CN106230644B - Client acceleration detection method - Google Patents
Client acceleration detection method Download PDFInfo
- Publication number
- CN106230644B CN106230644B CN201610788564.5A CN201610788564A CN106230644B CN 106230644 B CN106230644 B CN 106230644B CN 201610788564 A CN201610788564 A CN 201610788564A CN 106230644 B CN106230644 B CN 106230644B
- Authority
- CN
- China
- Prior art keywords
- client
- function
- timing function
- timing
- acceleration
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L41/00—Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
- H04L41/14—Network analysis or design
- H04L41/147—Network analysis or design for predicting network behaviour
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L43/00—Arrangements for monitoring or testing data switching networks
- H04L43/08—Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters
Abstract
The application discloses a detection method for client acceleration, which comprises the following steps: the method comprises the steps that a client side obtains a function body and/or a return value of a timing function of the client side in each preset detection period; and the client determines whether the client acceleration behavior exists currently or not according to the function body and/or the return value. By adopting the invention, the client-side accelerated cheating can be accurately detected without influencing the concurrent processing capability of the server-side.
Description
Technical Field
The invention relates to a security technology of a game system, in particular to a detection method for client acceleration.
Background
In large-scale network games, acceleration cheating of a client is often prohibited, so that unfair competition occurs in the games, the reliability of a game system is seriously influenced, and a large amount of loss of clients is caused. Therefore, a method for effectively detecting the acceleration of the client is needed, so that the acceleration cheating of the client can be effectively monitored, and the reliability and fairness of the game system are ensured.
In the existing scheme for detecting the acceleration of the client, the client is detected in a server verification mode. The server side monitors the packet sending frequency of the client side, judges whether the packet sending frequency exceeds a specified frequency threshold value, if so, the frequency is considered to be too fast, and judges that the client side has an accelerated cheating behavior.
Due to the fact that the frequency of the client-side package sending is different under different game scenes, the frequency threshold value needs to be set to be larger in the client-side acceleration detection scheme, and therefore the frequency threshold value can cover all scenes. In this way, for a scene with a low frequency of client-side package sending, the frequency threshold configured by the system has an excessive problem, which results in a problem that only a player with too fast acceleration can be checked, and a player with slight acceleration cannot be checked. On the other hand, since the verification is performed at the server, the pressure of the server is increased, and the concurrent processing capability of the server is reduced.
Therefore, the existing client-side acceleration detection scheme has the problems of missed detection and adverse influence on the concurrency of the server side.
Disclosure of Invention
In view of the above, the present invention is directed to a method for detecting acceleration of a client, which can accurately detect acceleration cheating of the client without affecting concurrent processing capability of a server.
In order to achieve the purpose, the technical scheme provided by the invention is as follows:
a detection method of client acceleration comprises the following steps:
the method comprises the steps that a client side obtains a function body and/or a return value of a timing function of the client side in each preset detection period;
and the client determines whether the client acceleration behavior exists currently or not according to the function body and/or the return value.
In summary, the client acceleration detection method provided by the present invention detects the client acceleration behavior on the client side according to the implementation process and/or the return value of the timing function, so that the acceleration behavior of the client can be accurately identified, the processing load of the server can be reduced, and the concurrent processing capability of the server can be ensured.
Drawings
FIG. 1 is a schematic flow chart of a method according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention will be described in further detail with reference to the accompanying drawings and specific embodiments.
The core idea of the invention is as follows: and checking the client accelerator at the client according to the implementation process and/or the return value of the timing function so as to more accurately identify the acceleration behavior of the client and ensure the reliability of the game system.
Fig. 1 is a schematic flow chart of an embodiment of the present invention, and as shown in fig. 1, the embodiment of the client acceleration detection method mainly includes:
In this step, it is necessary to acquire information related to the timing function of the client side at each detection period, so as to accurately identify the acceleration behavior of the client based on the information.
Preferably, the timing function may include: timeGetTime, QueryPerformanceCounter, and/or gettimeckcount functions.
Preferably, the following method may be adopted to obtain the return value of the timing function of the client:
the client obtains the server time from the server at a preset first time of the current detection period S1, and simultaneously obtains a return value L of each timing function from the local clienti,1(ii) a At a preset second moment of the current detection period, the server time S2 is obtained from the server, and the return value L of each timing function is obtained from the local clienti,1Wherein i is the number of the timing function.
In this step, the first time and the second time may be set as fixed time points in one detection period by those skilled in the art, or may be two different times randomly selected in one detection period. The specific arrangement mode can be set by a person skilled in the art according to actual needs.
Preferably, the following method may be adopted to obtain the function body of the timing function of the client:
the client acquires a function body of the timing function and a memory address of the timing function from a dynamic link library; and acquiring a function body of the timing function from the memory address.
