Jump to content

How to improve OSBot as a bot to prevent bans as a community


grammatoncleric

Anti-Cheat System  

27 members have voted

  1. 1. Should OSBot add the purposed anti-cheat system?

    • Yes
      21
    • No
      6


Recommended Posts

Synopsis:
Please do not vote until you have read the thread unless you have already done so.
Should OSBot add analytics and use them for determining features that are increasing bans

Background: 
So recently, I saw that a runelite plugin that is using machine learning and highscores to detect bots. Jagex IS supporting this and sends confirmations to better train the model making the detection better and the detector is being updated every single day. There is over 100M reports so far, and this bot may be 90% accurate. I personally have gotten far less, more around 5% accurate. This plugin runs in the background of runelite, so whenever an account is logged in, and this plugin is installed, it is running the model against whoever comes within range of the account that is running the plugin. It automatically sends reports to jagex if the model thinks that there is a 75% chance or greater of the rsn being a bot.

The Problem:
So with learning about this new bot detector and thinking of why this hasnt been done alot sooner as I myself even posses the knowledge of how to write the machine learning code to do this. I am also thinking about why OSBot, and all the other major botting clients have not implemented any sort of tracking feature(s). Many of the botting clients have a feature(s) suchas improving the mouse by using a hardware mouse, but there is no evidence that using the mouse is used as part of Jagex's bot detection system. There is no point in developing such things if there is nothing to verify that it will actually be beneficial. A guess an check approach is a rough way to go, and it has largely, been this way forever. There is no pre-check or after-check of such systems that can confirm or deny the results of any feature(s). This would be more powerful than Jagex's bot detection itself. Even as Jagex increases their ability to detect bots, this will still be more powerful as it is giving us confirmation of a sequence of events and features that lead to a ban, meaning that no matter how powerful their detection is, there will always be a way of countering it.

Reality:
This would also answer the age old question, is this client detectable? Jagex claims that they can detect when someone uses a third party client, suchas botting software, and this is very likely that they can detect a third party client, but can they detect a third party botting client? It would take some time, but it wouldnt be long before this question is answered. If there is no pattern to how accounts are being banned, there can only be a few reasons why. A: The third party client is being detected B: There are unknown variables that are effecting the bans. [as an example: Jagex is reading the HWIND of computers]. A is a dangerous thing to say because it may extinguish a community if improperly verified, however, prolonging the result indefinitely is also counter productive. B Can be solved. When you download a program from the internet, there is no encryption that exists today that cannot be reverse engineered. This is why SaaS exists [software as a service / an app on a website that provides a service for you that you access from a website]

Possible Solution:
Now, with my programming experience I could write my own botting manager, while it may take me awhile, I could still do it. However, lets take NotABot's botting manager as an example. NotABot has a guide on how to use OSBot for the inexperienced. With this inexperience, it is far more likely for the people using this botting manager to follow in the footsteps of the guides that NotABot provides. So, it would probably be safe to conclude that the majority of users would be generally using the same formula, proxies, scripts script duration, breaks. In order to get a proper, and accurate gauge on how effective the botting client is, the botting client itself needs to implement this kind of tracking. Even if NotABot has his developers implement tracking of the proxies and scripts being used within his botting platform, he still only represents a fraction of the entire botting clients being used [OSBot].
I personally wouldnt be phased at all to have to provide a bit of extra information [proxy provider] to the botting client for this kind of feature, but I am biased, so perhaps a poll would be better, however, having a poll may be a better solution than my sole opinion, but it still may not be the best. How can botters that are currently profiting and content with their current botting status, and botters that are newer, improve? After this is solved, then we can figure out how to proceed.
A problem that I have not solved is the anonymity of botters success. This would more than likely level the playing field. While, experienced botters may always have an edge, this would more than likely significantly lessen that edge.
Botting will eventually be undetectable as machine learning / ai advances, but how long till then is unknown, and when that time is reached, the profitability may be non-existent by then.

How scripting would change:
This would put massive amounts of pressure on developers to provide better programs / scripts for customers in one of the most important aspects of the botting community; the longevity of accounts. Currently scripters are not competitive as there is no incentive to do so, and this is confirmed by pricing. This possibly would reduce the number of scripts that are not doing well and using other people as leverage to test their scripts. Currently, this is a problem in all botting communities, and they have all put bandaids on as a temporary fix. [Removing all scripts from the repo, and forcing developers to follow new guidelines in order for their script(s) to be approved/shown on the new "cleaned" repo]. This is not a solution. This would also more than likely collapse newer developers as they do not have the experience in writing code for this purpose, and without small successes are likely to turn away from continuing to code for the community. This is a good and bad. New scripters means variety, and more importantly, better scripts. More variety is good for goldfarmers, and better scripts are better for goldfarmers and the casual botter [botters who are not selling the gold gained by their account(s)]. The better scripts will not be because the new scripters are writing them, but because there is more competition to do so. 

