Archives: Glossary Terms

How Ad server Works

User Request → Website → Publisher Ad Server → Ad Selection & Logging
     │                                                    │
     │                                                    ↓
     └─────────────────────── Ad Served <───────────────┘
                                  │
                                  ↓
                        +----------------------+
                        │ Click/Impression Data│
                        │ (IP, UA, Timestamp)  │
                        +----------------------+
                                  │
                                  ↓
                        ┌──────────────────────┐
                        │ Fraud Detection System │
                        │ (Pattern Analysis)   │
                        └──────────────────────┘
                                  │
                                  ↓
                        ┌──────────────────────┐
                        │   Blocklist/Alert    │
                        └──────────────────────┘

🧠 Core Detection Logic

Example 1: Repetitive Click Analysis

This logic identifies and flags IP addresses that generate an abnormally high number of clicks in a short period. It helps prevent budget waste from automated bots or click farms programmed to repeatedly click ads. This is a foundational rule in most traffic protection systems.

FUNCTION checkClickFrequency(request):
  ip = request.getIP()
  timestamp = request.getTime()
  
  // Get recent clicks for this IP from a temporary log
  recent_clicks = getClicksForIP(ip, within_last_minutes=5)
  
  IF count(recent_clicks) > 20:
    // Flag IP for review or add to a temporary blocklist
    flagIP(ip, reason="High Click Frequency")
    RETURN "Suspicious"
  
  logClick(ip, timestamp)
  RETURN "Valid"

Example 2: User Agent & Header Validation

This logic inspects the HTTP headers and User-Agent string of an ad request to identify signatures of known bots or non-standard browsers. Many automated scripts use outdated or generic user agents that don't match typical human users, making them easy to filter out.

FUNCTION validateUserAgent(request):
  user_agent = request.getHeader("User-Agent")
  known_bot_signatures = ["bot", "spider", "crawler", "headless"]
  
  // Check for common bot keywords
  FOR signature IN known_bot_signatures:
    IF signature IN user_agent.lower():
      flagRequest(request, reason="Known Bot Signature")
      RETURN "Invalid"
      
  // Check for missing or malformed User-Agent
  IF user_agent IS NULL OR len(user_agent) < 10:
    flagRequest(request, reason="Malformed User-Agent")
    RETURN "Invalid"
    
  RETURN "Valid"

Example 3: Geographic Mismatch Detection

This logic compares the geographic location derived from the user's IP address with other location data available (e.g., from a user profile or language settings). A significant mismatch can indicate the use of a proxy or VPN to mask the user's true location, a common tactic in ad fraud.

FUNCTION checkGeoMismatch(request):
  ip_location = getLocationFromIP(request.getIP()) // e.g., "USA"
  profile_location = request.getUserProfile().getCountry() // e.g., "Vietnam"
  
  // Allow for some regional proxy use, but flag major discrepancies
  IF ip_location IS NOT "Unknown" AND profile_location IS NOT "Unknown":
    IF ip_location != profile_location:
      // Calculate distance or check against a list of high-fraud countries
      IF isHighRiskMismatch(ip_location, profile_location):
        flagRequest(request, reason="Geographic Mismatch")
        RETURN "Suspicious"
        
  RETURN "Valid"

📈 Practical Use Cases for Businesses

• Campaign Shielding – Businesses use ad server data to apply real-time filtering rules, blocking clicks from known bots, data centers, and competitors. This directly protects the advertising budget by preventing payment for invalid traffic before it accumulates.
• Analytics Purification – By filtering out non-human traffic, ad servers ensure that marketing analytics reflect genuine human engagement. This leads to more accurate metrics like click-through rate (CTR) and conversion rate, enabling better strategic decisions.
• ROI Optimization – With cleaner traffic, the return on ad spend (ROAS) naturally improves. Businesses can reallocate the budget saved from blocking fraud toward channels and placements that deliver real, converting customers, maximizing profitability.
• Lead Generation Integrity – For businesses focused on acquiring leads, the ad server helps verify that form fills and sign-ups come from legitimate users. It prevents fake leads from polluting the sales funnel and wasting the sales team's time.

Example 1: Geofencing Rule

A local service-based business that only operates in California can use ad server data to automatically block clicks from IP addresses outside its service area. This prevents budget waste on clicks from users who cannot become customers.

// Rule applied in the fraud detection platform
RULE "California-Only Traffic"
WHEN
  request.getGeoLocation().country != "USA" OR
  request.getGeoLocation().state != "California"
THEN
  BLOCK_CLICK(reason="Out of Service Area")

Example 2: Session Behavior Scoring

An e-commerce business notices that fraudulent users often click an ad but bounce instantly without any page interaction. It can create a rule that scores clicks based on post-click behavior, flagging users with zero session duration or no mouse movement.

// Pseudocode for a scoring model
FUNCTION scoreSession(click_data):
  score = 100 // Start with a perfect score
  
  IF click_data.session_duration < 2 seconds:
    score = score - 50
  
  IF click_data.mouse_events == 0:
    score = score - 30
    
  IF score < 50:
    FLAG_AS_FRAUD(click_data.id)

🐍 Python Code Examples

This code demonstrates a basic filter to block incoming ad clicks from a predefined list of suspicious IP addresses. This is a common first line of defense in protecting ad campaigns from known bad actors or competitor clicks.

BLOCKED_IPS = {"198.51.100.1", "203.0.113.24", "192.0.2.15"}

def block_suspicious_ips(click_request):
    """
    Checks if the click's IP is in the blocklist.
    """
    ip_address = click_request.get("ip")
    if ip_address in BLOCKED_IPS:
        print(f"Blocked fraudulent click from IP: {ip_address}")
        return False
    print(f"Allowed click from IP: {ip_address}")
    return True

# Simulate incoming clicks
click1 = {"ip": "91.198.174.192", "ad_id": "abc-123"}
click2 = {"ip": "198.51.100.1", "ad_id": "xyz-789"}

block_suspicious_ips(click1)
block_suspicious_ips(click2)

This example analyzes the time difference between clicks from the same user ID to detect abnormally rapid clicking, which is characteristic of bot behavior. Real users do not typically click the same ad multiple times within a few seconds.

import time

click_timestamps = {}
# Time in seconds to detect rapid clicks
TIME_THRESHOLD = 5 

def detect_rapid_clicks(click_request):
    """
    Detects if a user is clicking too frequently.
    """
    user_id = click_request.get("user_id")
    current_time = time.time()
    
    if user_id in click_timestamps:
        last_click_time = click_timestamps[user_id]
        if (current_time - last_click_time) < TIME_THRESHOLD:
            print(f"Fraudulent rapid click detected for user: {user_id}")
            return False
            
    click_timestamps[user_id] = current_time
    print(f"Valid click from user: {user_id}")
    return True

# Simulate clicks from the same user
click1 = {"user_id": "user-9876"}
click2 = {"user_id": "user-9876"}

detect_rapid_clicks(click1)
time.sleep(2) # Wait 2 seconds
detect_rapid_clicks(click2)

Types of Ad server

• First-Party Ad Server
  Used by publishers to manage their own ad inventory and serve direct-sold campaigns. In fraud protection, it's the primary source of raw data (IPs, user agents, timestamps) and is responsible for implementing the initial blocking rules against suspicious traffic before an ad is even served.
• Third-Party Ad Server
  Used by advertisers to track campaign performance and verify ad delivery across multiple publishers. For fraud detection, it acts as a central auditing tool, comparing its own click and impression data against the publisher's reports to identify discrepancies and measure the overall quality of traffic from different sources.
• Open-Source Ad Server
  A self-hosted ad server that gives advertisers full control over their ad-serving technology and data. In the context of fraud, this allows for highly customized detection rules and direct integration with proprietary anti-fraud systems, offering greater transparency and control than commercial solutions, though it requires significant technical maintenance.

How Ad spend Works

Incoming Ad Traffic ─→ [Data Collection] ─→ [Spend Analysis Engine] ─→ [Fraud Identification] ─→ + ─→ [Block & Alert]
      (Clicks, Impressions) │                   │ (Pacing, CPA, Geo-spend)      │ (Anomalies, Rules)        │      └─→ [Allow]
                          └───────────────────┴───────────────────────────────┴───────────────────────────┘

🧠 Core Detection Logic

Example 1: Budget Velocity Capping

This logic monitors the rate at which an ad campaign’s budget is spent. It is designed to prevent rapid budget depletion caused by bot-driven click attacks. If spending exceeds a predefined threshold within a short time frame without a corresponding rise in conversions, the system flags the activity as fraudulent.

// Rule: Budget Velocity Anomaly
IF (Campaign.time_elapsed < 1_HOUR AND Campaign.spend_rate > 5 * Campaign.historical_avg_spend_rate)
THEN
  IF (Campaign.conversion_rate < 0.5 * Campaign.historical_avg_conversion_rate)
  THEN
    FLAG traffic_source AS "Suspicious: High Spend, Low Conversion"
    PAUSE campaign
    ALERT manager
  END IF
END IF

Example 2: Geographic Spend Anomaly Detection

This logic analyzes the geographic source of clicks in relation to ad spend. If a significant portion of the budget is consumed by clicks from a location outside the campaign's target geography or from a region known for click farms, it is flagged as a geo-mismatch and likely fraud.

// Rule: Geographic Spend Mismatch
FOR each click IN campaign.traffic
  IF (click.geolocation NOT IN Campaign.target_geographies) AND (click.cost > 0.01)
  THEN
    total_mismatched_spend += click.cost
  END IF
END FOR

IF (total_mismatched_spend > Campaign.daily_budget * 0.20)
THEN
  FLAG campaign AS "Geographic Spend Anomaly"
  BLOCK geolocations with highest mismatched spend
END IF

Example 3: CPA Inflation Monitoring

This logic tracks the Cost Per Acquisition (CPA) in real time. Fraudulent clicks do not convert, causing the total ad spend to rise without an increase in successful acquisitions. A sudden, unexplained spike in CPA is a strong indicator that the campaign is being targeted by click fraud, as the budget is wasted on non-converting traffic.

// Rule: Real-time CPA Inflation Alert
current_cpa = Campaign.total_spend / Campaign.total_conversions

IF (current_cpa > Campaign.target_cpa * 2.5) AND (Campaign.impressions > 1000)
THEN
  FLAG campaign AS "High CPA Alert: Potential Ad Fraud"
  FOR each source IN campaign.traffic_sources
    IF (source.conversions == 0 AND source.spend > high_spend_threshold)
    THEN
      BLOCK source.ip_range
    END IF
  END FOR
END IF

📈 Practical Use Cases for Businesses

• Campaign Shielding – Automatically block traffic from sources that drain ad spend without generating conversions. This protects daily budgets from being exhausted by automated bots or click farms, ensuring ads remain visible to genuine potential customers.
• ROAS Optimization – Improve Return on Ad Spend (ROAS) by ensuring that financial resources are allocated exclusively to traffic with a genuine potential for conversion. By filtering out fraudulent clicks, businesses prevent budget waste and achieve a more accurate picture of campaign profitability.
• Data Integrity for Marketing Analytics – Ensure that performance metrics like Click-Through Rate (CTR) and Cost Per Conversion are not skewed by fraudulent interactions. Clean data allows marketers to make more accurate decisions about budget allocation, targeting strategies, and campaign planning.
• Competitive Advantage – Protect campaigns from competitors aiming to maliciously deplete ad budgets. By identifying and blocking competitor-driven click fraud, businesses can maintain their market presence and ensure their advertising efforts are not sabotaged.

