CN107866072B - A system for plug-in detection using incremental decision tree - Google Patents

Abstract

The invention discloses a system for detecting plug-in by adopting an incremental decision tree, which comprises the following steps: the data preprocessing module is used for cleaning the original data of the actions of the player and extracting the feature vectors; the model generation and interaction module is used for generating and outputting a model by taking the characteristic vector of the data preprocessing module as the input of the model, and receiving feedback to adjust the model; the high-level view visualization module is used for generating a dynamic tree diagram, a recommendation and display panel and an accuracy/recall rate line diagram according to the output model of the model generation and interaction module; the invention utilizes the dynamic decision tree to show decision processes in different time periods, analyzes the characteristics of the plug-in and the reason of being judged as the plug-in, and finds out some characteristics obviously distinguished from normal players; and because of the model characteristics, some characteristics of plug-in evolution can be explored; in addition, the user can also add own knowledge to prune the decision tree and perform other analysis processes through combination of various views.

Description

A system for plug-in detection using incremental decision tree

technical field

The invention relates to the technical field of game plug-in detection, in particular to a system for plug-in detection using an incremental decision tree.

Background technique

Multiplayer online role-playing games create virtual social worlds in which players from all corners of the globe participate. Players can interact with each other and spend a lot of time, energy and money developing and leveling up their game characters. The survey found that in 2016 alone, global multiplayer online role-playing games brought in $19.8 billion in revenue. However, because of the popularity of the game, it has also become a hotbed for some cybercrimes. One of the most important behaviors is unofficially permitted, approved cash transactions, which are transactions for certain virtual items with real money. Some advanced game plug-ins now specialize in this type of related violations and gain profits, but they have seriously affected the game balance, hurting game operations, game company revenue and player experience, the game economic system, and even the sustainable development of the entire game.

To this end, game operators have taken a lot of measures. There are three common detection methods for plug-ins, which are divided into client-side, network-side and server-side detection methods. The client side uses the principle similar to the antivirus software embedded in the game client of the user console to detect plug-ins. However, some well-made plug-ins can no longer be detected by this kind of detection; the network side needs to analyze the network traffic, which will cause Problems such as excessive network load and network delay; the server-side detection method analyzes the log data of players on the server. This method is a more popular method now, and they often regard the plug-in detection problem as an anomaly detection problem. However, the existing methods have some shortcomings. For example, the plug-in design is becoming more and more complex, and it is very difficult for analysts to understand the input and output of simple algorithms. On the other hand, advanced plug-ins also have the update and upgrade function, which makes plug-in detection more difficult. At this time, the introduction of visual analysis technology is particularly important.

There are already some visual analytics systems for anomaly detection. For example, the #FluxFlow system by Jian Zhao et al. visualizes the retweeting behavior of Twitter users, combined with contextual information such as user attributes, to study the characteristics of abnormal information diffusion on Twitter. TargetVue by Nan Cao et al. helps analysts understand potential social bots (such as those spamming bot accounts) on social media platforms, including their communication activities, behavioral characteristics, through a model that assigns user suspicion levels over time and social interaction, etc. These systems optimize the process of anomaly detection by integrating human domain knowledge, but still treat the internal process of the algorithmic model as a black box, and analysts cannot understand the relevant information of the algorithmic model through their systems.

Although existing methods provide rich contextual information, researchers are still not deeply involved in the model building process. Therefore, the desired system can allow users to participate in model building to better help understand the model and find potential explanations for some phenomena.

SUMMARY OF THE INVENTION

The present invention provides a system for detecting plug-ins using an incremental decision tree, which can help analysts detect plug-ins, understand plug-in detection models, discover characteristics of plug-ins and normal players' behavior or actions over time, and allow analysts to interact with Model interaction for interactive visual analysis and exploration.

A system for plug-in detection using an incremental decision tree, including:

The data preprocessing module cleans and extracts feature vectors from the original data of player actions;

The model generation and interaction module uses the feature vector of the data preprocessing module as the input of the model to generate and output the model, and simultaneously receives feedback to adjust the model;

The high-level view visualization module mainly uses side-by-side icicle diagrams to represent the tree structure of the decision tree that changes with each other, and generates dynamic tree diagrams, recommendation and display panels, and precision/recall rates based on the output model of the model generation and interaction modules. line chart;

The dynamic tree diagram displays the tree structure of the decision tree in a compact way (using an icicle diagram), where each node in the icicle diagram represents a split node of a decision tree, and multiple icicle diagrams are placed side by side to form a split node. Reflect the change of the decision tree over time;

In the recommendation and display panel, the recommendation panel uses a sortable table to display the information of all nodes (the rectangle of the decision tree) of the selected (one or more) icicle diagram in the dynamic tree diagram, including accurate information. rate, recall rate, precision rate, frequency of occurrence, etc.; switch to the display panel, if a node is selected in the dynamic tree diagram, the situation that this node contains players is displayed in the form of a radar distribution map;

The accuracy/recall rate line graph and the dynamic tree graph are arranged up and down according to the time correspondence, indicating the accuracy/recall rate predicted by each decision tree over time.

