Client-Side vs Server-Side Anti-Cheat

This topic is not an easy one to talk about. I will not approach it by saying which one is better; I will only compare the two contexts in practice and describe the fundamentals, pros, and cons of the anti-cheat solutions and some of the techniques in use in the gaming industry right now.

Nowadays any big and competitive game is “protected” by its own solution or uses one of the most well-known anti-cheats in the industry. The main objective of these systems is to deter and detect bad actors, such as hackers and cheaters. By itself, a game using an AC (anti-cheat) always has an impact, which comes from stopping the most traditional cheaters; however, this does not happen in all games out there. Still, I believe the perception of a game being protected by an anti-cheat always has a positive impact in this fight against cheaters.

Hacking and developing cheats is a growing reality, and it’s not easy to stop or just end it. There are communities, forums, and groups of organized people who have a lot of motivation to develop hacks and cheats for games. Cheaters will always exist, and it will always be an endless game of cat and mouse. Hackers will always try to hack games and anti-cheats, if only for the monetary value they can get out of it by selling exploits and cheats on the internet. And of course, with our gaming industry growing, the effort to stop them needs to be even bigger.

Understanding the client-side…

Cheating is a problem that plagues every event that involves one human competing with another, whether it’s poker, sports, or online gaming. In most cases, you can avoid cheating by reducing all forms of privacy and having some person check every player for cards, opponents, or whatever. However, when playing online, you must inherently trust the client.

Gamers wonder why companies that run large competitive games rely solely or primarily on client-side verification, and of course, there is an answer to that. The question is not so much why to rely on the client side, but why there is no other viable model to protect the game from some known ways of modifying it. For example, digital rights management (DRM) is the use of technology to control and manage access to copyrighted material. Another way to describe DRM is that it takes control of digital content from the owner and hands it over to a computer program, which encrypts the content with a secret key so that only those who have the key can decrypt and watch it. This type of software has mitigations to prevent the client from poking around too much, but of course, these must be implemented on the client side to prevent the client from accessing or doing things the company doesn’t want them to do.

An anti-cheat is built on the same foundation: information is collected on the client side by sophisticated routines that run while the application is in use, and if the client is detected doing things it shouldn’t, that information about the client’s bad behavior is sent to the server, which subsequently applies the ban. You can put all the protections in the world on the client, but hackers can exploit these protections, allowing themselves to cheat.

Windows 11 new security features

There are other things that can help reduce the impact of cheaters in video games. Microsoft recently released Windows 11 with at least one interesting thing, called TPM security, that I think can really help increase the level of security when developing a game and make it harder to bypass.

Trusted Platform Module, or TPM, is a secure cryptoprocessor that secures a computer via an integrated cryptographic key. But in more basic terms, it’s like a security alarm for your computer to prevent hackers or malware from accessing data. (source)

The new Windows 11 TPM feature may actually help developers in the future to solve the privilege problem by adding some assurance of trusted computing: with no strange things running in the kernel, there is a completely safe state in user mode that you can trust. It will also help with the privacy concerns that exist around anti-cheats having kernel-level access.

So, in summary, having a good client anti-fraud solution is good because it can get the job done most of the time, but relying on client-side security alone may not be the best position to be in. A breach can happen with the right tools and expertise, so it is only a matter of time. When it happens, a patch needs to be shipped in an update, and until then some players will abuse the breach and take advantage of it.

However, there is also a need for client-side cheating detection, because games depend on the skill of the player. This means that cheating can happen on several levels: hardware, input, and software. Software is only the most convenient; there is usually very little that can be done to protect against a proficient bot, but here at Anybrain we have the right tools to efficiently detect bots and input changes. If there is no protection on the client side, this eliminates all chances that may exist to stop or detect any hacker. At Anybrain, through behavioral analysis sent to the server, it is possible to detect these types of cheats through hardware or input modifications, and we are very proud of that.

Developing hacks and cheats requires a lot of trial and error, even with full access to the source code, and every time there is an update all this work needs to be done again. So client-side protection works in general, because the amount of skill and effort that needs to be put in is enormous and, if you are found out, the consequences are severe.

Is server-side the solution?

Other types of approaches can protect the game in a more subtle way, without having to rely so heavily on the client-side anti-cheat. It is possible to limit the use of cheats by design; a good example of this is the wallhack type of cheat in FPS games. This is achieved simply by not feeding the client so much information: if the client does not have the information, it is impossible to create a cheat by manipulating that data.

So there is no need to send data about things that the player cannot see or hear, such as their location. This reduces the amount of data that the game client has available to manipulate, so by design it reduces the mechanisms by which someone can hack the game or create a cheat. It is not reasonable to let the client tell the server which enemy I have shot, because that way it would be easy to exploit my client and say I shot another player. Instead, the client should send its position when shooting, and the server can validate whether the player hit.
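A sketch of the two server-side ideas above, added here as an illustration and not taken from any game engine or from Anybrain's product: the server filters each client's snapshot by line of sight, and it resolves hits itself from the reported firing position and aim. The 2D world, player names, hit radius and drift tolerance are constructed assumptions.

```python
import math

# Constructed sample state held by the server: one wall and three players.
WALLS = [((5.0, -5.0), (5.0, 5.0))]
PLAYERS = {"alice": (0.0, 0.0), "bob": (3.0, 0.0), "carol": (10.0, 0.0)}
HIT_RADIUS = 0.5        # assumed hitbox radius
MAX_ORIGIN_DRIFT = 1.0  # assumed tolerance between claimed and server position

def _ccw(a, b, c):
    return (c[1] - a[1]) * (b[0] - a[0]) > (b[1] - a[1]) * (c[0] - a[0])

def _segments_cross(p1, p2, q1, q2):
    return (_ccw(p1, q1, q2) != _ccw(p2, q1, q2)
            and _ccw(p1, p2, q1) != _ccw(p1, p2, q2))

def has_line_of_sight(a, b, walls=WALLS):
    return not any(_segments_cross(a, b, w1, w2) for w1, w2 in walls)

def snapshot_for(viewer, players=PLAYERS, walls=WALLS):
    """Positions the server sends to `viewer`: itself plus players it can see."""
    me = players[viewer]
    return {name: pos for name, pos in players.items()
            if name == viewer or has_line_of_sight(me, pos, walls)}

def validate_shot(shooter, claimed_origin, direction, players=PLAYERS, walls=WALLS):
    """The client reports only where it fired from and its aim; the server picks the hit."""
    if math.dist(players[shooter], claimed_origin) > MAX_ORIGIN_DRIFT:
        return None  # claimed position disagrees with server state: reject
    norm = math.hypot(*direction)
    if norm == 0:
        return None
    dx, dy = direction[0] / norm, direction[1] / norm
    ox, oy = players[shooter]  # trace from the server's position, not the claim
    best = None
    for name, (px, py) in players.items():
        if name == shooter:
            continue
        t = (px - ox) * dx + (py - oy) * dy  # distance along the ray
        if t <= 0:
            continue  # target is behind the shooter
        near = (ox + t * dx, oy + t * dy)
        # Simplification: occlusion is tested against the target's centre.
        if (math.dist(near, (px, py)) <= HIT_RADIUS
                and has_line_of_sight((ox, oy), (px, py), walls)
                and (best is None or t < best[0])):
            best = (t, name)
    return best[1] if best else None
```

With this state, alice's snapshot never contains carol's position, and a shot that alice claims to have fired from the far side of the wall is rejected because it disagrees with the server's record of where she is.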

But is it really that simple? What is the cost of strengthening the server-side and preventing the client from receiving data?

For example, in an online poker game, you simply must not send a player the value of any card that he is not supposed to know. So even if he does hack the client, there is nothing hidden that he can reveal and no cheat he can do that he cannot do with a normal client. But does this work for all games? Of course not; modern games are much more complex.

In an FPS game, it is not so easy to decide if and how well you can see another player. You could say that it is easy: if there is a wall between the two of you, you can’t see him. And for those simple cases, modern games can already remove the enemy player from your view, so you can’t get his position. But once the enemy is in a dark, barely visible corner, the game still needs to send his position to you so that your graphics device can paint him there.

Lag can also be a problem. In a first-person shooter game, you will normally move the mouse very fast and see the screen rendering super fast. But sending this action over the network and waiting for the result to appear on the screen will take longer than rendering locally. With a fast internet connection, you may be lucky, but not all connections are stable and the delay can sometimes increase. A game that reacts slowly will not be a very fun game for sure; the experience would be horrible.

Another example is sound: stereo sound requires a 3D localization of the source. To play a footstep sound, your client needs to know exactly where the step came from, and you could convert that into a wallhack, right? Server-side restriction alone is not enough; you need more than that.

Can server-side ML help?

Absolutely yes, we love it! For a AAA game with millions of players, it is crucial to have an ML (machine learning) system that monitors analytics to identify cheating, together with enhanced investigation processes to detect and deter cheaters. There is no one solution; you need everything combined, and ML is part of that. Nothing is a silver bullet, but ML can help a lot, especially when you are a AAA game.

Final thoughts

Passing all calculations to the server can be exorbitantly expensive. To do that, the client would need to save all user interactions and the time they occurred. Moving all this information to the server to do the analysis may not be reasonable, so instead some of the computation is moved to the client. So it is really necessary to perform a cost-benefit analysis and find the right balance between computing costs and risk management.

Investing in sophisticated server-side routines will definitely increase the security level in many ways, and cloud gaming is a good example of this, but is this enough? If a bad actor tries to access a streaming game, what they can do is, by design, very limited. They don’t have access to the exe/dll files and their inputs, and there is no modifiable code either. This is what cloud game security offers: a significant leap forward in fraud protection. But there are always a ton of opportunities to cheat which cannot easily be defeated by traditional anti-cheat software. What about letting a robot play for you? Or even things like DDoS attacks from a botnet on your enemy team to disturb their communications?

So, having a client-side anti-cheat with an extra layer of security where the code cannot be touched, and applying data science on top of it, can be a scenario that ensures honest players are not punished, but as I said before, nothing is a silver bullet and there is no perfect solution.