Important:
This method is to figure where the bans are coming from, and where to shift the focus of improvement. This will likely reduce bans, but there are still many factors.
The only way this would work is if this feature was forced upon the entire botting community, otherwise this is entirely pointless

Thank you for your time
~grammatoncleric

Really interested in what you thoughts are:

Edited by grammatoncleric
Link to comment
Share on other sites

54 minutes ago, stanleylai1 said:

I'm not sure what you mean by a tracking feature? You mean something that could track user's botting habits like breaks, proxies, etc? I'm sorry but although I see why someone would want that info, I don't see it drastically decreasing ban rates.

 

It could determine which scripts, proxies, breaks, and botting durations that have the most success of not being banned. This would also not be limited to these features, but whatever the features we can think of that might impact bans that we can qualitative and quantity.

I would ask that you re-read my thread in order to understand why this would be useful in reducing bans.

As an example, if someone is experiencing bans with a script, proxy or any other feature, it could accurately said to be true or false based upon the majority

This method is to figure where the bans are coming from, and where to shift the focus of improvement. This will likely reduce bans, but there are still many factors.

As the title has the word "improve", meaning that there is a chronological order in which something becomes better, meaning, its going to take some time.

Edited by grammatoncleric
Link to comment
Share on other sites

  • grammatoncleric changed the title to How to improve OSBot as a bot to prevent bans as a community
1 hour ago, grammatoncleric said:

It could determine which scripts, proxies, breaks, and botting durations that have the most success of not being banned. This would also not be limited to these features, but whatever the features we can think of that might impact bans that we can qualitative and quantity.

I would ask that you re-read my thread in order to understand why this would be useful in reducing bans.

As an example, if someone is experiencing bans with a script, proxy or any other feature, it could accurately said to be true or false based upon the majority

This method is to figure where the bans are coming from, and where to shift the focus of improvement. This will likely reduce bans, but there are still many factors.

As the title has the word "improve", meaning that there is a chronological order in which something becomes better, meaning, its going to take some time.

As soon as best proxies/scripts/botting locations/breaks etc. is known they will stop being best as people would start using them and they would create an easily detectable patterns

  • Like 1
Link to comment
Share on other sites

2 hours ago, grammatoncleric said:

but there is no evidence that using the mouse is used as part of Jagex's bot detection system.

I think the only way botting is ever going to be successful again is to leave no stone unturned. Mouse movement is a very easy way to detect a human from a bot, so it's better to assume they do consider it to some extent, rather than not. Even all parts of a mouse click event should be considered. What's the average ms it takes to enter the target area and press down the mouse? To release the mouse? What's the chance of dragging the mouse after a mouse press before the release? What's the mean pixel distance of a click-drag? Are human clicks actually normally distributed within rectangle bounds? These are parts of human nuance that are easy to detect for that I'd bet nobody implements. The mouse is just one part though. The biggest factor is bot behavior. Like you said though, there's just no incentive for anyone who puts in the time and money to solve these problems to give them to the public. The only way it would get into the public is if they need something from the public, such as their human data.

One way to test scripts for detectability would be to run it through some of the bot detection methods from research papers, but that's obviously not going to be exactly like RS's detection methods. It would give you an idea though.

 

2 hours ago, grammatoncleric said:

This would also answer the age old question, is this client detectable?

Injection mode is 100% detectable. You can test this yourself making F2P accounts that only ever login through injection mode and not even botting. I don't think this is really news, but rarely ever anyone talks about it.

 

 

Link to comment
Share on other sites

38 minutes ago, Hawk said:

I think the only way botting is ever going to be successful again is to leave no stone unturned. Mouse movement is a very easy way to detect a human from a bot, so it's better to assume they do consider it to some extent, rather than not. Even all parts of a mouse click event should be considered. What's the average ms it takes to enter the target area and press down the mouse? To release the mouse? What's the chance of dragging the mouse after a mouse press before the release? What's the mean pixel distance of a click-drag? Are human clicks actually normally distributed within rectangle bounds? These are parts of human nuance that are easy to detect for that I'd bet nobody implements. The mouse is just one part though. The biggest factor is bot behavior. Like you said though, there's just no incentive for anyone who puts in the time and money to solve these problems to give them to the public. The only way it would get into the public is if they need something from the public, such as their human data.

One way to test scripts for detectability would be to run it through some of the bot detection methods from research papers, but that's obviously not going to be exactly like RS's detection methods. It would give you an idea though.

