Archives: Glossary Terms

How In app notifications Works

  +-----------------+      +-----------------+      +---------------------+      +----------------+
  |   User Action   | →    | Suspicion Trigger| →  | Notification Challenge| →  |  User Response |
  | (e.g., Ad Click)|      | (e.g., High Freq) |    |  (Active or Passive)  |    | (Tap or No-Tap)|
  +-----------------+      +-----------------+      +---------------------+      +----------------+
                                                                                       │
                                                                                       │
                                                                                       ▼
                                                                                +-------------+
                                                                                |  Validation |
                                                                                +-------------+
                                                                                       │
                                                                                       └─→ Invalid Traffic (Block)
                                                                                       │
                                                                                       └─→ Valid Traffic (Allow)

🧠 Core Detection Logic

Example 1: Interactive Engagement Verification

This logic actively challenges a suspicious user to prove they are human. When a session is flagged for unusual behavior (e.g., too many clicks in a short time), a non-intrusive notification is displayed, requiring a simple tap to proceed. This separates automated scripts from real users.

FUNCTION onAdClick(user_session):
  // Check if click frequency is abnormally high
  IF user_session.click_count > 5 AND user_session.time_since_last_click < 1000ms THEN
    // Trigger an interactive notification challenge
    challenge_result = displayVerificationNotification("Please tap here to continue")

    IF challenge_result IS "success" THEN
      // User is likely human, validate the click
      RETURN "VALID_CLICK"
    ELSE
      // No interaction or failed challenge, flag as bot
      RETURN "FRAUDULENT_CLICK"
    END IF
  ELSE
    RETURN "VALID_CLICK"
  END IF
END FUNCTION

Example 2: Silent Environment Check

This logic uses a notification that is invisible to the user. It acts as a trigger to run a client-side script that collects device and environment data. This is useful for detecting emulators, rooted devices, or other signs that the environment is not a standard mobile device.

FUNCTION onAppLaunch(device_info):
  // Trigger a silent notification to run a background check
  triggerSilentCheck()

  // The check gathers environment data
  environment_data = getEnvironmentData()

  IF environment_data.is_emulator == TRUE OR environment_data.is_rooted == TRUE THEN
    // High-risk environment, flag all actions from this device
    SET device_info.trust_score = 0.1
    LOG "Device flagged as high-risk emulator."
  ELSE
    SET device_info.trust_score = 0.9
  END IF
END FUNCTION

Example 3: Latency-Based Anomaly Detection

This logic measures the time it takes for a user to interact with a notification. Human interaction has a natural, variable delay, whereas bots often react instantly or not at all. An extreme latency measurement can indicate automated activity.

FUNCTION onChallengeIssued(timestamp_issued):
  // Display a simple interactive notification
  displaySimpleNotification("Confirmation needed")

  // Wait for user interaction
  WAIT for interaction_event

  // Record the time of interaction
  timestamp_responded = getCurrentTime()
  latency = timestamp_responded - timestamp_issued

  // Check if latency is within human-like range (e.g., >200ms and <5000ms)
  IF latency < 200ms OR latency > 5000ms THEN
    // Inhuman response time, likely a bot
    FLAG "High-risk: Latency anomaly"
    RETURN FALSE
  ELSE
    // Human-like response time
    RETURN TRUE
  END IF
END FUNCTION

📈 Practical Use Cases for Businesses

• Campaign Budget Shielding – In-app notifications can issue challenges before an ad click is registered, preventing bots from consuming PPC budgets on fake interactions and ensuring that ad spend is allocated toward genuine potential customers.
• Data Integrity for Analytics – By weeding out non-human traffic, this method ensures that user engagement metrics (like session duration, conversion rates) are accurate. This gives businesses a true understanding of campaign performance and user behavior.
• Improving ROAS – By blocking fraudulent clicks and fake installs attributed to them, businesses can significantly improve their Return on Ad Spend (ROAS), as marketing funds are directed only at traffic with a real potential for conversion.
• User Quality Verification – For apps that rely on acquiring high-quality users, notifications can act as a screening tool to filter out low-quality traffic from bot farms or emulators before they contaminate the user base.

Example 1: Geofencing with a Notification Challenge

A business running a geo-targeted campaign can use notifications to verify users from outside the target area who are using VPNs or proxies. If a user's IP address doesn't match their device's GPS location, a challenge is issued.

FUNCTION onUserImpression(user_data):
  // Campaign targets USA only
  target_country = "US"
  ip_country = getCountryFromIP(user_data.ip)
  gps_country = getCountryFromGPS(user_data.gps)

  // Mismatch detected
  IF ip_country != gps_country AND ip_country != target_country THEN
    // Issue a challenge to verify the user
    is_human = issueInAppChallenge("Please confirm your location to proceed")
    IF is_human == FALSE THEN
      BLOCK_TRAFFIC(user_data.ip)
    END IF
  END IF
END FUNCTION

Example 2: Session Scoring with Passive Checks

An e-commerce app can use silent in-app notifications to score session quality. A notification can trigger checks for bot-like behavior such as unnaturally fast navigation through product pages or adding items to a cart in milliseconds.