Example 1: High-Frequency Spend Rule

This pseudocode blocks an IP address that consumes a disproportionate amount of ad spend in a very short period, a common sign of an aggressive bot attack.

// Logic to block IPs based on rapid, high-volume spend
DEFINE spend_threshold = $5.00
DEFINE time_window = 60 // seconds

FOR each visitor IN traffic_log
  visitor_spend = SUM(click_cost) WHERE visitor.ip == current_ip
  IF visitor_spend > spend_threshold AND visitor.session_duration < time_window
  THEN
    ADD visitor.ip TO global_block_list
    LOG "Blocked IP " + visitor.ip + " for rapid spend fraud."
  END IF
END FOR

Example 2: Conversion-Based Spend Analysis

This logic identifies traffic sources that are spending money but never leading to conversions over time, suggesting they are sources of invalid traffic.

// Logic to identify and block non-converting traffic sources
DEFINE review_period = 24 // hours
DEFINE min_spend_threshold = $20.00

FOR each traffic_source IN campaign.sources
  IF (TIME_SINCE(traffic_source.first_click) > review_period)
  THEN
    source_spend = SUM(click_cost) FOR traffic_source
    source_conversions = COUNT(conversions) FOR traffic_source

    IF (source_spend > min_spend_threshold AND source_conversions == 0)
    THEN
      ADD traffic_source.id TO exclusion_list
      LOG "Excluded source " + traffic_source.id + " for zero conversions."
    END IF
  END IF
END FOR

🐍 Python Code Examples

This code demonstrates how to identify suspicious IP addresses by tracking the ad spend they generate. If an IP's total spend exceeds a certain threshold without any associated conversions, it gets flagged as potentially fraudulent, helping to stop budget-wasting traffic.

# Simulate tracking ad spend per IP to detect non-converting, high-cost traffic
ad_clicks = [
  {'ip': '203.0.113.1', 'cost': 0.50, 'converted': False},
  {'ip': '198.51.100.5', 'cost': 0.75, 'converted': True},
  {'ip': '203.0.113.1', 'cost': 0.80, 'converted': False},
  {'ip': '203.0.113.1', 'cost': 1.20, 'converted': False},
]

def analyze_spend_by_ip(clicks, spend_threshold=2.0):
  spend_per_ip = {}
  suspicious_ips = []

  for click in clicks:
    ip = click['ip']
    cost = click['cost']
    converted = click['converted']
    
    if ip not in spend_per_ip:
      spend_per_ip[ip] = {'total_cost': 0, 'conversions': 0}
      
    spend_per_ip[ip]['total_cost'] += cost
    if converted:
      spend_per_ip[ip]['conversions'] += 1

  for ip, data in spend_per_ip.items():
    if data['total_cost'] > spend_threshold and data['conversions'] == 0:
      suspicious_ips.append(ip)
      
  return suspicious_ips

flagged_ips = analyze_spend_by_ip(ad_clicks)
print(f"Suspicious IPs based on high spend without conversion: {flagged_ips}")

This script filters a list of incoming ad clicks by analyzing their associated user agents. It blocks clicks from known bot user agents, which prevents automated scripts from consuming the ad budget and ensures spend is directed toward genuine human users.

# Filter traffic based on known fraudulent user agents to protect ad spend
traffic_requests = [
  {'user_agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) ...', 'cost': 1.10},
  {'user_agent': 'AhrefsBot/7.0; +http://ahrefs.com/robot/', 'cost': 0.95},
  {'user_agent': 'Googlebot/2.1 (+http://www.google.com/bot.html)', 'cost': 0.85},
  {'user_agent': 'Mozilla/5.0 (iPhone; CPU iPhone OS 15_0 like Mac OS X) ...', 'cost': 1.50},
]

def filter_bot_traffic(requests):
  known_bots = ['AhrefsBot', 'SemrushBot', 'Googlebot']
  valid_spend = 0
  blocked_spend = 0

  for req in requests:
    is_bot = any(bot in req['user_agent'] for bot in known_bots)
    if not is_bot:
      valid_spend += req['cost']
    else:
      blocked_spend += req['cost']
      print(f"Blocked bot traffic from: {req['user_agent']}")
      
  return valid_spend, blocked_spend

valid, blocked = filter_bot_traffic(traffic_requests)
print(f"Valid ad spend: ${valid:.2f}")
print(f"Blocked ad spend: ${blocked:.2f}")

Types of Ad spend

• Spend Velocity Analysis – This method focuses on the rate at which ad budget is consumed. A sudden, unusually high rate of spending is a strong indicator of a bot-driven attack, as automated scripts can generate a massive volume of clicks in a very short time, draining budgets almost instantly.
• Geographic Spend Distribution – This involves analyzing where ad spend is geographically concentrated. If a campaign targeting the United States suddenly shows a majority of its budget being spent on clicks from a different country, it signals potential fraud, such as traffic from offshore click farms.
• Cost Per Acquisition (CPA) Anomaly Detection – This technique monitors the cost of acquiring a customer. Since fraudulent clicks do not lead to actual conversions, a rising ad spend without a corresponding increase in customers causes the CPA to inflate, flagging the traffic source as suspicious.

- Time-of-Day Spend Monitoring – This method analyzes spending patterns based on the time of day. If a significant portion of the budget is spent during off-hours (e.g., 3-5 AM) when the target audience is typically inactive, it suggests the clicks are automated and not from genuine users.

How Ad stacking Works

     User's View      │      Fraudulent Publisher's Site/App
──────────────────────┼─────────────────────────────────────────────
                      │
   Visible Ad         │   +─────────────────────+
 [ Ad Campaign #1 ]   │   │   Visible Ad Slot   │  ← User sees this ad
 └──────────────────┘ │   +─────────────────────+
                      │             ↑
                      │      Loads & Hides
                      │             ↓
   Hidden Layers      │   +─────────────────────+
   (Invisible)        │   │   Hidden Ad #2      │  ← Impression #2 logged
                      │   +─────────────────────+
                      │   │   Hidden Ad #3      │  ← Impression #3 logged
                      │   +─────────────────────+
                      │   │   ... (more ads)    │  ← More impressions
                      │   +─────────────────────+
                      │

🧠 Core Detection Logic

Example 1: Timestamp Correlation

This logic detects ad stacking by identifying multiple ad interactions (clicks or impressions) originating from the same device or user session at the exact same time. Since a legitimate user cannot interact with multiple ads in different locations simultaneously, identical timestamps are a strong indicator of stacking.

FUNCTION detect_stacking(session_logs):
  // Group all ad events by user session ID
  grouped_events = GROUP_BY(session_logs, "session_id")

  FOR each session in grouped_events:
    // Further group events by their exact timestamp
    timed_events = GROUP_BY(session.events, "timestamp")

    FOR each time_group in timed_events:
      // If more than one unique ad ID exists for a single timestamp, flag it
      IF COUNT(UNIQUE(time_group.ad_id)) > 1:
        FLAG_AS_FRAUD(session.id, "Ad Stacking Detected: Multiple ads at same timestamp")
        RETURN

Example 2: Viewability and Geometry Analysis

This method checks the viewability status and physical position of ad containers on a webpage. If multiple ad containers report being 100% viewable but share the exact same coordinates and dimensions, it implies they are stacked on top of each other. This requires a client-side script that can access the DOM.

FUNCTION check_ad_geometry(ad_containers):
  // Store geometry of checked containers: { "x,y,w,h": count }
  geometry_map = {}

  FOR ad in ad_containers:
    // Check if the ad is considered viewable by the browser's API
    IF ad.is_viewable():
      // Create a unique key from the ad's position and size
      geo_key = CONCAT(ad.x, ad.y, ad.width, ad.height)

      // Increment count for this specific geometry
      IF geo_key in geometry_map:
        geometry_map[geo_key] += 1
      ELSE:
        geometry_map[geo_key] = 1

  // If any geometry has more than one ad, it's a stack
  FOR key, count in geometry_map.items():
    IF count > 1:
      FLAG_AS_FRAUD("Ad Stacking Detected: Overlapping geometry")
      RETURN

Example 3: Impression-to-Click Ratio Anomaly

This server-side logic analyzes the performance metrics of a specific ad placement or publisher. Placements committing ad stacking fraud often exhibit an abnormally high number of impressions with a near-zero click-through rate (CTR) because the hidden ads are never seen and therefore cannot be clicked.

FUNCTION analyze_placement_performance(publisher_id, time_window):
  placement_data = GET_DATA(publisher_id, time_window)

  FOR each placement in placement_data:
    impressions = placement.impression_count
    clicks = placement.click_count

    // Set a high threshold for impressions and a very low one for CTR
    HIGH_IMPRESSION_THRESHOLD = 10000
    LOW_CTR_THRESHOLD = 0.0001 // 0.01%

    IF impressions > HIGH_IMPRESSION_THRESHOLD:
      ctr = clicks / impressions
      IF ctr < LOW_CTR_THRESHOLD:
        FLAG_AS_FRAUD(publisher_id, placement.id, "Anomaly Detected: Extremely high impressions with near-zero CTR")

📈 Practical Use Cases for Businesses

• Campaign Budget Shielding – Prevents ad spend from being wasted on fraudulent, unseen impressions, ensuring that budget is allocated to ads with a genuine opportunity to be viewed by human users.
• Data Integrity for Analytics – By filtering out fraudulent impressions and clicks from stacking, businesses can maintain clean performance data, leading to more accurate analysis and better strategic marketing decisions.
• Improving Return on Ad Spend (ROAS) – Eliminating payments for fake impressions directly improves ROAS by ensuring that the ad spend is directed towards legitimate placements that can drive actual conversions.
• Protecting Brand Reputation – Prevents brand association with low-quality or fraudulent publishers, preserving brand safety and ensuring ads are displayed in appropriate environments.

Example 1: Real-Time Impression Timestamp Rule

This pseudocode defines a real-time rule within an ad exchange or a demand-side platform (DSP) to block bids to publishers that show signs of ad stacking. It works by flagging users who generate multiple impressions from different ad campaigns simultaneously.