 

Injection mode is 100% detectable. You can test this yourself making F2P accounts that only ever login through injection mode and not even botting. I don't think this is really news, but rarely ever anyone talks about it.

 

 

I have previously created an impossibly simple clicking script that just clicks as fast as it can at the exact same pixel and this account is still unbanned, perhaps this is only relevant to timing [2 years ago]

Edited by grammatoncleric
Link to comment
Share on other sites

1 hour ago, Kramnik said:

As soon as best proxies/scripts/botting locations/breaks etc. is known they will stop being best as people would start using them and they would create an easily detectable patterns

^^ This exactly. Once you find the so called "optimal" (scripts, proxies, breaks, and botting durations) and everyone starts copying the optimal botting habit, it will no longer be viable anymore lol. Look at what happened to birdhouses. The optimal situation is to find something that works and keep it a secret. Once Jagex detects thousands of bots doing the same activity with the same breaks, same botting sessions, the activity you're doing is done for. 

Edited by stanleylai1
spelling
  • Heart 1
Link to comment
Share on other sites

39 minutes ago, Hawk said:

I think the only way botting is ever going to be successful again is to leave no stone unturned. Mouse movement is a very easy way to detect a human from a bot, so it's better to assume they do consider it to some extent, rather than not. Even all parts of a mouse click event should be considered. What's the average ms it takes to enter the target area and press down the mouse? To release the mouse? What's the chance of dragging the mouse after a mouse press before the release? What's the mean pixel distance of a click-drag? Are human clicks actually normally distributed within rectangle bounds? These are parts of human nuance that are easy to detect for that I'd bet nobody implements. The mouse is just one part though. The biggest factor is bot behavior. Like you said though, there's just no incentive for anyone who puts in the time and money to solve these problems to give them to the public. The only way it would get into the public is if they need something from the public, such as their human data.

One way to test scripts for detectability would be to run it through some of the bot detection methods from research papers, but that's obviously not going to be exactly like RS's detection methods. It would give you an idea though.

 

Injection mode is 100% detectable. You can test this yourself making F2P accounts that only ever login through injection mode and not even botting. I don't think this is really news, but rarely ever anyone talks about it.

 

 

The purpose of this thread is NOT for discussing techniques for anti-ban, nor discussing techniques on how to impliment anti-cheat.
The purpose of this thread is to determine the direction the community wants to go.

Link to comment
Share on other sites

I think you're on the right track, but I believe detection come not only from botting habits, but from input itself, like reaction times, click-points, mouse speed, etc. And to add on to the bot detection plug-in, I would like to point out that it's BS. I currently have over 10 accounts with 95% plus bot certainity, and I always bot in populated worlds, and I'm certain the plug-in sent those accounts to Jagex. It's been over a month, and I've already sold off a couple. A number of no-life OSRS players or players who make money on their alts have super high bot certainity ratings. They won't get banned. The plug-in sounds good on paper but you can't ban players based on their exp gains.

Link to comment
Share on other sites

9 minutes ago, stanleylai1 said:

^^ This exactly. Once you find the so called "optimal" (scripts, proxies, breaks, and botting durations) and everyone starts copying the optimal botting habit, it will no longer be viable anymore lol. Look at what happened to birdhouses. The optimal situation is to find someone that works and keep it a secret. Once Jagex detects thousands of bots doing the same activity with the same breaks, same botting sessions, the activity you're doing is done for. 

Again, more assumptions.
What makes the optimal settings optimal?
Lets say you and I want to make a zulrah bot. I can almost guarantee that we will not take the same botting route of creating a zulrah bot. We may run the same scripts at the same time, maybe even using the same proxy provider, it is very unlikely that we will both be using bot at the same place.
The purpose of this is to not find out right off the bat, whats the best script to use 100% for everyone, absolutely not... The purpose of this is to find out what contributes to a ban and how to counter it.
Lets say Jagex uses the focus of a window to determine if the account is a bot or not. The bot would simply need to focus the window until jagex changed the way that they detect bots. Lets say that Jagex starts using mouse data instead of window focus to detect bots. As soon as Jagex makes this switch for bot detection, the anti-cheat will pickup on this.

Khaleesi has quite the edge on OSBot, but he still has low banrates with plenty of users using his scripts.

Edited by grammatoncleric
Link to comment
Share on other sites

3 minutes ago, grammatoncleric said:

Again, more assumptions.
What makes the optimal settings optimal?
Lets say you and I want to make a zulrah bot. I can almost guarantee that we will not take the same botting route of creating a zulrah bot. We may run the same scripts at the same time, maybe even using the same proxy provider, it is very unlikely that we will both be using bot at the same place.
The purpose of this is to not find out right off the bat, whats the best script to use 100% for everyone, absolutely not... The purpose of this is to find out what contributes to a ban and how to counter it.
Lets say Jagex uses the focus of a window to determine if the account is a bot or not. The bot would simply need to focus the window until jagex changed the way that they detect bots. Lets say that Jagex starts using mouse data instead of window focus to detect bots. As soon as Jagex makes this switch for bot detection, the anti-cheat will pickup on this.

