Current schemes to detect cheating in on-line games often build on the assumption that the applied cheat takes actions that are drastically different from normal behavior. For instance, an Aimbot for a first-person shooter is used by an amateur player to increase his/her capabilities many times over. Evading detection would then require reducing the intended effect to the point where the advantage is presumably lowered into insignificance. We argue that this is not necessarily the case and demonstrate how a professional player is able to make use of an adaptive Aimbot that mimics user behavior to gradually increase performance, thereby evading state-of-the-art detection mechanisms. We show this in a quantitative and qualitative evaluation with two professional "Counter-Strike: Global Offensive" players, two open-source Anti-Cheat systems, and the commercially established combination of VAC, VACnet, and Overwatch.
To foster future research and improve existing Aimbot detectors, we make all our implementations for recording player profiles and mimicking user behavior publicly available at:
https://github.com/intellisec/aimbot
A detailed description of our work is going to be presented at the 13th European Workshop on Systems Security (EuroSec 2020) in April 2020. If you would like to cite our work, please use the reference as provided below:
@InProceedings{WitWre20,
  author    = {Tim Witschel and Christian Wressnegger},
  title     = {Aim Low, Shoot High: Evading Aimbot Detectors by Mimicking User Behavior},
  booktitle = {Proc. of the {ACM} European Workshop on Systems Security ({EuroSec})},
  year      = 2020,
  month     = april,
  day       = {27.}
}
A preprint of the paper is available here.