The raw data of the player's actions are stored according to various actions, and each action is one file per day (for example, the log on January 1, 2017). There are hundreds of actions in the game. The frequency of each person's actions on different time slices during the time period of interest is counted. Note that the time period here can be either natural time (year, month, day, hour, minute, second), or game time (level 1, level 2...what actions are performed, and what is the corresponding frequency). In this way, each player has a corresponding feature vector for each time slice. In addition, because the number of actions is too large, the actions are classified into a category (task-related, attribute-related, combat-related, and item-related). This classification can either be specified by users (such as game analysis experts), or can be some complete inductive classification methods in some existing literature.

The decision tree shows a decision-making process. From the root node down, each non-leaf node is a judgment condition. According to the incoming instance, it will be judged whether one of its attributes satisfies the condition of the non-leaf node. After the instance has reached the leaf node, the leaf node will give a classification label to tell you which class the instance belongs to. The traditional decision tree training process is to recursively and recursively determine the attributes of the child nodes under the leaf node according to certain indicators (such as information gain, Gini index, etc.) as a split.

As shown in Figure 1, the decision tree refers to such a decision-making process if you want to consider whether you can go out and climb a mountain today. Each box here is a node, and there are several judgment conditions under it, and decisions are made according to different conditions. The nodes of the tree can be represented by rectangles, but each node has several options, such as high humidity or normal humidity, strong wind or light wind, and go down the tree until the leaf node has the judgment result, so there is no path to climb. Yes (weather: rain) → no climbing, (weather: sunny) → (humidity: high) → no climbing, (weather: cloudy → windy: strong wind) → no climbing.

The model that can be used in the present invention is a Hoeffding adaptive tree with Gaussian discretization using Gaussian discretization. This is an online algorithm that uses the characteristics of the Hoeffding world to enable online training of decision trees, that is, the data can be used for training as soon as it comes, and it is only used once in the decision tree; instead of the traditional decision tree that requires a The entire batch of data, each of which is used to determine the split condition multiple times.

当在判定一个节点要用那种属性做分裂时候，找到信息增益最大的和第二大的两个属性，计算他们信息增益的差，若大于这个∈，则能保证一个积极的树节点分裂效果。这样一个界能够帮助在只有部分或者少量数据时候，训练树出来，而不必要非得等到所有数据都来全了才做训练。这种决策树被称为Hoeffding决策树。Hoeffding defines that, for a random variable in the range R, after n independent observations, the true mean deviates from its estimated value with probability 1-δ not greater than

When determining which attribute to use for splitting a node, find the two attributes with the largest information gain and the second largest, and calculate the difference between their information gains. If it is greater than this ∈, a positive tree node splitting effect can be guaranteed . Such a bound can help the training tree come out when there is only some or a small amount of data, instead of having to wait until all the data is available before training. Such decision trees are called Hoeffding decision trees.

On the basis of this method, the present invention makes some improvements by utilizing the prior art. First, since the Hoeffding decision tree only supports discrete-valued attributes, a robust incremental Gaussian discretization method is adopted to support continuous-valued attributes. Secondly, there is also the characteristic of concept drift in the data. The so-called concept drift refers to such a situation: the data generation may not be stable, and the generation process may change. Corresponding to the game data, there may also be some changes in the behavior of the plug-in, because the plug-in company will change some characteristics after realizing that the plug-in has been banned, so as to prevent the plug-in from being blocked. In this regard, ADapative WINdowing (ADWIN) technology is adopted, which adds a window and corresponding estimator, change detector, etc. to the original Hoeffding decision tree to discover the above-mentioned concept drift phenomenon.

In this way, the whole method is called Hoeffding adaptive decision tree using Gaussian discretization. Using this method for the right data, with the continuous inflow of data, the decision tree will continue to grow. When some obvious changes are detected, some subtrees of the decision tree will be replaced and become another subtree. So a tree that changes with time is obtained, and in each time slice, a person will have a judgment result of being a cheater or a normal person (0 normal player, 1 cheater).

Specifically, the model building process is as follows:

Step 1: Initialize the state of the decision tree:

Create a root node and initialize a statistic at the root node, named A _ijk , which is part of the ADWIN method (in step 2). For each instance (instance (x, y), x is also the feature vector of a certain person's action in a period of time, and the judgment value y of whether it is a plug-in, 0 is a normal person, 1 is a plug-in), use the The generated tree is tested first, and then enters the Hoeffding adaptive tree growth step in step 2 below.

Step 2: Growth of the decision tree

First, return the above (x, y) to a certain leaf node along the existing decision tree through a decision path, and update all the nodes passed by this path and the estimator A _ijk of the leaf node. If the current leaf node l has a replaceable tree T _alt , this replaceable tree also executes the corresponding Hoeffding adaptive tree growth step (that is, the Hoeffding adaptive tree of the current step). Calculate the information gain G of each action (of course, it can also be an indicator commonly used in other decision trees). The function of this step is to evaluate whether the current conditions of the leaf nodes are suitable for splitting.

