories automatically (they're logged in and I record every single click with a timestamp and user account) so as to flag likely bots, so I can challenge, penalize or delete them.
What sort of numerical analysis would help me figure out who's human and who's not?
The site's Django + Python on Heroku.
Best answer: Found another paper on the topic here. The authors combined in-page javascript with a bit of server-side analysis to make a bot v. human call.
posted by jquinby at 10:08 AM on February 17, 2014
posted by jquinby at 10:08 AM on February 17, 2014
You could just require a captcha to be solved after each click, or after some random number of clicks.
posted by jeffamaphone at 10:26 AM on February 17, 2014
posted by jeffamaphone at 10:26 AM on February 17, 2014
If you set out to distinguish humans from computers, you just set yourself up for an arms race, and probably eventually end up with something Captcha-ish. I guess if your game is low enough stakes, you might eventually raise the complexity bar for your attackers high enough that they move on to something which is less of a waste of their time.
Rather than focusing on detecting bots and banning them, it might be more productive to just make your game resistant to botting behavior. One way I think about this problem is to ask yourself what harm are bots going to do? How do bot-players gain an advantage over non-botting players?
For example, suppose that you figure that botting players will be able to play 24 hours a day, 7 days a week, while honest players will be playing much less. You could offer diminishing returns on payouts after certain time thresholds are reached, so that a bot does not come out significantly ahead of a regular player. This might have the added benefit of encouraging real humans to play every day, so that they do not miss out on "bonus" payouts. IIRC several MMOs do this now, where being offline accrues bonus "resting" XP which is cashed in when the player earns regular XP later.
posted by rustcrumb at 11:00 AM on February 17, 2014 [2 favorites]
Rather than focusing on detecting bots and banning them, it might be more productive to just make your game resistant to botting behavior. One way I think about this problem is to ask yourself what harm are bots going to do? How do bot-players gain an advantage over non-botting players?
For example, suppose that you figure that botting players will be able to play 24 hours a day, 7 days a week, while honest players will be playing much less. You could offer diminishing returns on payouts after certain time thresholds are reached, so that a bot does not come out significantly ahead of a regular player. This might have the added benefit of encouraging real humans to play every day, so that they do not miss out on "bonus" payouts. IIRC several MMOs do this now, where being offline accrues bonus "resting" XP which is cashed in when the player earns regular XP later.
posted by rustcrumb at 11:00 AM on February 17, 2014 [2 favorites]
One approach that comes to mind is to have a grid of images and have one image be distinctively different. The different image would hold the mark the users click on The images are assigned by the server. For example eight pictures of cats and one of a dog. Users must click on the dog.
posted by forforf at 5:33 PM on February 17, 2014
posted by forforf at 5:33 PM on February 17, 2014
I don't think you can get a 100% detection rate against bots, and the more elaborate your countermeasures are the more you are likely to drive off legitimate players. If the stakes are reasonably high, a malicious player could just hire some actual humans in another country to play the game for them for some small amount of money, much like how companies hire people to farm gold in MMORPGs that can then be converted to real money on third-party exchange sites.
If your prize is good enough, I think you can assume that the winner will pretty much always be a bot or a farmer. I've not heard of this problem being solved, though you can use captchas and such to raise the annoyance barrier to the point where only dedicated botters will bother. I suspect though that most off-the-shelf captcha systems are themselves locked in perpetual arms races with bots, and even if the bot is only successful at solving the captcha 25% of the time, that may be enough as long as it has a wide enough range of IP addresses to work from so that it getting locked out at any given address doesn't cause a problem.
Seriously, I think the answer to your question is "you can't". I mean, you can detect/prevent the most obvious bots, but the more sophisticated ones are basically unstoppable. As in most arms races, the attacking side generally has the advantage. People have sunk big bucks and lots of worker-hours into solving this problem, and none of them have perfect solutions or even very good solutions that don't cause a lot of annoyance to regular users. In your case, the system would have to be both perfect and non-annoying for it to be worth using.
posted by Scientist at 7:24 PM on February 17, 2014
If your prize is good enough, I think you can assume that the winner will pretty much always be a bot or a farmer. I've not heard of this problem being solved, though you can use captchas and such to raise the annoyance barrier to the point where only dedicated botters will bother. I suspect though that most off-the-shelf captcha systems are themselves locked in perpetual arms races with bots, and even if the bot is only successful at solving the captcha 25% of the time, that may be enough as long as it has a wide enough range of IP addresses to work from so that it getting locked out at any given address doesn't cause a problem.
Seriously, I think the answer to your question is "you can't". I mean, you can detect/prevent the most obvious bots, but the more sophisticated ones are basically unstoppable. As in most arms races, the attacking side generally has the advantage. People have sunk big bucks and lots of worker-hours into solving this problem, and none of them have perfect solutions or even very good solutions that don't cause a lot of annoyance to regular users. In your case, the system would have to be both perfect and non-annoying for it to be worth using.
posted by Scientist at 7:24 PM on February 17, 2014
Response by poster: I'm not looking for a perfect system to stop 100% of bots cold. I am looking for a mathematical way to analyse the data I have to flag some users as potential bots, so I can decide whether or not to throttle or deactivate their accounts (like jquimby's link). Any answers on that would be welcome.
posted by signal at 4:07 AM on February 18, 2014
posted by signal at 4:07 AM on February 18, 2014
This thread is closed to new comments.
posted by jquinby at 9:46 AM on February 17, 2014