2nd/10_Wiki/Topics/AI_and_ML/SARD 안티치트 솔루션(SARD Anti-Cheat).md
Antigravity Agent f8b21af4be Wiki cleanup: error-doc removal, dedup merge, link normalization
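10_Wiki/Topics large-scale cleanup:
- Removed 227 error-capture/unfinished stub documents
- Merged 43 cross-folder duplicate clusters (63 files → redirect)
- Link name normalization: ~2,400 broken-link fixes, direct redirect links, and concept mappings
- Created 6 new category MOCs
- Removed 10,058 unresolved related-keyword links from Graph sections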

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-20 23:52:15 +09:00


---
id: wiki-2026-0508-sard-안티치트-솔루션-sard-anti-cheat
title: SARD 안티치트 솔루션 (SARD Anti-Cheat)
category: 10_Wiki/Topics
status: verified
canonical_id: self
aliases: [SARD, SARD Anti-Cheat, 사드 안티치트]
duplicate_of: none
source_trust_level: B
confidence_score: 0.85
verification_status: applied
tags: [anti-cheat, security, game-security, kernel-driver, behavioral-detection]
raw_sources: []
last_reinforced: 2026-05-10
github_commit: pending
tech_stack:
  language: C++/Rust/Python
  framework: kernel driver + ML behavioral
---
# SARD Anti-Cheat Solution (SARD Anti-Cheat)
## In one line
> **"Multi-layer game protection: kernel driver + behavioral ML + server-side validation."** SARD belongs to the Korean game security solution category and follows the same architecture as modern anti-cheat products (Vanguard, BattlEye, Easy Anti-Cheat, nProtect XIGNCODE): a layered defense combining a kernel ring-0 driver for process integrity, hypervisor-level memory protection, ML-based behavior anomaly detection, and server-side replay validation.
## Core
### Layered defense
1. **Client integrity** — code signing, anti-debug, packed binary, integrity check.
2. **Kernel driver (ring-0)** — process scan, handle stripping, hypervisor protection.
3. **Memory protection** — page guard, hash check on critical structs.
4. **Behavioral ML** — input pattern, mouse trajectory, reaction time anomaly.
5. **Server-side validation** — physics replay, stat sanity, statistical clustering.
6. **Telemetry upload** — process list, loaded modules, hardware fingerprint.
### Cheat categories
- **Aimbot** — auto-aim via memory or screen capture.
- **Wallhack / ESP** — render-pipeline injection, depth buffer read.
- **Memory editor** — Cheat Engine, custom DLL injection.
- **Macro / scripting** — input automation (Logitech G Hub, AutoHotKey).
- **Modded client** — replaced game DLL.
- **AI-assisted** (2024+) — external CV model on screen capture (the new frontier).
### Applications
1. Korean F2P MMO/MOBA (Lost Ark, BG, MapleStory).
2. Competitive FPS (Valorant's Vanguard is the reference).
3. Mobile game protection (post-Android 14 root detection).
## 💻 Patterns
### Kernel Driver Process Scan (conceptual C++)
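```cpp
// Illustrative only; real kernel work needs WDF/EDR experience.
// IsBlacklisted() and ReportToServer() are placeholders defined elsewhere.
// The PEB and loader list live in user memory: attach first, guard with SEH.
NTSTATUS ScanLoadedModules(PEPROCESS process) {
    NTSTATUS status = STATUS_SUCCESS;
    KAPC_STATE apc;
    KeStackAttachProcess(process, &apc);
    __try {
        PPEB peb = PsGetProcessPeb(process);
        if (!peb || !peb->Ldr) {
            status = STATUS_UNSUCCESSFUL;
            __leave;
        }
        PLIST_ENTRY head = &peb->Ldr->InMemoryOrderModuleList;
        for (PLIST_ENTRY e = head->Flink; e != head; e = e->Flink) {
            PLDR_DATA_TABLE_ENTRY mod = CONTAINING_RECORD(
                e, LDR_DATA_TABLE_ENTRY, InMemoryOrderLinks);
            if (IsBlacklisted(&mod->BaseDllName)) {
                ReportToServer(process, &mod->BaseDllName);
                status = STATUS_ACCESS_DENIED;
                __leave;
            }
        }
    } __except (EXCEPTION_EXECUTE_HANDLER) {
        // The target can unmap or corrupt these structures at any time.
        status = GetExceptionCode();
    }
    KeUnstackDetachProcess(&apc);
    return status;
}
```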
### Integrity Hash Check
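```cpp
#include <windows.h>
#include <cstring>

DWORD Crc32(const BYTE* data, size_t len);  // CRC-32 helper, defined elsewhere

// Returns the CRC-32 of the module's mapped .text section, or 0 if the
// PE headers are invalid or no .text section exists.
DWORD CrcCodeSection(HMODULE mod) {
    auto base = reinterpret_cast<BYTE*>(mod);
    auto dos = reinterpret_cast<PIMAGE_DOS_HEADER>(base);
    if (dos->e_magic != IMAGE_DOS_SIGNATURE) return 0;
    auto nt = reinterpret_cast<PIMAGE_NT_HEADERS>(base + dos->e_lfanew);
    if (nt->Signature != IMAGE_NT_SIGNATURE) return 0;
    auto sect = IMAGE_FIRST_SECTION(nt);
    for (UINT i = 0; i < nt->FileHeader.NumberOfSections; i++, sect++) {
        // Compare all 8 name bytes so ".textbss" does not match ".text".
        if (memcmp(sect->Name, ".text\0\0", IMAGE_SIZEOF_SHORT_NAME) == 0) {
            return Crc32(base + sect->VirtualAddress, sect->Misc.VirtualSize);
        }
    }
    return 0;
}
```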
### Behavioral Anomaly Detection (Python)
```python
import numpy as np
from sklearn.ensemble import IsolationForest


def extract_aim_features(snapshot_window: list[dict]) -> np.ndarray:
    """Mouse trajectory + headshot ratio + reaction time."""
    if not snapshot_window:
        raise ValueError("snapshot_window must not be empty")
    angles = np.array([s["delta_angle"] for s in snapshot_window])
    return np.array([
        np.mean(angles), np.std(angles),
        np.mean([s["reaction_ms"] for s in snapshot_window]),
        sum(1 for s in snapshot_window if s["headshot"]) / len(snapshot_window),
        np.percentile([s["snap_speed"] for s in snapshot_window], 95),
    ])


class CheatBehaviorDetector:
    def __init__(self):
        # contamination = expected share of outliers in the training data
        self.iforest = IsolationForest(contamination=0.01, random_state=42)

    def fit(self, normal_features: np.ndarray):
        """Fit on feature rows (one per window) from presumed-legitimate play."""
        self.iforest.fit(normal_features)

    def score(self, features: np.ndarray) -> float:
        """Anomaly score for one feature vector; higher means more anomalous."""
        return -self.iforest.score_samples(features.reshape(1, -1))[0]
```
### Server-Side Physics Replay
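```python
def validate_movement(prev_pos, curr_pos, dt_ms, max_speed):
    """Check one movement step against the server-side speed limit."""
    if dt_ms <= 0:
        # Zero or negative interval: reject instead of dividing by it.
        return False, "invalid_dt"
    dx = ((curr_pos["x"] - prev_pos["x"]) ** 2
          + (curr_pos["y"] - prev_pos["y"]) ** 2) ** 0.5
    speed = dx / (dt_ms / 1000)
    if speed > max_speed * 1.1:  # 10% tolerance
        return False, "speedhack"
    return True, None
```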
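`validate_movement` judges a single step; a server replay has to run it over a whole stream of snapshots, where packet bursts and rewound timestamps occur. The following is an added example, not code from the original page or from any vendor: the `Snapshot` type, `replay_movement`, the `min_dt_ms` and `strikes` parameters and the sample tracks are all assumptions made for illustration.

```python
from dataclasses import dataclass
from math import hypot

@dataclass(frozen=True)
class Snapshot:
    t_ms: int   # client tick time in milliseconds
    x: float
    y: float

def replay_movement(snaps, max_speed, tolerance=1.1, min_dt_ms=5, strikes=3):
    """Replay position snapshots; return (verdict, violations).

    verdict is "ok", "suspect" (isolated violations) or "flag"
    (`strikes` or more violations in a row). A flag is a signal for
    human review, not a ban decision.
    """
    violations, streak, worst = [], 0, 0
    prev = snaps[0] if snaps else None
    for i, cur in enumerate(snaps[1:], start=1):
        dt_ms = cur.t_ms - prev.t_ms
        if dt_ms <= 0:
            # Rewound or duplicated timestamp: record it, never divide by it.
            violations.append((i, "time_rewind"))
            streak += 1
        elif dt_ms < min_dt_ms:
            # Packet burst after lag: keep `prev` so distance accumulates and
            # the next sample is measured over a meaningful interval.
            continue
        else:
            speed = hypot(cur.x - prev.x, cur.y - prev.y) / (dt_ms / 1000)
            if speed > max_speed * tolerance:
                violations.append((i, "speedhack"))
                streak += 1
            else:
                streak = 0
            prev = cur
        worst = max(worst, streak)
    if worst >= strikes:
        return "flag", violations
    return ("suspect" if violations else "ok"), violations

def make_track(step, n, dt_ms=100):
    """Constructed sample input: n ticks moving `step` units along x."""
    return [Snapshot(i * dt_ms, i * step, 0.0) for i in range(n)]
```

Skipping tiny intervals without advancing `prev` avoids false positives from lag bursts while still charging the accumulated distance to the next measurable interval.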
### Hardware Fingerprint
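```python
import hashlib


def device_fingerprint(payload: dict) -> str:
    """Hash selected hardware identifiers into a 128-bit hex fingerprint."""
    keys = ["motherboard_serial", "cpu_id", "disk_serial", "mac_addr"]
    # str() keeps missing or non-string values from breaking the join.
    blob = "|".join(str(payload.get(k) or "") for k in keys)
    return hashlib.sha256(blob.encode()).hexdigest()[:32]
```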
### Anti-Debug (Windows)
```cpp
#include <windows.h>
#include <winternl.h>  // PEB
#include <intrin.h>    // __readgsqword

// x64 only: the PEB pointer is read from gs:[0x60].
bool IsDebuggerPresentChecks() {
    if (IsDebuggerPresent()) return true;
    BOOL remote = FALSE;
    CheckRemoteDebuggerPresent(GetCurrentProcess(), &remote);
    if (remote) return true;
    PEB* peb = (PEB*)__readgsqword(0x60);
    if (peb->BeingDebugged) return true;
    return false;
}
```
### AI-Assisted Cheat Detection (2024+ frontier)
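```python
# compute_path_smoothness() and compute_headshot_rate() are helpers defined
# elsewhere; both are assumed to return a value in [0, 1].
def detect_external_cv(input_log) -> float:
    """External CV aimbot: an overly smooth mouse path plus perfect prediction.

    The unrealistic combination (very smooth path + perfect headshot) is the signal.
    """
    smoothness = compute_path_smoothness(input_log)
    accuracy = compute_headshot_rate(input_log)
    return smoothness * accuracy  # far above what a human can achieve
```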
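The snippet above leaves `compute_path_smoothness` and `compute_headshot_rate` undefined. The following added example (not from the original page or any vendor) fills them in with one assumed metric each and refuses to score windows that are too small, since a headshot rate over a handful of engagements is a common source of false positives. The heading-change smoothness formula, the `min_engagements` default and the sample paths are assumptions.

```python
from math import atan2, pi

def path_smoothness(deltas):
    """Return 1.0 for a perfectly steady heading, lower for jittery paths.

    Assumed metric: 1 - (mean absolute heading change between successive
    mouse deltas) / pi.
    """
    headings = [atan2(dy, dx) for dx, dy in deltas if (dx, dy) != (0, 0)]
    if len(headings) < 2:
        return 0.0  # not enough motion to judge
    turns = []
    for a, b in zip(headings, headings[1:]):
        d = abs(b - a)
        turns.append(min(d, 2 * pi - d))  # wrap the difference into [0, pi]
    return 1.0 - (sum(turns) / len(turns)) / pi

def external_cv_score(engagements, min_engagements=20):
    """smoothness * headshot rate in [0, 1], or None with too little data."""
    n = len(engagements)
    if n < min_engagements:
        return None  # small windows make the headshot rate meaningless
    smooth = sum(path_smoothness(e["deltas"]) for e in engagements) / n
    headshots = sum(1 for e in engagements if e["headshot"]) / n
    return smooth * headshots

# Constructed sample input (not real telemetry): per-tick mouse deltas.
STEADY = [(3, 1)] * 8                                     # one heading, no jitter
JITTERY = [(3, 1), (2, -1), (4, 2), (1, -2), (3, 0), (2, 1)]

def sample_window(deltas, headshot_every, n=20):
    """Build n engagements sharing one path; every k-th one is a headshot."""
    return [{"deltas": deltas, "headshot": i % headshot_every == 0}
            for i in range(n)]
```

On the constructed windows, the steady path with a headshot on every engagement scores 1.0, while the jittery path with one headshot in four scores about 0.17.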
## Decision criteria
| Situation | Approach |
|---|---|
| New PC FPS | Kernel driver + behavioral ML (Vanguard model) |
| MMO economy abuse | Server-side stat anomaly + clustering |
| Mobile game | Root detection + integrity + server replay |
| Privacy-concerned market (EU) | User-mode + heavy server-side, no kernel |
| AI-aimbot threat | Mouse-trajectory ML + screen-capture detection |
**Default**: User-mode integrity + server-side replay + behavioral ML; kernel driver only for competitive ranked queues (privacy/stability tradeoff).
## 🤖 LLM usage
**When**: cheat forum scraping for new technique discovery, support ticket triage, false-positive review summary.
**When not**: automated ban decisions. False positives destroy player trust; human review is mandatory.
## ❌ Anti-patterns
- **Client trust**: never. Every byte on the client side is under the attacker's control. Always validate server-side.
- **Kernel driver only**: bypasses are known. A layered defense is needed.
- **No false-positive process**: banning legitimate players collapses community trust.
- **Static signature only**: cheats update daily; add a behavioral ML layer.
- **Privacy-blind kernel reach**: EU/GDPR risk; minimize and disclose telemetry.
## 🧪 Verification / duplicates
- Verified (Vanguard/BattlEye/EAC public docs; SARD specifics are vendor-confidential, hence B trust).
- Trust level B.
## 🕓 Changelog
| Date | Change |
|---|---|
| 2026-05-08 | Phase 1 |
| 2026-05-10 | Manual cleanup — anti-cheat layered architecture + behavioral ML |