若集合N＝{1,2,3,…,n}那么∑_i∈Ni就等于1+2+3+…+n。The calculation method of information gain is as follows: First, there is a common concept called information entropy. For a distribution, for example, there are three categories A, B, and C in a data set, and the proportion of each category is p(A) =0.2, p(B)=0.3, p(C)=1-0.2-0.3=0.5, then the information entropy H=-∑ _i p _i log( _pi ). Here, it is 0.2log(0.2)+0.3log(0.3)+0.5log(0.5)=0.301. Generally speaking, the smaller the entropy, the more ordered: for example, when the dataset has only one category, the entropy is 0, which is the minimum value of entropy, indicating that the dataset is completely ordered. On this basis, there is also a conditional information entropy, H(Y|X)=∑ _x∈X p(x)H(Y|X=x). Y here is to judge whether it is a plug-in. This conditional entropy is a description of the division, and X is a certain action, such as the number of times of entering the copy in the game. For the difference of entropy before and after a certain action is divided, H(X)-H(Y|X) is the information gain. The above i is a traversal method, i represents the three categories of A, B, and C. The common ones are

If the set N={1,2,3,...,n} then ∑ _i∈N i is equal to 1+2+3+...+n.

那么对最大信息增益那个动作进行分裂，并且对每个分裂分支都初始化一个估计器。分裂采用二分的方法，即将连续值区间划分为大于分裂点和小于等于分裂点两部分。这里用到了一个Hoeffding界的概念，其含义是一个随机变量，范围为R，在n次独立观测后真实均值偏离其估计值以概率1-δ不会大于

如果变化检测器(change detector，也采用ADWIN作为变化检测器)发现了数据产生的分布有了变化，若叶子节点l没有可替换树，则在叶子节点创建一个可替换树T_alt；如果已经存在可替换树更精确，那么就把当前节点l替换为可替换树T_alt。When calculating the information gain, a discretization step must be used. If the value of this action is a continuous value instead of a discrete value, it is easy to split. A robust incremental Gaussian discretization method is used here. After using this method, the continuous values are discretized and the following splits are performed. If the information gain of the attribute with the largest information gain is greater than the information gain of the attribute with the second largest information gain subtracted

Then split the action with the largest information gain and initialize an estimator for each split branch. The splitting method adopts the bisection method, that is, the continuous value interval is divided into two parts greater than the splitting point and less than or equal to the splitting point. The concept of a Hoeffding bound is used here. Its meaning is a random variable with a range of R. After n independent observations, the true mean deviates from its estimated value with a probability of 1-δ that will not be greater than

If the change detector (also using ADWIN as the change detector) finds that the distribution of the data has changed, if the leaf node l does not have a replaceable tree, create a replaceable tree T _alt at the leaf node; if it already exists The replaceable tree is more precise, then replace the current node l with the replaceable tree T _alt .

Step 3: ADWIN Method

Initialize sliding window W, variance, total.

a. When a new instance arrives, add it to the window W;

不满足，则扔掉窗口里的最后一个元素，直到此式子满足为止，其中，

(n₀和n₁的调和平均数)，

和

是窗口W0和W1里的数据平均值，n₀和n₁是窗口的长度。b. For any partition of window W, W=W0+W1, if

If it is not satisfied, throw away the last element in the window until this formula is satisfied, where,

(the harmonic mean of n ₀ and n ₁ ),

and

is the average of the data in windows W0 and W1, and n ₀ and n ₁ are the lengths of the windows.

c. If there are discarded instances in step b, then as a change detector, tell the external program that the data distribution has changed.

According to the above model, and in each time slice, a person will have a judgment result that is judged to be a plug-in or a normal person. The degree of suspicion uses the average value of all judgment results in the current time slice. For example, a person's judgment result in time slices 1 to 7 is 0, 0, 0, 0, 1, 1, 0, then his suspicion degree in the seventh time slice is set as 2/7.

In the table in the recommendation tab of the recommendation and display panel, each column represents a kind of information, such as precision rate, recall rate, precision rate and frequency of occurrence; each row represents a certain node in the selected icicle diagram. The length of the gray band in the table is proportional to the relative size of its value in this column. Click the table header, that is, precision, recall, precision, and frequency of occurrence, to sort the columns from high to low or from low to high.

Algorithm for radar map:

Projection is some high-dimensional points (that is, multi-dimensional vectors. The reason why we say high-dimensional is because generally more than three-dimensional things cannot be drawn directly. People can't imagine four-dimensional and more than four-dimensional things, so they must be converted into low-dimensional ones. , draw it for people to see), I want to turn it into two-dimensional and draw it on the plane, and each point represents a multi-dimensional feature vector of a player in a certain time period.

他们投影下来变成二维的点的距离则就是平时熟知的那种距离表达方式。Constraint 1: Make sure that the distance in the high-dimensional space and the distance in the low-dimensional space are as close as possible. The distance here is generally the Euclidean distance, which is calculated like this. Suppose, for example, that there are two 4-dimensional points, x ₁ (x ₁₁ ,x ₁₂ ,x ₁₃ ,x ₁₄ ),x ₂ (x ₂₁ ,x ₂₂ ,x ₂₃ ,x ₂₄ ), their distance is

The distance of their projected two-dimensional points is the well-known way of expressing distance.

Constraint 2: In addition, consider that it is a radar projection, is circular, and the distance from the point to the center of the circle is the size of the suspect index. So this projection has such a radius constraint.