Specifically, the dynamic link library may include: winmm. dll and/or kernell 32. dll. The dynamic link library used in practice is determined by the timing function used.
And 102, the client determines whether the client acceleration behavior exists currently according to the function body and/or the return value.
In this step, whether the client acceleration behavior exists currently may be determined according to the function body of the timing function or the return value of the timing function acquired in the current detection period in step 101, or may be determined according to the function body and the return value, so that the client acceleration behavior may be identified more accurately.
When whether the client acceleration behavior exists or not is determined according to the function body of the timing function, the client acceleration realized by illegal tampering of the timing function in the memory by using the HOOK technology can be effectively identified. Preferably, the following method can be adopted to determine whether the client acceleration behavior exists currently according to the function body of the timing function:
and for each timing function, comparing the function body of the timing function acquired from the dynamic link library with the function body of the timing function acquired from the memory address, and if the function bodies are not consistent, judging that the acceleration behavior of the client exists currently.
When whether the client acceleration behavior exists or not is determined according to the return value of the timing function, the illegal tampering of the timing function in the memory by using the HOOK technology can be effectively identified, and meanwhile, the condition that the time function of the kernel layer is modified by using the HOOK technology can be identified, so that the accuracy of identifying the client acceleration behavior can be further improved. Preferably, the following method may be adopted to determine whether the client acceleration behavior exists currently based on the method of obtaining the return value of the timing function in step 101:
calculating an interval Δ t between the server time S2 and the server time S1 according to the Δ t-S2-S1;
for each of said timing functions, in terms of Δ Li=Li,2-Li,1Calculating a difference Δ L between the return values of each of the timing functions at the second time and the first timei;
Judging whether the following steps exist: Δ Li- Δ t ≧ a, a > 0; and if so, judging that the client acceleration behavior exists currently, wherein a is a preset acceleration threshold.
In the method, whether the client has acceleration behavior is determined by judging whether the timing interval of the client is consistent with the time interval of the server within a certain time interval. Therefore, all behaviors accelerated by adopting the HOOK technology in the application layer or the kernel layer of the client can be accurately identified, so that the detection accuracy of the acceleration of the client can be greatly improved, and the concurrency performance of the server cannot be adversely affected.
In an ideal case, Δ L if the client has no acceleration behavioriΔ t should be 0, but Δ L when the client has no acceleration behavior in consideration of the influence of the actual application environmentiIt is also possible that the value of Δ t is greater than 0, and a is used to indicate the degree of difference that the system can tolerate. The a is a preset acceleration threshold, and if the value is too small and too large, the problem of false detection exists, specifically, a suitable value can be set by a person skilled in the art through simulation according to actual needs, so that the value is matched with an actual scene.
In summary, the above description is only a preferred embodiment of the present invention, and is not intended to limit the scope of the present invention. Any modification, equivalent replacement, or improvement made within the spirit and principle of the present invention should be included in the protection scope of the present invention.
Claims (4)
1. A method for detecting client acceleration is characterized by comprising the following steps:
the method comprises the steps that a client side obtains a function body and/or a return value of a timing function of the client side in each preset detection period;
the client determines whether a client acceleration behavior exists currently according to the function body and/or the return value;
wherein, the obtaining of the return value of the timing function of the client includes:
the client obtains the server time from the server at a preset first time of the current detection period S1, and simultaneously obtains a return value L of each timing function from the local clienti,1(ii) a At a preset second moment of the current detection period, the server time S2 is obtained from the server, and the return value L of each timing function is obtained from the local clienti,2Wherein i is the number of the timing function;
when the client determines whether the client acceleration behavior exists currently according to the return value, determining whether the client acceleration behavior exists currently comprises the following steps:
calculating an interval Δ t between the server time S2 and the server time S1 according to the Δ t-S2-S1;
for each of said timing functions, in terms of Δ Li=Li,2-Li,1Calculating a difference Δ L between the return values of each of the timing functions at the second time and the first timei;
Judging whether the following steps exist: Δ Li- Δ t ≧ a, a > 0; if so, judging that the client acceleration behavior exists currently, wherein a is a preset acceleration threshold;
when the client determines whether the client acceleration behavior exists currently according to the function body, determining whether the client acceleration behavior exists currently comprises the following steps:
and for each timing function, comparing the function body of the timing function acquired from the dynamic link library with the function body of the timing function acquired from the memory address, and if the function bodies are not consistent, judging that the acceleration behavior of the client exists currently.
2. The method of claim 1, wherein the timing function comprises: timeGetTime, QueryPerformanceCounter, and/or gettimeckcount functions.
3. The method according to claim 1, wherein the obtaining a functional body of the timing function of the client comprises:
the client acquires a function body of the timing function and a memory address of the timing function from a dynamic link library; and acquiring a function body of the timing function from the memory address.