FUNCTION analyzeSession(session_events):
  // Passively trigger checks during the session
  session_score = 100
  time_between_events = calculateTimeDiff(session_events)

  // Check for inhuman speed
  IF time_between_events < 50ms THEN
    session_score = session_score - 50
  END IF

  // Check for standard device properties
  device_integrity = runSilentDeviceCheck()
  IF device_integrity IS "Compromised" THEN
    session_score = session_score - 40
  END IF

  // If score is too low, invalidate clicks from this session
  IF session_score < 50 THEN
    INVALIDATE_SESSION_CLICKS(session_events.session_id)
  END IF
END FUNCTION

🐍 Python Code Examples

This Python code simulates checking for rapid-fire clicks from a user. If more than a certain number of clicks occur within a short window, a function to trigger a notification challenge is called.

import time

user_clicks = {}
CLICK_LIMIT = 5
TIME_WINDOW = 2  # in seconds

def on_click(user_id):
    current_time = time.time()
    if user_id not in user_clicks:
        user_clicks[user_id] = []
    
    # Add current click time and filter out old ones
    user_clicks[user_id].append(current_time)
    user_clicks[user_id] = [t for t in user_clicks[user_id] if current_time - t < TIME_WINDOW]
    
    # Check for suspicious activity
    if len(user_clicks[user_id]) > CLICK_LIMIT:
        print(f"Suspicious activity from {user_id}. Triggering notification challenge.")
        trigger_notification_challenge(user_id)
    else:
        print(f"Click from {user_id} is valid.")

def trigger_notification_challenge(user_id):
    # This would call the app's notification system
    print(f"Verification notification sent to {user_id}.")

# Simulate clicks
on_click("user-123")
time.sleep(0.1)
on_click("user-123")
time.sleep(0.1)
on_click("user-123")
time.sleep(0.1)
on_click("user-123")
time.sleep(0.1)
on_click("user-123")
time.sleep(0.1)
on_click("user-123")

This example demonstrates a function that scores traffic based on a mix of factors, including the result of a hypothetical in-app notification challenge. A low score would indicate fraudulent traffic.

def score_traffic(request_data):
    score = 100
    
    # Check if a notification challenge was passed
    if request_data.get("notification_challenge_passed") == False:
        score -= 50
        
    # Penalize traffic from known data centers
    if is_from_datacenter(request_data.get("ip_address")):
        score -= 30
        
    # Check for a suspicious user agent
    if "headless" in request_data.get("user_agent", "").lower():
        score -= 20
        
    print(f"IP {request_data.get('ip_address')} scored {score}")
    
    if score < 50:
        print("Traffic is likely fraudulent.")
        return "FRAUD"
    else:
        print("Traffic appears legitimate.")
        return "LEGITIMATE"

def is_from_datacenter(ip):
    # Dummy function: in reality, this would check against a database of data center IPs
    return ip.startswith("10.0.")

# Simulate scoring two different requests
legit_request = {"ip_address": "8.8.8.8", "user_agent": "Mozilla/5.0", "notification_challenge_passed": True}
fraud_request = {"ip_address": "10.0.0.1", "user_agent": "HeadlessChrome", "notification_challenge_passed": False}

score_traffic(legit_request)
score_traffic(fraud_request)

Types of In app notifications

• Active Challenge Notifications

  These are explicit prompts that require direct user interaction. For example, a banner or modal may appear asking the user to tap a button or solve a simple puzzle. Their purpose is to confirm active human presence and engagement.

• Passive Verification Notifications

  These notifications are invisible to the user and run in the background. They trigger a script to collect data about the device environment, such as checking for emulators, root access, or other signs of a non-standard, automated setup. This provides verification without interrupting the user experience.

• Contextual Triggered Alerts

  These notifications are deployed only when a user's behavior crosses a predefined risk threshold, such as an impossible number of clicks per second or navigating the app with inhuman speed. The alert serves as a real-time check in response to a specific suspicious action.

• Administrative Fraud Alerts

  Unlike user-facing notifications, these are alerts sent directly to system administrators or advertisers. They are triggered when a significant pattern of fraudulent activity is detected, providing real-time insights for manual review or automated blocking of the identified fraud source.

How In app purchase Works

+-----------------+      +--------------------+      +----------------+      +---------------+
|   User Action   |----->|   App/SDK Event    |----->|  Validation    |----->| Fraud System  |
| (Makes Purchase)|      | (Incl. Receipt)    |      |  Server (MMP)  |      | (Analyzes Data) |
+-----------------+      +--------------------+      +----------------+      +---------------+
        │                                                    │                      │
        │                                                    │                      │
        └────────────────────────────────────────────────────┼──────────────────────┘
                                                             │
                                                    +----------------+
                                                    |  Store API     |
                                                    | (Apple/Google) |
                                                    +----------------+

🧠 Core Detection Logic

Example 1: Receipt Validation

This is the most fundamental logic. It checks if a revenue event reported by an ad network is accompanied by a valid purchase receipt from the app store. It prevents fraud where publishers send fake purchase events to make their traffic appear more valuable.

FUNCTION handle_purchase_event(event_data):
    IF event_data.has("receipt"):
        receipt = event_data.get("receipt")
        is_valid = validate_with_app_store(receipt)

        IF is_valid == TRUE:
            // Legitimate purchase
            ATTRIBUTE_REVENUE(event_data.source, event_data.amount)
        ELSE:
            // Invalid receipt
            FLAG_FRAUD(event_data.source, "Invalid Receipt")
    ELSE:
        // Missing receipt, indicates fraud
        FLAG_FRAUD(event_data.source, "Missing Purchase Receipt")
END FUNCTION

Example 2: Purchase Behavior Anomaly

This logic analyzes the timing and frequency of purchases to spot non-human behavior. A user making multiple high-value purchases immediately after install, or multiple users from the same source doing so, is highly suspicious and likely indicates automated bot activity.

FUNCTION check_purchase_behavior(user_id, install_timestamp, purchase_event):
    time_since_install = purchase_event.timestamp - install_timestamp
    purchase_amount = purchase_event.amount

    // Flag if a large purchase happens too quickly after install
    IF time_since_install < 60 seconds AND purchase_amount > 50.00:
        FLAG_FRAUD(user_id, "Anomalous First Purchase")
        RETURN

    // Flag if purchase frequency is too high
    recent_purchases = GET_PURCHASES(user_id, last_hour)
    IF count(recent_purchases) > 10:
        FLAG_FRAUD(user_id, "High Purchase Frequency")
END FUNCTION

Example 3: Geo-Mismatch Detection

This logic compares the geographic location of the click, the install, and the purchase. A significant mismatch—for instance, a click from Vietnam, an install in the US, and a purchase with a Brazilian currency—suggests the use of proxies or other masking techniques common in ad fraud.

FUNCTION check_geo_mismatch(click_data, install_data, purchase_data):
    click_country = click_data.country
    install_country = install_data.country
    purchase_currency = purchase_data.currency

    // Mapping currency to expected country for simplicity
    expected_country = get_country_for_currency(purchase_currency)

    IF click_country != install_country OR install_country != expected_country:
        FLAG_FRAUD(click_data.source, "Geo-Location Mismatch")
    ELSE:
        // Countries align, likely legitimate
        PROCESS_AS_VALID(purchase_data)
END FUNCTION

📈 Practical Use Cases for Businesses

• Campaign Optimization – Businesses can automatically pause or defund campaigns from ad networks that deliver traffic with low rates of verified in-app purchases, reallocating budget to high-performing, legitimate sources.
• Protecting ROAS Metrics – By filtering out fraudulent revenue events, companies ensure their Return on Ad Spend (ROAS) calculations are based on real income, leading to more accurate and reliable business decisions.
• User Quality Verification – IAP validation serves as definitive proof that an acquired user is genuine and engaged, helping app marketers build a clean, high-value user base and avoid rewarding publishers for fake users.
• Refund Fraud Detection – By tracking which purchases are later refunded through the app stores, businesses can identify advertising partners who drive users that exploit refund policies, a common form of IAP fraud.

Example 1: New User Purchase Velocity Rule

This pseudocode checks if a new user, attributed to a specific ad partner, makes an unusually high number of purchases within the first 24 hours. This helps catch bots programmed to simulate high engagement immediately after an install.

FUNCTION analyze_new_user_purchases(user):
  IF user.install_age < 24 hours:
    purchases = get_validated_purchases(user.id)
    
    IF count(purchases) > 5:
      // Flag the ad partner for review
      FLAG_PARTNER(user.source_partner, "High New User Purchase Velocity")
      // Invalidate revenue from this user for ROAS calculation
      MARK_USER_AS_SUSPICIOUS(user.id)

Example 2: Cross-Device Purchase Validation

This logic flags traffic as suspicious if multiple distinct user accounts, all attributed to the same advertising click ID, make separate purchases. This pattern can indicate a single fraudulent actor using a device farm or emulators to generate fake conversions.

FUNCTION check_click_to_purchase_ratio(click_id):
  // Get all users and purchases attributed to a single ad click
  associated_users = get_users_for_click(click_id)
  total_purchases = 0
  
  FOR user IN associated_users:
    total_purchases += count_validated_purchases(user.id)
  
  // A single click should ideally lead to one user's purchases
  IF count(associated_users) > 1 AND total_purchases > 1:
    FLAG_CLICK(click_id, "Click ID associated with multiple purchasers")

🐍 Python Code Examples

This code demonstrates a simple function to validate an in-app purchase. It checks for the presence of a receipt and simulates calling an external service to verify its authenticity, which is a core step in preventing revenue fraud.

def validate_purchase(purchase_event):
    """
    Validates an in-app purchase by checking for a receipt and its authenticity.
    Returns True for valid purchases, False for fraudulent ones.
    """
    receipt = purchase_event.get("receipt_data")
    source_publisher = purchase_event.get("publisher_id")

    if not receipt:
        print(f"FRAUD: No receipt found for purchase from {source_publisher}.")
        return False

    # In a real system, this would be an API call to Apple/Google
    is_authentic = external_receipt_validator(receipt)

    if not is_authentic:
        print(f"FRAUD: Invalid or reused receipt from {source_publisher}.")
        return False

    print(f"SUCCESS: Validated purchase from {source_publisher}.")
    return True

# --- Helper for simulation ---
def external_receipt_validator(receipt):
    # Simulate validation: reject receipts that are empty or contain "fake"
    return receipt is not None and "fake" not in receipt

# --- Example Usage ---
valid_event = {"publisher_id": "network_A", "revenue": 9.99, "receipt_data": "valid_receipt_string"}
fraud_event_1 = {"publisher_id": "network_B", "revenue": 29.99, "receipt_data": None}
fraud_event_2 = {"publisher_id": "network_C", "revenue": 49.99, "receipt_data": "fake_receipt"}

validate_purchase(valid_event)
validate_purchase(fraud_event_1)
validate_purchase(fraud_event_2)

This example identifies suspicious purchase frequency from a single user or IP address. It helps detect non-human or bot-like behavior where a user makes an unrealistic number of purchases in a short time, a common indicator of automated fraud.

from collections import defaultdict

# Store purchase timestamps per user_id
purchase_logs = defaultdict(list)
PURCHASE_TIME_THRESHOLD_SECONDS = 60 # 1 minute
MAX_PURCHASES_IN_THRESHOLD = 3

def record_and_check_purchase(user_id, timestamp):
    """
    Records a purchase and checks if the frequency is suspiciously high.
    """
    purchase_logs[user_id].append(timestamp)
    
    # Get recent purchases within the time window
    recent_timestamps = [t for t in purchase_logs[user_id] if timestamp - t < PURCHASE_TIME_THRESHOLD_SECONDS]
    
    if len(recent_timestamps) > MAX_PURCHASES_IN_THRESHOLD:
        print(f"FRAUD ALERT: User {user_id} made {len(recent_timestamps)} purchases in under a minute.")
        return False
        
    print(f"User {user_id} purchase recorded.")
    return True

# --- Example Simulation ---
user_A = "user_123"
record_and_check_purchase(user_A, 1672531200) # Purchase 1
record_and_check_purchase(user_A, 1672531210) # Purchase 2
record_and_check_purchase(user_A, 1672531220) # Purchase 3
record_and_check_purchase(user_A, 1672531230) # Purchase 4 -> triggers alert

Types of In app purchase

• Receipt Validation – This is the most direct form of IAP analysis. It involves sending the purchase receipt generated by the app store to a server for verification. This confirms the transaction was real and not a fake event sent by a fraudulent publisher to claim credit for a high-value user.
• Purchase Velocity Analysis – This method analyzes the time between an app install and the first purchase, as well as the frequency of subsequent purchases. A burst of rapid purchases immediately after install is a strong indicator of automated bot activity, not genuine user behavior.
• Refund and Chargeback Monitoring – This type tracks which users, and by extension which acquisition sources, have a high rate of refunded purchases. Fraudsters often make real purchases to trigger a CPA event and then request a refund, making this a critical metric for identifying IAP abuse.
• SKU and Price Point Analysis – This involves monitoring the types of items and price points being purchased. Fraudulent activity may focus on specific, low-friction SKUs or show unusual patterns, like purchasing items in a nonsensical order, which deviates from legitimate user behavior.
• Geographic Mismatch Detection – This technique cross-references the location of the user’s device, the currency used for the purchase, and the region of the app store. A mismatch, such as a purchase in Russian rubles from a device located in Vietnam, is a red flag for fraud.

How In game purchase Works

+----------------+      +--------------------+      +------------------+      +-------------------+      +-------------------+
|   Fraud Bot    |----->| Fake In-Game Actions|----->| Trigger Ad Event |----->|  Simulate Click/  |----->|   Ad Network      |
| (Emulator/Script)|      | (e.g., Level Up)   |      | (View/Install)   |      |  In-App Purchase  |      |  (Records Invalid Data) |
+----------------+      +--------------------+      +------------------+      +-------------------+      +-------------------+
        │                      │                             │                            │                      │
        └──────────────────────┴─────────────┬─────────────┴────────────────────────────┴──────────────────────┘
                                             │
                               +-----------------------------+
                               | Traffic Security System     |
                               | (Analyzes & Flags Anomaly) |
                               +-----------------------------+

🧠 Core Detection Logic

Example 1: Behavioral Heuristics

This logic identifies non-human patterns by analyzing the timing and sequence of events within a user session. Real players exhibit variability in their actions, while bots are often repetitive and unnaturally fast. This check fits within a real-time traffic filtering layer to flag suspicious sessions for deeper inspection or immediate blocking.

FUNCTION check_behavioral_heuristics(session_events):
  // Rule 1: Check for unnaturally short time between key events
  level_start_time = session_events.get_event_time("level_start")
  level_complete_time = session_events.get_event_time("level_complete")
  time_to_complete = level_complete_time - level_start_time

  IF time_to_complete < MIN_LEGITIMATE_DURATION:
    RETURN "FLAGGED: Impossibly fast completion"

  // Rule 2: Check for repetitive, non-varying action sequences
  action_pattern = session_events.get_action_sequence()
  IF is_highly_repetitive(action_pattern):
    RETURN "FLAGGED: Repetitive bot-like behavior"

  // Rule 3: Check for ad interaction without core gameplay
  IF session_events.has("ad_click") AND NOT session_events.has("core_gameplay_action"):
    RETURN "FLAGGED: Ad interaction without engagement"

  RETURN "PASSED"

Example 2: Purchase Receipt Validation

This logic validates in-app purchases that trigger cost-per-action (CPA) ad events. It ensures a purchase is legitimate by checking its transaction receipt with the corresponding app store (Apple or Google). This is a critical backend process to prevent fraudsters from faking high-value conversion events.

FUNCTION validate_purchase_event(purchase_data):
  receipt = purchase_data.get_receipt()
  transaction_id = purchase_data.get_transaction_id()
  app_id = purchase_data.get_app_id()

  IF receipt IS NULL:
    RETURN "REJECTED: Missing purchase receipt" // Flag suspicious transactions without receipts.

  // Send receipt to the app store's validation service
  is_valid_receipt = app_store_api.validate(receipt, transaction_id)

  IF NOT is_valid_receipt:
    RETURN "REJECTED: Invalid app store receipt"

  // Check if receipt details match the transaction
  receipt_app_id = receipt.get_app_id()
  IF app_id != receipt_app_id:
    RETURN "REJECTED: App ID mismatch"

  RETURN "VERIFIED"

Example 3: Device Integrity & Environment Check

This logic checks the user's device for signs of tampering or virtualization, which are common hallmarks of bot farms. It identifies emulators, rooted (Android) or jailbroken (iOS) devices, and other environments frequently used to scale fraudulent activities. This check is often performed by an SDK integrated into the app.

FUNCTION check_device_integrity(device_info):
  // Check 1: Detect if the app is running in an emulator
  IF device_info.is_emulator():
    RETURN "FLAGGED: Running on an emulator"

  // Check 2: Detect if the device has root or jailbreak access
  IF device_info.is_rooted() OR device_info.is_jailbroken():
    RETURN "FLAGGED: Compromised device (root/jailbreak)"

  // Check 3: Check for known fraudulent device signatures
  device_signature = device_info.get_fingerprint()
  IF is_in_fraud_database(device_signature):
    RETURN "FLAGGED: Device signature is blacklisted"

  // Check 4: Check for VPN or Proxy usage to mask location
  IF device_info.is_using_proxy() OR device_info.is_using_vpn():
    RETURN "FLAGGED: Connection masked by Proxy/VPN"

  RETURN "PASSED"

📈 Practical Use Cases for Businesses

• Campaign Shielding – Protects cost-per-install (CPI) and cost-per-action (CPA) campaigns by ensuring payments are for real users and events, not bot-generated fakes. This directly prevents budget waste on fraudulent channels.
• Data Integrity for LTV – Ensures that user lifetime value (LTV) models are built on clean data from genuine players, leading to more accurate revenue forecasting and smarter user acquisition strategies.
• Blocking Ad Farming – Prevents bots from repeatedly "watching" rewarded video ads or clicking banners solely to generate ad revenue for a fraudulent publisher, which protects brand safety and marketing ROI.
• Preventing Chargeback Fraud – In cases where fraudsters use stolen credit cards for in-app purchases, detection helps refuse the transaction, saving the business from chargeback fees and revenue loss.

Example 1: Session Velocity Rule

This logic flags users who trigger an unusually high number of ad events in a short period, a strong indicator of automated ad farming. It's used to protect the budget allocated for rewarded ads.

// Logic to detect ad farming velocity
DEFINE RULE high_ad_velocity:
  WHEN user_session
  AGGREGATE COUNT(rewarded_ad_view) AS ad_count
  OVER 1_HOUR

  CONDITION:
    ad_count > 25

  ACTION:
    FLAG_USER_AS_SUSPICIOUS
    PAUSE_ADS_FOR_USER(24_HOURS)

Example 2: Conversion Behavior Scoring

This pseudocode scores a user based on post-install behavior. A low score indicates a likely fake install, where the "user" installs the app to trigger a CPI event but shows no genuine engagement afterward.

// Score user quality post-install to validate install events
FUNCTION score_user_engagement(user_id, time_since_install):
  IF time_since_install > 72_HOURS:
    events = GET_USER_EVENTS(user_id)

    score = 0
    IF events.contains("tutorial_completed"): score += 20
    IF events.contains("level_5_reached"): score += 30
    IF events.contains("made_in_app_purchase"): score += 50

    IF score < 10:
      // This user is likely a fake install with no real engagement
      MARK_INSTALL_AS_INVALID(user_id)
    ELSE:
      MARK_INSTALL_AS_VALID(user_id)

🐍 Python Code Examples

This code simulates checking for click flooding, where a single IP address generates an unreasonable number of clicks in a short time. This helps block IPs that are part of a botnet or click farm.

# Dictionary to store click timestamps for each IP
ip_click_logs = {}
CLICK_LIMIT = 10
TIME_WINDOW_SECONDS = 60

def is_click_flood(ip_address, current_time):
    """Checks if an IP is generating too many clicks."""
    if ip_address not in ip_click_logs:
        ip_click_logs[ip_address] = []

    # Remove clicks outside the time window
    ip_click_logs[ip_address] = [t for t in ip_click_logs[ip_address] if current_time - t < TIME_WINDOW_SECONDS]

    # Add the new click
    ip_click_logs[ip_address].append(current_time)

    # Check if the click limit is exceeded
    if len(ip_click_logs[ip_address]) > CLICK_LIMIT:
        print(f"FLAGGED: Click flood detected from IP {ip_address}")
        return True
    return False

# Example usage
import time
is_click_flood("192.168.1.101", time.time())

This example demonstrates how to identify bot traffic by analyzing user-agent strings. Bots often use generic, outdated, or inconsistent user agents that differ from those of legitimate mobile devices.

def analyze_user_agent(user_agent):
    """Analyzes a user-agent string for signs of being a bot."""
    suspicious_keywords = ["bot", "spider", "headless", "okhttp"]
    legit_mobile_keywords = ["Mobile", "Android", "iPhone"]

    ua_lower = user_agent.lower()

    # Rule 1: Check for explicit bot keywords
    if any(keyword in ua_lower for keyword in suspicious_keywords):
        print(f"FLAGGED: Suspicious keyword found in User-Agent: {user_agent}")
        return False

    # Rule 2: Check for presence of typical mobile identifiers
    if not any(keyword in user_agent for keyword in legit_mobile_keywords):
        print(f"FLAGGED: Non-standard or missing mobile identifier: {user_agent}")
        return False

    print("PASSED: User-Agent appears legitimate.")
    return True

# Example Usage
analyze_user_agent("Mozilla/5.0 (Linux; Android 12; Pixel 6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Mobile Safari/537.36")
analyze_user_agent("python-requests/2.28.1")

Types of In game purchase

• Click Injection Fraud – A malicious app on a user's device detects when another app is being installed and triggers a fake click just before the installation completes. This allows the fraudster to illegitimately claim credit for an organic install and receive a payout.
• Ad Farming Bots – Automated scripts or bots run inside a game with the sole purpose of repeatedly viewing ads to collect in-game rewards. This generates a high volume of fake ad impressions, draining advertiser budgets on users who have no genuine interest in the game or the ads.
• Purchase Receipt Forgery – Fraudsters use hacked or fake purchase receipts to trick an app into unlocking premium content or features. When this fake purchase is tied to a Cost-Per-Action (CPA) campaign, it causes the advertiser to pay for a nonexistent sale.
• SDK Spoofing – Bots mimic the communication signals sent by a legitimate ad SDK (Software Development Kit) to an ad network's servers. This creates completely fabricated ad impressions and clicks without an ad ever being displayed in a real app, making it appear as if legitimate activity occurred.
• Refund Abuse for CPA – A user, often a fraudster, makes a legitimate in-app purchase using a real payment method to trigger a CPA event for an advertiser. Shortly after, they request a refund from the app store, effectively getting the product for free while the advertiser still pays for the "conversion."

How In stream ads Works

Ad Impression/Click Request
           │
           ▼
+-------------------------+
│   In-Stream Gateway     │
│  (Traffic Interceptor)  │
+-------------------------+
           │
           ▼
+-------------------------+
│  Real-Time Analysis     │◀───[Fraud Signature & Rule Database]
│  (IP, UA, Behavior)     │
+-------------------------+
           │
           ▼
+-------------------------+
│     Decision Engine     │
+-------------------------+
      │             └─┐
      ▼               ▼
[ Allow ]        [ Block/Flag ]
   │                 │
   ▼                 ▼
Ad Served        No Ad Served /
(Valid)           (Invalid)

🧠 Core Detection Logic

Example 1: Timestamp Anomaly Detection

This logic identifies non-human click velocity by tracking the time between clicks from a single source. It is applied in-stream to detect and block bots programmed to click ads at a rate impossible for a human, preventing rapid-fire attacks that drain budgets.

FUNCTION checkTimestamp(request):
  ip = request.get_ip()
  currentTime = now()
  
  IF ip in recent_clicks:
    lastClickTime = recent_clicks[ip]
    timeDifference = currentTime - lastClickTime
    
    IF timeDifference < THRESHOLD_SECONDS:
      RETURN "BLOCK"  // Click is too fast
      
  recent_clicks[ip] = currentTime
  RETURN "ALLOW"

Example 2: User-Agent and Header Consistency Check

This logic validates the identity of a visitor by checking for inconsistencies between the User-Agent (UA) string and other HTTP headers. For instance, a UA might claim to be a mobile browser, but the other headers might match a desktop Linux server. This is a common sign of a simple bot and is checked in-stream to block low-quality automated traffic.

FUNCTION checkHeaders(request):
  ua_string = request.headers['User-Agent']
  accept_language = request.headers['Accept-Language']
  
  // Example rule: A Chrome UA should typically have a specific language format
  IF "Chrome" in ua_string AND not accept_language.startswith("en-US"):
     // This is a simplified rule; real rules are more complex
     IF "Headless" in ua_string:
        RETURN "BLOCK" // Known headless browser
        
  // Example rule: Check for known bot signatures in UA
  IF "bot" in ua_string.lower() or "spider" in ua_string.lower():
    RETURN "BLOCK"
    
  RETURN "ALLOW"

Example 3: Geo-IP vs. Timezone Mismatch

This rule flags fraudulent traffic by comparing the geographic location derived from an IP address with the user's browser timezone. A significant mismatch—for example, an IP address in Vietnam with a browser timezone set to America/New_York—suggests the use of a proxy or VPN to disguise the user's true origin.

FUNCTION checkGeoMismatch(request):
  ip_geo = get_geo_from_ip(request.get_ip()) // e.g., "Vietnam"
  browser_timezone = request.get_timezone()  // e.g., "America/New_York"
  
  expected_timezone_region = get_region_from_timezone(browser_timezone) // "North America"
  
  IF ip_geo.country != expected_timezone_region.country:
    score_risk(request, HIGH_RISK_FACTOR)
    RETURN "BLOCK"
    
  RETURN "ALLOW"

📈 Practical Use Cases for Businesses

• Campaign Shielding – Protects advertising budgets by applying real-time filters that block bots and other invalid traffic before a click is charged, ensuring spend is allocated toward genuine potential customers.
• Lead Generation Integrity – Improves the quality of incoming leads by preventing fake form submissions from bots, ensuring that sales and marketing teams engage with real prospects.
• Accurate Performance Analytics – Ensures marketing data is clean and reliable by filtering out non-human interactions. This leads to more accurate metrics like CTR and conversion rates, enabling better strategic decisions.
• Retargeting Audience Purification – Prevents bots from being added to retargeting lists. This stops ad spend from being wasted on showing ads to automated scripts and improves the efficiency of retargeting campaigns.

Example 1: Data Center IP Blocking Rule

This pseudocode demonstrates a fundamental rule used to protect campaigns from non-human traffic originating from servers, which is a primary source of bot activity. By checking if the source IP belongs to a known data center, businesses can immediately block a significant portion of automated fraud.

// Rule: Block traffic from known data centers
FUNCTION handle_request(ip_address):
  is_datacenter_ip = check_ip_against_datacenter_list(ip_address)

  IF is_datacenter_ip:
    ACTION: BLOCK_REQUEST
    LOG ("Blocked data center IP: " + ip_address)
  ELSE:
    ACTION: ALLOW_REQUEST

Example 2: Session Click Frequency Cap

This logic prevents a single user (or bot) from clicking on ads an excessive number of times within a short session, a common pattern in both competitor-driven click fraud and sophisticated bot attacks. This protects campaign budgets from being drained by a single malicious actor.

// Rule: Limit clicks per session
FUNCTION handle_click(session_id, click_timestamp):
  session = get_session(session_id)
  
  IF session.click_count > 5 AND (click_timestamp - session.first_click_time) < 3600:
    ACTION: INVALIDATE_CLICK
    LOG ("Session click limit exceeded for: " + session_id)
  ELSE:
    session.click_count += 1
    ACTION: VALIDATE_CLICK

🐍 Python Code Examples

This Python function simulates a basic in-stream check for rapid-fire clicks from the same IP address. It uses a dictionary to track the timestamp of the last click from each IP, blocking any subsequent clicks that occur within a prohibitively short time frame (e.g., 2 seconds).

import time

CLICK_HISTORY = {}
THRESHOLD_SECONDS = 2

def is_click_fraudulent(ip_address):
    current_time = time.time()
    
    if ip_address in CLICK_HISTORY:
        last_click_time = CLICK_HISTORY[ip_address]
        if current_time - last_click_time < THRESHOLD_SECONDS:
            print(f"Fraudulent click detected from {ip_address}")
            return True
            
    CLICK_HISTORY[ip_address] = current_time
    print(f"Legitimate click from {ip_address}")
    return False

# --- Simulation ---
is_click_fraudulent("8.8.8.8")
time.sleep(1)
is_click_fraudulent("8.8.8.8") # This will be flagged as fraudulent
time.sleep(3)
is_click_fraudulent("8.8.8.8") # This will be allowed

This code provides a simple filter to identify requests coming from known bot User-Agents. It checks the User-Agent string against a predefined list of patterns associated with automated crawlers and bots, blocking any matches to prevent them from interacting with ads.

BOT_SIGNATURES = ["bot", "spider", "crawler", "headlesschrome"]

def is_user_agent_a_bot(user_agent_string):
    ua_lower = user_agent_string.lower()
    for signature in BOT_SIGNATURES:
        if signature in ua_lower:
            print(f"Bot signature '{signature}' found in User-Agent.")
            return True
    print("User-Agent appears legitimate.")
    return False

# --- Simulation ---
ua1 = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
ua2 = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36"

is_user_agent_a_bot(ua1) # Will be detected as a bot
is_user_agent_a_bot(ua2) # Will be considered legitimate

Types of In stream ads

• Signature-Based Filtering: This type operates by checking incoming traffic against a known blocklist of malicious actors. It identifies and blocks requests from IP addresses, device IDs, or user agents that have been previously flagged for fraudulent activity, acting as a real-time security checkpoint.
• Heuristic Rule-Based Analysis: This method applies a set of logical rules to identify suspicious behavior in real time. For example, a rule might block a click if it originates from a server IP (data center) or if the time between impression and click is impossibly short, indicating non-human activity.
• Behavioral Analysis: This type analyzes patterns in user interactions as they happen. It looks at metrics like mouse movement, click speed, and navigation flow to determine if the behavior is consistent with a human or an automated script. Traffic exhibiting robotic behavior is blocked instantly.
• Geographic and Network Anomaly Detection: This focuses on identifying inconsistencies in the traffic's network data. It blocks clicks that show a mismatch between IP address location and browser language or timezone, or flags traffic coming through anonymous proxies and VPNs commonly used to mask fraudulent origins.

How Instant apps Works

User Click on Ad ─→ Ad Server │ │ └─> Deliver Ad Content │ └─> Deploy Instant App (JavaScript Snippet) │ └─> Client-Side Analysis +──────────────+──────────────+ │ │ │ ▼ ▼ ▼ IP & Proxy Check Device Fingerprint Behavioral Heuristics │ │ │ └───────────┼───────────┘ │ ▼ Security System Decision │ ├─> [VALID] ─> Allow & Log Conversion └─> [INVALID] ─> Block, Flag & Report

🧠 Core Detection Logic

Example 1: Behavioral Anomaly Detection

This logic analyzes user interaction patterns in real-time to distinguish between human and bot behavior. It is crucial for catching sophisticated bots that can mimic human-like device properties but fail to replicate natural engagement. This check happens instantly upon the user landing on the page.

FUNCTION check_behavior(session_data):
  # Rule 1: Check for immediate bounce (time on page < 1 second)
  IF session_data.time_on_page < 1 THEN
    RETURN "INVALID"

  # Rule 2: Check for lack of mouse movement or scrolling
  IF session_data.mouse_movements == 0 AND session_data.scroll_events == 0 THEN
    RETURN "INVALID"
    
  # Rule 3: Check for impossibly fast form submission
  IF session_data.form_fill_time < 2 SECONDS THEN
    RETURN "INVALID"

  RETURN "VALID"
END FUNCTION

Example 2: Device & Browser Fingerprinting

This technique creates a unique signature from a user’s device and browser attributes. It helps identify bots that cycle through IPs but retain the same underlying device configuration. This logic is applied the moment the Instant App snippet loads, providing a baseline for identifying repeat offenders.

FUNCTION analyze_fingerprint(device_info):
  # Create a unique hash from device properties
  fingerprint = HASH(device_info.os + device_info.browser + device_info.resolution + device_info.plugins)

  # Check if fingerprint is associated with known fraud
  IF is_in_blacklist(fingerprint) THEN
    RETURN "INVALID"

  # Check for inconsistencies (e.g., mobile user agent on desktop resolution)
  IF device_info.user_agent.contains("Android") AND device_info.resolution == "1920x1080" THEN
    RETURN "INVALID"

  RETURN "VALID"
END FUNCTION

Example 3: IP Reputation & Geolocation Mismatch

This rule checks the user’s IP address against known fraud databases (like data centers, proxies, or VPNs) and validates its location against campaign targeting parameters. It’s a fundamental, first-line defense against common bot traffic and irrelevant clicks from outside the target market.

FUNCTION validate_ip(ip_address, campaign_targeting):
  # Check if IP is from a known data center or VPN
  IF get_ip_type(ip_address) IN ["DATACENTER", "VPN", "PROXY"] THEN
    RETURN "INVALID"

  # Check if the IP's country matches the campaign's target country
  ip_country = get_country(ip_address)
  IF ip_country != campaign_targeting.country THEN
    RETURN "INVALID"

  RETURN "VALID"
END FUNCTION

📈 Practical Use Cases for Businesses

• Campaign Shielding – Protects PPC campaign budgets by deploying real-time analysis to block clicks from bots, data centers, and VPNs before they are charged, ensuring ad spend is directed only at genuine potential customers.
• Data Integrity – Ensures marketing analytics are clean and reliable by filtering out non-human and fraudulent traffic. This leads to more accurate KPIs, such as CTR and conversion rates, and better-informed strategic decisions.
• Lead Generation Quality – Improves the quality of incoming leads by preventing fake form submissions from bots. This saves sales teams time and resources by ensuring they only follow up on leads from genuine human interactions.
• ROAS Optimization – Maximizes Return on Ad Spend (ROAS) by reducing wasted expenditure on fraudulent interactions. By paying only for valid traffic, businesses improve the overall efficiency and profitability of their advertising efforts.

Example 1: Geolocation Fencing Rule

# This rule blocks any click originating from a country not specified in the campaign's targeting.
# It is used to prevent budget waste on irrelevant geographic locations.

DEFINE_RULE GeoFence:
  WHEN click.ip_geolocation.country NOT IN campaign.target_countries
  THEN BLOCK_CLICK
  REASON "Geographic Mismatch"
END

Example 2: Session Interaction Scoring

# This logic scores a session based on behavior. A session with no interaction (scrolling, moving the mouse)
# receives a high fraud score and is flagged. It helps filter out simple bots that load a page but do not interact.