Consider polar coordinates to represent points on the projected 2D plane:

p _i =(r _i ·s( _{ki ),θ i )}

soft是一个参数，指导扰动的大小，这里用的0.2，也可以根据需要进行选择。The polar coordinates are (ri _i , θ _i ), the former is the radius and the latter is the central angle. Converting to xy coordinates (Cartesian coordinates) is ( _{ri cosθ i , ri sinθ i ) , but} there is something more here, the reason why s(ki _i ) exists here is because "to ensure the distance in high-dimensional space It is as close as possible to the distance in the low-dimensional space”, here is as close as possible, in fact, it is a bit difficult to achieve because there is also a radius constraint, so this is a disturbance term of polar coordinates. here

soft is a parameter that guides the size of the disturbance. The 0.2 used here can also be selected as needed.

It imitates the projection calculation method of multidimensional scaling (MDS), so that the difference between the distance between the projected points and the original high-dimensional space distance is minimized, that is, the function is minimized: ∑ _ij (dist _ij - |p _i -p _j ||) ²

Here ||p _i -p _j || is also a distance, and the Euclidean distance is used here. The reason for this is to distinguish the dist _ij above. Substitute polar coordinates in, and finally the function to be minimized above becomes like this.

Then the gradient descent method can be used to obtain the values of k _i and θ _i , and then it can be drawn on a two-dimensional circle. The coordinates (ie xy coordinates) in the Cartesian coordinate system are (r _i s( _ki ) cosθ _i ,r _i s(k _i )sinθ _i ).

The distance from the point on the radar map to the center of the circle generally represents the risk, but as mentioned above, since Constraint 1 and Constraint 2 must be satisfied at the same time, some points will deviate from the actual and accurate position of the suspect index. So sometimes it is possible to see some points (a cluster of points) that are relatively close to the center of the circle but not completely on the center of the circle, and these points can be used as objects of observation.

Preferably, there are many points in the radar distribution diagram, each point represents the state of a player at the current time, and the various action frequencies of each player are used as multi-dimensional vectors, with a mark (0 or 1) indicating whether it is a plug-in or not. , 0 means normal player, 1 means plug-in);

Project these multi-dimensional vectors on a two-dimensional circle to show the relationship between players and the level of danger of players;

On the circular surface, the Euclidean distance between players keeps the distance of the original multi-dimensional vector as much as possible; and the distance from the player to the center of the circle is represented by 1 minus the suspect degree (the suspect degree is a value between 0 and 1, which is the current value between 0 and 1). The time period model outputs the mean of the player's tag values);

Preferably, the dots are circular dots with transparency. The dots are semi-transparent so that the more the dots are clustered, the darker the color will be. Such a design is actually a reference to the design of military radars, because the closer the radar is to the center of the circle, the more dangerous it is.

Preferably, the high-level view visualization module further includes a thumbnail of the tree, as the thumbnail of the dynamic tree diagram, arranged between the dynamic tree diagram and the accuracy/recall line graph. (Useful when there are many decision trees); the thumbnail of the tree can be viewed as a timeline, and the user can select different thumbnails on it, so that the upper tree will also be limited to the range of these framed trees.

Preferably, it also includes a detail view visualization module, including a personal panel and a grouping panel; multiple columns of interrelated interactive views;

The personal panel is used to display the changes of individual player behaviors, actions and suspicions over time;

The grouping panel is used to display the distribution of attribute values of the selected two groups of players (for example, one group is a plug-in player, the other group is a normal player; or the two groups selected in the radar distribution chart) change over time.

In order to better display the data and facilitate the user to find the plug-in players, preferably, each time period of each person in the personal panel is represented by a rectangular box and its inner bar graph, and the information of each person's change over time is represented by a whole Lines to represent, one bar of each bar represents the accumulation of the number of various actions under a behavior, and each bar has 4 to represent the player behavior is divided into 4 types here.

In order to better display the data and facilitate the user to find the plug-in players, preferably, double-click the bar graph of a certain color on the personal panel to display the detailed line graph of each action classified under this action. , showing how each action changes over time.

In order to better display the data and facilitate the user to find the plug-in players, preferably, in the grouping panel, each row represents an action, the situation of the two groups of players changing over time, and each group of players is a horizontal bar shape, showing the interval of maximum and minimum values.

The operation content of the system of the present invention is as follows:

User interaction

Focus and context: Swipe on the tree thumbnail (timeline), and the dynamic tree display range above will also change accordingly. Select a few trees with the mouse in the dynamic tree diagram, these trees will be expanded horizontally, and those that are not selected will be reduced horizontally, which is convenient for observing the details. And the recommendation panel will then display various information about the nodes in the selected tree. After double-clicking in the radar distribution map, the local radial magnification mode is turned on; the points around the mouse will be enlarged in the radial direction, and other points will be compressed correspondingly.

When the mouse hovers over a node in a tree, the corresponding nodes will be connected with a line

Click the grey dot in the personal panel to shrink (squeeze into a grey band). When the bar graph is expanded, double-clicking the bar graph of a certain color can show the situation of all actions under this behavior in more detail, which is represented by the corresponding color line graph. All actions are identified with the id of the beginning action.

Search: In the search box in the upper right corner, you can enter one or more player IDs (separated by commas), and then they will be displayed in the personal panel in the lower left corner.