// Rule: Block bid request if user exhibits stacking behavior

FUNCTION should_block_bid(bid_request):
  user_id = bid_request.user.id
  current_timestamp = NOW()

  // Get impression events for this user in the last 2 seconds
  recent_impressions = GET_IMPRESSIONS(user_id, LOOKBACK_WINDOW = 2_SECONDS)

  // If more than 2 impressions were logged at the exact same timestamp, flag user
  IF COUNT_IMPRESSIONS_AT_TIMESTAMP(recent_impressions, current_timestamp) > 2:
    // Add user to a temporary blocklist
    ADD_TO_BLOCKLIST(user_id, DURATION = 1_HOUR)
    LOG_FRAUD("Stacking behavior detected, user blocked.")
    RETURN TRUE // Block bid

  RETURN FALSE

Example 2: Publisher Performance Monitoring

This logic is for an automated system that reviews publisher performance daily. It identifies publishers with an extremely low click-through rate (CTR) despite a high volume of served impressions, which is a strong indicator of impression fraud like ad stacking.

// Daily automated script to review publisher quality

PROCEDURE review_publisher_metrics():
  yesterday_stats = GET_PUBLISHER_STATS(DATE = YESTERDAY)

  FOR publisher in yesterday_stats:
    impressions = publisher.metrics.impressions
    clicks = publisher.metrics.clicks

    // Check for a statistically significant number of impressions
    IF impressions > 50000:
      // Calculate Click-Through Rate
      ctr = clicks / impressions

      // If CTR is abnormally low (e.g., less than 0.01%), pause the publisher
      IF ctr < 0.0001:
        PAUSE_PUBLISHER(publisher.id)
        NOTIFY_ADMIN(f"Publisher {publisher.id} paused due to suspected impression fraud.")

🐍 Python Code Examples

This example simulates checking a log of ad events to find instances where multiple unique ads were recorded for the same user at the exact same timestamp, a clear sign of ad stacking.

import collections

def detect_ad_stacking_by_timestamp(event_logs):
    """
    Analyzes event logs to detect ad stacking based on simultaneous impressions.
    An event log is a list of dicts: {'user_id': 'xyz', 'ad_id': 'abc', 'timestamp': 1677615000}
    """
    events_by_time = collections.defaultdict(list)
    fraudulent_sessions = set()

    # Group ad IDs by user and timestamp
    for event in event_logs:
        key = (event['user_id'], event['timestamp'])
        events_by_time[key].append(event['ad_id'])

    # If any user has multiple unique ad IDs at the same time, flag it
    for (user, timestamp), ad_ids in events_by_time.items():
        if len(set(ad_ids)) > 1:
            fraudulent_sessions.add(user)
            print(f"Ad stacking detected for user {user} at timestamp {timestamp} with ads: {set(ad_ids)}")

    return list(fraudulent_sessions)

# Sample Data
logs = [
    {'user_id': 'user-123', 'ad_id': 'ad-A', 'timestamp': 1677615000},
    {'user_id': 'user-123', 'ad_id': 'ad-B', 'timestamp': 1677615000}, # Fraud
    {'user_id': 'user-123', 'ad_id': 'ad-C', 'timestamp': 1677615000}, # Fraud
    {'user_id': 'user-456', 'ad_id': 'ad-A', 'timestamp': 1677615001},
    {'user_id': 'user-123', 'ad_id': 'ad-A', 'timestamp': 1677615002},
]
detect_ad_stacking_by_timestamp(logs)

This code simulates analyzing publisher data to identify those with an unusually high impression count but an extremely low click-through rate (CTR), which suggests that ads are being served but not seen.

def find_suspicious_publishers(publisher_data):
    """
    Identifies suspicious publishers based on high impressions and very low CTR.
    Publisher data is a list of dicts: {'pub_id': 'pub-01', 'impressions': 50000, 'clicks': 10}
    """
    suspicious_list = []
    IMPRESSION_THRESHOLD = 10000  # Minimum impressions to be considered significant
    CTR_THRESHOLD = 0.0005  # Less than 0.05% CTR

    for pub in publisher_data:
        if pub['impressions'] > IMPRESSION_THRESHOLD:
            ctr = pub['clicks'] / pub['impressions'] if pub['impressions'] > 0 else 0
            if ctr < CTR_THRESHOLD:
                suspicious_list.append(pub['pub_id'])
                print(f"Suspicious publisher found: {pub['pub_id']} (Impressions: {pub['impressions']}, CTR: {ctr:.4f})")
    
    return suspicious_list

# Sample Data
data = [
    {'pub_id': 'pub-good', 'impressions': 75000, 'clicks': 150},
    {'pub_id': 'pub-fraud', 'impressions': 120000, 'clicks': 5}, # Suspicious
    {'pub_id': 'pub-small', 'impressions': 1000, 'clicks': 2},
]
find_suspicious_publishers(data)

Types of Ad stacking

• Classic Layering – This is the most direct form, where multiple ads are placed in the same ad unit using code to layer them. Only the top ad is visible, while others are hidden underneath with their opacity set to zero or near-zero, yet all register an impression.
• Pixel Stuffing – A variation where one or more ads are crammed into a tiny 1x1 pixel iframe. While technically loaded and counted as an impression, the ad is completely invisible to the human eye, making it a severe form of impression fraud.
• Hidden Video Ads – Fraudsters may display a static, visible image to the user while one or more video ads autoplay in the background. The user is unaware of the video content, but the advertiser is charged for a video view, which is often more expensive than a display impression.
• Banner Rotation Abuse – In this method, a single ad placement rapidly rotates through multiple ads in the background, faster than a human could see. Each ad is displayed just long enough to register an impression before being replaced, creating a continuous cycle of fraudulent impressions behind one visible ad space.

How Ad tag Works

  User Visit     +----------------------+     Ad Request     +--------------------+     Analysis      +---------------------+     Decision
(Legitimate/Bot) │   Publisher Website  │------------------>│ Fraud Detection    │----------------->│   Scoring Engine    │------------------> (Serve/Block Ad)
      │          │ with Security Ad Tag │                  │   System (Server)  │                 │ (Rules & Heuristics)│                  │
      └──────────│       (JS Code)      │<------------------│                    │<------------------│                     │<------------------┘
                 +----------------------+   Data Collection  +--------------------+    Feedback     +---------------------+

🧠 Core Detection Logic

Example 1: IP Reputation and Filtering

This logic checks the incoming user’s IP address against known blacklists of fraudulent IPs, such as those associated with data centers, VPNs/proxies, or known botnets. It’s a foundational layer of defense that filters out obviously non-human traffic before it can consume ad resources.

FUNCTION checkIpReputation(request):
  user_ip = request.getIpAddress()
  
  IF user_ip IS IN known_datacenter_ips_blacklist THEN
    RETURN "BLOCK"
  
  IF user_ip IS IN known_proxy_vpn_blacklist THEN
    RETURN "BLOCK"
    
  IF getIpReputationScore(user_ip) < fraud_threshold THEN
    RETURN "BLOCK"
    
  RETURN "ALLOW"

Example 2: Session Click Velocity Heuristics

This logic analyzes the user's click behavior within a specific timeframe. An unnaturally high number of clicks from a single user in a short period is a strong indicator of bot activity or a click farm. This helps catch automated scripts that standard IP filters might miss.

FUNCTION checkClickVelocity(user_session):
  current_time = now()
  click_timestamps = user_session.getClickTimestamps()
  
  clicks_in_last_minute = 0
  FOR each timestamp IN click_timestamps:
    IF current_time - timestamp <= 60 seconds THEN
      clicks_in_last_minute += 1
      
  IF clicks_in_last_minute > 5 THEN
    RETURN "FLAG_AS_SUSPICIOUS"
  
  RETURN "NORMAL"

Example 3: Geo Mismatch Detection

This rule compares the geographical location derived from the user's IP address with other location-based data points, such as browser timezone or language settings. A significant mismatch (e.g., an IP in one country but a timezone from another) can indicate attempts to spoof location and is a common tactic in ad fraud.

FUNCTION checkForGeoMismatch(request):
  ip_geolocation = getGeoFromIp(request.getIpAddress())
  browser_timezone = request.getBrowserTimezone()
  browser_language = request.getBrowserLanguage()

  expected_timezone = getTimezoneForCountry(ip_geolocation.country)
  expected_language = getLanguageForCountry(ip_geolocation.country)

  IF browser_timezone IS NOT IN expected_timezone THEN
    RETURN "BLOCK_GEO_MISMATCH"
  
  IF browser_language IS NOT IN expected_language THEN
    RETURN "FLAG_AS_SUSPICIOUS"

  RETURN "ALLOW"

📈 Practical Use Cases for Businesses

• Campaign Shielding: Protects active advertising campaigns from being drained by automated bot clicks and other forms of invalid traffic, ensuring the budget is spent on reaching real potential customers.
• Data Integrity: Ensures that marketing analytics and performance metrics (like CTR and conversion rates) are based on genuine human interactions, leading to more accurate insights and better strategic decisions.
• ROAS Optimization: Improves Return on Ad Spend (ROAS) by preventing wasteful expenditure on fraudulent clicks that will never convert, thereby increasing the overall efficiency and profitability of ad campaigns.
• Lead Generation Filtering: Prevents fake leads generated by bots from polluting sales funnels, saving time and resources for sales teams who would otherwise be chasing nonexistent prospects.

Example 1: Geofencing Rule

This logic is used to block traffic from regions outside the advertiser's target market. It's a simple but effective way to eliminate irrelevant clicks and reduce exposure to fraud originating from specific high-risk countries.

FUNCTION applyGeofencing(request):
  user_country = getGeoFromIp(request.getIpAddress()).country
  allowed_countries = ["USA", "CAN", "GBR"]

  IF user_country NOT IN allowed_countries THEN
    // Block the ad request immediately
    BLOCK_REQUEST(request.id, "Geo-fencing Violation")
  ELSE
    // Allow request to proceed to next check
    ALLOW_REQUEST(request.id)

Example 2: Session Scoring Logic

This pseudocode demonstrates a more complex scoring system. It aggregates multiple risk factors (like using a VPN, being a known bot, or having a high click frequency) into a single score. If the score exceeds a certain threshold, the user is blocked, allowing for a more nuanced approach than a single rule.

FUNCTION calculateSessionScore(session):
  score = 0
  
  IF session.usesVpnOrProxy() THEN
    score += 40
    
  IF session.isFromKnownDataCenter() THEN
    score += 50
    
  IF session.clickFrequency > 10 clicks_per_minute THEN
    score += 25

  IF score >= 80 THEN
    // Block user and log as high-risk
    BLOCK_USER(session.userId, "Session score exceeded threshold")
  ELSE
    // Allow user
    PROCEED(session.userId)

🐍 Python Code Examples

This Python function simulates checking a user's IP address against a predefined blacklist of fraudulent IPs. It's a common first-line defense in many click fraud detection systems to filter out known bad actors before performing more complex analysis.

