GAN-Aimbots: Using Machine Learning For Cheating in First Person Shooters
Abstract—Playing games with cheaters is not fun, and in a multi-billion-dollar video game industry with hundreds of millions of players, game developers aim to improve the security and, consequently, the user experience of their games by preventing cheating. Both traditional software-based methods and statistical systems have been successful in protecting against cheating, but recent advances in the automatic generation of content, such as images or speech, threaten the video game industry; they could be used to generate artificial gameplay indistinguishable from that of legitimate human players. To better understand this threat, we begin by reviewing the current state of multiplayer video game cheating, and then proceed to build a proof-of-concept method, GAN-Aimbot. By gathering data from various players in a first-person shooter game we show that the method improves players' performance while remaining hidden from automatic and manual protection mechanisms. By sharing this work we hope to raise awareness of this issue and encourage further research into protecting gaming communities.

arXiv:2205.07060v1 [cs.AI] 14 May 2022

All authors are with the School of Computing, University of Eastern Finland, Joensuu, Finland. V. Hautamäki is also with the Department of Electrical and Computer Engineering, National University of Singapore. E-mail: anssk@uef.fi, tkinnu@uef.fi, villeh@uef.fi

I. INTRODUCTION

VIDEO games attract millions of players, and the industry reports its revenue in billions of dollars. For instance, one of the biggest video game publishers, Activision Blizzard, reported more than 75 million players of their game Call of Duty: Modern Warfare (2019) and net revenue of over 3.7 billion US dollars in the first half of 2020 [1]. The gaming communities also contain e-sport tournaments with prize pools in the millions; e.g., World Electronic Sports Games 2016 had a prize pool of 1.5 million USD. With such popularity, cheating practices similar to doping in physical sports are commonplace in video games. For example, two public cheating communities have existed since 2000 and 2001 and have more than seven million members in total [2], [3], and this is only a fraction of such communities. In these communities, users can share and develop different ways to cheat in multiplayer games. Although cheating is more difficult in in-person tournaments, cheating in online games is still prevalent. For example, UnknownCheats [3] has 213 threads and more than a million views for the game Call of Duty: Modern Warfare (2019). The presence of cheaters degrades the user experience of other players, as playing with cheaters is not fun. Game developers are therefore encouraged to prevent such cheating.

A common way to cheat in online games is by using tools and software ("hacks") used by "hackers" [4], dating back to 1990 with the first forms of hacking with Game Genie [5]. Hacking is prohibited by game publishers, and they monitor players with anti-cheat software to detect hacking. A standard approach is to check running processes on the player's computer for known cheating software—similar to how antivirus scanners look for specific strings of binary on a machine. The publisher can also analyse players' behaviour and performance to detect suspicious activity, such as a sudden increase in a player's performance. While hacks can be hidden from the former detection approach, the latter cannot be bypassed, as the system runs on game servers. Analysis of player behaviour is thus an attractive option for publishers.

These data-based anti-cheats have also attracted the attention of the academic community as well as the game industry. Galli et al. (2011) [6] developed hacks that provide additional information to the player and move the mouse in the game Unreal Tournament III. The authors then used machine learning to distinguish these hackers from legitimate players. Hashem et al. (2013) [7] extended this work by evaluating the accuracy of different classifiers versus different hacks. Yeung and Lui (2008) [8] analysed players' performance and then used Bayesian inference to analyse players' accuracy and classify whether a player was hacking.

All of these works have focused on detecting hackers with machine learning, but little attention has been given to cheating with machine learning. Yan and Randell [4] have mentioned the use of machine learning for cheating, but only in the context of board games like Chess and Go, not in video games. Recent advances in machine learning allow one to generate photorealistic imagery [9], speech that attacks voice biometric systems [10] or computer agents that mimic demonstrators [11], [12]. Similar methods could be applied to video games to generate human-like gameplay. We define "human-like gameplay" as artificially generated gameplay that is indistinguishable from genuine human gameplay, either by other humans or by automated detection systems. If used for cheating, these methods threaten the integrity of multiplayer games, as the previously mentioned anti-cheat systems could not distinguish these cheaters.

To develop an understanding of this threat, we design a machine learning method for controlling the computer mouse to augment the player's gameplay and study how effective it is for cheating. This work and its contributions can be summarised as follows:
• We review different ways people hack in multiplayer video games and methods for detecting such cheaters.
• We present a proof-of-concept machine learning method, GAN-Aimbot, for training a hack that mimics human mouse movement.
• We implement GAN-Aimbot along with heuristic hacks as baseline solutions. We then collect gameplay data from multiple human participants and compare how much these hacks improve players' performance.
• We implement an automatic cheat detection system using

[Figure: attack surfaces available to the local player (hacker): game memory, game process, game files, operating-system input handling, input devices, the displayed image buffer, and network packets exchanged with the game server and other players.]
TABLE I
EXAMPLES OF HACKS "IN-THE-WILD", MOST OF WHICH ARE PUBLICLY AND FREELY SHARED ON UNKNOWNCHEATS FORUMS. THESE EXAMPLES WERE PICKED TO DEMONSTRATE DIFFERENT ATTACK METHODS AND FEATURES, PRIORITIZING POPULAR GAMES.

Game | Hack | Attack vector | Features | Description
Call of Duty: Modern Warfare 2 | External ESP^1 | External, memory (read) | ESP, aimbot | Read memory for information. Draw on new window on top of game. Control mouse via OS function. Heuristic mouse movement.
Call of Duty: Modern Warfare 2 | InvLabs M2^2 | Internal (inject) | ESP, aimbot, kill everyone | Read and modify game logic.
ARMA 2 (DayZ mod) | DayZ Navigator^3 | External, memory (read) | ESP | Read memory for information. Show enemy locations on browser-based map.
ARMA 2 (DayZ mod) | DayZ "Wallhack"^9 | External, modify files | ESP, shoot through walls | Remove objects from game by removing files.
ARMA 2 (DayZ mod) | Control Players^8 | Internal (inject), exploit | Misc. | Take control of characters of other players using game's functions.
ARMA 2 (DayZ mod) | DayZ Ghost^7 | External, memory (read/write) | Fly-hack | Write desired location of player into memory faster than game would modify it.
Counter-Strike: Global Offensive | Charlatano^4 | External, memory (read) | ESP, aimbot | Read memory for information. Control mouse via OS function. Advanced heuristics for human-like behaviour (short movement, Bézier curves).
Counter-Strike: Global Offensive | Neural Network Aimbot^5 | Displayed image | Aimbot | Use CV to detect enemies on the screen. Control mouse via OS function. Heuristic mouse movement.
PLAYERUNKNOWN'S BATTLEGROUNDS | PUBG-Radar^6 | Network (read) | ESP | Read network packets for information. Draw info on a separate window.
Battlefield 4 | BF4 Wallhack^10 | Unknown, exploit | ESP, shoot through walls | Possibly exploiting the fact server does not check hits against walls.

1 https://www.unknowncheats.me/forum/call-duty-6-modern-warfare-2/64376-external-boxesp-v5-1-bigradar-1-2-208-a.html
2 https://www.unknowncheats.me/forum/call-of-duty-6-modern-warfare-2-a/91102-newtechnology_publicbot-v4-0-invlabs-m2.html
3 https://www.unknowncheats.me/forum/arma-2-a/80397-dayz-navigator-v3-7-a.html
4 https://github.com/Jire/Charlatano
5 https://www.unknowncheats.me/forum/cs-go-releases/285847-hayha-neural-network-aimbot.html
6 https://www.unknowncheats.me/forum/pubg-releases/262741-radar-pubg.html
7 https://www.unknowncheats.me/forum/dayz-sa/228162-ghost-mode-free-camera-tutorial-source-video-compatible-online-offline.html
8 https://www.unknowncheats.me/forum/arma-2-a/114967-taking-control-players.html
9 https://www.unknowncheats.me/forum/arma-2-a/77733-dayz-wallhack-sorta.html
10 https://www.youtube.com/watch?v=yF7CyqbSS48
of different hacks people have devised, but they generally are easily noticeable by other players or can be prevented by developers.

An open-source hack more similar to our core topic of human-like behaviour is "Charlatano", which advertises itself as a "stream-proof" hack. This hack would not be detected by people observing the gameplay of the hacker, which is achieved via a human-like aimbot that adjusts aim in natural and small increments to avoid suspicion. These features are based on heuristics and on visual observations of what looks human-like to humans. Another hack, the "Neural Network Aimbot", uses the deep neural network "YOLO" [16] to detect targets visible on the screen and then directs aim towards them by emulating mouse movement. The screen image is captured in a manner that mimics game-recording software, and the mouse is moved with operating-system functions, rendering this hack virtually invisible to game software. If combined with an external video-capture device and an independent micro-controller emulating a mouse, this hack would be independent of the machine that runs the game. The behaviour of the player, and specifically the effect of the aimbot on how a player moves their mouse, would be the only possible source for detecting this hack.

C. Countermeasures against hacking

To prevent hacking and cheating, passive methods include designing game flow such that hacking is not possible or obfuscating the compiled game binary such that reverse engineering becomes more difficult. An example of the former option is the game "World of Tanks", in which the player client does not receive any information about enemy locations until they are within line of sight, rendering ESP hacks difficult to implement. The latter option can be a by-product of a digital rights management (DRM) system or an anti-tamper system like that of Denuvo [22], which encrypts the executable code and prevents the use of debugging tools for analysing game flow.

TABLE II
LIST OF COMMON ANTI-CHEAT SOFTWARE FOUND IN GAMES, ALONG WITH A DESCRIPTION OF THE METHODS THEY USE FOR DETECTING HACKERS.

If the creation or use of hacks was difficult or required expensive hardware to execute, hacking would be limited, much like how long passwords are considered secure because randomly guessing them is virtually impossible. Unfortunately,
as game logic and code are the same for all players of a game, only one person needs to create and share a hack before everyone else can use it, much like the unauthorised sharing of game copies. As such, passive methods alone do not reliably prevent hacks unless they are guaranteed to prevent hacking. Active prevention methods are thus necessary.

Active prevention methods aim to detect players using hacks and then remove them from the game, temporarily or permanently (by banning the player). A simple method is to use human spectators who look for suspicious players, but this option does not scale with high numbers of players. Human spectators are also susceptible to false alarms; genuinely proficient players may be flagged as hackers. CS:GO Overwatch [23] crowd-sources this by allowing the game community to judge recordings of other players.

A more common approach is to use anti-cheat software to identify these hackers. Table II lists common anti-cheats found in modern games. A traditional approach is to search for specific strings of bytes in computer memory, obtained by analysing publicly available hacks. The finding of such a signature indicates that a known hack is running on the machine, and the player is flagged for hacking. This method alone is effective against publicly shared hacks but is not helpful against private hacks.

As with any attack-defend situation, with hackers being the attackers and anti-cheats the defenders, there is a constant battle between building better defences and avoiding these defences with better attacks. Signature checks can be avoided by obfuscating the binary code of hacks. In turn, anti-cheats can search for suspicious memory accesses to the game process. Hacks can hide this evidence by using lower levels in the security rings ("kernel-level"), which cannot be scanned by anti-cheats running on the higher levels. Naturally, anti-cheats can adapt by installing themselves on this lower level. However, as PCs are ultimately owned by their users, a hacker could modify their system to fool anti-cheats. Luckily for defenders, studying a user's machine is not the only way to detect hackers.

An alternative is to analyse player data on the game servers (e.g., VACNet [21] and related work [6], [8]). As these types of anti-cheats are executed on the game servers and use the same data the player client must send to play the game in multiplayer games, they cannot be bypassed by hackers like traditional anti-cheats can be. Unfortunately, these methods do have their weakness: errors in classification [24], [25].

Identifying hackers is a binary-classification task: is the given player a hacker or bona fide? With two possible cases and two possible decisions, there are four outcomes, two of which are desired (correct decisions) and two of which are errors. In a false positive (FP) case, a bona fide player is predicted as a hacker, and in a false negative (FN) case a hacking player is predicted as a bona fide player. Since the two classes are unlikely to be perfectly distinguishable (i.e., mistakes will inevitably occur), system designers must balance between user convenience and security. A game developer likely wants to develop a system that exerts caution when flagging people as hackers, as FPs harm bona fide players, which in turn harms the game's reputation. However, if an anti-cheat only analyses player performance, then a hacker can adjust their hacks to mimic top-performing, bona fide players. Such hackers are still better than most players, and they avoid detection by an anti-cheat system that has been tuned not to flag top-performing players. This approach clearly has limitations, which brings us to the analysis of player behaviour.

For example, FairFight gathers information on how a player moves and aims at targets through walls [26]. If a player often aims at enemies behind obstacles and walls, this behaviour signals that a hack is being used, and the player can be flagged. VACNet employs a similar approach: a deep learning model has been trained to classify between bona fide and hacking players according to their mouse movement, using a dataset of known hackers and bona fide players [21]. This kind of anti-cheat does not rely on high performance to detect a hacker, as it attacks the very core of hacking: altering the player's behaviour to improve performance. A hack cannot improve a player's performance if it does not alter their behaviour.
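The convenience-versus-security balance described above can be made concrete with a decision threshold on detection scores. The sketch below uses synthetic score distributions as stand-ins for an anti-cheat classifier's output; all numbers are illustrative, not from the paper.

```python
import numpy as np

# Synthetic detection scores (higher = more hacker-like), standing in
# for an anti-cheat classifier's output; the distributions are made up.
rng = np.random.default_rng(0)
bona_fide = rng.normal(0.0, 1.0, 10_000)
hackers = rng.normal(2.0, 1.0, 10_000)

def rates(threshold):
    """FPR (bona fide players flagged) and FNR (hackers missed)
    when flagging every score at or above `threshold`."""
    fpr = float(np.mean(bona_fide >= threshold))
    fnr = float(np.mean(hackers < threshold))
    return fpr, fnr

# A cautious developer sets the threshold so that at most ~1 in 1000
# bona fide players is flagged, and accepts the miss rate that implies.
cautious = float(np.quantile(bona_fide, 0.999))
fpr, fnr = rates(cautious)
print(f"FPR={fpr:.4f}  FNR={fnr:.2f}")  # tiny FPR, but most hackers pass
```

Lowering the threshold catches more hackers but starts punishing top-performing bona fide players, which is exactly the trade-off the text describes.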
For this paper, the scope of this cloning is limited to mouse movement. If this mimicry is combined with hardware that emulates mouse control and captures the screen image, and with a neural-network aimbot as described earlier, this hack could not be detected by any of the anti-cheat methods described above. While this example is extreme, recent deep learning advances have enabled the generation of various realistic content that is indistinguishable from natural content, like images of faces [9] and speech [27]. Given these results, cloning human behaviour in a video game does not seem unrealistic. To assess the severity of this risk, we design a proof-of-concept method in the context of aimbots, dubbed GAN-Aimbot, and assess both its effectiveness as an aimbot and its undetectability. We limit the scope to aimbots to keep the experiments focused, and also because an undetectable aimbot would disrupt FPS games. To the best of our knowledge, we are the first to openly share such a method. Although our method could be used for malicious purposes, we believe it is better to openly share this information to spur discussion and future work to prevent this type of cheating. We further discuss the positive and negative impact of sharing this work in Section XI.

IV. GAN-AIMBOT: HUMAN-LIKE AIMBOT WITH GENERATIVE ADVERSARIAL NETWORKS

The task of an aimbot is to move the aim-point (where the weapon points at, illustrated by the green cross-hair in Figure 4) to the desired target (e.g., an enemy player) by providing mouse movement, which would normally be provided by the human player. In each game frame, the aimbot moves the mouse ∆x units horizontally (to change the yaw of the aim direction) and ∆y units vertically (to change pitch).

A. Generative adversarial networks for aimbots

GAN-Aimbot, as the name suggests, is built on GANs [13], which consist of two components. A generator G tries to create content that looks as realistic as possible (i.e. similar to the training data), while a discriminator D tries to distinguish between data from the training set and data from the generator. In GAN-Aimbot, the generator generates human-like mouse movement and a discriminator tries to distinguish this movement from the recorded, bona fide human data. After training, we can use the generator as an aimbot in the game. If the generator is able to fool the discriminator at the end of the training, we assume the same applies to other anti-cheat systems, similar to how computer-generated imagery can fool human observers by appearing natural [28].

Training the hack to generate human-like mouse movement is only one part of this task. The hack should also redirect aim towards potential targets. We use a conditional GAN [29], where the desired target is given as a condition to both parts. We also provide mouse movement from previous frames in the condition (context), which allows the generator to adjust generation according to previous steps and the discriminator to spot any sudden changes.

During training, we use the aim-point of the bona fide data a few steps after the context as a target. The generator is then tasked with generating these steps (movement) such that they appear bona fide and such that the final aim-point is close to the target. We use several steps instead of just one to provide more generated data for the discriminator to classify, and we also allow the generator to generate different steps to reach the goal. See Figure 2 for an illustration.

Fig. 2. An illustrative figure of the discriminator D and generator G networks and their inputs/outputs, with a context size of four and two movement steps. Note that "target" is an absolute location with respect to where the trajectory begins, while other values are one-step changes in location. This setup corresponds to training (Algorithm 1), where "target" is taken from human data.

This method is similar to imitation learning methods using an adversarial training setup [11], [12], where the discriminator attempts to distinguish between the computer agent being trained and the demonstration data. The discriminator is then used to improve the agent. However, there are notable differences in our proposed setup:
1) We train the system much like the original GANs [13] on a fixed dataset (we do not need the game as a part of the training process) and use the generator directly as

Algorithm 1 Pseudo-code for training the GAN-Aimbot.
Input: Dataset containing human mouse movement D, generator G and its parameters θG, discriminator D and its parameters θD, number of discriminator updates ND, Adam optimizer parameters AdamD and AdamG, and weight clip parameter wmax.
while training do
    for n ∈ {1 . . . ND} do
        // Sample human data
        xD, yD ∼ D
        // Generate steps
        z ∼ N(0, I)
        g = G(z | yD)
        // Update discriminator
        LD = D(xD | yD) − D(g | yD)
        θD = θD − AdamD(∇θD LD)
        // Clip weights
        θD = clip(θD, −wmax, wmax)
    end for
    // Sample conditions
    yG ∼ D
    // Generate steps
    z ∼ N(0, I)
    g = G(z | yG)
    // Generator loss plus target-point loss (4)
    LG = D(g | yG) + dist(g, t)
    // Update generator
    θG = θG − AdamG(∇θG LG)
end while
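Algorithm 1's update rules can be illustrated on a one-dimensional toy problem. The sketch below keeps the WGAN-style critic loss, weight clipping and alternating updates with the paper's sign convention, but uses linear G and D with hand-derived gradients and omits the conditioning and target-distance terms, so it is a minimal stand-in for the paper's networks rather than a reimplementation.

```python
import numpy as np

# Toy 1-D instance of Algorithm 1: WGAN-style critic loss, weight
# clipping, N_D critic updates per generator update. Conditioning and
# the target-distance term are omitted for brevity.
rng = np.random.default_rng(0)
DATA_MEAN = 3.0                 # "human" mouse steps ~ N(3, 1)
w = 0.0                         # critic D(x) = w * x (a bias cancels in L_D)
a, c = 1.0, 0.0                 # generator G(z) = a * z + c
N_D, W_MAX, LR_D, LR_G = 5, 0.1, 0.05, 0.1

for _ in range(2000):
    for _ in range(N_D):
        x = rng.normal(DATA_MEAN, 1.0, 64)     # sample human data
        g = a * rng.normal(0.0, 1.0, 64) + c   # generate steps
        # L_D = D(x) - D(g)  =>  dL_D/dw = mean(x) - mean(g)
        w -= LR_D * (x.mean() - g.mean())
        w = float(np.clip(w, -W_MAX, W_MAX))   # clip weights
    z = rng.normal(0.0, 1.0, 64)
    # L_G = D(g)  =>  dL_G/da = w * mean(z),  dL_G/dc = w
    a -= LR_G * w * z.mean()
    c -= LR_G * w

print(round(c, 2))  # the generator's mean output drifts towards ~3
```

After training, the generator's output distribution settles around the data mean, which is the same dynamic that lets the full GAN-Aimbot reproduce human-like step distributions.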
TABLE III
SETTINGS OF THE DIFFERENT AIMBOTS
C. Results for detection rates of aimbots

The DET curves in Figure 5 highlight the major differences between the heuristic and the GAN aimbots in detectability: even when trained on the testing data, the FPR began to increase instantly when the FNR decreased (left-most side in the figures). This result indicates that a large portion of samples from heuristic aimbots are separable from human data, while GAN-Aimbot samples are confused with bona fide data. In more realistic scenarios, the error rates increased notably (note the normal-deviate scale of the axes).

Table VI presents the EER and DCFmin values of these same scenarios. Although a GAN-Aimbot improved players'

D. Impact of player skill on detection rate

To study if the player's skill in the game affects the detection rate of the aimbot, we computed the correlation between players' bona fide performance (kills and accuracy) and the average detection scores, using data from the Performance Collection in the oracle scenario. We found virtually no correlation when GAN-Aimbot was used, neither with kills nor accuracy (−0.087 and −0.037, respectively). Note that, because of how the collection was performed, data of the same player may have been used both to train the classifier and in this evaluation, thus skewing the results. As such, these results are preliminary.
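As a rough sketch, the EER reported above can be computed by sweeping a decision threshold over detection scores until the false-positive and false-negative rates meet; the scores below are synthetic stand-ins for classifier outputs, and the per-game averaging mirrors the aggregation studied later in the paper.

```python
import numpy as np

def eer(bona_scores, cheat_scores):
    """Approximate equal error rate: sweep a decision threshold
    (higher score = more likely cheating) and take the operating
    point where FPR and FNR cross."""
    thresholds = np.sort(np.concatenate([bona_scores, cheat_scores]))
    best = 1.0
    for t in thresholds:
        fpr = np.mean(bona_scores >= t)   # bona fide flagged as cheating
        fnr = np.mean(cheat_scores < t)   # cheaters passed as bona fide
        best = min(best, float(max(fpr, fnr)))
    return best

rng = np.random.default_rng(0)
bona = rng.normal(0.0, 1.0, (200, 20))    # 200 bona fide "games", 20 scores
cheat = rng.normal(1.5, 1.0, (200, 20))   # 200 cheating "games"

per_vector = eer(bona[:, 0], cheat[:, 0])              # one score per game
per_game = eer(bona.mean(axis=1), cheat.mean(axis=1))  # 20-score average
print(per_vector, per_game)  # averaging scores per game lowers the EER
```

A lower EER means the two score distributions overlap less; averaging several scores per game shrinks the variance of each class and separates them further.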
Fig. 6. Randomly selected examples of mouse trajectories. Green marks the beginning of the trajectory, purple is the point where the player fires the gun and red is where the trajectory ends. Axis ranges are not shared between figures but are equal per figure (aspect ratio is one).

Fig. 7. EERs of classifying whole games, using a varying number of randomly sampled feature vectors (x-axis) and averaging the score over all these vectors. The line is the average EER over 200 repetitions, and the shaded region is plus/minus one standard deviation.
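Statistics like those reported in Table VII can be computed directly from a sequence of per-frame mouse deltas. The trajectory below is synthetic (an AR(1) process standing in for smooth human movement), so only the computation, not the numbers, mirrors the paper.

```python
import numpy as np

def mouse_stats(deltas):
    """Table VII-style statistics from per-frame (yaw, pitch) deltas:
    mean absolute movement per axis, Pearson correlation between the
    axes (on absolute units), and correlation of successive steps."""
    absd = np.abs(deltas)
    avg_yaw, avg_pitch = absd.mean(axis=0)
    axis_corr = float(np.corrcoef(absd[:, 0], absd[:, 1])[0, 1])
    step_corr = [float(np.corrcoef(deltas[:-1, i], deltas[1:, i])[0, 1])
                 for i in (0, 1)]
    return avg_yaw, avg_pitch, axis_corr, step_corr

# Synthetic "smooth" trajectory: an AR(1) process, so successive steps
# are correlated, as Table VII reports for human players.
rng = np.random.default_rng(0)
noise = rng.normal(size=(1000, 2))
deltas = np.empty_like(noise)
deltas[0] = noise[0]
for t in range(1, len(noise)):
    deltas[t] = 0.7 * deltas[t - 1] + noise[t]

avg_yaw, avg_pitch, axis_corr, step_corr = mouse_stats(deltas)
print(step_corr)  # close to the AR(1) coefficient 0.7 on both axes
```

A heuristic aimbot that recomputes its correction from scratch every frame would show near-zero successive-step correlation on this measure, which is the telltale the paper observes in Table VII.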
TABLE VII
STATISTICS OF THE MOUSE MOVEMENT WITH DIFFERENT AIMBOTS: AVERAGE MOUSE MOVEMENT PER AXIS, PEARSON CORRELATION BETWEEN MOVEMENT PER AXIS AND CORRELATION BETWEEN SUCCESSIVE STEPS PER AXIS. THE FIRST THREE ROWS ARE COMPUTED ON ABSOLUTE UNITS.

Measure | None | Heuristic | GAN
Avg. yaw | 1.47 ± 3.07 | 1.70 ± 3.12 | 1.58 ± 3.08
Avg. pitch | 0.13 ± 0.27 | 0.25 ± 0.58 | 0.19 ± 0.29
Axis corr. | 0.392 | 0.255 | 0.342
Step corr. (yaw) | 0.742 | 0.749 | 0.728
Step corr. (pitch) | 0.658 | 0.042 | 0.648

E. Analysis of mouse movement

Since the classifier was trained to distinguish bona fide players from hacking players, one could assume that an aimbot that evades detection behaves like a bona fide player. This is not necessarily true, however, as the machine learning aimbot could have simply found a weakness in the classification setup, akin to adversarial attacks [39].

Figure 6 outlines how the GAN-Aimbot moves the mouse during gameplay; the network has learned to move in small steps. If one views videos of the gameplay, GAN-Aimbot also occasionally "overshoots" the target point and intentionally misses the target, unlike heuristic aimbots that stick to the target.

Looking at the average absolute per-step mouse movement in Table VII (first and second rows), we see that the heuristic aimbots had the most movement on the vertical axis (pitch), followed by GAN-Aimbot and finally by bona fide players. This result is expected, as moving the PC mouse vertically is less convenient than moving it horizontally (give it a try). Heuristic aimbots may not take this into account, but the GAN-Aimbot learned this restriction from human data. The same can be seen in the correlation of the two variables (third row, significantly different from zero with p < 0.001), where the no-aimbot and GAN-aimbot conditions move the mouse in both axes at the same time more than the heuristic aimbot does.

Finally, the last two rows show the correlation between successive mouse movements, measured as Corr(∆yt+1, ∆yt), averaged over all data points. Heuristic aimbots have a near-zero correlation on the vertical axis: if the target moves closer to or further away from the player, the target point moves vertically on the screen, and heuristic aimbots adjust accordingly. GAN-Aimbot has learned to avoid this behaviour.

F. Classifying whole games with multiple feature vectors

While classifying individual feature vectors simplifies the experiments, practical applications may aggregate data over multiple events. To study how this affects classification results, we use the classifiers trained in the Oracle scenario (Section VIII-B) to score individual feature vectors and then average the scores per game. We then compute the EER (bona fide vs. cheating) of classifying whole games based on these averaged scores. We repeat this for different numbers of feature vectors, randomly sampling the vectors per game, and repeat the process 200 times to stabilize the noise from sampling.

Figure 7 shows the results. Light and strong aimbots are easily detected with less than ten feature vectors (roughly 7 seconds of game time). GAN-Aimbot becomes increasingly detectable with more data, approaching zero EER but not reaching it reliably. This indicates that the correct aggregation of detection scores over individual events will likely work as a good detection mechanism, assuming the GAN-Aimbot cheat is available to the anti-cheat developers.

IX. EVALUATING HUMAN DETECTION RATES

In addition to automatic detection systems, we are interested in whether humans are able to distinguish users of the aimbot from bona fide players by watching video replays of the players.

A. Data collection for video recordings

To gather video recordings of gameplay (Video Collection), we organised a data collection procedure similar to the Heuristic Collection and GAN Collection with different aimbots (none, light, strong and GAN Group 1), in a randomised order to avoid constant bias from learning the game mechanics. We asked five participants from the previous data collection process (GAN Collection) to participate, as they were already familiar with the setup, and had these participants record videos of their gameplay.

We then obtained three non-overlapping clips 30 s in length at random from each recording, where each clip contained at least one kill. In total, we collected 60 video clips, 15 per aimbot including the no-aimbot condition.

B. Setup for collecting human grading

We let human judges grade the recordings (Grade Collection) with one of the following grades and instructions:
12
Experienced X. D ISCUSSION
Cheating judges
FPS players The results provide direct answers for our RQs: the data-
based aimbot does improve players’ performance (RQ1) while
Suspicious remaining undetectable (RQ2). This indicates that the risk of
data-based aimbots to the integrity of multiplayer video games
exists, especially considering that the evaluated method only
Not required less than an hour’s worth of gameplay data to train.
Suspicious
Beyond the field of gaming, the same human-like mouse
None GAN Light Strong control could be used to attack automated Turing tests, or
CAPTCHAs [40], which study a user’s inputs to determine
Fig. 8. Average grading (y-axis) given by human graders for different aimbots
(x-axis), with a black line representing plus-minus one standard deviation,
whether a user is a bot. Previous work has already demonstrated
computed over 90 samples. For strong aimbot, all FPS player judges voted effective attacks against image-based CAPTCHAs [41] and
cheating, hence the standard deviation is zero. systems that analyse the mouse movement of the user [42].
The latter work simulated the CAPTCHA task and trained a
TABLE VIII computer agent to behave in a human-like way, whereas our
R ATIO OF GRADES PER AIMBOT PER GRADER GROUP, IN PERCENTAGES (%).
system only required human data to be trained.
Experienced judges None GAN Light Strong However, our results have some positive outcomes. As the
trained aimbot was harder to distinguish from human players,
Not suspicious 84.4 71.1 42.2 13.3
Suspicious 11.1 17.8 24.4 35.6 it is reasonable to assume its behaviour was closer to human
Cheating 4.4 11.1 33.3 51.1 players. Such a feature is desired in so-called aim-assist features
FPS players of video games, where the game itself helps player’s aim by
Not suspicious 88.9 62.2 8.9 0.0
gently guiding them towards potential targets [43]. Our method
Suspicious 11.1 31.1 20.0 0.0 could be used for such purposes. As it does not set restrictions
Cheating 0.0 6.7 71.1 100.0 on types of input information, it could also be a basis for a more
generic game-assist tool that game developers could include in
their games to make learning the game easier. Alternatively, this
1) Not suspicious. I would not call this player a cheater. methodology could be used to create human-like opponents to
2) Suspicious. I would ask for another opinion and/or play against, similar to the 2K BotPrize competition [44], where
monitor this player for a longer period of time to participants were tasked to create computer players that were
determine if they were truly cheating. indistinguishable from human players in Unreal Tournament.
3) Definitely cheating. I would flag this player for cheating and use the given video clip as evidence.
The above grading system was inspired by situations in the real world. In the most obvious cases, a human judge can flag the player for cheating (Grade 3). However, if the player seems suspicious (e.g., fast and accurate mouse movements but not otherwise suspicious), they can ask for a second opinion or study other clips from the player (Grade 2).
We include both experienced judges, who have experience in studying gameplay footage in a similar setup, and FPS players with more than a hundred hours of FPS gameplay experience. We ensure that all participants are familiar with the concept of aimbots and how to detect them. We provide judges with a directory of files and a text file to fill in and submit back, without time constraints. We obtained the grades from three experienced judges and three FPS players.

C. Results of human evaluation
The results of the human evaluation are presented in Figure 8 and Table VIII. Much like with automatic cheat detection, the GAN-Aimbot was less likely to be classified as suspicious or definitely cheating, while the strong aimbot was always correctly detected by FPS players, with some hesitation from the experienced judges. The latter group commented that cheating had to be exceptionally evident from the video clip to mark the player a cheater, as these judges were aware of bona fide human players who may appear inhumanly skilled.

Such artificial opponents could be more fun to play against, as they could exhibit human flaws and limitations.

A. Possible future directions to detect GAN-Aimbots
Let us assume that hacks similar to GAN-Aimbot become popular and hacking communities share and improve them openly. How could these hacks be prevented by game developers? The results of Section VIII indicate that GAN-Aimbots evade detection, so we need new approaches to detect hackers. The following are broad suggestions that apply to GAN-Aimbots but could also be applied to detect other forms of cheating.
An expensive but ideal approach is to restrict hackers' access to the game's input and output in the first place (e.g., game consoles that prevent the user from controlling the game character by means other than the gamepad). An enthusiastic hacker could still build a device to mimic that gamepad and send input signals from program code, or even construct a robot to manipulate the original gamepad, but we argue that such practices are not currently a major threat, as many players would not want to exert so much effort just to cheat in a video game.
Another approach would be to model players' behaviour over time. Sudden changes in player behaviour could be taken as a sign of potential hacking, and the player could be subjected to more careful analysis. The FairFight anti-cheat advertises similar features [19].
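The over-time modelling idea can be illustrated with a minimal sketch: track a per-match performance statistic (here, hit accuracy) against a rolling baseline and flag matches that jump far above it for closer manual review. The function name, window size, and threshold below are illustrative assumptions, not the method of the paper or of any deployed anti-cheat.

```python
# Sketch of behaviour-over-time monitoring: flag matches whose hit
# accuracy deviates sharply from the player's recent rolling baseline.
# All names and thresholds are hypothetical, for illustration only.
from collections import deque
from statistics import mean, stdev


def flag_sudden_changes(accuracies, window=10, z_threshold=3.0):
    """Return indices of matches whose accuracy jumps far above the
    player's recent baseline (candidates for closer manual review)."""
    history = deque(maxlen=window)
    flagged = []
    for i, acc in enumerate(accuracies):
        if len(history) == window:
            mu, sigma = mean(history), stdev(history)
            # Guard against a zero-variance baseline.
            if sigma > 0 and (acc - mu) / sigma > z_threshold:
                flagged.append(i)
        history.append(acc)
    return flagged


# A player stable around 30% accuracy suddenly hitting 90% is flagged.
matches = [0.31, 0.28, 0.33, 0.30, 0.29, 0.32, 0.27, 0.30, 0.31, 0.29, 0.90]
print(flag_sudden_changes(matches))  # prints [10]
```

Such a flag would not ban a player by itself; as with FairFight-style systems, it would only route the player to more careful analysis, since bona fide players also have unusually good matches.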
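The observation from Section VIII-F, that aggregating classifier scores over many feature vectors still separates subtle cheats from bona fide play, can be sketched as a simple score-pooling rule. The scores and threshold below are synthetic illustrations, not outputs of the paper's classifier.

```python
# Sketch of score aggregation: average per-window cheat scores and
# compare the pooled score to a threshold. Values are synthetic.
from statistics import mean


def decide(window_scores, threshold=0.5):
    """Pool per-window detector scores; True means 'flag as cheating'."""
    return mean(window_scores) > threshold


# A subtle cheat may score only slightly above bona fide play in any
# single window; pooling over many windows still separates the two.
bona_fide = [0.45, 0.48, 0.44, 0.50, 0.46, 0.47]
subtle_cheat = [0.52, 0.55, 0.51, 0.56, 0.53, 0.54]
print(decide(bona_fide))     # prints False
print(decide(subtle_cheat))  # prints True
```

This is why the detection results improve with more data: per-window evidence against a GAN-Aimbot is weak, but it accumulates over a minute of play.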
Extending the idea above, anti-cheat developers could create "fingerprints" of different hacks, similar to the byte-code signatures already used to detect specific pieces of software running on a machine. These fingerprints would model the behaviour of the hack, not that of the players. However, this process would require access to the hacks to build such fingerprints.
Finally, anti-cheats could extend beyond modelling the gameplay behaviour of the player in terms of device inputs and instead include behaviour in the social aspects of the game. Recent work has indicated that the social behaviour of hackers (e.g., chatting with other players) differs notably from that of bona fide players [45]; combined with other factors, this information could be used to develop an anti-cheat that reliably detects hackers and provides an explanation of why the player was flagged [46].

B. Limitations of this work
We note that all experiments were run using one type of classifier and a single set of features, both of which could be further engineered for better classification accuracy. However, the GAN-Aimbot could also be further engineered, and the discriminator element could be updated to match the classifier. Theoretically, the adversarial-style training should scale up to any type of discriminator, until the generator learns to generate mouse movement indistinguishable from bona fide players' data. We also used a fixed target inside the enemy player sprite, but a human player is unlikely to always aim at one very specific spot. This target point could also be determined via machine learning to appear more human-like.
The experiments were conducted using a single game environment and focused solely on mouse movement. While the results might apply to other FPS games, they may not necessarily generalise well to other games and other input mechanisms. Players of a real-time strategy game (e.g., Starcraft II) could theoretically design a system to automatically control the units, for example.

XI. BROADER IMPACT
We detail and present a method that, according to our results, achieves what was deemed negative (a cheat that works and is undetectable). A malicious actor could use the knowledge of this work to implement a similar hack in a commercial game and use it. For this reason, we have to assess the broader impact of publishing this work [47], for which we use the framework of Hagendorff (2021) [48]. This decision framework, based on similar decision frameworks in biological and chemical research, is designed to address the question of whether the technology could be used in a harmful way by defining multiple characteristics of the harm. We answer each of these with a "low" or "high" grading, where "high" indicates a high chance of harm or a high amount of harm.
a) Magnitude of harm: Low. The focus is on individuals. This work could lead to players disliking games as new hackers emerge, to erosion of trust in video game communities and to monetary costs to companies. However, no directed harm is done to individuals (e.g., no bodily harm, no oppression), and the nuisance is limited to their time in video games. Cheating is already prevalent (Section II-B), and while this knowledge could make it more widespread, it would not be a sudden, rapid change in the video game scene.
b) Imminence of harm: High. With enough resources and IT skills, a malicious actor can use the knowledge of our study for harm.
c) Ease of access: Low chance of harm. The method does not require specialized hardware but requires setting up a custom data collection. There are also no guarantees that the described method would work as is in other games.
d) Skills required to use this knowledge: Low chance of harm. Using this knowledge for malicious purposes requires knowledge of machine learning and programming. The included source code only works in the research environment used here and cannot be directly applied to other games. In all likelihood, this will also require training and potentially designing new neural network architectures with associated practical training recipes.
e) Public awareness of the harm: High (hidden) impact of the harm. Given the relative simplicity of this method and the number of active hacking communities, it is possible that a private group of hackers has already used a similar method to conceal their cheating. This would make this work more important, as now the defenders (anti-cheat developers, researchers) are also aware of the issue and can work towards more secure systems.
While in the short term sharing this work may support cheating communities (unless it has already been used secretly), we believe it will be a net-positive gain as researchers and game developer companies improve their anti-cheat systems to combat this threat. If new threats go unnoticed, defence systems may be ill-designed to combat them; our system can detect heuristic aimbots reliably with fewer than ten feature vectors (seven seconds of game time), but the GAN-Aimbot requires more than 70 (one minute), as illustrated by the results in Section VIII-F. As security is an inherently adversarial game whereby novel attacks are counteracted by new defences (and vice versa), we hope our study supports the development of new defences by providing information on emerging attacks. In the short-term future, video game developers could employ stricter traditional methods (Section II-C) for sensitive games, such as requiring a phone number for identification. For data-based solutions, the results in Section VIII-F indicate that aggregating results over multiple events can still work as a detection measure, though detecting GAN-Aimbots was found to require more data for reliable detection. For more sustainable solutions, however, the options described in Section X should be explored.

XII. CONCLUSION
In this work, we covered the current state of cheating in multiplayer video games and common countermeasures used by game developers to prevent cheating. Some of these countermeasures use machine learning to study player behaviour to spot cheaters, but we argue that cheaters could do the same and use machine learning to devise cheats that behave like humans and thus avoid detection. To understand this threat, we designed
a proof-of-concept method of such an approach and confirmed that the proposed method is both a functional cheat and also evades detection by both an automatic system and human judges. We share these results, as well as the experimental code and data (at https://github.com/Miffyli/gan-aimbots), to support and motivate further work in this field to keep video games trustworthy and fun to play for everyone.

REFERENCES
[1] "Activision blizzard's second quarterly results 2020," https://investor.activision.com/static-files/926e411c-7d05-49f8-a855-6dc7646e84c4, accessed February 2022.
[2] "Multiplayer game hacking," https://mpgh.net, accessed February 2022.
[3] "Unknowncheats," https://unknowncheats.me, accessed February 2022.
[4] J. Yan and B. Randell, "A systematic classification of cheating in online games," in Proceedings of 4th ACM SIGCOMM Workshop on Network and System Support for Games. ACM, 2005, pp. 1–9.
[5] M. Nielsen, "Game genie - the video game enhancer," http://www.nesworld.com/gamegenie.php, 2000, accessed February 2022.
[6] L. Galli, D. Loiacono, L. Cardamone, and P. L. Lanzi, "A cheating detection framework for unreal tournament iii: A machine learning approach," in Conference on Computational Intelligence and Games. IEEE, 2011, pp. 266–272.
[7] H. Alayed, F. Frangoudes, and C. Neuman, "Behavioral-based cheating detection in online first person shooters using machine learning techniques," in Conference on Computational Intelligence and Games. IEEE, 2013, pp. 1–8.
[8] S. F. Yeung and J. C. Lui, "Dynamic bayesian approach for detecting cheats in multi-player online games," Multimedia Systems, vol. 14, no. 4, pp. 221–236, 2008.
[9] T. Karras, S. Laine, and T. Aila, "A style-based generator architecture for generative adversarial networks," in Computer Vision and Pattern Recognition, 2019, pp. 4396–4405.
[10] A. Sizov, E. Khoury, T. Kinnunen, Z. Wu, and S. Marcel, "Joint speaker verification and antispoofing in the i-vector space," IEEE Transactions on Information Forensics and Security, vol. 10, no. 4, pp. 821–832, 2015.
[11] J. Ho and S. Ermon, "Generative adversarial imitation learning," in Advances in Neural Information Processing Systems, 2016, pp. 4565–4573.
[12] J. Fu, K. Luo, and S. Levine, "Learning robust rewards with adversarial inverse reinforcement learning," in International Conference on Learning Representations, 2018.
[13] I. Goodfellow, J. Pouget-Abadie, M. Mirza, B. Xu, D. Warde-Farley, S. Ozair, A. Courville, and Y. Bengio, "Generative adversarial nets," in Advances in Neural Information Processing Systems, 2014, pp. 2672–2680.
[14] N. K. Ratha, J. H. Connell, and R. M. Bolle, "Enhancing security and privacy in biometrics-based authentication systems," IBM Systems Journal, vol. 40, no. 3, pp. 614–634, 2001.
[15] C. Roberts, "Biometric attack vectors and defences," Computers & Security, vol. 26, no. 1, pp. 14–25, 2007.
[16] J. Redmon, S. Divvala, R. Girshick, and A. Farhadi, "You only look once: Unified, real-time object detection," in Computer Vision and Pattern Recognition, 2016, pp. 779–788.
[17] B. Innovations, "Battleye," https://battleye.com/, accessed February 2022.
[18] Even-Balance, "Punkbuster," https://evenbalance.com, accessed February 2022.
[19] GameBlocks, "FairFight," https://www.i3d.net/products/hosting/anti-cheat-software, accessed February 2022.
[20] Kamu, "Easy Anti-Cheat," https://easy.ac, accessed February 2022.
[21] J. McDonald, "Using deep learning to combat cheating in CSGO," GDC 2018, https://www.youtube.com/watch?v=ObhK8lUfIlc, 2018.
[22] Irdeto, "Denuvo," https://irdeto.com/denuvo/, accessed February 2022.
[23] "Counter strike: Global offensive. overwatch faq," https://blog.counter-strike.net/index.php/overwatch/, accessed February 2022.
[24] R. O. Duda, P. E. Hart, and D. G. Stork, Pattern Classification. John Wiley & Sons, 2012.
[25] N. Brummer, "Measuring, refining and calibrating speaker and language information extracted from speech," Ph.D. dissertation, Stellenbosch: University of Stellenbosch, 2010.
[26] "Unknowncheats—avoid fairfight bans," https://unknowncheats.me/forum/infestation-survivor-stories/101840-iss-avoid-fairfight-bans-more.html, accessed February 2022.
[27] A. van den Oord, S. Dieleman, H. Zen, K. Simonyan, O. Vinyals, A. Graves, N. Kalchbrenner, A. Senior, and K. Kavukcuoglu, "Wavenet: A generative model for raw audio," in 9th ISCA Speech Synthesis Workshop, 2016, pp. 125–125.
[28] A. Rossler, D. Cozzolino, L. Verdoliva, C. Riess, J. Thies, and M. Nießner, "Faceforensics++: Learning to detect manipulated facial images," in Computer Vision and Pattern Recognition, 2019, pp. 1–11.
[29] M. Mirza and S. Osindero, "Conditional generative adversarial nets," arXiv preprint arXiv:1411.1784, 2014.
[30] M. Arjovsky, S. Chintala, and L. Bottou, "Wasserstein generative adversarial networks," in International Conference on Machine Learning, 2017, pp. 214–223.
[31] D. P. Kingma and J. Ba, "Adam: A method for stochastic optimization," in International Conference on Learning Representations, 2015.
[32] M. Kempka, M. Wydmuch, G. Runc, J. Toczek, and W. Jaśkowski, "Vizdoom: A doom-based ai research platform for visual reinforcement learning," in Conference on Computational Intelligence and Games, 2016, pp. 1–8.
[33] D.-A. Clevert, T. Unterthiner, and S. Hochreiter, "Fast and accurate deep network learning by exponential linear units," in International Conference on Learning Representations, 2016.
[34] M. Feurer, A. Klein, K. Eggensperger, J. Springenberg, M. Blum, and F. Hutter, "Efficient and robust automated machine learning," in Advances in Neural Information Processing Systems 28, 2015, pp. 2962–2970.
[35] F. Pedregosa, G. Varoquaux, A. Gramfort, V. Michel, B. Thirion, O. Grisel, M. Blondel, P. Prettenhofer, R. Weiss, V. Dubourg, J. Vanderplas, A. Passos, D. Cournapeau, M. Brucher, M. Perrot, and E. Duchesnay, "Scikit-learn: Machine learning in Python," Journal of Machine Learning Research, vol. 12, pp. 2825–2830, 2011.
[36] A. Martin, G. Doddington, T. Kamm, M. Ordowski, and M. Przybocki, "The DET curve in assessment of detection task performance," National Inst of Standards and Technology Gaithersburg MD, Tech. Rep., 1997.
[37] G. R. Doddington, M. A. Przybocki, A. F. Martin, and D. A. Reynolds, "The nist speaker recognition evaluation–overview, methodology, systems, results, perspective," Speech Communication, vol. 31, no. 2-3, pp. 225–254, 2000.
[38] "Steam—2020 year in review," https://steamcommunity.com/groups/steamworks/announcements/detail/2961646623386540827, accessed February 2022.
[39] I. Goodfellow, J. Shlens, and C. Szegedy, "Explaining and harnessing adversarial examples," in International Conference on Learning Representations, 2015.
[40] L. Von Ahn, M. Blum, and J. Langford, "Telling humans and computers apart automatically," Communications of the ACM, vol. 47, no. 2, pp. 56–60, 2004.
[41] Y. Zi, H. Gao, Z. Cheng, and Y. Liu, "An end-to-end attack on text captchas," Transactions on Information Forensics and Security, vol. 15, pp. 753–766, 2019.
[42] I. Akrout, A. Feriani, and M. Akrout, "Hacking Google reCAPTCHA v3 using reinforcement learning," in Conference on Reinforcement Learning and Decision Making, 2019.
[43] R. Vicencio-Moreira, R. L. Mandryk, C. Gutwin, and S. Bateman, "The effectiveness (or lack thereof) of aim-assist techniques in first-person shooter games," in Conference on Human Factors in Computing Systems, 2014, pp. 937–946.
[44] P. Hingston, "The 2k botprize," in IEEE Symposium on Computational Intelligence and Games, 2009.
[45] M. L. Bernardi, M. Cimitile, F. Martinelli, F. Mercaldo, J. Cardoso, L. Maciaszek, M. van Sinderen, and E. Cabello, "Game bot detection in online role player game through behavioural features," in ICSOFT, 2017, pp. 50–60.
[46] T. Jianrong, X. Yu, Z. Shiwei, X. Yuhong, L. Jianshi, W. Runze, and F. Changjie, "XAI-driven explainable multi-view game cheating detection," in Conference on Games, 2020.
[47] M. Cook, "The social responsibility of game ai," in Conference on Games, 2021.
[48] T. Hagendorff, "Forbidden knowledge in machine learning: reflections on the limits of research and publication," AI & SOCIETY, vol. 36, no. 3, pp. 767–781, 2021.