An Overview: “How PUBG uses Machine Learning to find cheaters?”
PUBG, an online multiplayer battle royale game developed and published by PUBG Corporation is one of the most addictive game of the decade, how uses Machine Learning or Artificial Intelligence technologies to identify cheaters or fake players on their system. The game has also made multiple headlines for banning even professional players who cheat in their games.
The problem has never really gone away ever since the game was in beta. Cheaters continued to find new methods to exploit holes in the game’s implementation of anti-cheat and were caught in the next wave of bans, but more and more just kept coming.
According ot the Press Release statement by Anti-Cheat team of PUBG, they detailed the various reinforcements and the solutions.
Reinforcement of Techical Measures
There have been various types of attacks made by cheat programs over PUBG’s lifetime, PUBG has taken action and added multiple security measures to improve efficiency and respond to each type of attack, this will always be a never-ending battle. First, how these cheat programs operate in general and the technical reinforcement which have been made based on this by PUBG.
When a cheat program (exe) and the game (exe) launch, relevant data loads onto system RAM simultaneously.
A default protection from the game process or a 3rd party anti-cheat solution gets activated.
- This is a preliminary protection phase to block other processes from accessing this process.
The cheat program process attempts to make the protection technology from #2 ineffective and successfully gains access to the game process memory.
- Being able to access memory means being able to change game related info.
- The most notorious cheats used for this are DKOM, Process Hollowing and SSDT hooking.
The cheat program with game process memory access can collect various data and modify or copy it to provide illegal features that are not provided in the game. The most representative technique used here are DLL injection and Code injection.
- DLL injection: Injects the DLL file to a certain process. Uses LoadLibrary() API from Windows.
- Code injection: Injects execution in the target process. Uses CreateRemoteThread() from Windows.
Memory space obtained can be read freely or falsified/modified to provide features that are not actually provided in-game.
DLL injection is the oldest and most widely used hack method. DLL injection places a certain DLL file into the game process forcefully. When this attack is done successfully, this DLL code will be trusted as if it is the original game code. Consequently, the game process can be modified as the hacker wants by using this DLL for hooking into and hijacking data.
Blocking DLL injection attacks has been a high priority for the anti-cheat team. In the early development phase of PUBG, there were also compatibility issues where programs such as Steam and Discord were incorrectly recognized as attempting to inject DLLs or had DLLs recognized as malicious code.
Kernel driver attacks are another type of hack we’ve experienced. Kernel driver is a file needed for communication between hardware and comes up with a process that operates under a certain authority. As the kernel driver can bypass most anti-cheat solutions and is executed with an authority higher than the general user authority, it is much more difficult to detect.
In addition, despite Windows OS blocking unauthorized kernel driver internally, there are many cases where unauthorized kernel drivers are sold as if they are legal by exploiting security breaches and illegally traded certificates.
The Developer’s team could defend against this type of attack using the same method used to block DLL injections, but it would not be very effective because new vulnerabilities in the Windows OS are constantly being found, and most anti-cheat solutions employ methods similar to those used by malignant code, meaning it is difficult to tell them apart. The anti-cheat team therefore is currently protecting the memory area, which can be abused by hackers, with the highest priority using encryption to effectively respond to attacks using kernel drivers, and is doing its best to apply this method to a wider scope of areas.
Finally, the main methods used by cheaters to hack the game include DLL and code injection, kernel driver attacks, and SSDT process hollowing. Even as PUBG has employed two different anti-cheat solutions, BattlEye and Uncheater, the cheater epidemic has not ceased. These anti-cheats protect the game’s process, and the attempts to circumvent one anti-cheat system.
Improvement of Anti-cheat Solutions
In addition to the technical protection explained above, PUBG also utilizes external anti-cheat solutions to protect the game process area.
The PUBG using two solutions BattlEye and Uncheater. They protect the game process area and detect various attempts used to circumvent the anti-cheat solution at the same time.
On top of these protective anti-cheat solutions, PUBG also applied a machine learning technique that analyzes our players’ usage patterns and have built a system that can detect abnormal game patterns or actions that interrupt the normal operations of the game coming from hack users.
Machine learning is the major solution as anti-cheat team analyzes around 3TB of game logs, 60 or so types of cheat logs, and over 10 million reports on average on a daily basis. Out of this sea of data, the company pick out users who show abnormal patterns and after a verification process, such accounts are banned. Also, They periodically update patterns of unauthorized programs to ensure programs they’ve blocked before haven’t been modified to work again. Moreover, PUBG Corp also encouraged individuals to send reports of individuals they believed were cheating. This is also integral to determining whether an individual is cheating or not, they stated.
This is how PUBG and their Anti-Cheat Team uses Machine Learning to identify or ban fake users, cheaters and hackers to improve quality of their game and also to make game fair for all.
This Article is Written, Edited and Researched by Shobhit Sharma.