4. The method of claim 3, wherein the dynamically linked library comprises: winmm. dll and/or kernell 32. dll.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201610788564.5A CN106230644B (en) | 2016-08-31 | 2016-08-31 | Client acceleration detection method |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201610788564.5A CN106230644B (en) | 2016-08-31 | 2016-08-31 | Client acceleration detection method |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN106230644A CN106230644A (en) | 2016-12-14 |
| CN106230644B true CN106230644B (en) | 2020-01-21 |
Family
ID=58073767
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201610788564.5A Active CN106230644B (en) | 2016-08-31 | 2016-08-31 | Client acceleration detection method |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN106230644B (en) |
Families Citing this family (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN109753322B (en) * | 2017-08-29 | 2022-04-15 | 武汉斗鱼网络科技有限公司 | Method and device for accelerating application program on IOS platform |
| CN109464805A (en) * | 2018-10-11 | 2019-03-15 | 北京奇虎科技有限公司 | Malware detection methods, device, electronic equipment and storage medium |
| CN111124869A (en) * | 2018-10-30 | 2020-05-08 | 武汉斗鱼网络科技有限公司 | Program accelerated detection method, storage medium, device and system |
| CN109522712B (en) * | 2018-10-31 | 2020-10-16 | 武汉斗鱼网络科技有限公司 | Method, storage medium, device and system for detecting system acceleration |
Citations (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN103049628A (en) * | 2011-10-14 | 2013-04-17 | 深圳市快播科技有限公司 | Accelerating method and system of online game |
| CN103268337A (en) * | 2013-05-16 | 2013-08-28 | 北京奇虎科技有限公司 | Playing method and device of videos in web pages |
| CN105224294A (en) * | 2014-06-06 | 2016-01-06 | 深圳市天趣网络科技有限公司 | A kind of game accelerated method and device |
Family Cites Families (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US9536091B2 (en) * | 2013-06-24 | 2017-01-03 | Fireeye, Inc. | System and method for detecting time-bomb malware |
-
2016
- 2016-08-31 CN CN201610788564.5A patent/CN106230644B/en active Active
Patent Citations (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN103049628A (en) * | 2011-10-14 | 2013-04-17 | 深圳市快播科技有限公司 | Accelerating method and system of online game |
| CN103268337A (en) * | 2013-05-16 | 2013-08-28 | 北京奇虎科技有限公司 | Playing method and device of videos in web pages |
| CN105224294A (en) * | 2014-06-06 | 2016-01-06 | 深圳市天趣网络科技有限公司 | A kind of game accelerated method and device |
Also Published As
| Publication number | Publication date |
|---|---|
| CN106230644A (en) | 2016-12-14 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN106230644B (en) | Client acceleration detection method | |
| CN109117250B (en) | Simulator identification method, simulator identification equipment and computer readable medium | |
| US10826684B1 (en) | System and method of validating Internet of Things (IOT) devices | |
| US10291630B2 (en) | Monitoring apparatus and method | |
| WO2021036014A1 (en) | Federated learning credit management method, apparatus and device, and readable storage medium | |
| CN110417778B (en) | Access request processing method and device | |
| US8407799B2 (en) | Software behavior modeling device, software behavior modeling method, software behavior verification device, and software behavior verification method | |
| WO2020019483A1 (en) | Emulator identification method, identification device, and computer readable medium | |
| CN104767713B (en) | Account binding method, server and system | |
| CN109062667B (en) | Simulator identification method, simulator identification equipment and computer readable medium | |
| CN106470188B (en) | Detection method, device and the security gateway of security threat | |
| CN108694320B (en) | Method and system for measuring sensitive application dynamic under multiple security environments | |
| WO2019136850A1 (en) | Risk behavior recognition method and system, and storage medium and device | |
| CN110995684B (en) | Vulnerability detection method and device | |
| CN106790189B (en) | intrusion detection method and device based on response message | |
| CN109543408A (en) | A kind of Malware recognition methods and system | |
| CN108989294A (en) | A kind of method and system for the malicious user accurately identifying website visiting | |
| CN104598820A (en) | Trojan virus detection method based on feature behavior activity | |
| CN106982151B (en) | Detection method, device and the game system of speed of service exception in a kind of game | |
| CN106529291A (en) | Malicious software detection method | |
| KR101619691B1 (en) | Method and system for analyzing program error | |
| CN107018039B (en) | Method and device for testing performance bottleneck of server cluster | |
| US7987362B2 (en) | Method and apparatus for using imperfections in computing devices for device authentication | |
| CN108768954B (en) | DGA malicious software identification method | |
| CN110611675A (en) | Vector magnitude detection rule generation method and device, electronic equipment and storage medium |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |