To me, the mathematical aspects of poker bot detection are a lot more interesting than many folks in the information security space appreciate. Online poker sites are conducting ongoing behavioral assessments on tens of thousands of users, employing many of the same methods used in fraud detection, insider threat assessment, and anomaly-based detection found in cybersecurity.
The similarities are evident if you’re familiar with either area, and the back-and-forth arms race between bot developers and detection teams is escalating rapidly.
The detection stack
All of the larger poker platforms have implemented a multi-layered detection model. On the client side, they perform integrity checks on the poker client and monitor for screen-capture tools, memory injection, and unauthorized process interactions. These checks catch the low-hanging fruit: people using obvious automation software that hooks into the poker client.
However, the more interesting detection occurs on the server side, where the room has full visibility into your entire behavioral history: every hand you have ever played.
Detection systems now commonly analyze patterns across five different dimensions.
Timing Analysis: This is the most obvious of the five areas of analysis. A bot that acts after exactly 1.2 seconds every time will be caught. However, the interesting timing analysis goes further: it compares a player’s timing distribution against the predictable distributions that human behavior produces. Humans consistently tank longer on marginal decisions and act more quickly in obvious spots. Moreover, human reaction times follow a log-normal distribution with a distinctive right tail. A bot that injects random delays to mimic human timing generally produces the wrong distribution, and statistical tests are able to identify the synthetic variance.
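One way to test the log-normal claim above, as an added example that is not code from any poker room: take the log of each decision time and check the result for normality with the Jarque-Bera statistic. The sample data, the seed and the 0.1% significance level are assumptions chosen for illustration.

```python
import math
import random
import statistics

# Chi-square(2) critical value at the 0.1% level: -2 * ln(0.001).
JB_CRITICAL = 13.82

def jarque_bera_on_logs(times):
    """Jarque-Bera statistic of log(decision time).

    If times are log-normal, their logs are normal and the statistic is
    small; skewness or wrong tail weight in the logs inflates it.
    """
    logs = [math.log(t) for t in times]
    n = len(logs)
    mean = statistics.fmean(logs)
    m2 = sum((x - mean) ** 2 for x in logs) / n
    m3 = sum((x - mean) ** 3 for x in logs) / n
    m4 = sum((x - mean) ** 4 for x in logs) / n
    skew = m3 / m2 ** 1.5
    excess_kurtosis = m4 / m2 ** 2 - 3.0
    return n / 6.0 * (skew ** 2 + excess_kurtosis ** 2 / 4.0)

def looks_synthetic(times):
    """Flag a timing sample whose logs are significantly non-normal."""
    return jarque_bera_on_logs(times) > JB_CRITICAL

def constructed_samples(n=2000, seed=7):
    """Constructed data: log-normal 'human' times vs. a fixed base delay
    plus uniform jitter, the naive way to add random delays."""
    rng = random.Random(seed)
    human = [rng.lognormvariate(0.5, 0.6) for _ in range(n)]
    bot = [1.2 + rng.uniform(-0.4, 1.8) for _ in range(n)]  # 0.8 s to 3.0 s
    return human, bot

if __name__ == "__main__":
    human, bot = constructed_samples()
    for name, sample in (("human", human), ("bot", bot)):
        jb = jarque_bera_on_logs(sample)
        print(f"{name}: JB={jb:.1f} synthetic={looks_synthetic(sample)}")
```

A production detector would also condition on decision difficulty, since the paragraph above notes that humans tank longer on marginal spots.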
Action Frequency Distributions: Each player develops a statistical signature over a large sample size. What percentage of hands does the player play before the flop? How frequently does he continuation bet? What is his fold-to-three-bet frequency? His check-raise frequency on various board textures? Human players’ frequencies vary over time. Humans tilt, get tired, and alter their strategy based on their opponents. Bot players’ frequencies appear abnormally stable.
The question is not “Is this frequency typical?” but “Is this frequency too consistent?” A player who folds to a three-bet 62% of the time over 50,000 hands is more suspect than one who folded 60% one month and 65% the next.
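The "too consistent" question can be framed as a dispersion test. The following is an added example, not the method of any particular room: it splits a player's fold-to-three-bet history into blocks and compares the block-to-block variation with what pure sampling noise around a single fixed probability would produce. The block sizes, the seed and the `floor` cutoff are assumptions.

```python
import random

def dispersion_ratio(blocks):
    """blocks: list of (folds, opportunities) per time block.

    Chi-square homogeneity statistic divided by its degrees of freedom.
    About 1.0 means the rate varies no more than sampling noise around one
    fixed probability; drifting human play pushes it well above 1.
    """
    total_k = sum(k for k, _ in blocks)
    total_n = sum(n for _, n in blocks)
    p = total_k / total_n
    chi2 = sum((k - n * p) ** 2 / (n * p * (1 - p)) for k, n in blocks)
    return chi2 / (len(blocks) - 1)

def too_consistent(blocks, floor=2.0):
    """floor is an assumed cutoff; a real system would calibrate it against
    the population, including steady professionals."""
    return dispersion_ratio(blocks) < floor

def constructed_blocks(seed=11, n_blocks=50, per_block=1000):
    """Constructed data: 50 blocks of 1,000 three-bet spots each."""
    rng = random.Random(seed)

    def folds(p):
        return sum(rng.random() < p for _ in range(per_block))

    # Fixed-strategy account: folds 62% of the time in every block.
    bot = [(folds(0.62), per_block) for _ in range(n_blocks)]
    # Human: alternates between 60% and 65% from block to block.
    human = [(folds(0.60 if i % 2 == 0 else 0.65), per_block)
             for i in range(n_blocks)]
    return human, bot

if __name__ == "__main__":
    human, bot = constructed_blocks()
    print("human ratio:", round(dispersion_ratio(human), 2))
    print("bot ratio:  ", round(dispersion_ratio(bot), 2))
```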
Session Patterns: Humans have biological needs. Humans take breaks. Humans play fewer hands/hour at 3 AM than at 8 PM. Humans will have losing sessions where they quit early. While bots can be programmed to mimic these behaviors, the combined distribution of session length, time of day, break frequency, and number of tables provides a high-dimensional fingerprint that is difficult to convincingly replicate.
Game Selection Behavior: This is an under-appreciated area. Humans select tables based on a mixture of rational and irrational reasons. Humans track fish. Humans avoid well-known regulars. Humans prefer certain seat locations. Humans have favorite table sizes. Automated systems select games based solely on expected value, which generates a distinct pattern. If a player always sits at the most profitable table within seconds of a weak player sitting down, on dozens of tables at the same time, then this is a signal.
Cross-Player Correlation: The most advanced detection method analyzes correlated play between multiple user accounts. Are two “different” players always at the same tables? Do they avoid playing against each other? Do their timing patterns correlate (both pause at the same moment)? This is essentially the same problem as identifying collusive play in financial markets, and the solutions are similar: network analysis, correlation metrics, and behavioral clustering.
The statistical methods
At the heart of virtually all detection systems are combinations of:
Hypothesis Testing. For each of the behavioral metrics, the system maintains a distribution of “typical” human values. Players are individually evaluated against these distributions. The main challenge is accounting for the population of actual players that are outliers, e.g., professional players who play 12 tables at extremely consistent frequencies may look like a bot to a naive detector.
Markov Chain Analysis. The sequence of actions is as important as the frequencies. Humans demonstrate predictable patterns in their sequence of actions. After being check-raised twice, humans will adjust (they stop continuation betting as much). The speed and magnitude of these adjustments are also indicative. Bots that never adjust are obviously detectable. Bots that adjust perfectly (adapting instantly and optimally) are suspicious in a different manner.
Ensemble Anomaly Scoring. No single metric will definitively indicate whether a player is a bot. Detection systems combine dozens of features into an anomaly score, usually with some form of ensemble method (e.g., gradient boosted trees). A player may be in the 95th percentile for timing consistency (slightly suspicious) and the 90th percentile for session regularity (not notably suspicious). However, being in the 90th+ percentile across five independent dimensions simultaneously is extremely unlikely for humans.
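The percentile argument above can be made concrete with Fisher's method for combining independent tests. This is an added example and a deliberately simple stand-in for the gradient-boosted ensembles mentioned above, not a description of any room's scoring; the player names, percentiles and `alpha` cutoff are constructed.

```python
import math

def chi2_sf_even_df(x, df):
    """Survival function of a chi-square variable with even df (closed form)."""
    half = x / 2.0
    term, total = 1.0, 1.0
    for i in range(1, df // 2):
        term *= half / i
        total += term
    return math.exp(-half) * total

def fisher_combined_p(percentiles):
    """Combine per-dimension suspicion percentiles (each in (0, 1)).

    Assumes the dimensions are independent. Each percentile q is turned
    into a tail probability 1 - q; under the 'ordinary human' hypothesis
    -2 * sum(ln(tail)) follows a chi-square with 2k degrees of freedom.
    """
    tails = [1.0 - q for q in percentiles]
    stat = -2.0 * sum(math.log(t) for t in tails)
    return chi2_sf_even_df(stat, 2 * len(tails))

# Constructed players: five behavioral dimensions each.
CONSTRUCTED_PLAYERS = {
    "one_outlier": (0.95, 0.50, 0.50, 0.50, 0.50),
    "steady_high": (0.90, 0.90, 0.90, 0.90, 0.90),
    "typical": (0.40, 0.55, 0.30, 0.60, 0.45),
}

def flagged(players, alpha=0.02):
    """alpha is an assumed review threshold, not a value from the article."""
    return sorted(name for name, pct in players.items()
                  if fisher_combined_p(pct) < alpha)

if __name__ == "__main__":
    for name, pct in CONSTRUCTED_PLAYERS.items():
        print(f"{name}: combined p = {fisher_combined_p(pct):.4f}")
    print("flagged:", flagged(CONSTRUCTED_PLAYERS))
```

A single 95th-percentile reading leaves the combined p-value near 0.32, while five moderate 90th-percentile readings drive it to about 0.011.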
Why this matters for cybersecurity
Several cybersecurity domains benefit from the analytical methodologies currently being developed in poker bot detection.
Insider threat detection addresses the same basic problem: separating legitimate human activity from automated or malicious activity based on behavioral data. The timing analysis, session pattern analysis, and anomaly scoring methodologies can be directly transferred to insider threat detection. Any compromised account that is being operated by a script will exhibit many of the same statistical characteristics as a poker bot.
Fraud detection in financial services uses essentially the same methodologies. Was this sequence of transactions generated by a human or by automation? Are these two accounts operating independently or in coordination? The experience the poker industry has gained in combating adversaries that attempt to evade detection is directly applicable, because financial fraudsters also attempt to evade detection.
Client-side anti-bot systems for web applications can also draw upon the poker industry’s experience. Client-side checks (CAPTCHAs, etc.) are analogous to poker’s client-side integrity verification — easy to circumvent. Server-side behavioral analysis of timing distributions and action patterns is significantly more robust and represents where the poker industry has focused the majority of its detection efforts.
The adversarial arms race
From a security perspective, the adversarial relationship is what makes poker bot detection so fascinating. Detection improves; bot developers reverse-engineer the detection methods and adapt. Bot developers occasionally publish their discoveries; detection teams update their models.
Currently, the frontiers include biometric-type analysis: mouse movement patterns, click dynamics, and scrolling behavior that are difficult to reproduce convincingly. Some rooms are testing occasional required interactions (verification prompts, CAPTCHAs triggered by anomaly scoring) that interrupt automated play.
However, the most successful current defense is not technological. It is economic. Rooms that detect bots not only ban the account but also confiscate the funds. This changes the risk calculation for bot operators. The expected cost of detection must now be included in the expected value of running the bot. At sufficiently high levels of detection, and with sufficient confiscation penalties, the economics of running a bot no longer make sense.
This is a security lesson that has broader applicability than poker. Sometimes the best defense is not preventing the attack, but making the attack unprofitable.