Khaleesi has quite the edge on OSBot, but he still has low banrates with plenty of users using his scripts.

Apologies, allow me to correct my wording.

Instead of optimal, let me use unique. I correctly have my own set of breaks, settings, scripts, that I use, that are unique to me and my bots. Jagex's detection system is like a web, they use lots, and lots of variables. One thing I know they use is reaction timing in between actions, which I tested a while back. They may also use mouse movements, click-points, but who knows.

Khaleesi has great anti-pattern built within the script like human-idles, but his scripts are still not invincible.

 

Also, I don't want to sound aggressive in anyway, I love these discussions. Not trying to be an asshole. I think this is an interesting thread.

Link to comment
Share on other sites

13 minutes ago, stanleylai1 said:

I think you're on the right track, but I believe detection come not only from botting habits, but from input itself, like reaction times, click-points, mouse speed, etc. And to add on to the bot detection plug-in, I would like to point out that it's BS. I currently have over 10 accounts with 95% plus bot certainity, and I always bot in populated worlds, and I'm certain the plug-in sent those accounts to Jagex. It's been over a month, and I've already sold off a couple. A number of no-life OSRS players or players who make money on their alts have super high bot certainity ratings. They won't get banned. The plug-in sounds good on paper but you can't ban players based on their exp gains.

Going offtopic...

I didnt say the plugin worked, in fact I said that I personally had a 5% or less success rate when using the plugin, but the reason I mentioned the plugin had nothing to do with whether it worked or not...

I did not mention the plugin to provide a method of implementing an anti-cheat system, it's merely what gave me the idea on how to go about it.

I would like to throw everything out the door on what is "known" by Jagex's bot detection and start from scratch. Not to worry, traction should be gained with increasing speed using this approach.

There are still other variables that need to be taken into consideration before concluding that input is a deterministic feature, suchas local files.

Results cannot be compared from player to player, as this is not reproducible and therefore un-determinalistic.

Environments need to be near identical, and confirmed with a large scale replication, and perhaps repeated in order to accurately determine if a feature has an effect on a ban, without doing so, this is just more speculation, which is useless to the community.

Link to comment
Share on other sites

3 hours ago, stanleylai1 said:

Apologies, allow me to correct my wording.

Instead of optimal, let me use unique. I correctly have my own set of breaks, settings, scripts, that I use, that are unique to me and my bots. Jagex's detection system is like a web, they use lots, and lots of variables. One thing I know they use is reaction timing in between actions, which I tested a while back. They may also use mouse movements, click-points, but who knows.

Khaleesi has great anti-pattern built within the script like human-idles, but his scripts are still not invincible.

 

Also, I don't want to sound aggressive in anyway, I love these discussions. Not trying to be an asshole. I think this is an interesting thread.

Dw, your not going to offend me, I am just trying to prevent the thread from dilution, and I believe the only way to do that is to redact any discussion of speculation. 
Your usage of 'lots and lots of variables' means you haven't the clue, and I dont either and I don't think many do, which is why this thread exists in attempt to combat this.
You can tell me you know this or know that, but I doubt there is evidence to support what you think you know. If there is evidence it will come from the collective, which is also the point that I am trying to make with this thread.

I am not trying to be negative, I simply just dont care, I am looking for results and results alone.

Edited by grammatoncleric
Link to comment
Share on other sites

12 hours ago, grammatoncleric said:

If there is no pattern to how accounts are being banned, there can only be a few reasons why.

I know it's conjecture, but in my experience majority of my bans come from either a bad script that messes up (clicks repeatedly), bad proxy/VPN (NordVPN), or the random.dat + HWID not being isolated properly.

As far as a general direction in terms of botting evolution, I don't think one software solution will ever be enough to overcome Jagex anti-ban. Plus, if it's all consolidated to one platform/manager that now 1000's of people use instead of 100's, or 10's, it will become saturated and easily detected. 

I really like the idea of OSBOT 3.0 with AI integration to allow for truly human-like playstyles and patterns. With any software comes some extent of repetitiveness, where an AI could differentiate itself every single time. 

 

 

Edited by Coin4Coin
Link to comment
Share on other sites

4 hours ago, Malcolm said:

I hate to ask but can we get a tldr @grammatoncleric

I ask that you do not vote until you have read the thread if you have not done so already.

Synopsis or if I were to change the title:
Should OSBot add analytics and use them for determining features that are increasing bans

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...