Filtering: In the personal panel, clicking a color bar will darken the bars of other colors, and the current color will remain unchanged, which is convenient for analysts to simply compare the change of this behavior over time and the relationship between people .

Drag and drop: In the personal panel, for the convenience of comparison, you can hold down the small gray dots and drag to swap positions to compare two or more players that analysts are interested in.

View linkage: When the mouse hovers over a node, the node corresponding to the display panel on the right will also be displayed.

Zoom in: When you left-click a node in the dynamic tree diagram, the corresponding individual and group panels will be displayed; at the same time, the radar distribution map will appear in the display panel.

Interact with the model: The system supports the function of interacting with the model - pruning. Decision tree pruning is a common interaction that controls the progress of tree growth by stopping certain nodes from splitting.

The analysis content of the system of the present invention is as follows:

1. Show the dynamic evolution process of the decision tree, show the decision-making process of the decision tree, and how a person will be judged as a plug-in or a non-plug.

2. Analyze the evolution of player behaviors and actions of different granularities.

3. Provide timely feedback, prompts, and appropriate contextual information for analyst interactions. Based on this information, it can help users find the reasons for some patterns.

4. Analysts can interact with the model itself. The analyst's expertise should be added to the decision analysis process to tune the model. It also helps to analyze other patterns.

The operation process of the system of the present invention:

First enter the model training.

After training, a series of trees will be generated, arranged from left to right in the dynamic tree diagram.

Hover the mouse over a tree node, you can see the existence of the same node in different trees; box-select an area, you can see that the selected tree is enlarged, while the surrounding trees are reduced. There is a row of small tree thumbnails below the tree, which can be used as a timeline, and there is a retractable time selection box to help select the tree to be displayed in the dynamic tree map.

)和出现频次等等。For the tree with the box selected and enlarged, the recommendation panel on the right will display various indicators of the nodes in the tree, such as precision rate, recall rate, F1 (the calculation method is

) and frequency of occurrence, etc.

Click a node in a tree, and a radar distribution graph will appear in the edged display panel, showing the player-player relationship information and player risk information that appear in the node. At the same time, the personal and group panels are updated. Its display content has been described above. When using, since the time axis is aligned, it is very convenient to compare. At the same time, the details of each level will be displayed. At the same time, select the area in the radar distribution map, and the personal panel will correspond to the player information in the display area.

The grouping panel generally displays the aggregated information of the frequency distribution of plug-ins and ordinary players in the personal panel under each action. However, if you click the compare button in the personal panel, you can select another piece in the radar chart, and then the detailed view of another batch of people will also appear in the personal panel, and compare the rectangular selection part in Figure 8.

Beneficial effects of the present invention:

The system of the present invention adopts the incremental decision tree to detect the cheating, uses the dynamic decision tree to show the decision-making process in different time periods, analyzes the characteristics of the cheating and the reason for being judged as cheating, and finds that it is obviously different from some characteristics of normal players; Model features can explore some features of plug-in evolution; in addition, users can add their own knowledge to prune the decision tree, and perform other analysis processes through the combination of various views.

Description of drawings

FIG. 1 is an imaging schematic diagram of a dynamic tree diagram, a thumbnail of the tree, and a line graph of precision/recall in the high-level view visualization module of the system of the present invention.

FIG. 2 is an imaging schematic diagram of the personal panel of the system of the present invention.

FIG. 3 is a schematic diagram showing the result of the line graph of the action displayed by double-clicking the bar graph in FIG. 2 .

FIG. 4 is an imaging schematic diagram of a grouping panel of the system of the present invention.

FIG. 5 is an imaging schematic diagram of a recommended panel of the system of the present invention.

FIG. 6 is an imaging schematic diagram of the display panel of the system of the present invention.

FIG. 7 is an enlarged schematic diagram of the three trees in the black box selected in FIG. 1 .

FIG. 8 is an imaging schematic diagram of a radar distribution diagram under a certain data situation of the display panel of the system of the present invention.

Detailed ways

The present invention will be described in detail below with reference to the accompanying drawings, and the objects and effects of the present invention will become more apparent.

As shown in FIGS. 1 to 7 , the structure and structure of the system for detecting plug-ins by using an incremental decision tree in this embodiment include the following steps and contents:

Step 1: Visual Design:

Data preprocessing module, cleans original log data and extracts feature vectors;

The model generation and interaction module uses the above feature vector as the input of the model to generate and output the model; at the same time, it can receive feedback from the visualization module to adjust the model;

The high-level view visualization module mainly uses side-by-side icicle diagrams to represent the tree structure of the decision tree that changes with each other, including:

The dynamic tree diagram, the upper part of Figure 1, the main part, displays the tree structure of the decision tree in a compact way (icicle diagram), in which each node represents a split node of a decision tree; multiple icicle diagrams They are placed side by side to reflect the change of the decision tree over time, as shown in Figure 7.

The recommendation and display panel, as shown in Figure 5, uses a sortable table to display the information of all nodes of the selected (one or more) tree in the dynamic tree diagram, including precision, recall, and precision. and occurrence frequency, etc.; as shown in Figure 6, switch to the display panel, if you select a node in the dynamic tree diagram, you can display the relationship and risk of the players included in the node here; A rectangle (that is, a node) is equivalent to an action, for example, 5300040 is to accept a task. The numbers after the colon are equivalent to the options mentioned above. If 5300040 times is greater than 6.4, it is classified into one category, and less than 6.4 is classified into another category.