# A set of known fraudulent IP addresses (e.g., from data centers, proxies)
FRAUDULENT_IPS = {"198.51.100.15", "203.0.113.88", "192.0.2.240"}

def filter_suspicious_ips(ip_address):
    """
    Checks if an IP address is in the fraudulent IP set.
    """
    if ip_address in FRAUDULENT_IPS:
        print(f"Blocking fraudulent IP: {ip_address}")
        return False  # Block the request
    else:
        print(f"Allowing legitimate IP: {ip_address}")
        return True  # Allow the request

# Example Usage
filter_suspicious_ips("198.51.100.15")
filter_suspicious_ips("8.8.8.8")

This code analyzes click timestamps for a given user ID to detect unnaturally high click frequency. By tracking the time between clicks, it can identify automated bots that click much faster than a human could, helping to flag non-human traffic.

import time

# Store click times per user
user_clicks = {}
CLICK_THRESHOLD_SECONDS = 2  # Minimum seconds between human clicks

def is_click_frequency_abnormal(user_id):
    """
    Detects rapid, successive clicks from a single user.
    """
    current_time = time.time()
    
    if user_id in user_clicks:
        last_click_time = user_clicks[user_id]
        if (current_time - last_click_time) < CLICK_THRESHOLD_SECONDS:
            print(f"Abnormal click frequency detected for user: {user_id}")
            return True  # Flag as fraudulent
            
    user_clicks[user_id] = current_time
    print(f"Normal click frequency for user: {user_id}")
    return False

# Example Usage
is_click_frequency_abnormal("user-123") # First click
time.sleep(1)
is_click_frequency_abnormal("user-123") # Second click (too fast)

This example demonstrates a traffic scoring system that combines multiple risk factors into a single fraud score. This allows for a more nuanced decision-making process, where traffic isn't simply blocked or allowed but assessed based on a combination of suspicious signals.

def get_traffic_authenticity_score(request_data):
    """
    Scores traffic based on multiple indicators (e.g., IP, user agent).
    A lower score is better.
    """
    score = 0
    
    # Check for suspicious user agents (e.g., outdated or known bot user agents)
    suspicious_user_agents = ["BotBrowser/1.0", "OldNetscapeBrowser"]
    if request_data.get("user_agent") in suspicious_user_agents:
        score += 50
        
    # Check for known fraudulent IPs
    fraudulent_ips = {"198.51.100.15", "203.0.113.88"}
    if request_data.get("ip") in fraudulent_ips:
        score += 50
        
    if score >= 80:
        print(f"High fraud score ({score}). Blocking request.")
        return False
    else:
        print(f"Low fraud score ({score}). Allowing request.")
        return True

# Example Usage
request1 = {"ip": "198.51.100.15", "user_agent": "Chrome/108.0"}
request2 = {"ip": "8.8.8.8", "user_agent": "BotBrowser/1.0"}
get_traffic_authenticity_score(request1)
get_traffic_authenticity_score(request2)

Types of Ad tag

• JavaScript Ad Tags: These are the most common type of ad tags. They are snippets of JavaScript code that can execute more complex logic, such as collecting detailed user data, analyzing the user's environment, and communicating in real-time with fraud detection servers.
• iFrame Ad Tags: iFrame (Inline Frame) tags load the ad in a separate HTML document embedded within the main webpage. This can help isolate the ad's code from the publisher's content, which can prevent certain types of malicious ad injections or page manipulations.
• VAST (Video Ad Serving Template) Tags: These are specialized XML-based tags used for video ads. In fraud prevention, VAST tags are monitored for signs of "ad stacking" (multiple ads layered in one slot) or if the video player is running in a hidden or non-viewable environment.
• Synchronous Ad Tags: This type of tag loads along with the other content on the page. From a fraud detection standpoint, it can be useful for ensuring the ad is part of the primary page load, but it can also slow down the website if the fraud check takes too long.
• Asynchronous Ad Tags: These tags load independently of the rest of the webpage content. This is generally preferred as it doesn't slow down page load times, and a fraud detection script can run in the background without impacting the user's experience.

How Ad unit Works

+----------------+      +-------------+      +-----------+      +--------------------+      +------------------+
| User Request   |  ->  | Ad Server   |  ->  | Ad Unit   |  ->  | Fraud Analysis     |  ->  | Action           |
| (Impression)   |      | (Selects Ad)|      | (Displays Ad) |  | (Real-time/Batch)  |      | (Block/Allow)    |
+----------------+      +-------------+      +-----------+      +--------------------+      +------------------+
                                                                         |
                                                                         └─ [Invalid] -> Block & Report
                                                                         └─ [Valid]   -> Render Ad & Count

🧠 Core Detection Logic

Example 1: Behavioral Anomaly Detection

This logic analyzes user interaction patterns within a specific ad unit to identify non-human behavior. It focuses on how a user interacts with the ad, flagging patterns that are too fast, too uniform, or lack the subtle variations typical of human engagement. This is effective against bots that execute simple, repetitive click actions.

FUNCTION check_behavior(click_event):
  // Collect data for a single click on an ad unit
  time_since_page_load = click_event.timestamp - page_load_time
  mouse_path = click_event.mouse_trace
  
  // Rule 1: Check for unnaturally fast clicks
  IF time_since_page_load < 2 SECONDS THEN
    RETURN {fraud: true, reason: "Click too fast"}
  END IF
  
  // Rule 2: Check for robotic mouse movement (e.g., a perfectly straight line)
  IF is_linear(mouse_path) AND length(mouse_path) > 20 PIXELS THEN
    RETURN {fraud: true, reason: "Robotic mouse movement"}
  END IF
  
  RETURN {fraud: false}
END FUNCTION

Example 2: Click Frequency Capping

This rule limits how many times a single user (identified by IP address or device fingerprint) can click on a specific ad unit within a set time frame. It is a direct countermeasure against click flooding, where a bot repeatedly hits the same ad to quickly exhaust a campaign’s budget.

FUNCTION is_frequency_fraud(user_id, ad_unit_id):
  // Define thresholds
  time_window = 60 MINUTES
  max_clicks = 3
  
  // Get user's click history for the specific ad unit
  click_timestamps = get_clicks(user_id, ad_unit_id, within=time_window)
  
  // Check if click count exceeds the maximum allowed
  IF count(click_timestamps) > max_clicks THEN
    RETURN {fraud: true, reason: "Exceeded click frequency cap"}
  END IF
  
  RETURN {fraud: false}
END FUNCTION

Example 3: Geo-Targeting Mismatch

This logic verifies that the user’s geographic location, determined via their IP address, aligns with the intended target region for that ad unit. It is particularly useful for identifying sophisticated fraud where bots use proxies or VPNs from outside a campaign’s target area to generate fake engagement.

FUNCTION check_geo_mismatch(user_ip, ad_unit_id):
  // Get ad unit's targeting rules
  ad_target_region = get_ad_unit_targeting(ad_unit_id).region
  
  // Get user's location from their IP address
  user_location = get_location_from_ip(user_ip)
  
  // Compare user's location to the ad's target region
  IF user_location.country NOT IN ad_target_region.countries THEN
    RETURN {fraud: true, reason: "Geographic mismatch"}
  END IF
  
  RETURN {fraud: false}
END FUNCTION

📈 Practical Use Cases for Businesses

• Campaign Shielding – This protects advertising budgets by applying real-time filtering rules to ad units, ensuring that money is spent reaching genuine potential customers, not wasted on automated bot clicks or other forms of invalid traffic.
• Analytics Integrity – By ensuring only valid interactions are recorded at the ad unit level, businesses maintain clean data. This allows for accurate performance measurement, reliable conversion tracking, and smarter strategic decisions based on real user engagement.
• Return on Ad Spend (ROAS) Improvement – By blocking fraudulent traffic at the source ad unit, businesses ensure their campaigns have a higher concentration of legitimate users. This directly improves ROAS by preventing budget drain and focusing ad delivery on audiences that can actually convert.
• Publisher Quality Assessment – Businesses can analyze fraud rates per publisher ad unit to identify which traffic sources are clean and which are sending high levels of invalid traffic, allowing them to optimize their media buying and partner with high-quality publishers.

Example 1: E-commerce Geofencing Rule

An online retailer running a campaign specifically for a “UK Summer Sale” can apply a geofencing rule to its ad units to reject any clicks from outside the UK. This immediately blocks irrelevant traffic from bots using international proxies, saving budget and ensuring metrics reflect the target market.

// Logic applied to each click on a designated ad unit
PROCEDURE filter_campaign_clicks(click_data):
  CAMPAIGN_AD_UNITS = ["uk_summer_sale_banner", "uk_promo_sidebar"]
  ALLOWED_COUNTRY = "GB"

  IF click_data.ad_unit_id IN CAMPAIGN_AD_UNITS THEN
    user_country = get_country_from_ip(click_data.ip_address)
    
    IF user_country != ALLOWED_COUNTRY THEN
      // Reject the click and do not charge the advertiser
      REJECT_CLICK(click_data, reason="Geo-mismatch")
    ELSE
      // Process click as valid
      ACCEPT_CLICK(click_data)
    END IF
  END IF
END PROCEDURE

Example 2: Data Center Traffic Blocking

A B2B software company wants to ensure its lead-generation ads are seen by people in corporate environments, not by bots hosted on servers. It applies a rule to its ad units to block all traffic originating from known data center IP ranges, which are a common source of non-human traffic.

// Logic to check IP origin before serving an ad
FUNCTION should_serve_ad(request_data):
  // Load a list of known data center IP ranges
  DATA_CENTER_IPS = load_datacenter_ip_list()

  // Check if the request IP falls within a data center range
  IF is_ip_in_range(request_data.ip_address, DATA_CENTER_IPS) THEN
    LOG_BLOCKED_REQUEST(reason="Data center IP")
    RETURN FALSE // Do not serve the ad
  ELSE
    RETURN TRUE // Serve the ad
  END IF
END FUNCTION

🐍 Python Code Examples

This Python function demonstrates a simple way to detect click fraud by analyzing the frequency of clicks from a single IP address on a specific ad unit. If the number of clicks within a short time window exceeds a threshold, it’s flagged as suspicious, a common pattern for automated bots.

# A dictionary to store click timestamps for each IP on each ad unit
click_log = {}

# Time window in seconds and click limit
TIME_WINDOW = 60
CLICK_LIMIT = 5

def is_suspicious_frequency(ip_address, ad_unit_id, timestamp):
    """Checks for abnormally high click frequency from an IP on an ad unit."""
    if ad_unit_id not in click_log:
        click_log[ad_unit_id] = {}
    
    if ip_address not in click_log[ad_unit_id]:
        click_log[ad_unit_id][ip_address] = []

    # Remove timestamps older than the time window
    relevant_timestamps = [t for t in click_log[ad_unit_id][ip_address] if timestamp - t < TIME_WINDOW]
    relevant_timestamps.append(timestamp)
    
    click_log[ad_unit_id][ip_address] = relevant_timestamps
    
    # Check if the number of recent clicks exceeds the limit
    if len(relevant_timestamps) > CLICK_LIMIT:
        return True
    return False

This code filters traffic based on the user-agent string. Many simple bots use generic or known malicious user-agent strings. This function checks if a request’s user agent is on a blocklist, providing a basic but effective first line of defense at the ad unit level.

