Archives: Glossary Terms

How Human Traffic Works

Visitor Request → [ 1. Initial Filtering ] → [ 2. Behavioral Analysis ] → [ 3. Scoring Engine ] ┬─> Legitimate (Human) Traffic
                     │                      │                       │                    └─> Fraudulent (Bot) Traffic
                     └──────────────────────┴───────────────────────┴───────────────────────> Block/Flag

Diagram Element Breakdown

Visitor Request

This is the starting point, representing any incoming connection to a webpage where an ad is displayed. Each request carries a set of data (IP, browser type, etc.) that serves as the raw material for analysis.

1. Initial Filtering

This first stage acts as a gatekeeper, performing a quick check for obvious signs of non-human traffic. It uses static blocklists and technical data to weed out known fraudulent sources like data center IPs or outdated user agents. It’s the first line of defense against low-sophistication bots.

2. Behavioral Analysis

This is where the system looks beyond static data to analyze how the visitor interacts with the page. It monitors dynamic actions like mouse movements and click patterns to distinguish the natural, sometimes erratic, behavior of a human from the predictable, automated actions of a bot.

3. Scoring Engine

This component aggregates all the data from the previous stages to make a final judgment. It assigns a risk score based on the evidence collected. A request from a residential IP with natural mouse movements gets a low score, while one from a known bot network with no mouse movement gets a high score.

Legitimate vs. Fraudulent Traffic

This represents the final output of the system. Based on the score, traffic is sorted into two categories. Legitimate (human) traffic is passed through to view the ad, while fraudulent (bot) traffic is blocked, ensuring the advertiser does not pay for fake engagement.

🧠 Core Detection Logic

Example 1: IP Address and User-Agent Filtering

This logic performs a fundamental check on every visitor. It inspects the visitor’s IP address to determine if it originates from a known data center, a proxy service, or a region outside the campaign’s target area. It also validates the user-agent string to ensure it corresponds to a legitimate, modern web browser, filtering out traffic from known bots or headless browsers.

FUNCTION check_visitor(ip_address, user_agent):
  IF is_datacenter_ip(ip_address) OR is_proxy_ip(ip_address):
    RETURN "FRAUD"

  IF NOT is_valid_user_agent(user_agent):
    RETURN "FRAUD"

  RETURN "LEGITIMATE"

Example 2: Click Frequency Analysis

This rule identifies non-human velocity in click behavior. A human user is unlikely to click on ads or links hundreds of times within a very short period. This logic tracks the number of clicks coming from a single IP address or user session over a defined timeframe. A sudden, high-frequency burst of clicks is a strong indicator of an automated bot script.

FUNCTION analyze_click_frequency(session):
  time_window = 60 // seconds
  click_threshold = 15 // max clicks allowed in window

  clicks = get_clicks_in_window(session.id, time_window)

  IF count(clicks) > click_threshold:
    RETURN "FRAUD"

  RETURN "LEGITIMATE"

Example 3: Behavioral Anomaly Detection

This logic checks for contradictions in user behavior that expose automation. For instance, a “click” event that occurs without any preceding mouse movement is impossible for a human user. This type of check can also validate session duration, looking for unnaturally short visits (e.g., under one second) or engagement patterns that lack typical human randomness.

FUNCTION check_behavioral_anomaly(event):
  IF event.type == "click" AND event.has_mouse_movement == FALSE:
    RETURN "FRAUD"

  IF event.session_duration < 1 AND event.clicks > 0:
    RETURN "FRAUD"

  RETURN "LEGITIMATE"

📈 Practical Use Cases for Businesses

• Campaign Shielding – Actively block bots and fraudulent clicks in real-time to prevent them from consuming pay-per-click (PPC) budgets. This ensures that ad spend is directed exclusively toward engaging potential human customers, directly protecting marketing investments.
• Analytics Purification – Filter out non-human traffic from analytics dashboards and reports. This provides a true view of user engagement, conversion rates, and other key performance indicators, enabling businesses to make accurate, data-driven decisions based on real human behavior.
• Lead Generation Integrity – Prevent fake form submissions and sign-ups generated by bots. By ensuring that lead databases are filled with contacts from genuinely interested people, businesses save time and resources for their sales teams and improve lead quality.
• Return on Ad Spend (ROAS) Improvement – By eliminating wasteful spending on fraudulent clicks and impressions, businesses can significantly improve their ROAS. Every dollar is spent on reaching a real person, which increases the likelihood of legitimate conversions and boosts overall campaign profitability.

Example 1: Geolocation Mismatch Rule

// Logic to block traffic from locations outside the target market
FUNCTION check_geo_location(visitor_ip, campaign_target_regions):
  visitor_region = get_region_from_ip(visitor_ip)

  IF visitor_region NOT IN campaign_target_regions:
    block_request(visitor_ip)
    log_event("Blocked: Geo Mismatch")
  ELSE:
    allow_request(visitor_ip)

Example 2: Session Interaction Scoring

// Logic to score a session based on human-like interactions
FUNCTION score_session(session_data):
  score = 0

  IF session_data.mouse_events > 10:
    score += 1

  IF session_data.scroll_depth > 50:
    score += 1

  IF session_data.time_on_page > 15: // seconds
    score += 1

  // A score below a certain threshold may indicate a bot
  IF score < 2:
    flag_as_suspicious(session_data.id)
  ELSE:
    flag_as_human(session_data.id)

🐍 Python Code Examples

This code defines a simple function to check if a visitor's IP address belongs to a known data center blocklist. This helps filter out common sources of non-human traffic, as legitimate users typically do not browse from data center servers.

# List of known IP ranges for data centers
DATACENTER_IPS = ["198.51.100.0/24", "203.0.113.0/24"]

def is_from_datacenter(visitor_ip):
    """Checks if a visitor IP belongs to a known data center range."""
    # In a real application, this would use a proper IP address library
    for dc_ip_range in DATACENTER_IPS:
        if visitor_ip.startswith(dc_ip_range.split('.')):
            return True
    return False

# Example
print(is_from_datacenter("198.51.100.10")) # Output: True
print(is_from_datacenter("8.8.8.8"))      # Output: False

This example demonstrates how to detect abnormally high click frequencies from a single IP address. By tracking click timestamps, the function can identify automated scripts that generate an unrealistic number of clicks in a short period, a strong indicator of click fraud.

import time

CLICK_LOG = {}
TIME_WINDOW = 60  # seconds
CLICK_LIMIT = 20  # max clicks per window

def is_click_fraud(ip_address):
    """Detects rapid, repeated clicks from the same IP."""
    current_time = time.time()
    if ip_address not in CLICK_LOG:
        CLICK_LOG[ip_address] = []

    # Filter out clicks older than the time window
    CLICK_LOG[ip_address] = [t for t in CLICK_LOG[ip_address] if current_time - t < TIME_WINDOW]

    # Add the current click
    CLICK_LOG[ip_address].append(current_time)

    # Check if the click count exceeds the limit
    if len(CLICK_LOG[ip_address]) > CLICK_LIMIT:
        return True
    return False

# Example
for _ in range(25):
    print(is_click_fraud("192.168.1.100"))
# The last 5 outputs will be True

Types of Human Traffic

• Verified Human Traffic – This is traffic that has passed multiple checks, such as CAPTCHA, behavioral analysis, and IP reputation analysis, to confirm a real person is behind the interaction. It is considered the highest quality traffic for advertising purposes because it carries a very low risk of fraud.
• Unverified Human Traffic – This traffic appears to be from a human based on initial checks (e.g., from a residential IP and standard browser) but has not undergone deeper behavioral analysis. While often legitimate, it carries a higher risk of being sophisticated bot traffic designed to mimic human users.
• Low-Quality Human Traffic – This refers to clicks and impressions from real people who have no genuine interest in the ad's content. This can be generated by click farms, where low-paid workers are instructed to click on ads, or through incentivized traffic, where users are rewarded for interacting with ads.
• Proxied Human Traffic – This is traffic from real users that is routed through a VPN or proxy server. While the user is human, the proxy masks their true location and identity, which is a common tactic used in fraudulent activities. Ad security systems often flag this traffic as suspicious due to its lack of transparency.

How Human Verification Works

  +-----------------+      +--------------------+      +-----------------+      +---------------+
  |  Visitor Click  | →    |  Data Collection   | →    |  Analysis Engine| →    |   Decision    |
  | (User Request)  |      | (Signals & Params) |      | (Rules & ML)    |      | (Valid/Fraud) |
  +-----------------+      +--------------------+      +-----------------+      +---------------+
                                     │                                                 │
                                     └─────────────────────┐                             │
                                                           ↓                             ↓
                                                 +-------------------+         +-----------------+
                                                 | Heuristic Checks  |         | Block or Allow  |
                                                 | & Signature Match |         |      Traffic    |
                                                 +-------------------+         +-----------------+

🧠 Core Detection Logic

Example 1: Datacenter IP Filtering

This logic blocks traffic originating from known datacenter or server IP ranges, which are rarely used by genuine human users for browsing. It serves as a frontline defense, filtering out a significant volume of basic bot traffic before more complex analysis is needed.

FUNCTION on_visitor_request(ip_address):
  // Predefined list of IP ranges belonging to hosting providers
  datacenter_ip_ranges = ["192.0.2.0/24", "203.0.113.0/24", ...]

  FOR range IN datacenter_ip_ranges:
    IF ip_address in range:
      RETURN "BLOCK" // Flag as fraudulent traffic
  
  RETURN "ALLOW" // IP is not from a known datacenter

Example 2: Session Click Frequency Analysis

This heuristic identifies non-human behavior by tracking the number of clicks from a single user (identified by IP or device fingerprint) within a short timeframe. An impossibly high click frequency suggests an automated script rather than a human, who requires time to interact with a page.

// Session data is stored in memory, mapping user_id to their click timestamps
session_clicks = {user_123: [timestamp1, timestamp2, ...]}
MAX_CLICKS_PER_MINUTE = 10

FUNCTION check_click_frequency(user_id):
  current_time = now()
  user_timestamps = session_clicks.get(user_id, [])

  // Filter timestamps to the last minute
  recent_clicks = [t for t in user_timestamps if current_time - t < 60_seconds]

  IF len(recent_clicks) > MAX_CLICKS_PER_MINUTE:
    RETURN "FRAUD"
  
  RETURN "VALID"

Example 3: Geo-Location Mismatch

This rule checks for inconsistencies between a user’s IP address location and other location-based data, such as browser timezone or language settings. A significant mismatch, like an IP from Vietnam with a browser set to US English and a New York timezone, is a strong indicator of proxy usage or a bot attempting to mask its origin.