The thumbnail of the tree, the middle part of Figure 1, can be viewed as a timeline, and the user can select different thumbnails on it, so that the upper tree will also be limited to the range of these framed trees;

Line chart of precision/recall rate, the lower part of Figure 1, with the change of time, the precision rate/recall rate predicted by each decision tree will also change with time, and these values are displayed in a line chart;

Detail view visualization module, multi-column interconnected interactive views, including:

The personal panel, shown in Figure 2, is used to display individual player behavior, actions, and suspicion over time.

Double-click the bar graph of a certain color on the personal panel, then the detailed line graph of each action is classified under this behavior, showing the change of each action over time, as shown in Figure 3.

The grouping panel, as shown in Figure 4, is used to display the distribution of attribute values of two groups of players (for example, one group is a plug-in player, one group is a normal player; or the two groups selected in the radar distribution chart) change over time. Case.

The original data is stored according to various actions, one file for each action every day (such as the log on January 1, 2017), and there are hundreds of actions in the game. The frequency of each person's actions on different time slices during the time period of interest is counted. Note that the time period here can be either natural time (year, month, day, hour, minute, second), or game time (level 1, level 2...what actions were performed, and what is the corresponding frequency). In this way, each player has a corresponding feature vector for each time slice. In addition, because the number of actions is too large, the actions are classified into a category (task-related, attribute-related, combat-related, and item-related). This classification can be specified by the user, or it can be some complete inductive classification methods in some existing literature.

The decision tree shows a decision-making process. From the root node down, each non-leaf node is a judgment condition. According to the incoming instance, it will be judged whether one of its attributes satisfies the condition of the non-leaf node. After the instance has reached the leaf node, the leaf node will give a classification label to tell you which class the instance belongs to. The traditional decision tree training process is to recursively and recursively determine the attributes of the child nodes under the leaf node according to certain indicators (such as information gain, Gini index, etc.) as a split.

The model used here is a Hoeffding adaptive tree with Gaussian discretization. This is an online algorithm that uses the characteristics of the Hoeffding world to enable online training of decision trees, that is, the data can be used for training as soon as it comes, and it is only used once in the decision tree; instead of the traditional decision tree that requires a The entire batch of data, each of which is used to determine the split condition multiple times.

当在判定一个节点要用那种属性做分裂时候，找到信息增益最大的和第二大的两个属性，计算他们信息增益的差，若大于这个∈，则能保证一个积极的树节点分裂效果。这样一个界能够帮助在只有部分或者少量数据时候，训练树出来，而不必要非得等到所有数据都来全了才做训练。这种决策树被称为Hoeffding决策树。Hoeffding defines that, for a random variable in the range R, after n independent observations, the true mean deviates from its estimated value with probability 1-δ not greater than

When determining which attribute to use for splitting a node, find the two attributes with the largest information gain and the second largest, and calculate the difference between their information gains. If it is greater than this ∈, a positive tree node splitting effect can be guaranteed . Such a bound can help the training tree come out when there is only some or a small amount of data, instead of having to wait until all the data is available before training. Such decision trees are called Hoeffding decision trees.

On the basis of this method, some improvements are made by using the existing technology. First, since the Hoeffding decision tree only supports discrete-valued attributes, a robust incremental Gaussian discretization method is adopted to support continuous-valued attributes. Secondly, there is also the characteristic of concept drift in the data. The so-called concept drift refers to such a situation: the data generation may not be stable, and the generation process may change. Corresponding to the game data, there may also be some changes in the behavior of the plug-in, because the plug-in company will change some characteristics after realizing that the plug-in has been banned, so as to prevent the plug-in from being blocked. In this regard, ADapative WINdowing (ADWIN) technology is adopted, which adds a window and corresponding estimator, change detector, etc. to the original Hoeffding decision tree to discover the above-mentioned concept drift phenomenon.

In this way, the whole method is called Hoeffding adaptive decision tree using Gaussian discretization. Using this method for data, with the continuous inflow of data, the decision tree will continue to grow. When some obvious changes are detected, some subtrees of the decision tree will be replaced and become another subtree. So a tree that changes with time is obtained, and in each time slice, a person will have a judgment result of being a cheater or a normal person (0 normal player, 1 cheater).

According to the above model, and in each time slice, a person will have a judgment result that is judged to be a plug-in or a normal person. The degree of suspicion uses the average value of all judgment results in the current time slice. For example, a person's judgment result in time slices 1 to 7 is 0, 0, 0, 0, 1, 1, 0, then his suspicion degree in the seventh time slice is set as 2/7.

In the table in the recommendation tab of the recommendation and display panel, each column represents a kind of information, such as precision, recall, precision and frequency of occurrence; each row represents a node in the selected icicle diagram. The length of the gray band in the table is proportional to the relative size of its value in this column. Click the table header, that is, precision, recall, precision, and frequency of occurrence, to sort the columns from high to low or from low to high.