# A set of known bot user agents for quick lookups
BOT_AGENTS_BLOCKLIST = {
    "Googlebot/2.1",  # Example of a legitimate bot that should not click ads
    "AhrefsBot",
    "SemrushBot",
    "EvilBot/1.0",
    "Scrapy/1.5.0",
}

def is_known_bot(user_agent_string):
    """Checks if the user agent is in the blocklist."""
    if user_agent_string in BOT_AGENTS_BLOCKLIST:
        return True
    # More advanced checks could go here (e.g., regex matching)
    if "bot" in user_agent_string.lower() or "spider" in user_agent_string.lower():
        return True
    return False

This example simulates a traffic scoring system based on multiple risk factors associated with a request to an ad unit. It combines checks for data center IPs and suspicious user agents to produce a fraud score, allowing for more nuanced decision-making than a simple block/allow rule.

# Assume is_datacenter_ip and is_suspicious_ua are defined functions
# that return True/False

def get_traffic_fraud_score(ip_address, user_agent):
    """Calculates a fraud score based on multiple risk factors."""
    score = 0
    reasons = []

    # Risk Factor 1: Traffic from a known data center
    if is_datacenter_ip(ip_address):
        score += 50
        reasons.append("Data Center IP")
        
    # Risk Factor 2: Traffic from a suspicious user agent
    if is_suspicious_ua(user_agent):
        score += 50
        reasons.append("Suspicious User Agent")

    # More factors like time-of-day anomalies, geo-mismatch, etc. could be added
    
    return {"score": score, "reasons": reasons}

Types of Ad unit

• Static Monitored Ad Units – These are standard ad placements (e.g., banners) where traffic is analyzed retrospectively. Data on clicks and impressions is collected and reviewed in batches to identify large-scale fraud patterns, rather than blocking individual clicks in real time.
• Dynamically Scored Ad Units – For these ad units, every incoming ad request is analyzed and scored for fraud potential in real time before an ad is even served. This pre-bid analysis prevents bots from receiving impressions, offering proactive protection but requiring faster processing.
• Honeypot Ad Units – These are invisible ad units, hidden from human users but detectable by bots and web scrapers. They function as traps; any interaction with a honeypot ad unit is immediately flagged as non-human and the source IP or device is blacklisted.
• Rewarded Ad Units – Common in mobile apps, these units offer users an in-game reward for watching a video ad. They are prone to fraud where bots simulate ad views to farm rewards. Protection involves analyzing device integrity and interaction to ensure a real user completed the view.

How Ad Verification Works

  Incoming Ad Request
           │
           ▼
+---------------------+
│ 1. Data Collection  │
│ (IP, UA, Behavior)  │
+---------------------+
           │
           ▼
+---------------------+
│ 2. Real-Time Analysis│
│ (Pattern Matching)  │
+---------------------+
           │
           ▼
+---------------------+
│ 3. Fraud Scoring    │
+---------------------+
           │
     ┌─────┴─────┐
     ▼           ▼
+----------+ +-----------+
│  Block   │ │   Allow   │
│ (Fraud)  │ │ (Legit)   │
└──────────┘ └───────────┘

🧠 Core Detection Logic

Example 1: IP Filtering

This logic prevents clicks from known fraudulent sources by checking the incoming IP address against a maintained blocklist. It is a foundational layer of traffic protection that filters out traffic from data centers, VPNs, and proxies commonly used by bots.

FUNCTION handle_request(request):
  ip_address = request.get_ip()
  
  IF ip_address IN known_fraud_ip_list:
    REJECT_REQUEST("Blocked IP address")
  ELSE:
    PROCESS_REQUEST()

Example 2: Session Heuristics

This logic analyzes user behavior within a single session to identify non-human patterns. It flags or blocks traffic that exhibits behaviors impossible for a real user, such as clicking faster than humanly possible or multiple clicks without any corresponding mouse movement.

FUNCTION analyze_session(session):
  clicks = session.get_clicks()
  start_time = session.start_time
  
  // Rule: More than 5 clicks in the first 2 seconds is suspicious
  IF (time.now() - start_time < 2) AND (length(clicks) > 5):
    FLAG_SESSION_AS_FRAUD("Anomalous click frequency")
    
  // Rule: Clicks occurred with no mouse movement
  IF length(clicks) > 0 AND session.mouse_movement_events == 0:
    FLAG_SESSION_AS_FRAUD("Click with no mouse movement")

Example 3: Geo Mismatch Detection

This logic identifies fraud by detecting inconsistencies between different location signals. For example, if a user’s IP address originates from one country, but their browser’s language or timezone setting corresponds to another, it could indicate a spoofed location used to bypass geo-targeting.

FUNCTION check_geo_mismatch(request):
  ip_location = get_country_from_ip(request.ip)
  browser_timezone = request.headers.get('Timezone')
  
  expected_timezone = get_timezone_for_country(ip_location)
  
  IF browser_timezone != expected_timezone:
    FLAG_AS_SUSPICIOUS("Geo Mismatch: IP location and timezone do not align")

📈 Practical Use Cases for Businesses

• Campaign Shielding – Actively blocks invalid traffic from reaching advertising campaigns, ensuring that promotional content is served to real, interested users rather than bots. This protects brand reputation and campaign performance.
• Budget Protection – Prevents ad spend from being wasted on fraudulent clicks and impressions generated by automated scripts or click farms. This directly preserves the marketing budget and improves return on investment (ROI).
• Analytics Integrity – Ensures that performance data (like CTR and conversion rates) is based on genuine human interactions. This allows businesses to make accurate, data-driven decisions for future marketing strategies and optimizations.
• Brand Safety Assurance – Prevents ads from appearing alongside inappropriate or harmful content, safeguarding the brand’s image and consumer trust. This is achieved by analyzing the context of the publisher’s site before an ad is served.

Example 1: Geofencing Rule

This pseudocode demonstrates a geofencing rule that blocks any ad click originating from a country not on the advertiser’s pre-approved list. This is crucial for local businesses or campaigns targeting specific regions, ensuring ad spend is not wasted on irrelevant geographic locations.

FUNCTION handle_click(click_data):
  allowed_countries = ["US", "CA", "GB"]
  click_country = get_country_from_ip(click_data.ip_address)
  
  IF click_country NOT IN allowed_countries:
    // Block the click and log the event
    block_traffic(click_data.ip_address)
    log_event("Blocked out-of-geo click from " + click_country)
    RETURN "BLOCKED"
  
  RETURN "ALLOWED"

Example 2: Session Scoring for Bot Behavior

This logic assigns risk scores to various user actions within a session. If the total score exceeds a defined threshold, the user is identified as a bot and blocked. This is more sophisticated than a single rule, as it aggregates multiple suspicious signals—like rapid-fire clicks and minimal time-on-page—to make a more accurate determination.

FUNCTION analyze_user_session(session_events):
  risk_score = 0
  
  // Rule 1: High click frequency
  IF session_events.click_count / session_events.duration_seconds > 0.5:
    risk_score += 40
  
  // Rule 2: Minimal time on page before action
  IF session_events.duration_seconds < 3:
    risk_score += 30
    
  // Rule 3: User agent indicates known bot
  IF is_known_bot(session_events.user_agent):
    risk_score += 100 // High-confidence indicator
    
  // Decision
  IF risk_score >= 100:
    RETURN "BLOCK"
  ELSE:
    RETURN "ALLOW"

🐍 Python Code Examples

This code demonstrates how to detect abnormally high click frequency from a single IP address. By tracking timestamps, it can identify automated bots that generate clicks much faster than a human user could, a common indicator of click fraud.

import time

# Store click timestamps per IP
ip_clicks = {}
CLICK_LIMIT = 5
TIME_WINDOW_SECONDS = 10

def is_fraudulent_click_frequency(ip):
    current_time = time.time()
    if ip not in ip_clicks:
        ip_clicks[ip] = []
    
    # Remove clicks outside the time window
    ip_clicks[ip] = [t for t in ip_clicks[ip] if current_time - t < TIME_WINDOW_SECONDS]
    
    # Add the current click
    ip_clicks[ip].append(current_time)
    
    # Check if the click limit is exceeded
    if len(ip_clicks[ip]) > CLICK_LIMIT:
        print(f"Fraudulent activity detected for IP: {ip}")
        return True
        
    return False

# Simulate clicks
is_fraudulent_click_frequency("192.168.1.100")
is_fraudulent_click_frequency("192.168.1.100")
is_fraudulent_click_frequency("192.168.1.100")
is_fraudulent_click_frequency("192.168.1.100")
is_fraudulent_click_frequency("192.168.1.100")
is_fraudulent_click_frequency("192.168.1.100") # This will be flagged

This example provides a function to filter out traffic based on suspicious user-agent strings. It checks if a user agent matches a list of known bots or automated scripts, which is a straightforward way to block low-quality and fraudulent traffic before it impacts campaign metrics.

SUSPICIOUS_USER_AGENTS = [
    "bot",
    "crawler",
    "spider",
    "headlesschrome" # Often used for automated scripts
]

def filter_suspicious_user_agent(user_agent):
    ua_lower = user_agent.lower()
    for suspicious_string in SUSPICIOUS_USER_AGENTS:
        if suspicious_string in ua_lower:
            print(f"Blocking suspicious user agent: {user_agent}")
            return True
    return False

# Example Usage
filter_suspicious_user_agent("Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)")
filter_suspicious_user_agent("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36")

Types of Ad Verification

• Fraud Detection: This type focuses on identifying and blocking invalid traffic (IVT) from sources like bots, click farms, and other automated schemes. Its primary goal is to ensure that ads are served to real humans, protecting advertisers from paying for fake clicks and impressions.
• Brand Safety and Suitability: This ensures that advertisements do not appear alongside content that is inappropriate, harmful, or misaligned with the brand’s values, such as hate speech or violence. It protects the brand’s reputation by controlling the context in which ads are displayed.
• Viewability Verification: This confirms that an ad had the opportunity to be seen by a user. According to industry standards, an ad is considered viewable if a certain percentage of its pixels are on-screen for a minimum duration, ensuring advertisers don’t pay for ads that were never visible.
• Geographic Verification: This confirms that ads are being delivered to the correct geographic locations as specified in the campaign’s targeting parameters. It is especially important for local businesses and region-specific campaigns to avoid wasting ad spend on irrelevant audiences.