FUNCTION verify_geolocation(ip_address, browser_timezone, browser_language):
  ip_location = get_location_from_ip(ip_address) // e.g., 'Vietnam'
  expected_timezone = get_timezone_from_location(ip_location) // e.g., 'Asia/Ho_Chi_Minh'

  // Check for major inconsistencies
  IF ip_location is not "USA" AND browser_timezone is "America/New_York":
    RETURN "SUSPICIOUS"

  IF ip_location is "Germany" AND browser_language is not "de-DE":
    // Can be a weaker signal, but adds to a risk score
    increment_risk_score(2)

  RETURN "OK"

📈 Practical Use Cases for Businesses

• Campaign Shielding – Protects PPC campaign budgets by blocking fraudulent clicks from bots and competitors in real-time, ensuring ad spend is only used to reach genuine potential customers.
• Analytics Purification – Ensures marketing analytics and reports are based on real human interactions, leading to more accurate data-driven business decisions and a clearer understanding of campaign performance.
• Lead Generation Security – Prevents bots from submitting fake forms on landing pages, which improves the quality of sales leads, saves time for sales teams, and reduces costs associated with fake lead follow-up.
• Return on Ad Spend (ROAS) Optimization – Improves ROAS by eliminating wasteful spending on invalid traffic that will never convert. This allows advertisers to reinvest their budget into channels and campaigns that attract authentic users.

Example 1: Geofencing Protection Rule

A business targeting customers only in the United Kingdom can use human verification to enforce strict geofencing. This logic blocks any click originating from an IP address outside the target country, preventing budget waste on irrelevant international traffic that could be from click farms or bots.

// Rule: Only allow traffic from the United Kingdom
FUNCTION apply_geofencing(visitor_ip):
  country_code = get_country_from_ip(visitor_ip)

  IF country_code is not "GB":
    log_event("Blocked non-UK IP: " + visitor_ip)
    BLOCK_TRAFFIC()
  ELSE:
    ALLOW_TRAFFIC()

Example 2: Traffic Authenticity Scoring

Instead of a simple block/allow decision, this logic calculates a trust score for each visitor based on multiple signals. A low score, resulting from factors like a datacenter IP, a mismatched timezone, and no mouse movement, would flag the traffic as high-risk and block it, protecting ad interactions from sophisticated bots.

FUNCTION calculate_authenticity_score(visitor_data):
  score = 100 // Start with a perfect score

  IF is_datacenter_ip(visitor_data.ip):
    score -= 50
  
  IF has_geolocation_mismatch(visitor_data.ip, visitor_data.timezone):
    score -= 30

  IF has_no_mouse_movement(visitor_data.behavior):
    score -= 20

  // If score is below a certain threshold, block the click
  IF score < 50:
    RETURN "BLOCK"
  ELSE:
    RETURN "ALLOW"

🐍 Python Code Examples

This Python function simulates checking for abnormally high click frequency from a single IP address. It maintains a simple in-memory dictionary to track click counts within a specific time window, blocking IPs that exceed a defined threshold, which is a common pattern for bot activity.

import time

CLICK_LOG = {}
TIME_WINDOW = 60  # seconds
MAX_CLICKS = 10

def is_click_fraud(ip_address):
    current_time = time.time()
    
    # Remove old entries from the log
    if ip_address in CLICK_LOG:
        CLICK_LOG[ip_address] = [t for t in CLICK_LOG[ip_address] if current_time - t < TIME_WINDOW]
    
    # Add the new click
    clicks = CLICK_LOG.setdefault(ip_address, [])
    clicks.append(current_time)
    
    # Check if the click count exceeds the maximum allowed
    if len(clicks) > MAX_CLICKS:
        return True
    return False

# --- Simulation ---
# print(is_click_fraud("198.51.100.5")) # False
# print(is_click_fraud("198.51.100.5")) # ... 10 more times -> True

This code filters incoming web requests by examining the `User-Agent` string. It blocks requests from common automated tools and libraries like Scrapy and Python's `requests` library, which are often used for web scraping and other bot-driven activities, but are not legitimate browsers used by human visitors.

SUSPICIOUS_USER_AGENTS = ["Scrapy", "python-requests", "curl", "bot"]

def filter_by_user_agent(headers):
    user_agent = headers.get("User-Agent", "").lower()
    
    for agent in SUSPICIOUS_USER_AGENTS:
        if agent in user_agent:
            print(f"Blocking suspicious User-Agent: {user_agent}")
            return False # Block request
            
    return True # Allow request

# --- Simulation ---
# legitimate_headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) ..."}
# suspicious_headers = {"User-Agent": "python-requests/2.25.1"}
# print(filter_by_user_agent(legitimate_headers)) # True
# print(filter_by_user_agent(suspicious_headers)) # False

Types of Human Verification

• Passive Verification – This method analyzes user behavior and technical signals in the background without requiring user interaction. It tracks mouse movements, typing rhythm, and device fingerprints to distinguish humans from bots based on natural, subconscious patterns.
• Active Challenge Verification – This type directly challenges the user to prove they are human, most commonly through a CAPTCHA. The user might be asked to solve a puzzle, identify objects in an image, or retype distorted text, tasks that are generally difficult for bots to perform correctly.
• Heuristic-Based Verification – This approach uses a set of predefined rules and thresholds to identify suspicious activity. It flags traffic based on patterns like an unusually high click rate from one IP, traffic from known data centers, or mismatches between a user's browser and network settings.
• Biometric Verification – While less common for ad traffic, this method uses unique biological traits for verification, such as fingerprint scans or facial recognition. It offers a high level of security but is more typically used for authenticating access to secure systems rather than filtering ad clicks.

How Hybrid app Works

Incoming Ad Click → [+ Layer 1: Rules Engine] → [+ Layer 2: Behavioral Scan] → [+ Layer 3: Anomaly Detection] → Final Decision
        │                      │                          │                            │
        │                      └─ (Block known bad IPs)    │                            │
        │                                                 └─ (Analyze mouse movement)   │
        │                                                                              └─ (Score deviations)
        │
        └───────────────────────────────────────────────────────────────────────────────────→ [Valid/Invalid]

🧠 Core Detection Logic

Example 1: IP-Based Threat Intelligence

This logic checks an incoming click’s IP address against a known blacklist of fraudulent sources. It serves as a first line of defense, quickly eliminating traffic from data centers, proxies, and botnets before it consumes more advanced analytical resources. This is a fundamental component of rule-based filtering.

FUNCTION check_ip(click_event):
  ip_address = click_event.ip
  blacklist = get_threat_blacklist()

  IF ip_address IN blacklist:
    RETURN "invalid_traffic"
  ELSE:
    RETURN "needs_further_analysis"
END FUNCTION

Example 2: Session Click Frequency Analysis

This heuristic logic analyzes user behavior by tracking how many times a single user (identified by a session ID or device fingerprint) clicks an ad within a specific time window. Unnaturally high click frequency is a strong indicator of bot activity, as humans do not typically click the same ad repeatedly in seconds.

FUNCTION analyze_click_frequency(session_id, click_timestamp):
  // Retrieve past clicks for this session
  session_clicks = get_clicks_for_session(session_id, last_60_seconds)

  // Add current click to the list
  ADD click_timestamp to session_clicks

  // Check if count exceeds threshold
  IF count(session_clicks) > 5:
    RETURN "suspicious_frequency"
  ELSE:
    RETURN "normal_frequency"
END FUNCTION

Example 3: Geo-Mismatch Detection

This contextual logic compares the declared timezone of the user’s browser/device with the geographical location inferred from their IP address. A significant mismatch can indicate the use of a VPN or proxy to spoof location, a common tactic in ad fraud to target high-value geographic campaigns illegitimately.

FUNCTION check_geo_mismatch(click_event):
  ip_geo_country = get_country_from_ip(click_event.ip)
  browser_timezone = click_event.device.timezone

  // Get expected timezones for the IP's country
  expected_timezones = get_timezones_for_country(ip_geo_country)

  IF browser_timezone NOT IN expected_timezones:
    RETURN "geo_mismatch_detected"
  ELSE:
    RETURN "geo_consistent"
END FUNCTION

📈 Practical Use Cases for Businesses

• Campaign Shielding – A hybrid app automatically blocks invalid clicks from bots and competitors in real time. This directly protects PPC campaign budgets from being wasted on traffic that will never convert, ensuring ad spend is allocated toward reaching genuine customers.
• Data Integrity for Analytics – By filtering out bot traffic before it pollutes analytics platforms, businesses can trust their data. This leads to accurate insights into key metrics like click-through rates and user engagement, enabling better strategic decision-making and optimization.
• Lead Generation Funnel Protection – For businesses relying on lead forms, a hybrid approach ensures that submissions are from legitimate human users. It filters out bot-generated spam and fake sign-ups, improving the quality of sales leads and saving time for the sales team.
• Return on Ad Spend (ROAS) Improvement – By eliminating fraudulent ad interactions that drain budgets and skew performance data, a hybrid system directly contributes to a higher ROAS. Advertisers pay only for clicks with the potential for genuine engagement, maximizing the return on their investment.

Example 1: Time-Between-Events Rule

This logic prevents bots from executing actions faster than a human possibly could, such as clicking a button fractions of a second after a page loads.

FUNCTION check_action_timing(page_load_time, click_time):
  // Calculate time elapsed in seconds
  time_elapsed = click_time - page_load_time

  // Set minimum humanly possible time
  MIN_THRESHOLD = 0.5 // seconds

  IF time_elapsed < MIN_THRESHOLD:
    RETURN "Block: Action too fast, likely bot"
  ELSE:
    RETURN "Allow: Human-like speed"
END IF

Example 2: Session Authenticity Scoring

This pseudocode demonstrates scoring a session based on multiple signals. A hybrid system combines these scores to make a final decision, providing a more nuanced judgment than a single rule.

FUNCTION score_session(session_data):
  score = 0

  IF session_data.source is "Known Good Publisher":
    score = score + 20
  IF session_data.ip_type is "Data Center":
    score = score - 50
  IF session_data.has_mouse_events:
    score = score + 30
  IF session_data.click_frequency > 10 per minute:
    score = score - 40

  // Decision based on final score
  IF score < 0:
    RETURN "Invalid"
  ELSE:
    RETURN "Valid"
END IF

🐍 Python Code Examples

This function simulates checking a click's IP address against a predefined set of suspicious network types, such as data centers or public proxies. This helps filter out non-human traffic sources common in bot-driven fraud.

# A set of known fraudulent Autonomous System Numbers (ASNs)
FRAUDULENT_ASNS = {'ASN12345', 'ASN67890'}

def filter_by_asn(click_ip):
    """Flags an IP if it belongs to a known fraudulent ASN."""
    click_asn = get_asn_for_ip(click_ip) # Placeholder for an IP-to-ASN lookup service
    if click_asn in FRAUDULENT_ASNS:
        print(f"Blocking {click_ip}: Belongs to fraudulent ASN {click_asn}")
        return False
    return True

# Example for a real IP lookup would require a service like MaxMind
def get_asn_for_ip(ip):
    # This is a mock function. In a real scenario, you'd use a geoIP database.
    if ip.startswith("52.20."):
        return "ASN12345" # Example ASN for a data center
    return "ASN_NORMAL"

# --- Simulation ---
filter_by_asn("52.20.15.10") # Returns False
filter_by_asn("8.8.8.8")      # Returns True

This example demonstrates how to detect abnormally frequent clicks from a single user ID within a short time frame. Such rapid-fire activity is a strong indicator of an automated script or bot rather than genuine user interest.

from collections import defaultdict
import time

# Store click timestamps for each user ID
user_clicks = defaultdict(list)
CLICK_LIMIT = 5 # Max clicks
TIME_WINDOW = 10 # Within 10 seconds

def is_click_flood(user_id):
    """Checks if a user has clicked too frequently."""
    current_time = time.time()
    # Remove timestamps older than the time window
    user_clicks[user_id] = [t for t in user_clicks[user_id] if current_time - t < TIME_WINDOW]

    # Add the new click
    user_clicks[user_id].append(current_time)

    # Check the count
    if len(user_clicks[user_id]) > CLICK_LIMIT:
        print(f"Click flood detected for user {user_id}")
        return True
    return False

# --- Simulation ---
for i in range(6):
    is_click_flood("user-123")
    time.sleep(1)

Types of Hybrid app

• Layered Hybrid Model – This model processes traffic through a sequence of filters, starting with the fastest, low-cost checks (like IP blacklisting) and progressing to more resource-intensive analysis (like behavioral modeling). It efficiently removes obvious bots early, saving computational power for more sophisticated threats.
• Ensemble Hybrid Model – This approach uses multiple detection algorithms in parallel and combines their outputs to reach a final decision, often through a voting or weighting system. It increases accuracy by leveraging the diverse strengths of different models (e.g., combining a random forest with a neural network).
• Human-in-the-Loop Model – This type combines automated detection systems with manual review by human fraud analysts. The system flags ambiguous or high-risk traffic for an expert to examine, which helps reduce false positives and train the automated models with verified data, improving future accuracy.
• Adaptive Hybrid Model – This model uses machine learning to continuously adjust its own rules and parameters based on newly identified fraud patterns. It automatically learns from the traffic it analyzes, allowing the system to adapt to evolving bot tactics without needing constant manual reprogramming.

How Hybrid Cloud Solutions Works

Incoming Ad Click → [On-Premises Gateway] ─┬─→ (Clean Traffic) → Ad Destination
                     │                     │
                     │ (Low-Latency Check) │
                     │                     └─→ (Suspicious Event) → [Public Cloud Platform]
                     │                                                      │
                     ↓ (Block/Allow)                                        │ (Deep Analysis: ML, Big Data)
                                                                            │
               [Updated Rules] ←────────────────────────────────────────────┘

🧠 Core Detection Logic

Example 1: On-Premises IP Reputation Check

This logic executes on the on-premises gateway for maximum speed. It checks an incoming click’s IP address against a local, high-speed database of blacklisted IPs associated with data centers, known proxies, or previously identified bot networks. This filter blocks the most obvious non-human traffic before it consumes further resources.

FUNCTION handle_click(request):
  ip = request.get_ip()
  
  // Load local, cached blocklist for speed
  local_ip_blocklist = load_blocklist_from_cache()

  IF ip IN local_ip_blocklist:
    RETURN block_traffic("IP found in on-prem blocklist")
  ELSE:
    // If not on local list, pass for further checks or to cloud
    RETURN process_further(request)

Example 2: Cloud-Based Behavioral Analysis

When an on-premises gateway flags a session as suspicious (e.g., unusual user agent), it forwards session data to the public cloud. The cloud service analyzes behavioral metrics like click frequency and time between events to identify patterns indicative of automation. This logic is too resource-intensive for an on-premises gateway to perform at scale.

FUNCTION analyze_session_in_cloud(session_data):
  session_id = session_data.get_id()
  clicks = get_clicks_for_session(session_id)
  
  // Cloud model determines a dynamic threshold
  max_clicks_per_minute = get_dynamic_threshold_from_ml_model()
  
  first_click_time = clicks.timestamp
  last_click_time = clicks[-1].timestamp
  duration_seconds = last_click_time - first_click_time
  
  IF duration_seconds > 0:
    clicks_per_minute = len(clicks) / (duration_seconds / 60)
  ELSE:
    clicks_per_minute = len(clicks) * 60

  IF clicks_per_minute > max_clicks_per_minute:
    RETURN flag_as_fraud("Abnormal click frequency detected")

Example 3: Large-Scale Pattern Correlation

The public cloud aggregates anonymized data from thousands of campaigns to detect coordinated fraud. This logic identifies attackers using the same device fingerprints or IP subnets across different websites or apps, a pattern invisible at the level of a single on-premises gateway.

FUNCTION find_coordinated_attacks_in_cloud(click_event):
  device_id = click_event.get_device_id()
  
  // Query a massive, cloud-based dataset
  related_clicks = query_global_database_by_device(device_id)
  
  campaign_ids = extract_campaigns(related_clicks)
  unique_campaigns = set(campaign_ids)
  
  // If a single device hits many unrelated campaigns in a short time
  IF len(unique_campaigns) > 10:
    RETURN flag_as_fraud("Device linked to multi-campaign fraud ring")

📈 Practical Use Cases for Businesses

• Campaign Budget Protection: Block invalid clicks in real time with on-premises rules to prevent immediate budget waste, while using the cloud to analyze patterns from blocked traffic to predict and preempt future, more sophisticated attacks.
• Ensuring Data Integrity: Use the hybrid model to filter bot traffic before it contaminates marketing analytics and CRM systems. This ensures that business intelligence and performance metrics are based on genuine human engagement.

–

• Improving Return on Ad Spend (ROAS): By ensuring ads are served only to valid users, businesses improve ROAS. The hybrid system fine-tunes this by using cloud-based AI to adapt defenses to new fraud techniques, maximizing the value of every ad dollar.
• Real-Time Bid Filtering: In programmatic advertising, use the on-premises component to instantly reject bid requests from fraudulent publishers or suspicious users, while the cloud component refines the blocklists based on global threat intelligence.

Example 1: Geolocation Mismatch Rule

This rule runs on the on-premises gateway to catch obvious attempts at location spoofing. It compares the IP address’s country of origin with the user’s browser-reported timezone. A significant mismatch is a strong indicator of a proxy or VPN being used to disguise traffic.

FUNCTION check_geo_mismatch(request):
  ip_location = get_country_from_ip(request.ip) // e.g., "USA"
  browser_timezone = request.headers.get("Timezone") // e.g., "Asia/Tokyo"
  
  // Load mapping of timezones to countries
  tz_to_country_map = load_timezone_map()
  
  expected_country = tz_to_country_map.get(browser_timezone)
  
  IF ip_location != expected_country:
    RETURN flag_as_suspicious("IP location does not match browser timezone")

Example 2: Session Authenticity Scoring

This logic is executed in the cloud to score the overall authenticity of a user session. It aggregates multiple weak signals (e.g., lack of mouse movement, generic user-agent, short time-on-page) into a single fraud score. If the score exceeds a threshold, the user’s IP and fingerprint are added to the blocklist.

FUNCTION calculate_session_fraud_score(session_data):
  score = 0
  
  IF session_data.mouse_events < 2:
    score += 30 // High probability of bot
  
  IF is_generic_user_agent(session_data.user_agent):
    score += 20 // Common with bots
    
  IF session_data.time_on_page < 3 seconds:
    score += 15 // Unlikely human behavior
    
  IF is_datacenter_ip(session_data.ip):
    score += 35 // Very strong indicator
  
  // Threshold learned from cloud ML models
  IF score > 75:
    RETURN block_user(session_data.id)

🐍 Python Code Examples

This function simulates a rapid, on-premises check against a set of known fraudulent IP addresses or subnets. This is a first-line defense to block obvious bad actors with minimal latency before they can interact with an ad.

# A set of known bad IPs, loaded into memory for fast lookups
FRAUDULENT_IP_BLOCKLIST = {"10.0.0.1", "192.168.1.10", "203.0.113.55"}

def is_ip_blocked(ip_address: str) -> bool:
    """
    Simulates an on-premises check against a cached IP blocklist.
    """
    if ip_address in FRAUDULENT_IP_BLOCKLIST:
        print(f"Blocking IP {ip_address}: Found in on-prem blocklist.")
        return True
    return False

# --- Usage ---
is_ip_blocked("203.0.113.55") # Returns True

This code snippet simulates a cloud-based analysis to detect abnormal click frequency from a single session. It collects timestamps and flags the session if the number of clicks within a short time window exceeds a reasonable threshold, a common sign of bot activity.

from collections import defaultdict
import time

# Store click timestamps for each session ID (simulates cloud data store)
session_clicks = defaultdict(list)
CLICK_LIMIT = 5
TIME_WINDOW_SECONDS = 10

def record_and_check_click(session_id: str) -> bool:
    """
    Records a click and checks if it violates frequency rules.
    This logic would run in a scalable cloud environment.
    """
    current_time = time.time()
    session_clicks[session_id].append(current_time)
    
    # Filter out old timestamps that are outside the time window
    recent_clicks = [t for t in session_clicks[session_id] if current_time - t <= TIME_WINDOW_SECONDS]
    session_clicks[session_id] = recent_clicks
    
    if len(recent_clicks) > CLICK_LIMIT:
        print(f"Flagging session {session_id}: Abnormal click frequency.")
        return True # Fraudulent
    return False # Not yet fraudulent

# --- Usage ---
for _ in range(6):
    record_and_check_click("user-session-abc-123")

Types of Hybrid Cloud Solutions

• Edge-Heavy Model: Prioritizes speed by performing most real-time filtering and decision-making on-premises or at the network edge. The public cloud is used mainly for offline tasks like training machine learning models and generating periodic threat intelligence updates that are pushed to the edge devices.
• Cloud-Centric Model: A lightweight on-premises agent captures traffic data and forwards it to the public cloud for all significant processing, analysis, and decision-making. This approach offers maximum scalability and analytical power but introduces higher latency for initial threat response.
• Tiered Analysis Model: A balanced approach where on-premises systems handle high-volume, deterministic checks (e.g., known bad IPs, basic signatures). Traffic deemed suspicious is escalated to the cloud for probabilistic, resource-intensive analysis like behavioral scoring and anomaly detection.
• Federated Learning Model: A decentralized architecture where multiple on-premises environments contribute to training a central, global fraud detection model in the cloud without sharing raw, sensitive user data. This enhances privacy while building a more robust and diverse threat detection model.

How Hybrid Video On Demand HVOD Works

Incoming Traffic → [Real-Time Filter] → Is it suspicious?
                         │                     │
                         │ No (Valid)          │ Yes (Flagged)
                         │                     ↓
                         └─ Allow         [On-Demand Analysis Queue] → [Session Replay & Behavioral Scan] → Verdict → [Block/Allow]

🧠 Core Detection Logic

Example 1: Session Velocity Heuristics

This logic tracks the rate of actions within a single user session. It’s designed to catch bots that perform actions much faster than a human could. This check occurs in the real-time filtering stage to quickly identify hyperactive automated scripts.

FUNCTION check_session_velocity(session):
  IF (session.clicks > 10 AND session.duration_seconds < 5) THEN
    RETURN "FRAUD"
  
  IF (session.pages_viewed > 20 AND session.duration_seconds < 15) THEN
    RETURN "FRAUD"

  RETURN "VALID"
END FUNCTION

Example 2: Behavioral Pattern Matching

This logic is used in the on-demand analysis phase. It analyzes recorded mouse movement data to check for patterns that are not characteristic of human behavior, such as perfectly straight lines or instant jumps across the screen, which indicate automation.

FUNCTION analyze_mouse_movements(mouse_path_data):
  // Check for unnaturally straight mouse paths
  IF is_path_perfectly_linear(mouse_path_data) THEN
    RETURN "BOT_SUSPECTED"

  // Check for instant coordinate jumps
  IF has_instantaneous_jumps(mouse_path_data) THEN
    RETURN "BOT_SUSPECTED"

  RETURN "HUMAN_LIKE"
END FUNCTION

Example 3: Geo-Mismatch Detection

This rule checks for inconsistencies between a user's reported timezone (from their browser) and the geographical location of their IP address. A significant mismatch often suggests the use of proxies or VPNs to disguise the user's true origin, a common tactic in ad fraud.

FUNCTION check_geo_mismatch(ip_location, browser_timezone):
  expected_timezone = get_timezone_from_location(ip_location)

  IF (browser_timezone != expected_timezone) THEN
    // Flag for on-demand analysis
    RETURN "SUSPICIOUS_GEO_MISMATCH"
  
  RETURN "CONSISTENT_GEO"
END FUNCTION

📈 Practical Use Cases for Businesses

• Campaign Shielding: HVOD automatically blocks fraudulent clicks on PPC campaigns in real-time while analyzing suspicious traffic, preventing budget waste and protecting advertisers from paying for fake engagement.
• Analytics Purification: By filtering out bot and fraudulent traffic, HVOD ensures that website analytics reflect genuine human user behavior, leading to more accurate data and better business decisions.
• Lead Generation Integrity: For businesses relying on lead forms, this system validates traffic sources to prevent fake sign-ups and form submissions from automated scripts, ensuring higher lead quality.
• Return on Ad Spend (ROAS) Improvement: By stopping financial drain from fraudulent activities and improving targeting based on clean data, businesses can achieve a significantly better return on their advertising investments.

Example 1: Geofencing Rule for Local Businesses

A local service business wants to ensure its ads are only shown to and clicked by users within its service area. This pseudocode blocks clicks from outside the target country and flags clicks from unexpected regions for deeper analysis.

FUNCTION apply_geofence(user_ip_data):
  country = user_ip_data.country
  region = user_ip_data.region

  IF country != "USA" THEN
    BLOCK(user_ip_data.ip)
    RETURN "BLOCKED_GEO"
  
  IF region NOT IN ["California", "Nevada"] THEN
    FLAG_FOR_ANALYSIS(user_ip_data.ip)
    RETURN "SUSPICIOUS_GEO"

  RETURN "VALID_GEO"
END FUNCTION

Example 2: Session Authenticity Scoring

To protect an e-commerce site, this logic calculates a trust score for each session. A low score doesn't immediately block the user but triggers on-demand analysis, such as a CAPTCHA or further behavioral monitoring, before allowing a purchase.

FUNCTION calculate_session_score(session_data):
  score = 100

  IF session_data.uses_known_datacenter_ip THEN
    score = score - 50
  
  IF session_data.user_agent_is_outdated THEN
    score = score - 20

  IF session_data.click_frequency > 5_clicks_per_second THEN
    score = score - 30

  IF score < 50 THEN
    TRIGGER_ON_DEMAND_VERIFICATION(session_data)

  RETURN score
END FUNCTION

🐍 Python Code Examples

This function simulates checking for abnormally high click frequency from a single IP address, a common sign of bot activity. It helps block basic denial-of-service attacks or low-quality click spam in real time.

ip_click_counts = {}
CLICK_THRESHOLD = 15

def is_suspicious_frequency(ip_address):
    """Checks if an IP exceeds a click frequency threshold."""
    if ip_address in ip_click_counts:
        ip_click_counts[ip_address] += 1
    else:
        ip_click_counts[ip_address] = 1

    if ip_click_counts[ip_address] > CLICK_THRESHOLD:
        print(f"FLAG: High frequency from {ip_address}")
        return True
    return False

This example demonstrates filtering traffic based on the user-agent string. It checks against a list of known bot signatures to identify and block automated clients trying to access a website or click on an ad.

KNOWN_BOT_AGENTS = ["BadBot/1.0", "FraudClient/2.2", "DataScraper/3.0"]

def is_known_bot(user_agent):
    """Checks if the user agent matches a known bot signature."""
    for bot_signature in KNOWN_BOT_AGENTS:
        if bot_signature in user_agent:
            print(f"BLOCK: Known bot detected with agent: {user_agent}")
            return True
    return False

Types of Hybrid Video On Demand HVOD

• Real-time Hybrid Analysis: This type prioritizes speed by using aggressive, lightweight rules to block obvious fraud instantly. Suspicious traffic is passed for on-demand analysis but the primary focus is on immediate front-line defense, making it ideal for high-volume campaigns where latency is critical.
• Forensic Hybrid Analysis: Focused on accuracy over speed, this method flags a wider range of traffic as suspicious and subjects it to deep, meticulous on-demand analysis. It is primarily used for post-campaign analysis, understanding sophisticated fraud patterns, and gathering evidence for ad network disputes.
• Behavioral Hybrid Analysis: This variation emphasizes the on-demand component, focusing heavily on session replay and user interaction patterns like mouse movements and scroll velocity. It is best suited for detecting advanced bots that can mimic human behavior and evade simple real-time filters.
• Adaptive Hybrid Analysis: This type uses machine learning to dynamically adjust its filtering rules. Based on the findings from its on-demand analyses, it updates its real-time filters to recognize new fraud patterns automatically, creating a self-improving feedback loop between its two stages.

How Hyper Personalization Works

Incoming Ad Traffic
        │
        ▼
+---------------------+      +-----------------------+      +---------------------+
│  1. Data Collection │ ---> │ 2. Profile Generation │ ---> │ 3. Anomaly Detection│
│ (IP, Device, Behavior)│      │  (Unique Fingerprint) │      │  (Rule & AI Scans)  │
+---------------------+      +-----------------------+      +---------------------+
        │                                                            │
        │                                                            ▼
        └───────────────────────────--► Labeled as Legitimate         +-------------------+
                                                                     │ 4. Action/Filter  │
                                                                     │ (Block or Flag)   │
                                                                     +-------------------+

🧠 Core Detection Logic

Example 1: Behavioral Heuristic Scoring

This logic assesses the quality of a click by scoring various behavioral attributes of a user’s session in real-time. Instead of a simple pass/fail rule, it builds a “trust score” for each user. This is central to hyper-personalization because it judges a user based on their specific actions, not just a single attribute like their IP address. This score helps differentiate between a curious human and a low-quality bot.

FUNCTION calculate_behavior_score(session_data):
    score = 0
    
    // Rule 1: Time on page before click
    IF session_data.time_on_page < 2 SECONDS:
        score = score - 20 // Unlikely human behavior
    ELSE IF session_data.time_on_page > 10 SECONDS:
        score = score + 10 // More likely human
        
    // Rule 2: Mouse movement
    IF session_data.has_mouse_movement == FALSE:
        score = score - 30 // Strong indicator of a simple bot
    
    // Rule 3: Click frequency from IP
    IF session_data.clicks_from_ip_last_hour > 10:
        score = score - 15 // Suspiciously high frequency
    
    // Rule 4: Browser properties
    IF session_data.browser_is_headless == TRUE:
        score = -100 // Definitive bot
        
    RETURN score
    
// --- Decision Logic ---
user_session = get_current_user_data()
trust_score = calculate_behavior_score(user_session)

IF trust_score < -50:
    block_click("Low Behavioral Score")
ELSE:
    allow_click()

Example 2: Cross-Session IP & Device Anomaly

This logic protects against fraudsters who try to appear as different users by slightly changing their attributes. It correlates data across multiple sessions to see if a device fingerprint is trying to use many different IP addresses, or if one IP is being used by an unnatural number of distinct devices. This personalized history is key to spotting coordinated, fraudulent activity.

FUNCTION check_historical_anomaly(user_data):
    
    // Get historical data for the user's device fingerprint
    device_history = DATABASE.query("SELECT ip_addresses FROM history WHERE device_id = ?", user_data.device_id)
    
    // Get historical data for the user's IP address
    ip_history = DATABASE.query("SELECT device_ids FROM history WHERE ip_address = ?", user_data.ip_address)

    // Check 1: Device using too many IPs
    IF count(device_history.ip_addresses) > 5 WITHIN 24 HOURS:
        RETURN {is_fraud: TRUE, reason: "Device associated with excessive IPs"}
        
    // Check 2: IP used by too many devices
    IF count(ip_history.device_ids) > 10 WITHIN 24 HOURS:
        RETURN {is_fraud: TRUE, reason: "IP associated with excessive devices"}
        
    RETURN {is_fraud: FALSE}

// --- Decision Logic ---
current_user = get_current_user_data()
fraud_check = check_historical_anomaly(current_user)

IF fraud_check.is_fraud == TRUE:
    block_click(fraud_check.reason)
ELSE:
    // Update history for future checks
    DATABASE.update_history(current_user)
    allow_click()

Example 3: Geo-Location Mismatch

This logic identifies fraud by comparing the geographical location of the user's IP address with other location data points, such as browser time zone or language settings. A significant mismatch often indicates the use of a proxy, VPN, or a datacenter IP to disguise the user's true origin, a common tactic in click fraud.

FUNCTION check_geo_mismatch(user_data):
    
    // Get location from IP address
    ip_location = get_location_from_ip(user_data.ip_address) // e.g., "Germany"
    
    // Get timezone from user's browser
    browser_timezone = user_data.browser_timezone // e.g., "America/New_York"
    
    // Infer country from timezone
    inferred_location = get_country_from_timezone(browser_timezone) // e.g., "USA"
    
    // Compare locations
    IF ip_location != inferred_location:
        RETURN {is_fraud: TRUE, reason: "IP country (" + ip_location + ") mismatches timezone country (" + inferred_location + ")"}
    
    // Check for datacenter IP
    IF is_datacenter_ip(user_data.ip_address):
        RETURN {is_fraud: TRUE, reason: "Traffic originated from a known datacenter"}
        
    RETURN {is_fraud: FALSE}

// --- Decision Logic ---
current_user = get_current_user_data()
fraud_check = check_geo_mismatch(current_user)

IF fraud_check.is_fraud == TRUE:
    block_click(fraud_check.reason)
ELSE:
    allow_click()

📈 Practical Use Cases for Businesses

• Campaign Shielding – Hyper-personalization automatically identifies and blocks invalid traffic from bots and competitors in real-time. This protects advertising budgets by ensuring that ad spend is only used on genuine, high-intent visitors, directly improving cost-effectiveness.
• Lead Quality Enhancement – By filtering out fraudulent and low-quality traffic sources, businesses can ensure their analytics data is clean. This leads to more accurate insights into customer behavior, better strategic decisions, and a higher return on ad spend (ROAS).
• Conversion Fraud Prevention – The system can distinguish between legitimate user engagement and automated scripts designed to trigger fake conversions. This protects the integrity of performance metrics and prevents businesses from paying commissions on fraudulent affiliate or lead-generation activity.
• Geographic Targeting Enforcement – It ensures ad campaigns are only shown to users in specified regions by detecting and blocking VPN or proxy usage. This is critical for local businesses or campaigns with geographical restrictions, preventing budget waste on irrelevant audiences.

Example 1: Dynamic Geofencing Rule

This pseudocode demonstrates a rule that blocks traffic originating from outside a campaign's specified target countries. It goes beyond a simple IP check by also flagging mismatches between the IP's location and the user's browser language, a common sign of proxy use.

FUNCTION apply_geofencing(user, campaign):
    // Get user's location from their IP address
    user_country = get_country_from_ip(user.ip_address)

    // Check if user country is in the campaign's allowed list
    IF user_country NOT IN campaign.target_countries:
        block_traffic(user, "Outside of campaign geographic area")
        RETURN

    // Bonus check: look for language/country mismatch
    user_language = user.browser_language // e.g., "ru-RU"
    IF user_country == "USA" AND user_language.starts_with("ru"):
        flag_traffic(user, "Potential proxy: US-based IP with Russian language setting")
        RETURN

    allow_traffic(user)

// --- Execution ---
current_user = get_user_data()
active_campaign = get_campaign_details("Local_Business_Promo")
apply_geofencing(current_user, active_campaign)

Example 2: Session Quality Scoring

This logic evaluates a user's authenticity by scoring their on-site behavior during a session. A user who immediately clicks an ad without any other interaction is scored lower than a user who browses first. This helps filter out low-intent users and simple bots, ensuring cleaner traffic.

FUNCTION score_session_quality(session):
    quality_score = 100 // Start with a perfect score

    // Deduct points for suspicious behavior
    IF session.time_on_site < 3 SECONDS:
        quality_score -= 40
    
    IF session.pages_viewed < 2:
        quality_score -= 20
        
    IF session.mouse_movement_events == 0:
        quality_score -= 50 // Strong bot indicator

    RETURN quality_score

// --- Execution ---
user_session = get_session_data()
score = score_session_quality(user_session)

// Block clicks from very low-quality sessions
IF score < 30:
    block_ad_click(user_session.user_id, "Session quality score too low")

🐍 Python Code Examples

This code defines a function to check for click fraud based on the frequency of clicks from a single IP address within a short time frame. It simulates a database of click timestamps to identify and block IPs exhibiting machine-like, rapid-fire clicking patterns that are a hallmark of bot activity.

# In-memory store to simulate a database of click timestamps
CLICK_LOG = {}
TIME_WINDOW_SECONDS = 10
MAX_CLICKS_IN_WINDOW = 5

def is_rapid_fire_click(ip_address):
    """Checks if an IP is clicking too frequently."""
    import time
    current_time = time.time()
    
    # Get click history for this IP, or initialize it
    ip_clicks = CLICK_LOG.get(ip_address, [])
    
    # Filter out clicks that are older than our time window
    recent_clicks = [t for t in ip_clicks if current_time - t < TIME_WINDOW_SECONDS]
    
    # Add the current click timestamp
    recent_clicks.append(current_time)
    CLICK_LOG[ip_address] = recent_clicks
    
    # Check if the number of recent clicks exceeds the limit
    if len(recent_clicks) > MAX_CLICKS_IN_WINDOW:
        print(f"FRAUD DETECTED: IP {ip_address} blocked for rapid-fire clicking.")
        return True
        
    print(f"INFO: IP {ip_address} click is valid. Count: {len(recent_clicks)}/{MAX_CLICKS_IN_WINDOW}")
    return False

# --- Simulation ---
is_rapid_fire_click("192.168.1.100")
is_rapid_fire_click("192.168.1.100")
is_rapid_fire_click("203.0.113.55")
is_rapid_fire_click("192.168.1.100")
is_rapid_fire_click("192.168.1.100")
is_rapid_fire_click("192.168.1.100")
is_rapid_fire_click("192.168.1.100") # This one will be flagged as fraud

This example provides a function to analyze User-Agent strings to identify suspicious visitors. It checks against a list of known bot identifiers and flags traffic that lacks a User-Agent, which is often characteristic of simple, poorly configured bots or automated scripts used in fraudulent activities.

def analyze_user_agent(user_agent_string):
    """Analyzes a User-Agent string for signs of fraud."""
    
    if not user_agent_string:
        print("FRAUD DETECTED: Empty User-Agent string.")
        return False

    suspicious_keywords = ["bot", "spider", "headlesschrome", "scraping"]
    
    ua_lower = user_agent_string.lower()
    
    for keyword in suspicious_keywords:
        if keyword in ua_lower:
            print(f"FRAUD DETECTED: Suspicious keyword '{keyword}' in User-Agent.")
            return False
            
    print("INFO: User-Agent appears to be legitimate.")
    return True

# --- Simulation ---
legit_ua = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36"
bot_ua = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
headless_ua = "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/108.0.0.0 Safari/537.36"
empty_ua = ""

analyze_user_agent(legit_ua)
analyze_user_agent(bot_ua)
analyze_user_agent(headless_ua)
analyze_user_agent(empty_ua)

Types of Hyper Personalization

• Behavioral Fingerprinting – This method creates a unique profile based on a user's interaction patterns, such as mouse movements, typing speed, and navigation habits. It is highly effective at distinguishing between humans and bots, as automated scripts typically fail to replicate the subtle, variable behavior of a real person.
• Device & Network Fingerprinting – This involves collecting technical attributes from a visitor's device and network connection, including OS, browser, IP address, ISP, and screen resolution. This fingerprint helps identify users even if they clear cookies or use private browsing, flagging anomalies like a single device appearing from multiple locations simultaneously.
• Heuristic Rule-Based Analysis – This type uses a set of sophisticated, adaptive "if-then" rules to score traffic. For example, a rule might flag a click as suspicious if it comes from a datacenter IP address and occurs within one second of the page loading. These rules are personalized based on historical data patterns.
• Predictive AI Modeling – Leveraging machine learning, this is the most advanced type of hyper-personalization. It analyzes vast datasets of past fraudulent and legitimate behavior to build a model that predicts the probability of a new click being fraudulent. This allows it to identify new and evolving threats that don't match any predefined rules.

How Identifier for advertisers IDFA Works

  User Action             Ad Network Request        Fraud Detection System          Ad Server
+----------------+      +-------------------+      +-----------------------+      +-------------+
| Clicks Ad/     |------>|  Request with     |----->|  Analyze IDFA         |----->| Serve Ad or |
| Installs App   |      |  IDFA             |      |  - Check History      |      | Block       |
|                |      |  (Device A)       |      |  - Check Frequency    |      | Request     |
+----------------+      +-------------------+      |  - Cross-ref IPs      |      +-------------+
                                                     └───────────┬────────────┘
                                                                 │
                                                      ┌──────────┴───────────┐
                                                      │  Fraudulent Pattern?   │
                                                      │  (e.g., Device Farm,   │
                                                      │   Click Spam)          │
                                                      └────────────────────────┘

🧠 Core Detection Logic

Example 1: Click Frequency Analysis

This logic detects click spamming by monitoring how often a single IDFA generates click events. An abnormally high frequency within a short time frame suggests automated, non-human activity. It is a fundamental check in real-time traffic filtering.

FUNCTION check_click_frequency(click_event):
  idfa = click_event.idfa
  timestamp = click_event.timestamp

  // Retrieve past clicks for this IDFA from cache
  recent_clicks = get_clicks_from_cache(idfa)

  // Count clicks within the last 60 seconds
  clicks_in_last_minute = 0
  FOR each_click IN recent_clicks:
    IF timestamp - each_click.timestamp < 60:
      clicks_in_last_minute += 1

  // Define a threshold for suspicious frequency
  IF clicks_in_last_minute > 10:
    RETURN "BLOCK" // Flag as fraudulent
  ELSE:
    add_click_to_cache(idfa, timestamp)
    RETURN "ALLOW"

Example 2: Device and IP Correlation

This logic identifies device farms or proxy abuse by checking how many different IDFAs are associated with a single IP address. A large number of unique devices from one IP address is a strong indicator of coordinated fraud.

FUNCTION check_ip_idfa_correlation(click_event):
  idfa = click_event.idfa
  ip_address = click_event.ip_address

  // Get IDFAs seen from this IP in the last 24 hours
  seen_idfas = get_idfas_for_ip(ip_address)

  // Add current IDFA to the list if not present
  IF idfa NOT IN seen_idfas:
    add_idfa_to_ip_list(ip_address, idfa)

  // Check if the number of unique IDFAs exceeds a threshold
  IF count(seen_idfas) > 50:
    RETURN "FLAG_IP_FOR_REVIEW" // High probability of device farm
  ELSE:
    RETURN "ALLOW"

Example 3: IDFA Reset Abuse Detection

Fraudsters frequently reset their IDFA to appear as new users and bypass detection. This logic identifies such behavior by looking for other persistent signals (like IP subnet and device model) associated with a high rate of “new” IDFAs.

FUNCTION check_idfa_reset_abuse(click_event):
  ip_subnet = get_subnet(click_event.ip_address)
  device_model = click_event.device_model
  idfa = click_event.idfa

  // Create a fingerprint from stable identifiers
  device_fingerprint = create_fingerprint(ip_subnet, device_model)

  // Check if this fingerprint has produced many "new" IDFAs
  new_idfa_count = get_new_idfa_count(device_fingerprint)

  IF is_new_idfa(idfa):
    increment_new_idfa_count(device_fingerprint)

  // Flag if the count of new IDFAs from this fingerprint is suspiciously high
  IF new_idfa_count > 20 IN last_24_hours:
    RETURN "BLOCK_FINGERPRINT"
  ELSE:
    RETURN "ALLOW"

📈 Practical Use Cases for Businesses

• Campaign Budget Protection: Businesses use IDFA to verify that clicks and installs are from legitimate users, preventing ad spend from being wasted on bots and fraudulent schemes like device farms.
• Data Integrity for Analytics: By filtering out fraudulent traffic identified via IDFA, businesses ensure their user acquisition data is clean. This leads to more accurate analysis of campaign performance and user behavior.
• Attribution Accuracy: IDFA provides a deterministic way to connect ad interactions to app installs. This helps businesses accurately attribute conversions to the correct ad network and campaign, optimizing their marketing mix.
• Return on Ad Spend (ROAS) Improvement: By eliminating fraud and ensuring marketing efforts reach real people, businesses can significantly improve their ROAS. Clean traffic means higher quality users who are more likely to engage and make purchases.

Example 1: Geolocation Mismatch Rule

This pseudocode checks if the reported country of the IP address matches the country where the app is being advertised. A mismatch can indicate the use of a proxy or VPN to commit fraud.

FUNCTION validate_geo(ip_address, campaign_target_country):
  // Use a Geo-IP lookup service
  click_country = geo_lookup(ip_address).country

  IF click_country != campaign_target_country:
    // Flag the click as suspicious and potentially fraudulent
    score = get_fraud_score(click)
    update_fraud_score(score + 10)
    RETURN "SUSPICIOUS"
  ELSE:
    RETURN "VALID"

Example 2: Install Hijacking Detection

This logic identifies install hijacking, where a fraudulent app claims credit for an install it didn’t generate. It checks for an unusually short time between a click and the subsequent install, which is often a sign of this type of fraud.

FUNCTION detect_install_hijacking(click_timestamp, install_timestamp):
  // Calculate Time-to-Install (TTI) in seconds
  tti = install_timestamp - click_timestamp

  // A very short TTI (e.g., under 10 seconds) is physically improbable
  // for a user to download and open an app.
  IF tti < 10:
    RETURN "HIGH_RISK_INSTALL"
  ELSE:
    RETURN "NORMAL_INSTALL"

🐍 Python Code Examples

This code demonstrates how to identify click spamming by tracking the number of clicks from a single IDFA within a given time window. It helps block automated scripts that generate a high volume of fake clicks.

# Dictionary to store click timestamps for each IDFA
click_logs = {}
from collections import deque
import time

# Function to detect frequent clicks from the same IDFA
def is_click_spam(idfa, time_window=60, max_clicks=10):
    current_time = time.time()
    if idfa not in click_logs:
        click_logs[idfa] = deque()

    # Remove old timestamps outside the window
    while (click_logs[idfa] and current_time - click_logs[idfa] > time_window):
        click_logs[idfa].popleft()

    # Add the current click time
    click_logs[idfa].append(current_time)

    # Check if click count exceeds the limit
    if len(click_logs[idfa]) > max_clicks:
        print(f"Fraud Detected: IDFA {idfa} exceeded {max_clicks} clicks in {time_window}s.")
        return True
    return False

# Simulate incoming clicks
is_click_spam("A1B2-C3D4-E5F6-G7H8")
is_click_spam("A1B2-C3D4-E5F6-G7H8") # ... (repeated 10 times)
is_click_spam("A1B2-C3D4-E5F6-G7H8")

This example shows how to filter out traffic from known fraudulent IP addresses. Maintaining a blocklist of IPs associated with botnets or data centers is a common and effective method for traffic protection.

# A set of known fraudulent IP addresses
IP_BLOCKLIST = {"203.0.113.1", "198.51.100.5", "192.0.2.100"}

def filter_by_ip(ip_address):
    """
    Checks if an IP address is in the blocklist.
    """
    if ip_address in IP_BLOCKLIST:
        print(f"Blocking request from known fraudulent IP: {ip_address}")
        return False
    else:
        print(f"Allowing request from IP: {ip_address}")
        return True

# Simulate incoming traffic
filter_by_ip("203.0.113.1") # This will be blocked
filter_by_ip("8.8.8.8")       # This will be allowed

Types of Identifier for advertisers IDFA

• Valid and Consented IDFA: A standard, user-approved IDFA that is passed in ad requests. This is the ideal state, allowing for accurate tracking and fraud detection based on a persistent device identifier. Its presence confirms the user has opted into tracking under the ATT framework.
• Zeroed-Out IDFA: Represented as a string of zeros (00000000-0000-0000-0000-000000000000). This occurs when a user has opted out of tracking via Apple's AppTrackingTransparency (ATT) prompt. It prevents cross-app tracking and limits the data available for fraud detection to other signals.
• Reset IDFA: A user can manually reset their IDFA at any time in their device settings. Fraudsters abuse this by repeatedly resetting the ID to appear as a new device, a scheme known as Device ID Reset Fraud, which aims to bypass frequency caps and detection rules.
• Identifier for Vendor (IDFV): An alternative identifier that is consistent across all apps from a single developer on a device. While not useful for cross-publisher ad fraud detection, it can be used to identify fraudulent activity within a publisher's own ecosystem of apps.

How Identifier For Vendors IDFV Works

User Device (iOS)
│
├── App A (Vendor X) → Generates/Accesses IDFV: "ABC-123"
│    │
│    └─► Ad Click/Event Data + IDFV Sent to Server
│
├── App B (Vendor X) → Generates/Accesses IDFV: "ABC-123" (Same IDFV)
│    │
│    └─► Ad Click/Event Data + IDFV Sent to Server
│
├── App C (Vendor Y) → Generates/Accesses IDFV: "XYZ-789" (Different IDFV)
│
└─► Server-Side Analysis
    │
    ├─► Collects data from App A & App B
    │
    └─► Compares traffic using shared IDFV "ABC-123"
        │
        └─► Identify suspicious patterns (e.g., high-frequency clicks from one IDFV across multiple apps) → Flag as potential fraud.

🧠 Core Detection Logic

Example 1: Cross-App Frequency Capping

This logic prevents ad fatigue and identifies non-human, rapid-fire clicking by limiting the number of times a user (identified by their IDFV) can interact with ads across a single vendor’s portfolio of apps in a given timeframe. It’s a first line of defense against simple bots.

// Define a threshold for maximum clicks per IDFV per hour
MAX_CLICKS_PER_HOUR = 20;

function onAdClick(idfv, timestamp) {
  // Get the current click count for this IDFV in the last hour
  click_count = getRecentClicksForIDFV(idfv, 1_hour);

  if (click_count >= MAX_CLICKS_PER_HOUR) {
    // Flag this click as fraudulent or suspicious
    logFraudulentActivity(idfv, "Exceeded cross-app frequency cap");
    return BLOCK_TRAFFIC;
  } else {
    // Record the valid click
    recordClick(idfv, timestamp);
    return ALLOW_TRAFFIC;
  }
}

Example 2: Behavioral Anomaly Detection

This logic identifies suspicious behavior by analyzing the time between events from the same IDFV across different apps. A human user cannot realistically open, interact with, and switch between multiple apps in a few seconds. This helps detect automated scripts.

// Define a minimum time threshold between actions in different apps
MIN_TIME_BETWEEN_APPS = 10_seconds;

function onAppEvent(idfv, app_id, timestamp) {
  last_event = getLastEventForIDFV(idfv);

  if (last_event && last_event.app_id != app_id) {
    time_diff = timestamp - last_event.timestamp;

    if (time_diff < MIN_TIME_BETWEEN_APPS) {
      logFraudulentActivity(idfv, "Implausible time between cross-app events");
      // This IDFV can be added to a watchlist for further monitoring
      addToWatchlist(idfv);
    }
  }
  // Record the current event
  recordAppEvent(idfv, app_id, timestamp);
}

Example 3: Install Validation

This logic helps prevent app install fraud. If an app install is attributed to a click, the system checks if the IDFV from the click matches the IDFV from the newly installed app. A mismatch could indicate that the install was not a direct result of the ad campaign, or it could be a sign of a more sophisticated attack.

function validateInstall(click_id, install_idfv, install_timestamp) {
  // Retrieve the click data associated with this install
  click_data = getClickData(click_id);

  if (!click_data) {
    logSuspiciousInstall(install_idfv, "Install without a corresponding click");
    return;
  }

  click_idfv = click_data.idfv;

  // Check if the IDFV from the click event matches the install event
  if (click_idfv != install_idfv) {
    logFraudulentActivity(click_idfv, "IDFV mismatch between click and install");
  } else {
    // IDFV matches, the install is likely legitimate from a cross-promotion
    logValidInstall(install_idfv);
  }
}

📈 Practical Use Cases for Businesses

The Identifier for Vendors (IDFV) is a unique, alphanumeric identifier assigned by Apple to all apps from the same developer on a device. It allows businesses to track user activity across their own apps without user consent, which is crucial for fraud detection, cross-promotion, and analytics, especially with the limitations on the IDFA. By using the IDFV, companies can identify suspicious patterns and protect their advertising budgets.

• Cross-Promotional Campaign Attribution: Use IDFV to accurately attribute app installs that originate from ads shown in other apps you own. This ensures you are not paying for organic installs and helps measure the true effectiveness of your internal campaigns.
• Fraudulent User Segmentation: Identify and segment users (IDFVs) that exhibit bot-like behavior across your app portfolio. This allows you to exclude them from future campaigns, ensuring your ad spend is focused on real users and improving campaign ROI.
• Internal Ad Frequency Capping: By tracking an IDFV across your apps, you can control how many times a specific user sees an ad from your network. This prevents ad fatigue, improves the user experience, and stops bots from generating excessive, low-quality impressions.
• Securing In-App Purchases: Monitor purchase behavior tied to a specific IDFV across all your apps. This can help identify users who abuse refund policies or use fraudulent payment methods in one app and attempt to do the same in another.

Example 1: Cross-Promotion Install Validation Rule

// Logic to validate an install coming from a cross-promotional ad
function validateCrossPromoInstall(click_idfv, install_idfv, campaign_type) {
  if (campaign_type === "CROSS_PROMOTION") {
    if (click_idfv === install_idfv) {
      // The install is from the same device that clicked the ad.
      return "VALID_INSTALL";
    } else {
      // The IDFVs do not match, indicating potential install fraud.
      return "FRAUDULENT_INSTALL";
    }
  }
  return "NOT_CROSS_PROMOTION";
}

Example 2: Bot Behavior Scoring Logic

// Pseudocode to score an IDFV based on suspicious cross-app activity
function calculateIdfvFraudScore(idfv) {
  let score = 0;
  const events = getEventsForIdfv(idfv, last_24_hours);

  // High number of events across multiple apps
  if (events.length > 500) {
    score += 30;
  }

  // Time between events is too short
  for (let i = 1; i < events.length; i++) {
    if (events[i].timestamp - events[i-1].timestamp < 2) { // Less than 2 seconds
      score += 5;
    }
  }

  // Same click pattern across different apps
  if (hasRepetitivePattern(events)) {
    score += 40;
  }

  return score; // Higher score means higher fraud probability
}

🐍 Python Code Examples

This Python code demonstrates a simple way to detect abnormal click frequency from the same Identifier for Vendors (IDFV) across a portfolio of apps. It works by tracking the timestamps of clicks for each IDFV and flagging those with an unusually high number of clicks in a short period, which is a common sign of bot activity.

from collections import defaultdict
from datetime import datetime, timedelta

# In-memory store for recent clicks (in a real system, use a database like Redis)
CLICK_EVENTS = defaultdict(list)
TIME_WINDOW = timedelta(minutes=5)
FREQUENCY_THRESHOLD = 15

def record_click(idfv: str, app_id: str):
    """Records a click event for a given IDFV and app."""
    now = datetime.now()
    
    # Clean up old events to save memory
    recent_clicks = [t for t in CLICK_EVENTS[idfv] if now - t < TIME_WINDOW]
    CLICK_EVENTS[idfv] = recent_clicks
    
    # Add the new click
    CLICK_EVENTS[idfv].append(now)
    
    print(f"Click recorded for IDFV: {idfv} from App: {app_id}")

def check_for_fraud(idfv: str) -> bool:
    """Checks if the IDFV has exceeded the click frequency threshold."""
    is_fraudulent = len(CLICK_EVENTS[idfv]) > FREQUENCY_THRESHOLD
    if is_fraudulent:
        print(f"  [!] Fraud Alert: High click frequency detected for IDFV {idfv}")
    return is_fraudulent

# --- Simulation ---
suspicious_idfv = "FRAUD-IDFV-1234"
normal_idfv = "NORMAL-IDFV-5678"

# Simulate a burst of clicks from a suspicious IDFV
for i in range(20):
    record_click(suspicious_idfv, f"App-{i % 3}")
check_for_fraud(suspicious_idfv)

# Simulate normal activity
record_click(normal_idfv, "App-A")
record_click(normal_idfv, "App-B")
check_for_fraud(normal_idfv)

This example shows how to analyze session behavior to identify suspicious users. The code calculates the time difference between consecutive events from the same IDFV across different apps. If the time is unnaturally short, it suggests automated behavior, as a human user cannot switch between and interact with apps that quickly.

# In-memory store for the last event from an IDFV
LAST_EVENT = {}
IMPLAUSIBLE_TIME_SECONDS = 2

def process_app_event(idfv: str, app_id: str):
    """Analyzes time between events to detect suspicious activity."""
    now = datetime.now()
    is_suspicious = False
    
    if idfv in LAST_EVENT:
        last_app, last_time = LAST_EVENT[idfv]
        
        # Check if the event is from a different app
        if app_id != last_app:
            time_diff = (now - last_time).total_seconds()
            if time_diff < IMPLAUSIBLE_TIME_SECONDS:
                print(f"  [!] Fraud Alert: Implausibly fast switch ({time_diff:.2f}s) for IDFV {idfv} between {last_app} and {app_id}")
                is_suspicious = True

    # Update the last event for this IDFV
    LAST_EVENT[idfv] = (app_id, now)
    return is_suspicious

# --- Simulation ---
bot_idfv = "BOT-IDFV-9012"

# Simulate a bot switching and clicking apps rapidly
process_app_event(bot_idfv, "GameApp")
import time
time.sleep(0.5) # Simulate a very short delay
process_app_event(bot_idfv, "SocialApp")

Types of Identifier For Vendors IDFV

• Standard IDFV: This is the default implementation from Apple, providing a consistent identifier for all apps from a single vendor on a user's device. It is the primary method for tracking a device's activity within a developer's own ecosystem without requiring App Tracking Transparency consent.
• Server-Validated IDFV: In this approach, the IDFV collected on the client-side is sent to a server and cross-referenced with other data points (like IP address or user agent) for validation. This helps ensure the IDFV is coming from a legitimate device and hasn't been tampered with or submitted via a fraudulent script.
• IDFV with Session Clustering: This method involves grouping multiple IDFVs that exhibit identical behavioral patterns (e.g., synchronized clicks, similar conversion times across different devices). This can help identify large-scale, coordinated fraud attacks where bots use different devices but are controlled by a single source.
• IDFV with Probabilistic Matching: When an IDFV is unavailable or changes (e.g., after app reinstallation), this technique uses other non-persistent signals like IP address, device model, and OS version to probabilistically link the new IDFV to the old one. This helps maintain a continuous user profile for fraud analysis.

How In app bidding Works

[User Action] → Ad Impression Available → App SDK → [In-App Bidding Auction]
                                                     │
               +─────────────────────────────────────+─────────────────────────────────────+
               │                                     │                                     │
         [Bid Request] → Demand Source A       [Bid Request] → Demand Source B       [Bid Request] → Demand Source C
               │             (Bid: $1.50)            │             (Bid: $0.75)            │             (Bid: $1.65 - Invalid)
               │                                     │                                     │
               ↓                                     ↓                                     ↓
     [Security Analysis]                     [Security Analysis]                     [Security Analysis]
       └─ IP Check: OK                         └─ Behavior Check: OK                    └─ Bot Signature: MATCH
       └─ Geo Check: OK                        └─ History Check: OK                     └─ IP Reputation: BAD
               │                                     │                                     │
            [VALID]                               [VALID]                               [INVALID]
               │                                     │                                     │
               +──────────────────┐                  │                  ┌──────────────────+
                                  │                  │                  │
                                  └─────→ [Auction Logic] ←─────────────┘
                                              │
                                              ↓
                                        [Highest Valid Bid Wins] → Ad Served (Source A)

🧠 Core Detection Logic

Example 1: Bid Request Velocity Analysis

This logic identifies non-human behavior by tracking the frequency of bid requests from a single device ID. An impossibly high number of requests in a short period indicates that a bot or script is operating the device, not a human. It is applied pre-bid to filter out suspicious devices before the auction.

FUNCTION check_request_velocity(device_id, request_timestamp):
  // Retrieve past request timestamps for the device_id
  request_history = get_request_history(device_id)

  // Count requests in the last 60 seconds
  recent_requests = count(t for t in request_history if now() - t < 60)

  IF recent_requests > 20: // Threshold for abnormal frequency
    FLAG as "Suspicious: High Request Velocity"
    RETURN INVALID
  ELSE:
    // Add current request to history
    add_to_history(device_id, request_timestamp)
    RETURN VALID

Example 2: App Bundle ID Spoofing Detection

This logic prevents a common type of fraud where a low-quality app pretends to be a high-value, popular app to attract higher bids. It cross-references the app’s claimed Bundle ID with a known, verified list of app store IDs. This check ensures the bid request is coming from a legitimate, correctly identified application.

FUNCTION verify_bundle_id(claimed_bundle_id, device_os):
  // Get verified list of bundle IDs from official app stores
  verified_list_ios = get_app_store_ids("iOS")
  verified_list_android = get_play_store_ids("Android")

  IF device_os == "iOS":
    IF claimed_bundle_id NOT IN verified_list_ios:
      FLAG as "Fraud: Spoofed Bundle ID"
      RETURN INVALID
  ELSE IF device_os == "Android":
    IF claimed_bundle_id NOT IN verified_list_android:
      FLAG as "Fraud: Spoofed Bundle ID"
      RETURN INVALID
  ELSE:
    RETURN VALID

Example 3: Geolocation Mismatch Detection

This logic identifies fraud by comparing the IP address location from the bid request with the device’s self-reported GPS location (if available and consented). A significant mismatch between the two can indicate the use of a proxy or VPN to fake a more valuable location, or that the IP address belongs to a data center.

FUNCTION check_geo_mismatch(ip_address, device_gps_coords):
  // Get geographic location from IP address
  ip_location = get_geo_from_ip(ip_address)

  // Get geographic location from GPS coordinates
  gps_location = get_geo_from_coords(device_gps_coords)

  // Calculate distance between the two locations
  distance = calculate_distance(ip_location, gps_location)

  IF distance > 100: // Set a reasonable threshold in kilometers
    FLAG as "Suspicious: Geo Mismatch"
    RETURN INVALID
  ELSE:
    RETURN VALID

📈 Practical Use Cases for Businesses

For businesses, in-app bidding’s data transparency is a powerful tool against ad fraud. By analyzing real-time bid streams, companies can protect their advertising budgets, ensure campaign data is clean, and improve return on ad spend (ROAS). The auction mechanics allow for pre-bid filtering, where traffic is vetted before a purchase is made, preventing wasted spend on fraudulent impressions generated by bots or other invalid sources. This leads to more accurate performance metrics and better-informed strategic decisions.

• Campaign Shielding – Protects active campaigns by using real-time bid data to identify and block traffic from known fraudulent sources like data centers or botnets before ad spend is committed.
• Performance Integrity – Ensures marketing analytics are based on real human interactions, not inflated by invalid clicks or impressions. This leads to more reliable key performance indicators (KPIs) and accurate ROAS calculations.
• Budget Optimization – Prevents ad budgets from being wasted on non-viewable or fraudulent inventory. By filtering out invalid traffic pre-bid, ad spend is automatically allocated toward legitimate, high-quality impressions that have a chance of converting.
• Supply Path Auditing – Provides transparency into the ad supply chain, allowing businesses to evaluate the quality of traffic from different publishers and ad exchanges, and to blacklist those with high rates of invalid traffic.

Example 1: Data Center IP Filtering Rule

This logic prevents bids originating from servers in data centers, which are a common source of non-human traffic. It checks the bid request’s IP against a known list of data center IP ranges. This is a fundamental pre-bid check to eliminate obvious bot traffic.

FUNCTION block_datacenter_traffic(bid_request):
  ip = bid_request.ip_address
  datacenter_ip_list = get_known_datacenter_ips()

  IF ip IN datacenter_ip_list:
    REJECT_BID("Source identified as data center")
    RETURN FALSE
  ELSE:
    ACCEPT_BID()
    RETURN TRUE

Example 2: Session Scoring for Engagement Fraud

This logic scores user sessions to detect sophisticated invalid traffic (SIVT) where a bot might mimic some human behavior. It analyzes a combination of signals from the bid request—like time-to-install, click frequency, and device properties—to assign a fraud score. Bids from sessions with scores above a certain threshold are blocked.

FUNCTION score_session_validity(bid_request):
  score = 0
  
  // Rule 1: Abnormally fast click-to-install time
  IF bid_request.ctit < 10 seconds:
    score += 40

  // Rule 2: Multiple rapid clicks from same device
  IF bid_request.click_frequency > 5 in last minute:
    score += 30

  // Rule 3: Mismatched device language and timezone
  IF bid_request.device_language != bid_request.timezone_inferred_language:
    score += 15

  // Rule 4: Outdated or unusual OS version
  IF bid_request.os_version is_known_compromised:
    score += 15

  IF score > 50: // Threshold for blocking
    REJECT_BID("Session score exceeds fraud threshold")
    RETURN "INVALID"
  ELSE:
    RETURN "VALID"

🐍 Python Code Examples

This Python function demonstrates a basic way to filter out bid requests coming from known fraudulent IP addresses, such as those associated with data centers or public proxies. By checking each incoming IP against a blocklist, businesses can perform a simple yet effective pre-bid check to reject obviously non-human traffic.

# A blocklist of known fraudulent IP addresses
FRAUDULENT_IPS = {"198.51.100.5", "203.0.113.10", "192.0.2.14"}

def filter_suspicious_ips(bid_request):
    """
    Checks if a bid request's IP is in a blocklist.
    """
    ip_address = bid_request.get("ip")
    if ip_address in FRAUDULENT_IPS:
        print(f"Blocking bid from suspicious IP: {ip_address}")
        return None
    
    print(f"Accepting bid from IP: {ip_address}")
    return bid_request

# Simulate incoming bid requests
bid1 = {"id": "xyz-123", "ip": "8.8.8.8"}
bid2 = {"id": "abc-456", "ip": "203.0.113.10"}

filter_suspicious_ips(bid1)
filter_suspicious_ips(bid2)

This example simulates the detection of click injection, a type of mobile ad fraud where malware on a device tries to claim credit for an app install. The code checks the time between a click and the subsequent install; an abnormally short time indicates that a script, not a user, likely triggered the install immediately after detecting a download.

import datetime

def detect_click_injection(click_timestamp, install_timestamp):
    """
    Analyzes the time between a click and an install (CTIT).
    A very short duration can indicate fraud.
    """
    time_delta = install_timestamp - click_timestamp
    
    # If install happens less than 10 seconds after the click, it's suspicious
    if time_delta.total_seconds() < 10:
        print(f"Fraud Alert: Click injection suspected. CTIT: {time_delta.total_seconds()}s")
        return True
        
    print(f"Valid Install: CTIT of {time_delta.total_seconds()}s is acceptable.")
    return False

# Simulate event timestamps
now = datetime.datetime.now()
click_time_valid = now - datetime.timedelta(minutes=5)
click_time_fraud = now - datetime.timedelta(seconds=3)
install_time = now

detect_click_injection(click_time_valid, install_time)
detect_click_injection(click_time_fraud, install_time)

This code analyzes user agent strings from bid requests to identify traffic from bots or emulators instead of genuine mobile devices. It flags requests that contain common bot signatures or lack standard mobile browser identifiers, helping to filter out non-human traffic sources.

def analyze_user_agent(bid_request):
    """
    Inspects the user agent string for signs of bots or emulators.
    """
    user_agent = bid_request.get("user_agent", "").lower()
    
    # Common bot/crawler signatures
    bot_signatures = ["bot", "crawler", "spider", "headlesschrome"]
    
    # Standard mobile identifiers
    mobile_identifiers = ["iphone", "android", "mobile"]
    
    is_bot = any(sig in user_agent for sig in bot_signatures)
    is_mobile = any(iden in user_agent for iden in mobile_identifiers)

    if is_bot or not is_mobile:
        print(f"Flagging suspicious user agent: {user_agent}")
        return False
        
    print(f"Valid mobile user agent: {user_agent}")
    return True

# Simulate incoming bid requests
bid_real_user = {"user_agent": "Mozilla/5.0 (iPhone; CPU iPhone OS 15_5 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.5 Mobile/15E148 Safari/604.1"}
bid_bot = {"user_agent": "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"}
bid_emulator = {"user_agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/103.0.5060.114 Safari/537.36"}

analyze_user_agent(bid_real_user)
analyze_user_agent(bid_bot)
analyze_user_agent(bid_emulator)

Types of In app bidding

• Pre-Bid Filtering – This is a real-time defense where incoming bid requests are scanned for fraudulent signals before they enter the auction. It blocks traffic from known bad IPs, suspicious devices, or non-compliant apps, preventing advertisers from ever bidding on invalid inventory.
• Post-Bid Analysis – This method analyzes impression-level data after an ad has been won and served. It detects anomalies like ad stacking, hidden ads, or abnormal click patterns. While it doesn't prevent the initial spend, it provides data to blacklist fraudulent publishers and claim refunds.
• Hybrid Bidding Model – This approach combines in-app bidding with traditional waterfall setups. A bidding auction runs first, and if the winning bid doesn't meet a certain price floor, the ad request then proceeds down a waterfall of ad networks. For fraud, this can add complexity but allows for layered security checks.
• Unified Auction – This is the purest form of in-app bidding, where all demand sources (ad networks, exchanges, DSPs) bid simultaneously in a single, flat auction. From a security standpoint, this type offers maximum transparency, as all bidders and their bid prices are visible at once, making it easier to spot collusion or widespread fraud patterns.

How In app events Works

[User Action in App] → [SDK Records Event] → [Data Sent to Server] → [+ Fraud Analysis +] → [Attribution Decision]
      │                     │                       │                      │                       └─ Legitimate: Attribute Install
      │                     │                       │                      │
      └─────────────────────┴───────────────────────┴──────────────────────┴─ Fraudulent: Block & Report

🧠 Core Detection Logic

Example 1: Event Timing Anomaly Detection

This logic identifies fraud by measuring the time between consecutive in-app events. Bots often trigger events at a speed no human could achieve. Detecting these impossibly short timeframes helps filter out automated traffic and protect attribution data.

FUNCTION check_event_timing(events):
  SORT events BY timestamp

  FOR i FROM 1 TO length(events):
    time_diff = events[i].timestamp - events[i-1].timestamp
    
    // Check time between install and first action
    IF events[i-1].name == "install" AND events[i].name == "purchase":
      IF time_diff < 10 SECONDS:
        RETURN "Fraud: Implausible install-to-purchase time."

    // Check time between sequential game levels
    IF events[i-1].name == "level_1_complete" AND events[i].name == "level_2_complete":
      IF time_diff < 5 SECONDS:
        RETURN "Fraud: Unnaturally fast level completion."
        
  RETURN "Legitimate"

Example 2: Behavioral Sequence Validation

This logic validates that in-app events occur in a logical order. Real users follow predictable paths (e.g., adding an item to a cart before purchasing). Bots may skip steps, and this rule catches illogical event sequences that expose non-human behavior.

FUNCTION validate_event_sequence(user_events):
  has_added_to_cart = FALSE
  has_purchased = FALSE

  FOR event IN user_events:
    IF event.name == "add_to_cart":
      has_added_to_cart = TRUE
    IF event.name == "purchase":
      has_purchased = TRUE
      IF has_added_to_cart == FALSE:
        RETURN "Fraud: Purchase event occurred without add_to_cart event."
  
  RETURN "Legitimate"

Example 3: Engagement Ratio Analysis

This logic assesses the quality of traffic from a specific source by comparing the number of installs to the number of meaningful post-install events. A high number of installs with almost no subsequent engagement is a strong indicator of an install farm or bot traffic.

FUNCTION analyze_publisher_quality(publisher_id):
  installs = get_installs_for_publisher(publisher_id)
  key_events = get_key_events_for_publisher(publisher_id) // e.g., level_complete, purchase

  IF count(installs) > 1000 AND count(key_events) == 0:
    RETURN "Fraud: High install volume with zero user engagement."
  
  engagement_ratio = count(key_events) / count(installs)
  
  IF engagement_ratio < 0.01: // Threshold for low engagement
    RETURN "Suspicious: Extremely low engagement ratio."

  RETURN "Legitimate"

📈 Practical Use Cases for Businesses

• Campaign Shielding – Reallocating advertising budgets away from fraudulent publishers and channels that deliver fake installs with no real user activity, thereby maximizing ROI.
• ROAS Protection – Ensuring that Return on Ad Spend (ROAS) calculations are based on genuine revenue-generating events, like real purchases, not faked actions from bots.
• Analytics Integrity – Keeping user analytics data clean from the noise of fake events, which allows for accurate product and marketing decisions based on real user behavior.
• Publisher Vetting – Identifying and blocking publishers who consistently send low-quality traffic characterized by high install counts but a complete lack of post-install engagement.

Example 1: New User Onboarding Funnel

This logic ensures that new users follow a plausible sequence of events during their first session. It helps catch bots that trigger a registration or purchase event immediately after install without completing the necessary intermediate steps like a tutorial.

FUNCTION check_new_user_funnel(user_id):
  events = get_events_for_user(user_id)
  
  install_time = find_event_timestamp(events, "install")
  tutorial_complete_time = find_event_timestamp(events, "tutorial_complete")
  registration_time = find_event_timestamp(events, "register")

  IF registration_time AND install_time:
    // Registration must happen after install
    IF registration_time < install_time:
      RETURN "Fraud: Registration before install."

    // Registration should follow tutorial
    IF registration_time < tutorial_complete_time:
      RETURN "Fraud: Registration before tutorial completion."
      
  RETURN "Legitimate"

Example 2: Purchase Value Anomaly Detection

This logic flags sources that generate an unusually high number of high-value purchase events. This is a common pattern in CPA fraud, where fraudsters aim to maximize payouts by faking the most valuable actions.

FUNCTION check_purchase_anomalies(publisher_id):
  purchases = get_purchase_events(publisher_id)
  
  high_value_purchases = 0
  FOR purchase IN purchases:
    IF purchase.value > 100: // Define high-value threshold
      high_value_purchases += 1
      
  total_purchases = count(purchases)
  
  IF total_purchases > 50:
    high_value_ratio = high_value_purchases / total_purchases
    IF high_value_ratio > 0.90:
      RETURN "Fraud: Suspiciously high ratio of high-value purchases."
      
  RETURN "Legitimate"

🐍 Python Code Examples

This Python code demonstrates how to calculate the Click-to-Install Time (CTIT) from a list of user events. Abnormally short CTIT values are a strong indicator of click injection fraud, where a fraudulent click is fired just before an install is completed to steal attribution.

import datetime

def analyze_ctit(events):
    """Analyzes click-to-install time to detect fraud."""
    click_time, install_time = None, None
    for event in events:
        if event['name'] == 'click':
            click_time = datetime.datetime.fromisoformat(event['timestamp'])
        if event['name'] == 'install':
            install_time = datetime.datetime.fromisoformat(event['timestamp'])

    if click_time and install_time:
        ctit = (install_time - click_time).total_seconds()
        if ctit < 10:  # A threshold of less than 10 seconds is highly suspicious
            print(f"Fraud detected: CTIT is suspiciously low at {ctit} seconds.")
            return False
    print("No fraud detected based on CTIT.")
    return True

# Example Data
user_events = [
    {'name': 'click', 'timestamp': '2023-10-27T10:00:00'},
    {'name': 'install', 'timestamp': '2023-10-27T10:00:05'}
]
analyze_ctit(user_events)

This example simulates checking for event frequency anomalies. It identifies users who generate an excessive number of events in a short period, a pattern that is characteristic of bot activity rather than genuine human interaction.

from collections import defaultdict

def check_event_frequency(event_stream, time_window_seconds=300, max_events=50):
    """Flags users with abnormal event frequency."""
    user_event_counts = defaultdict(int)
    
    for event in event_stream:
        user_id = event['user_id']
        user_event_counts[user_id] += 1

    for user, count in user_event_counts.items():
        if count > max_events:
            print(f"Fraud alert: User {user} generated {count} events in {time_window_seconds}s.")

# Example Data (simulating a stream of events over 5 minutes)
event_stream = [
    {'user_id': 'user_A', 'event': 'login'},
    {'user_id': 'user_B', 'event': 'level_up'},
    # ... imagine user_B has 99 more events here
]
# To simulate a full stream for user_B
for _ in range(99):
    event_stream.append({'user_id': 'user_B', 'event': 'action'})

check_event_frequency(event_stream, max_events=100)

Types of In app events

• Standard Events – These are common, predefined actions tracked across most apps, such as 'registration', 'login', or 'purchase'. Their standardized nature allows for easy, cross-platform analysis and benchmarking, providing a foundational layer for detecting broad, non-sophisticated fraud patterns.
• Custom Events – These are unique actions defined by the app developer, specific to the app's functionality, like 'character_upgrade' in a game or 'playlist_created' in a music app. They offer granular behavioral insights, making it harder for bots to mimic the full range of authentic user engagement.
• Revenue Events – A critical subcategory of events that includes a monetary value, such as 'af_revenue' for an in-app purchase. These are prime targets for fraudsters, and validating them is crucial for protecting against CPA fraud and ensuring accurate ROI calculations.
• Engagement Events – These actions signify active use but may not have direct monetary value, such as 'tutorial_complete' or 'level_achieved'. Tracking these helps build a behavioral profile to differentiate between genuinely engaged users and fraudulent installs that show no post-install activity.
• Sentinel Events – These are non-visible or dummy events implemented specifically as fraud traps. A real user would never trigger them, so any activity on these events is an immediate and definitive signal of a bot or a malicious actor interacting with the app's code.