The radar map in the display tab of the recommendation and display panel, there are many points in the radar distribution map, each point represents the state of a player at the current time. Each player's various action frequencies are used as a multi-dimensional vector with a marker (0 or 1, 0 means normal player, 1 means cheating). These multidimensional vectors are then projected on a two-dimensional circular surface to show the relationship between players and how dangerous the players are. On this circle, the Euclidean distance between players keeps the distance of the original multi-dimensional vector as far as possible; and the distance from the player to the center of the circle is represented by 1 minus the suspect degree (the suspect degree is a value between 0 and 1, which is the current time The segment model outputs the mean of player tag values).

Such a design is actually a reference to the design of military radars, because the closer the radar is to the center of the circle, the more dangerous it is. This design is borrowed from the design of military radars.

The personal panel in the detail view visualization module, each time period is represented by a rectangular box and its inner bar chart, and the information of each person over time is represented by a whole row. One bar of each bar represents the cumulative value of various actions under one action, and 4 bars of each bar represent that the player actions are divided into 4 types here.

Double-click the bar graph of a certain color on the personal panel, and then the detailed line graph of each action is classified into the actions under this behavior, showing the change of each action over time.

In the grouping panel, each row represents an action and the changes of two groups of players over time. Each group of players is a horizontal bar, and the left and right ends of the bar show the value of a certain action of the group of players. the minimum and maximum values. Displays an interval of maximum and minimum values.

Step 2: User Interaction

Focus and context: Swipe on the tree thumbnail (timeline), and the dynamic tree display range above will also change accordingly. Select a few trees with the mouse in the dynamic tree diagram, these trees will be expanded horizontally, and those that are not selected will be reduced horizontally, which is convenient for observing the details. And the recommendation panel will then display various information about the nodes in the selected tree. After double-clicking in the radar distribution map, the local radial magnification mode is turned on; the points around the mouse will be enlarged in the radial direction, and other points will be compressed correspondingly.

When the mouse hovers over a node in a tree, the corresponding nodes will be connected with a line

Click the grey dot in the personal panel to shrink (squeeze into a grey band). When the bar graph is expanded, double-clicking the bar graph of a certain color can show the situation of all actions under this behavior in more detail, which is represented by the corresponding color line graph. All actions are identified with the id of the beginning action.

Search: In the search box in the upper right corner, you can enter one or more player IDs (separated by commas), and then they will be displayed in the personal panel in the lower left corner.

Filtering: In the personal panel, clicking a color bar will darken the bars of other colors, and the current color will remain unchanged, which is convenient for analysts to simply compare the change of this behavior over time and the relationship between people .

Drag and drop: In the personal panel, for the convenience of comparison, you can hold down the small gray dots and drag to swap positions to compare two or more players that analysts are interested in.

View linkage: When the mouse hovers over a node, the node corresponding to the display panel on the right will also be displayed.

Zoom in: When you left-click a node in the dynamic tree diagram, the corresponding individual and group panels will be displayed; at the same time, the radar distribution diagram will appear in the display panel.

Interact with the model: The system supports the function of interacting with the model - pruning. Decision tree pruning is a common interaction that controls the progress of tree growth by stopping certain nodes from splitting.

Step 3: Analyze the task

1. Show the dynamic evolution process of the decision tree, show the decision-making process of the decision tree, and how a person will be judged as a plug-in or a non-plug.

2. Analyze the evolution of player behaviors and actions of different granularities.

3. Provide timely feedback, prompts, and appropriate contextual information for analyst interactions. Based on this information, it can help users find the reasons for some patterns.

4. Analysts can interact with the model itself. The analyst's expertise should be added to the decision analysis process to tune the model. It also helps to analyze other patterns.

Actual operation process

First enter the model training.

After training, a series of trees will be generated, arranged from left to right in the dynamic tree diagram.

Hover the mouse over a tree node, you can see the existence of the same node in different trees; box-select an area, you can see that the selected tree is enlarged, while the surrounding trees are reduced. There is a row of small tree thumbnails below the tree, which can be used as a timeline, and there is a retractable time selection box to help select the tree to be displayed in the dynamic tree map.

)和出现频次等等。For the tree with the box selected and enlarged, the recommendation panel on the right will display various indicators of the nodes in the tree, such as precision rate, recall rate, F1 (the calculation method is

) and frequency of occurrence, etc.

If you click on a node in a tree, a radar distribution graph will appear in the edged display panel, showing the player-player relationship information and player risk information that appear in the node. At the same time, the personal and group panels are updated. Its display content has been described above. When using, since the time axis is aligned, it is very convenient to compare. At the same time, every level of detail will be displayed. At the same time, select the area in the radar distribution map, and the personal panel will correspond to the player information in the display area.

The grouping panel generally displays the aggregated information of the frequency distribution of plug-ins and ordinary players in the personal panel under each action. However, if you click the compare button in the personal panel, you can select another piece in the radar chart, and then the detailed view of another batch of people will also appear in the personal panel, and compare the rectangular selection part in Figure 8.

The first method to detect plug-ins:

First, select the actions in the control panel, and these actions are divided into 4 categories. After running the model, you can see a series of trees whose structure evolves over time. The tree will grow slowly, and if the effect is not good at a certain stage, some subtrees will be replaced. Some information can be obtained from the above, such as possible strategies of the plug-in to change its behavior mode.

By hovering the mouse over the tree nodes and looking at those red lines, you can find that some nodes appear from beginning to end, and some disappear after only appearing for a period of time. The high-level nodes generally last for a long time, indicating that these are relatively good attributes that can be used for discrimination, such as accepting tasks, etc. The tasks are often to gain wealth, and gaining wealth helps the plug-in to make profits, so the plug-in tends to accept a large number of tasks. So this aspect may have a more obvious discriminative effect.

Pick a node, the one that disappears for a period of time, and think about what caused it. Clicking on the node will display the radar distribution map on the right panel, as shown in Figure 8, and you can see that there are two clusters of points on it (the so-called cluster is the points gathered in a group). You can double-click to open the local zoom interaction, and then study the two clusters of points.

Open the personal panel comparison function to see if the two batches of plug-ins start at a certain point in time, there will be different behaviors and changes in action patterns over time. On this node, it was originally used to distinguish between plug-ins and normal people (by default, there are only normal people and plug-ins). Due to the emergence of new plug-ins, this ability to distinguish is reduced. Similar conclusions can be obtained in the group panel, such as plug-in and normal coverage.

Make such a conjecture: because there are two clusters of cheaters, or cheaters with different behavior patterns, the action patterns of newly entered cheaters may not be the same. As more and more cheaters enter the game, they can be used to distinguish The action may gradually become invalid (not enough information gain), so this situation is caused.

The second way to detect plug-ins:

For the plug-ins that are concentrated in the middle of the radar, it looks very dark. Since these points are all transparent, they must be stacked together to get a deep color. It means that there are many players gathered here.

Whether it is from the projection results or from the actual selection data (box selection on the radar chart) (the column chart of the personal panel), it is highly consistent, and the plug-in is still relatively similar as a batch product. Even looking at the line graph of the personal panel can get a similar conclusion; for normal players, the distribution is relatively scattered.

The reason here is that plug-ins are generally batch products, so it is reasonable to be similar in all aspects. Because in order to maximize the benefits, the plug-in design will be mass-produced. Relatively speaking, normal players are relatively scattered.

Claims (6)

1. a system that adopts incremental decision tree to carry out plug-in detection, is characterized in that, comprises: The data preprocessing module cleans and extracts feature vectors from the original data of player actions; The model generation and interaction module uses the feature vector of the data preprocessing module as the input of the model to generate and output the model, and simultaneously receives feedback to adjust the model; The high-level view visualization module generates a dynamic tree diagram, a recommendation and display panel, and a line chart of accuracy/recall rate according to the output model of the model generation and interaction module; the high-level view visualization module includes a thumbnail of the tree as the dynamic tree diagram The thumbnails are arranged between the dynamic tree diagram and the precision/recall line graph; The dynamic tree diagram displays the tree structure of the decision tree as an icicle diagram, where each node in the icicle diagram represents a split node of a decision tree, and multiple icicle diagrams are placed side by side to reflect the change of the decision tree over time; In the recommendation and display panel, the information of all nodes of the selected icicle diagram in the dynamic tree diagram is displayed in the recommendation panel in a sortable table; in the display panel, if a node is selected in the dynamic tree diagram, the information of all nodes in the dynamic tree diagram is displayed by radar. In the form of a distribution graph, it shows the situation that this node contains players; The accuracy/recall rate line graph and the dynamic tree graph are arranged up and down according to the time correspondence, indicating the accuracy/recall rate predicted by each decision tree over time; There are many points in the radar distribution map, each point represents the state of a player at the current time, and the various action frequencies of each player are used as multi-dimensional vectors, with a mark of whether it is a plug-in; Project these multi-dimensional vectors on a two-dimensional circle to show the relationship between players and the level of danger of players; On the circular surface, the Euclidean distance between players maintains the distance of the original multi-dimensional vector, and the distance from the player to the center of the circle is represented by 1 minus the suspect degree. 2 . The system for plug-in detection using an incremental decision tree according to claim 1 , wherein the points are dots with transparency. 3 . 3. the system that adopts incremental decision tree to carry out plug-in detection as claimed in claim 1, is characterized in that, also comprises detail view visualization module, comprises individual panel and grouping panel; The personal panel is used to display the changes of individual player behaviors, actions and suspicions over time; The grouping panel is used to display the distribution of the values of the attributes of the selected two groups of players over time. 4. The system for plug-in detection using incremental decision tree as claimed in claim 3, wherein each time period of each person in the personal panel is represented by a rectangular box and its inner bar graph, and each person is represented by a rectangular frame and an internal bar graph thereof. The time-varying information is represented by a whole line, and one bar of each bar represents the accumulation of the quantitative values of various actions under a behavior. 5. the system that adopts incremental decision tree to carry out plug-in detection as claimed in claim 4, is characterized in that, double-clicks the bar graph of a certain color on the described personal panel, then shows the detailed each classification under this behavior. A line graph of each action, showing how each action changes over time. 6. the system that adopts incremental decision tree to carry out plug-in detection as claimed in claim 3, is characterized in that, in described grouping panel, each row represents a kind of action, the situation that two groups of players change over time, and each group The player is a horizontal bar showing the range of maximum and minimum values.

Images