Researchers mimic board game to bolster computer security

By studying the memory game Concentration, they hope to lay the groundwork for highly accurate bot-detection programs

Internet cyber security

University researchers have built a program that mimics the way people play the memory game Concentration, opening the possibility of improving computer security by distinguishing human behavior from bots.

The study, conducted by North Carolina State University researchers, sets the groundwork for one day being able to integrate within software highly accurate bot-detection programs to prevent computer fraud. 

Bots are software applications that run automated tasks over the Internet. While having legitimate purposes, such as fetching information from websites for search queries, bots are also used by scalpers to buy large quantities of tickets from ticketing sites and to infiltrate online in-game economies to amass virtual currency.

The NCSU researchers set out to see whether they could simulate people's thought processes in playing Concentration, a solitaire game in which cards are arranged facedown on a grid and a person tries to find matching pairs.

To do that, a person turns over a card and then chooses another. If they chooseright, the pair is taken off the grid. If not, then the cards are turned facedown and the player tries again, hoping to remember the location of cards in order to find them again later to make a match.

"Concentration has been used in psychology literature as a model for memory for a few decades now," Robert St. Amant, co-author of the report, entitled "Modeling the Concentration Game wiith ACT-R," said on Monday. "But no one to our knowledge has built a cognitively plausible account of how people play the game."

The researchers gathered information on the thought processes involved by monitoring the gameplay of 179 people playing an online version of Concentration that involved 16 cards. The game was played under two conditions, accuracy and speed.

Under the latter, participants scored higher the faster they finished the game. Under the former, they got more points for choosing the right match. When striving for accuracy, the players were less random in their choices and had more time to think about the location of cards.

The data fed into the program developed by researchers, called ACT-R, included the probability of the average player forgetting a card's location or remembering one seen before. Overall, ACT-R finished the speed game within a second of the average player and the accuracy game within one mistake.

[Also see: Researchers find APT malware that monitors mouse clicks to evade detection]

"We thought [the results] were pretty good," St. Amant said. "For us, we were able to distinguish between [people playing] the speed condition and the accuracy condition pretty easily."

The research may eventually lead to determining whether a real person is participating in such activities as online voting because it shows that scientists can simulate human behavior in a program, albeit through a simple game.

Further research will be needed to develop programs that can detect humans based on the way the keyboard and mouse are being used. This would replace the use of logs and IP addresses in watching for bots.

While it would be possible for criminals to simulate keyboard and mouse use by a person, the expense of doing so would make such bots impractical, St. Amant said.

Beyond just discovering bots, St. Amant said he believes future research on keystroke and mice dynamics could help scientists identify malice. How a person is using the devices "can actually tell something about the probability that you're trying to be a little bit deceptive," he said.

The ability to analyze security-related intent based on how people use the devices that interact with their computers will likely be programmed into software within the next five years, Amant said.

"Systems already exist to track people's mouse movements and keyboard actions in some kinds of games," Amant said. "This is just a matter of building the monitoring tools and raising flags to a human security person."

Copyright © 2013 IDG Communications, Inc.

Make your voice heard. Share your experience in CSO's Security Priorities Study.