How Administrative Services Organization ASO Works

Incoming Ad Traffic → +---------------------------+
                        │   ASO Gateway & Filter    │
                        +---------------------------+
                                     │
                                     ↓
                      +-----------------------------+
                      │   Real-Time Analysis Engine │
                      │   (Rules, Heuristics, ML)   │
                      +-----------------------------+
                                     │
                                     ↓ (Suspicious?)
                      +-----------------------------+
                      │     Decision & Mitigation   │ ---→ [BLOCK]
                      +-----------------------------+
                                     │ (Legitimate)
                                     ↓
                   Clean Traffic to Ad/Website ←--- [ALLOW]

🧠 Core Detection Logic

Example 1: IP Reputation and Proxy Detection

This logic checks the incoming IP address against a database of known threats, including data center IPs, public proxies, and addresses associated with past fraudulent activity. It serves as a fundamental, first-line defense in a traffic protection system by blocking traffic from sources that have a high probability of being non-human or malicious.

FUNCTION check_ip_reputation(request):
  ip_address = request.get_ip()
  
  IF ip_address IN known_bot_blacklist:
    RETURN "BLOCK"
  
  IF is_data_center_ip(ip_address):
    RETURN "BLOCK"

  IF is_known_proxy(ip_address):
    RETURN "FLAG_FOR_REVIEW"
    
  RETURN "ALLOW"

Example 2: User-Agent and Header Anomaly Detection

This logic inspects the user-agent string and other HTTP headers of an incoming request. It looks for inconsistencies, outdated browser versions, or signatures associated with automation tools and headless browsers. This is important for identifying bots that attempt to disguise themselves as legitimate users but fail to perfectly mimic a standard browser environment.

FUNCTION validate_user_agent(request):
  user_agent = request.get_header("User-Agent")
  
  IF user_agent IS NULL or user_agent IN known_bot_user_agents:
    RETURN "BLOCK"
    
  // Check for mismatches, e.g., a mobile UA on a desktop OS
  IF header_inconsistency_detected(request.headers):
    RETURN "FLAG_FOR_REVIEW"
    
  RETURN "ALLOW"

Example 3: Behavioral Heuristics (Click Frequency)

This type of logic analyzes user behavior patterns over a short period. An abnormally high number of clicks from a single IP address within seconds or minutes is a strong indicator of non-human, automated activity. This is crucial for stopping click spam and bot-driven attacks that simple IP blocklists might miss.

FUNCTION analyze_click_frequency(ip_address, timestamp):
  // Define time window and click threshold
  time_window = 60 // seconds
  click_threshold = 10 // max clicks per window
  
  // Get recent clicks from this IP
  recent_clicks = get_clicks_for_ip(ip_address, since=timestamp - time_window)
  
  IF count(recent_clicks) > click_threshold:
    RETURN "BLOCK"
  
  RECORD_CLICK(ip_address, timestamp)
  RETURN "ALLOW"

📈 Practical Use Cases for Businesses

An Administrative Services Organization (ASO) in the context of ad fraud protection provides businesses with a centralized system to manage and enforce traffic quality rules. It helps protect marketing budgets, maintain data accuracy, and improve overall campaign effectiveness by filtering out invalid and fraudulent interactions before they can cause damage.

• PPC Campaign Shielding: Automatically blocks clicks from known bots and fraudulent sources, ensuring that the ad budget is spent on reaching real potential customers and maximizing return on ad spend (ROAS).
• Lead Generation Form Protection: Prevents automated scripts from submitting fake or spam information into lead forms, ensuring the sales team receives high-quality, actionable leads and not junk data.
• Analytics Data Integrity: Filters out non-human traffic from website analytics platforms. This provides a true picture of user engagement and website performance, leading to more accurate business decisions.
• E-commerce Fraud Reduction: Identifies and blocks bots designed to scrape prices, hold items in carts, or perpetrate other forms of e-commerce fraud, thus protecting inventory and revenue.

Example 1: Geofencing Rule

This pseudocode demonstrates a common business rule to ensure ad spend is focused on targeted geographic locations. Traffic from outside the intended countries is automatically blocked.

FUNCTION enforce_geofencing(request):
  user_ip = request.get_ip()
  user_country = get_country_from_ip(user_ip)
  
  allowed_countries = ["USA", "CAN", "GBR"]
  
  IF user_country NOT IN allowed_countries:
    log_event("Blocked geo-mismatch", ip=user_ip, country=user_country)
    RETURN "BLOCK"
  
  RETURN "ALLOW"

Example 2: Session Scoring Logic

This example shows a simplified scoring system. Different suspicious indicators add points to a session’s fraud score. If the score exceeds a certain threshold, the traffic is blocked.

FUNCTION calculate_session_fraud_score(session_data):
  score = 0
  
  IF session_data.is_proxy:
    score += 40
  
  IF session_data.has_inconsistent_headers:
    score += 30
    
  IF session_data.click_frequency > 5 per minute:
    score += 50
  
  // If score is high, block the session
  IF score >= 80:
    RETURN "BLOCK"
  
  RETURN "ALLOW"

🐍 Python Code Examples

This Python function simulates checking for rapid, successive clicks from the same IP address. It’s a basic but effective way to detect click spam bots that repeatedly hit an ad in a short time frame.

from collections import defaultdict
import time

# Store click timestamps for each IP
ip_clicks = defaultdict(list)
TIME_WINDOW = 10  # seconds
CLICK_LIMIT = 5   # max clicks in window

def is_click_fraud(ip_address):
    current_time = time.time()
    
    # Remove old timestamps
    ip_clicks[ip_address] = [t for t in ip_clicks[ip_address] if current_time - t < TIME_WINDOW]
    
    # Check if click limit is exceeded
    if len(ip_clicks[ip_address]) >= CLICK_LIMIT:
        print(f"Fraud detected for IP: {ip_address}")
        return True
    
    # Record the valid click
    ip_clicks[ip_address].append(current_time)
    print(f"Valid click recorded for IP: {ip_address}")
    return False

# Simulation
is_click_fraud("8.8.8.8")
is_click_fraud("8.8.8.8")
is_click_fraud("8.8.8.8")
is_click_fraud("8.8.8.8")
is_click_fraud("8.8.8.8")
print(is_click_fraud("8.8.8.8")) # This one will be flagged as fraud

This code filters incoming web requests based on a blacklist of suspicious user-agent strings. This helps block known bots and non-standard browsers commonly used for automated scraping and click fraud.

# List of user agents known to be associated with bots
BOT_USER_AGENTS = [
    "AhrefsBot",
    "SemrushBot",
    "PhantomJS",
    "Googlebot-Image", # Example of a good bot you might want to allow depending on context
    "EvilBot/1.0"
]

def filter_by_user_agent(request_headers):
    user_agent = request_headers.get("User-Agent", "")
    
    if any(bot_ua in user_agent for bot_ua in BOT_USER_AGENTS):
        print(f"Blocking request with User-Agent: {user_agent}")
        return False # Block request
        
    print(f"Allowing request with User-Agent: {user_agent}")
    return True # Allow request

# Simulation
request1 = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) ..."}
request2 = {"User-Agent": "AhrefsBot/7.0; +http://ahrefs.com/robot/"}

filter_by_user_agent(request1)
filter_by_user_agent(request2)

Types of Administrative Services Organization ASO

• Rule-Based ASO: Operates using a predefined set of static rules, such as IP blacklists, user-agent blocklists, or geofencing restrictions. It is effective against known, unsophisticated threats but lacks the flexibility to adapt to new fraud techniques without manual updates.
• Heuristic-Based ASO: Employs behavioral rules and pattern analysis to identify suspicious activity. This type looks at the context of the interaction, such as click velocity, session duration, and mouse movements, to spot anomalies indicative of non-human behavior, offering more adaptability than static rules.
• Machine Learning-Powered ASO: Utilizes AI models to analyze vast datasets and predict the likelihood of fraud in real-time. This is the most advanced type, capable of identifying complex and evolving threats by learning from new data, making it highly effective against sophisticated botnets and coordinated attacks.
• Hybrid ASO: Combines elements from rule-based, heuristic, and machine learning approaches. This layered defense uses fast, static rules to block obvious bots, followed by deeper heuristic and ML analysis for more ambiguous traffic, providing a balanced approach to accuracy, speed, and scalability.

How adTech Works

Incoming Ad Request
        │
        ▼
+---------------------+
│   Data Collection   │
│ (IP, UA, Behavior)  │
+---------------------+
        │
        ▼
+---------------------+
│  Real-Time Analysis │
│ (Rules & ML Models) │
+---------------------+
        │
        ▼
+---------------------+
│  Fraud Scoring      │
│ (Assigns Risk Level)│
+---------------------+
        │
        ▼
+---------------------+      +----------------+
│ Decision Engine     ├─────►│ Block/Redirect │
│ (Block/Allow?)      │      +----------------+
+---------------------+
        │
        ▼
+---------------------+
│   Serve Legitimate Ad │
+---------------------+

🧠 Core Detection Logic

Example 1: IP Filtering

This logic checks an incoming click’s IP address against a known blocklist of fraudulent IPs, such as those associated with data centers or proxy services. It’s a foundational layer of protection that filters out obvious, non-human traffic sources before more complex analysis is needed.

FUNCTION checkIP(ip_address):
  // Predefined list of fraudulent IPs and subnets
  fraud_ips = ["198.51.100.1", "203.0.113.0/24"]
  
  IF ip_address IN fraud_ips:
    RETURN "BLOCK"
  ELSE:
    RETURN "ALLOW"
END FUNCTION

Example 2: Session Heuristics

This logic analyzes the behavior of a user within a single session to identify non-human patterns. For example, it can track the time between clicks. An unnaturally short interval between multiple clicks is a strong indicator of an automated bot, not a real user.

FUNCTION analyzeSession(session_data):
  // Get timestamps of all clicks in the session
  click_times = session_data.getClickTimestamps()

  // Check time difference between consecutive clicks
  FOR i FROM 1 TO length(click_times) - 1:
    time_diff = click_times[i] - click_times[i-1]
    IF time_diff < 2 SECONDS:
      RETURN "FLAG_AS_FRAUD"
  
  RETURN "LEGITIMATE"
END FUNCTION

Example 3: Geo Mismatch

This logic compares the geographic location claimed by a device or browser with the location of its IP address. A significant mismatch, such as a device reporting its location in the US while the IP is from a different country, suggests the use of GPS spoofing or other masking techniques common in ad fraud.

FUNCTION verifyGeoLocation(click_data):
  // Get location data from different sources
  ip_geo = getGeoFromIP(click_data.ip)
  device_geo = click_data.device_location
  
  // Calculate distance between the two locations
  distance = calculateDistance(ip_geo, device_geo)
  
  // If distance is greater than a reasonable threshold (e.g., 100 km)
  IF distance > 100:
    RETURN "SUSPICIOUS_GEO"
  ELSE:
    RETURN "GEO_OK"
END FUNCTION

📈 Practical Use Cases for Businesses

• Campaign Shielding – AdTech automatically filters out clicks and impressions from bots and malicious actors in real time. This directly protects advertising budgets from being wasted on fraudulent traffic that has no chance of converting, ensuring spend is focused on genuine potential customers.
• Analytics Integrity – By blocking invalid traffic at the source, adTech ensures that marketing analytics and campaign performance data are clean and accurate. Businesses can make better strategic decisions when their metrics, like CTR and conversion rates, reflect real user engagement.
• Return on Ad Spend (ROAS) Improvement – AdTech improves ROAS by preventing budget leakage to fraud and ensuring ads are served to real humans. With cleaner traffic, conversion rates increase, and the cost per acquisition (CPA) is lowered, leading to more efficient and profitable campaigns.
• Publisher Vetting – AdTech systems can score the quality of traffic coming from different publishers or sources. This allows businesses to identify and invest more in high-quality channels while divesting from those that consistently deliver low-quality or fraudulent traffic, optimizing media buying strategies.

Example 1: Geofencing Rule

This pseudocode demonstrates a geofencing rule that blocks clicks from countries outside of the campaign's target market. This is a common practice for businesses running local or national campaigns to prevent budget waste from irrelevant international traffic, which often has a high percentage of fraud.

PROCEDURE applyGeofencing(click_details):
  // Define the list of allowed countries for the campaign
  allowed_countries = ["USA", "CAN", "GBR"]
  
  // Get the country from the click's IP address
  click_country = getCountryFromIP(click_details.ip_address)
  
  // Block if the click's country is not in the allowed list
  IF click_country NOT IN allowed_countries:
    blockRequest(click_details.id)
    logEvent("Blocked: Geo-fencing violation")
  END IF
END PROCEDURE

Example 2: Session Scoring Logic

This example shows how a session can be scored based on multiple risk factors. A business might use this to differentiate between low-quality and high-quality traffic. A session with a high-risk score can be blocked, while a medium-risk one could be served a lower-value ad or flagged for review.

FUNCTION scoreSession(session_info):
  risk_score = 0
  
  // Increase score for known data center IP
  IF isDataCenterIP(session_info.ip):
    risk_score += 40
  
  // Increase score for outdated browser (common in bots)
  IF hasOldUserAgent(session_info.user_agent):
    risk_score += 20
    
  // Increase score for abnormally high click rate
  IF session_info.click_count > 10 in 1 minute:
    risk_score += 40

  RETURN risk_score
END FUNCTION

🐍 Python Code Examples

This function simulates detecting abnormal click frequency from a single IP address. It tracks click timestamps and flags an IP as suspicious if it exceeds a defined threshold within a short time frame, a common indicator of bot activity.

# Dictionary to store click timestamps for each IP
ip_clicks = {}
CLICK_LIMIT = 10
TIME_WINDOW_SECONDS = 60

import time

def is_click_fraud(ip_address):
    current_time = time.time()
    
    # Get click history for the IP, or initialize if new
    if ip_address not in ip_clicks:
        ip_clicks[ip_address] = []
    
    # Remove old clicks that are outside the time window
    ip_clicks[ip_address] = [t for t in ip_clicks[ip_address] if current_time - t < TIME_WINDOW_SECONDS]
    
    # Add the new click
    ip_clicks[ip_address].append(current_time)
    
    # Check if the number of clicks exceeds the limit
    if len(ip_clicks[ip_address]) > CLICK_LIMIT:
        print(f"Fraud Detected: IP {ip_address} exceeded click limit.")
        return True
        
    return False

# Simulation
is_click_fraud("203.0.113.10") # Returns False
# Simulate 10 more rapid clicks from the same IP
for _ in range(11):
    is_click_fraud("203.0.113.10") # Will return True after the 10th click

This example demonstrates filtering traffic based on a blocklist of suspicious user agents. Many bots use generic or outdated user agent strings, and this code checks an incoming request's user agent against a predefined set to block known bad actors.

# A set of known suspicious or outdated user agent strings
SUSPICIOUS_USER_AGENTS = {
    "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)", # Example bot
    "DataCha0s/2.0",
    "abot/0.1"
}

def filter_by_user_agent(user_agent_string):
    if user_agent_string in SUSPICIOUS_USER_AGENTS:
        print(f"Blocking request from suspicious user agent: {user_agent_string}")
        return False # Block request
    return True # Allow request

# Simulation
filter_by_user_agent("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36") # Allowed
filter_by_user_agent("DataCha0s/2.0") # Blocked

Types of adTech

• Rule-Based Detection Systems – These systems use predefined rules and thresholds to identify fraud. For instance, a rule might block any IP address that generates more than 10 clicks in one minute. This type is effective against simple, brute-force bots but can be less effective against sophisticated attacks.
• Heuristic and Behavioral Analysis – This type of adTech analyzes patterns of user behavior over time. It looks for anomalies in navigation paths, mouse movements, and session duration to distinguish human users from bots. It is more adaptive than simple rule-based systems and can detect more subtle forms of fraud.
• Machine Learning-Based Systems – These systems use AI algorithms to analyze vast datasets and identify complex, evolving fraud patterns. They can adapt to new threats without manual intervention by learning from new traffic data, making them highly effective against sophisticated and previously unseen bot activity.
• Signature-Based Detection – This method involves identifying and cataloging the unique "signatures" of known bots or malware, such as specific user agent strings or JavaScript footprints. When traffic matches a known malicious signature, it is automatically blocked. This is effective but requires constant updates to the signature database.

How Advanced Threat Protection Works

Incoming Traffic (Click/Impression)
           │
           ▼
+----------------------+
│ 1. Data Collection   │
│ (IP, UA, Timestamp)  │
└──────────┬───────────┘
           │
           ▼
+----------------------+
│ 2. Signal Analysis   │
│ (Heuristics & Rules) │
└──────────┬───────────┘
           │
           ▼
+----------------------+
│ 3. Behavioral Scan   │
│ (Session Analytics)  │
└──────────┬───────────┘
           │
           ▼
+----------------------+      +----------------+
│ 4. Scoring & Decision├─────>│  Threat Intel  │
│ (Valid/Invalid?)     │      │  (Blocklists)  │
└──────────┬───────────┘      +----------------+
           │
           │
  ┌────────┴────────┐
  ▼                 ▼
+-----------+    +---------------+
│ Allow     │    │ Block & Log   │
│ (Valid)   │    │ (Fraudulent)  │
+-----------+    +---------------+

🧠 Core Detection Logic

Example 1: IP Reputation and Filtering

This logic checks the incoming IP address against known databases of malicious sources, such as data centers, VPNs, and proxies often used by bots. It’s a first line of defense in traffic protection, weeding out traffic that has a high probability of being non-human or fraudulent before it consumes resources.

FUNCTION checkIpReputation(ip_address):
  // Query internal and external threat intelligence feeds
  is_datacenter_ip = queryDatacenterList(ip_address)
  is_known_proxy = queryProxyList(ip_address)
  is_on_blocklist = queryGlobalBlocklist(ip_address)

  IF is_datacenter_ip OR is_known_proxy OR is_on_blocklist THEN
    RETURN "fraudulent"
  ELSE
    RETURN "valid"
  END IF
END FUNCTION

Example 2: Session Heuristics and Velocity Scoring

This logic analyzes the timing and frequency of user actions within a session to detect automated behavior. It’s effective against bots programmed to perform actions faster than a human possibly could, such as clicking an ad fractions of a second after a page loads or performing numerous clicks in rapid succession.

FUNCTION analyzeSessionVelocity(session_data):
  // session_data contains timestamps for page_load, ad_render, click_time
  time_to_click = session_data.click_time - session_data.ad_render
  clicks_in_last_minute = getClickCount(session_data.ip, 60)

  // A human needs time to see and react to an ad
  IF time_to_click < 1.0 SECONDS THEN
    RETURN "high_risk"
  END IF
  
  // More than 10 clicks in a minute from one IP is suspicious
  IF clicks_in_last_minute > 10 THEN
    RETURN "high_risk"
  END IF
  
  RETURN "low_risk"
END FUNCTION

Example 3: Behavioral Anomaly Detection

This logic tracks user interactions on the landing page after a click to verify engagement. Lack of typical human behavior, such as scrolling, mouse movement, or time spent on the page, indicates the “user” might be a bot that only clicked the ad without any real interest in the content.

FUNCTION checkPostClickBehavior(behavior_metrics):
  // behavior_metrics includes scroll_depth, mouse_events, dwell_time
  
  // A real user usually moves their mouse
  IF behavior_metrics.mouse_events == 0 THEN
    RETURN "suspicious"
  END IF
  
  // A bounce in under 2 seconds is a strong indicator of a bot
  IF behavior_metrics.dwell_time < 2 SECONDS THEN
    RETURN "suspicious"
  END IF
  
  // No scrolling on a long page is unnatural
  IF behavior_metrics.scroll_depth == 0 AND page_height > 2000 PIXELS THEN
    RETURN "suspicious"
  END IF
  
  RETURN "normal"
END FUNCTION

📈 Practical Use Cases for Businesses

• Campaign Shielding – Proactively blocks invalid traffic from interacting with ads, ensuring that pay-per-click (PPC) budgets are spent only on genuine, high-intent users and not wasted on bots or click farms.
• Data Integrity – Filters out fraudulent clicks and impressions from analytics platforms. This provides businesses with clean, reliable data to make accurate decisions about marketing strategy, budget allocation, and campaign performance.
• ROAS Optimization – Improves Return on Ad Spend (ROAS) by eliminating wasteful spending on fraudulent interactions. By ensuring ads are shown to real potential customers, ATP helps increase the likelihood of conversions and maximizes campaign profitability.
• Lead Quality Assurance – Prevents fake form submissions and protects lead generation campaigns from being polluted by bot-generated data. This saves sales teams time and resources by ensuring they follow up on legitimate prospects only.

Example 1: Geofencing and Mismatch Detection

This logic is used to enforce targeting rules and block traffic originating from unexpected or high-risk geographic locations. It is highly effective for businesses running local or country-specific campaigns.

FUNCTION applyGeofencing(click_data):
  // Allowed countries for the campaign are defined
  allowed_countries = ["US", "CA", "GB"]
  
  // IP geolocation provides the user's country
  user_country = getCountryFromIP(click_data.ip_address)
  
  // Timezone from browser should align with IP location
  timezone_country = getCountryFromTimezone(click_data.browser_timezone)

  IF user_country NOT IN allowed_countries THEN
    RETURN "Block: Out of target area"
  END IF
  
  IF user_country != timezone_country THEN
    RETURN "Block: Geo mismatch anomaly"
  END IF
  
  RETURN "Allow"
END FUNCTION

Example 2: Session Scoring for Conversion Fraud

This logic assigns a fraud score to a user session based on multiple risk factors. It is useful for identifying sophisticated bots that might pass individual checks but show a combination of suspicious traits.

FUNCTION calculateSessionScore(session):
  score = 0
  
  IF isProxy(session.ip) THEN
    score = score + 40
  END IF
  
  IF hasUnnaturalClickPattern(session.clicks) THEN
    score = score + 30
  END IF
  
  IF hasDeviceAnomaly(session.fingerprint) THEN
    score = score + 30
  END IF
  
  // A score over 70 is considered high risk
  IF score > 70 THEN
    RETURN "Fraudulent"
  ELSE
    RETURN "Legitimate"
  END IF
END FUNCTION

🐍 Python Code Examples

This code simulates the detection of abnormally frequent clicks from a single IP address, a common sign of basic bot activity. It maintains a simple in-memory log to track click timestamps and flags IPs that exceed a defined threshold.

from collections import defaultdict
from time import time

CLICK_LOG = defaultdict(list)
TIME_WINDOW = 60  # seconds
CLICK_THRESHOLD = 15

def is_suspicious_frequency(ip_address):
    """Checks if an IP has an abnormal click frequency."""
    current_time = time()
    
    # Remove old timestamps outside the time window
    CLICK_LOG[ip_address] = [t for t in CLICK_LOG[ip_address] if current_time - t < TIME_WINDOW]
    
    # Add the current click timestamp
    CLICK_LOG[ip_address].append(current_time)
    
    # Check if click count exceeds the threshold
    if len(CLICK_LOG[ip_address]) > CLICK_THRESHOLD:
        print(f"Flagged IP: {ip_address} for high frequency.")
        return True
        
    return False

# --- Simulation ---
test_ip = "192.168.1.100"
for _ in range(20):
    is_suspicious_frequency(test_ip)

This example demonstrates filtering traffic based on suspicious user-agent strings. Bots often use generic, outdated, or inconsistent user agents that can be identified and blocked using a predefined deny list.

SUSPICIOUS_USER_AGENTS = [
    "bot",
    "spider",
    "headlesschrome", # Often used in automation scripts
    "okhttp", # Common in non-browser HTTP clients
]

def filter_by_user_agent(user_agent_string):
    """Filters traffic based on suspicious user agent keywords."""
    ua_lower = user_agent_string.lower()
    
    for keyword in SUSPICIOUS_USER_AGENTS:
        if keyword in ua_lower:
            print(f"Blocking suspicious user agent: {user_agent_string}")
            return False # Block request
            
    return True # Allow request

# --- Simulation ---
filter_by_user_agent("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36")
filter_by_user_agent("AhrefsBot/7.0; +http://ahrefs.com/robot/")

Types of Advanced Threat Protection

• Heuristic-Based ATP

  This type uses a set of predefined rules and logic to identify suspicious patterns. It checks for anomalies like abnormally high click-through rates, rapid clicks from a single IP, or mismatches between a user’s IP location and their browser’s language setting. It is effective against predictable, script-based bots.

• Behavioral ATP

  This method focuses on analyzing user interactions on a landing page after a click. It tracks mouse movements, scroll depth, time on page, and other engagement metrics to differentiate between genuine human curiosity and the simplistic, non-interactive patterns of a bot. It is key to catching sophisticated bots that mimic human clicks.

• Signature-Based ATP

  This functions like traditional antivirus software, matching incoming traffic against a database of known fraudulent signatures. These signatures can include specific IP addresses, device fingerprints, or characteristics of known botnets. Its effectiveness depends on the continuous updating of the threat database.

• Machine Learning-Powered ATP

  This is the most sophisticated type, using AI models to analyze vast datasets and identify complex, evolving fraud patterns that other methods might miss. It can adapt to new threats in real-time by learning from new data, making it highly effective against advanced, coordinated fraud attacks.

How Advertising Video on Demand AVOD Works

+---------------------+      +----------------------+      +---------------------+
|   User Request      | →    |   Ad Decisioning     | →    |    Ad Insertion     |
+---------------------+      +----------------------+      +---------------------+
           │                            │                            │
           ↓                            ↓                            ↓
+---------------------+      +----------------------+      +---------------------+
|  Initial Traffic    |      |  Real-Time Analysis  |      |   Content Delivery  |
|    Validation       |      | (Behavioral/IP)      |      | (with Verified Ads) |
+---------------------+      +----------------------+      +---------------------+
           │                            │                            │
           └───────────→    |   Fraud Scoring      |      ←────────────┘
                            +----------------------+
                                         │
                                         ↓
                               +---------------------+
                               |   Blocking/Alerting  |
                               +---------------------+

🧠 Core Detection Logic

Example 1: Session Velocity Analysis

This logic tracks the frequency of ad requests from a single user session or IP address within a specific timeframe. An abnormally high number of requests can indicate a bot programmed to generate impressions rapidly. This is a crucial heuristic for identifying non-human traffic patterns that deviate from normal viewing behavior.

FUNCTION check_session_velocity(session_id, time_window, max_requests):
  request_log = get_requests_for_session(session_id, time_window)
  
  IF count(request_log) > max_requests:
    FLAG_AS_FRAUD(session_id, "High Request Velocity")
    RETURN True
  
  RETURN False

Example 2: Geographic Mismatch Detection

This technique compares the user’s declared geographic location (e.g., from their profile) with the location derived from their IP address. A significant mismatch can suggest the use of a VPN or proxy to mask the user’s true origin, a common tactic in ad fraud to mimic high-value traffic.

FUNCTION check_geo_mismatch(user_profile_country, ip_address):
  ip_country = get_country_from_ip(ip_address)
  
  IF user_profile_country IS NOT ip_country:
    FLAG_AS_SUSPICIOUS(ip_address, "Geographic Mismatch")
    RETURN True
  
  RETURN False

Example 3: Viewer Interaction Analysis

This logic analyzes in-stream user behavior, such as mouse movements, click patterns, and video player engagement (e.g., pausing, rewinding). Bots often exhibit predictable, non-human patterns, like no mouse movement or clicking in the exact same spot on every ad. Deviations from organic human interaction are flagged as suspicious.

FUNCTION analyze_viewer_interaction(session_data):
  mouse_events = session_data.mouse_events
  click_coordinates = session_data.click_coordinates
  
  IF count(mouse_events) < MIN_EXPECTED_MOVEMENTS:
    FLAG_AS_FRAUD(session_data.id, "Lack of Mouse Activity")
    RETURN True
  
  IF has_repetitive_click_pattern(click_coordinates):
    FLAG_AS_FRAUD(session_data.id, "Repetitive Click Pattern")
    RETURN True
  
  RETURN False

📈 Practical Use Cases for Businesses

• Campaign Budget Protection: Prevents ad spend from being wasted on fraudulent impressions generated by bots, ensuring that budgets are spent on reaching real, potential customers.
• Data Integrity for Analytics: Ensures that marketing analytics and performance metrics are based on genuine user interactions, leading to more accurate insights and better strategic decisions.
• Improved Return on Ad Spend (ROAS): By filtering out invalid traffic, AVOD fraud protection ensures that ads are shown to a receptive audience, thereby increasing the likelihood of conversions and improving overall ROAS.
• Brand Safety Maintenance: Protects brand reputation by preventing ads from being displayed in fraudulent or inappropriate contexts, which can be a side effect of certain ad fraud schemes.

Example 1: IP Blocklist Rule

This pseudocode demonstrates a basic IP filtering rule. A business can maintain a dynamic blocklist of IP addresses that have been identified as sources of fraudulent activity. Before an ad is served, the system checks the user's IP against this list.

FUNCTION should_serve_ad(user_ip):
  ip_blocklist = get_global_ip_blocklist()
  
  IF user_ip IN ip_blocklist:
    RETURN False  // Do not serve the ad
  
  RETURN True  // Serve the ad

Example 2: Session Score for Conversion Funnels

This logic scores a user's session based on various fraud indicators. Businesses can use this score to decide whether to trust a conversion event (e.g., a lead submission). A session with a high fraud score might have its conversion event flagged or disregarded to maintain clean performance data.

FUNCTION calculate_session_fraud_score(session_data):
  score = 0
  
  IF is_from_datacenter(session_data.ip):
    score += 40
  
  IF has_no_mouse_movement(session_data.events):
    score += 30
    
  IF session_data.request_frequency > HIGH_THRESHOLD:
    score += 30
    
  RETURN score

// Business Logic
session_score = calculate_session_fraud_score(current_session)
IF session_score < 70:
  process_conversion_event(current_session)
ELSE:
  flag_conversion_as_suspicious(current_session)

🐍 Python Code Examples

This Python function checks if a given IP address belongs to a known data center, which is often a source of non-human traffic. This helps in filtering out bot-generated impressions at the entry point of the ad-serving process.

# Example list of known data center IP ranges
DATACENTER_IP_RANGES = [
    "192.168.0.0/16",
    "10.0.0.0/8" 
]

def is_datacenter_ip(ip_address):
    """Checks if an IP address falls within known data center ranges."""
    from ipaddress import ip_address as ip_addr, ip_network
    
    try:
        incoming_ip = ip_addr(ip_address)
        for ip_range in DATACENTER_IP_RANGES:
            if incoming_ip in ip_network(ip_range):
                return True
    except ValueError:
        return False  # Invalid IP address format
    return False

# --- Usage ---
# print(is_datacenter_ip("10.1.2.3")) # Returns True

This code analyzes a list of timestamps from a single user session to detect abnormally high click frequency. By calculating the time difference between consecutive clicks, it can identify automated scripts designed to generate fraudulent clicks.

def has_abnormal_click_frequency(timestamps, threshold_seconds=1):
    """Detects if clicks are occurring faster than a humanly possible rate."""
    if len(timestamps) < 2:
        return False
    
    for i in range(1, len(timestamps)):
        time_diff = timestamps[i] - timestamps[i-1]
        if time_diff.total_seconds() < threshold_seconds:
            return True # Flag as suspicious
            
    return False

# --- Usage ---
# from datetime import datetime, timedelta
# clicks = [datetime.now(), datetime.now() + timedelta(milliseconds=100)]
# print(has_abnormal_click_frequency(clicks)) # Returns True

Types of Advertising Video on Demand AVOD

• Server-Side Ad Insertion (SSAI): Ads are stitched directly into the video content on the server before it reaches the user's device. This method makes it harder for ad blockers to stop the ads and provides a smoother viewing experience, but can also be exploited by sophisticated bots that mimic legitimate server calls.
• Client-Side Ad Insertion (CSAI): The user's device (the client) requests ads from an ad server separately from the video content. This is more common but easier for ad blockers to intercept. From a fraud perspective, it allows for more direct measurement of client-side signals like mouse movement and visibility.
• Hybrid AVOD-SVOD Models: Platforms offer a tiered subscription model, where a free or low-cost tier is supported by ads (AVOD), while a premium tier is ad-free (SVOD). Fraud detection in this model focuses on the AVOD tier, where invalid traffic directly impacts advertising revenue.
• Contextual Ad Targeting: Ads are served based on the content of the video being watched rather than on user data. In fraud detection, this involves verifying that ad placements are relevant and that bots are not generating views on high-value content to attract expensive ads fraudulently.