FUNCTION score_session(events):
  score = 0
  IF events.scroll_depth < 10 THEN score += 40
  IF events.mouse_movement_distance < 50 THEN score += 50
  IF events.time_on_page < 2 THEN score += 60
  
  IF score > 90 THEN
    FLAG_AS_FRAUD "Behavioral analysis failed"
  END
END

🐍 Python Code Examples

This function simulates checking for abnormally high click frequency from a single IP address within a short time frame. It helps detect basic bot attacks or click farm activity by flagging IPs that exceed a reasonable click threshold.

CLICK_LOGS = {}
TIME_WINDOW = 60  # seconds
CLICK_THRESHOLD = 5

def is_frequent_click(ip_address, current_time):
    """Checks if an IP has an unusually high click frequency."""
    if ip_address not in CLICK_LOGS:
        CLICK_LOGS[ip_address] = []
    
    # Remove clicks outside the time window
    CLICK_LOGS[ip_address] = [t for t in CLICK_LOGS[ip_address] if current_time - t < TIME_WINDOW]
    
    # Add current click and check threshold
    CLICK_LOGS[ip_address].append(current_time)
    
    if len(CLICK_LOGS[ip_address]) > CLICK_THRESHOLD:
        print(f"ALERT: High frequency detected for IP {ip_address}")
        return True
        
    return False

# Example usage
# is_frequent_click("192.168.1.10", time.time())

This example demonstrates filtering traffic based on suspicious user agents. It blocks requests from known bot libraries or those with inconsistent or missing user agent strings, providing a simple yet effective layer of bot protection.

SUSPICIOUS_AGENTS = ["python-requests", "curl", "headless-chrome-bot"]

def filter_by_user_agent(request_headers):
    """Filters traffic based on the User-Agent header."""
    user_agent = request_headers.get("User-Agent", "").lower()
    
    if not user_agent:
        print("BLOCK: Missing User-Agent")
        return False
        
    for agent in SUSPICIOUS_AGENTS:
        if agent in user_agent:
            print(f"BLOCK: Suspicious User-Agent detected: {user_agent}")
            return False
            
    print("ALLOW: User-Agent looks clean.")
    return True

# Example usage
# headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) ..."}
# filter_by_user_agent(headers)

Types of Instant apps

• Heuristic-Based Snippets – These apps use predefined rule sets to identify fraud. For instance, a rule might flag a click as fraudulent if the time between the click and the page load is impossibly short. They are fast but can be outsmarted by new fraud tactics.
• Behavioral Analysis Snippets – This type focuses on user interactions like mouse movements, scroll speed, and keyboard input patterns. It detects non-human behavior by comparing session activity against established benchmarks for legitimate users, making it effective against more sophisticated bots.
• Device Fingerprinting Snippets – This code collects a detailed set of device and browser attributes (e.g., OS, screen resolution, installed fonts) to create a unique ID. This helps in identifying and blocking fraudsters who use different IP addresses but operate from the same device.
• Challenge-Based Snippets – These snippets present micro-challenges that are invisible to humans but difficult for simple bots to solve. This could involve requiring JavaScript execution to calculate a specific value or responding to a hidden event listener before a click is validated.

How Intent Based Targeting Works

+---------------------+      +----------------------+      +--------------------+
|   Incoming Traffic  |----->| Intent Analyzer (ML) |----->|  Decision Engine   |
| (Click/Impression)  |      |                      |      |                    |
+---------------------+      +----------+-----------+      +----------+---------+
         │                             │                           │
         │                             │                           │
         ▼                             ▼                           ▼
+---------------------+      +----------------------+      +--------------------+
|  Data Collection    |      |  Behavioral Signals  |      |   Action Taken     |
| (IP, UA, Referrer)  |      | (e.g., Mouse, Time)  |      | (Block/Allow/Flag) |
+---------------------+      +----------------------+      +--------------------+
         │                             │                           │
         └─────────────-───────>|   Risk Scoring       |<────────-─────────┘
                               +----------------------+

🧠 Core Detection Logic

Example 1: Session Velocity Scoring

This logic tracks the speed and frequency of a user's actions within a single session. It helps identify bots that attempt to perform actions much faster than a typical human user would. This is a crucial component of real-time traffic filtering, as it catches automated scripts designed for rapid, repeated clicks.

FUNCTION calculate_session_velocity(session_data):
  click_timestamps = session_data.get_timestamps("click")
  page_load_timestamps = session_data.get_timestamps("load")

  IF count(click_timestamps) < 2:
    RETURN "LOW_VELOCITY"

  time_diffs = []
  FOR i FROM 1 TO count(click_timestamps) - 1:
    diff = click_timestamps[i] - click_timestamps[i-1]
    time_diffs.append(diff)

  average_time_between_clicks = average(time_diffs)

  IF average_time_between_clicks < 2 seconds:
    RETURN "HIGH_RISK_VELOCITY"
  ELSE IF average_time_between_clicks < 10 seconds:
    RETURN "MEDIUM_RISK_VELOCITY"
  ELSE:
    RETURN "NORMAL_VELOCITY"

Example 2: Geographic Mismatch Detection

This logic compares the user's IP-based geolocation with other location signals, such as timezone settings from their browser or language preferences. A mismatch can indicate the use of a proxy or VPN to mask the user's true location, a common tactic in sophisticated ad fraud. This helps ensure that geo-targeted campaigns reach the intended audience.

FUNCTION check_geo_mismatch(ip_address, browser_headers):
  ip_geo = get_geolocation(ip_address) // e.g., {country: "US", timezone: "America/New_York"}
  browser_timezone = browser_headers.get("Timezone") // e.g., "Asia/Tokyo"
  browser_language = browser_headers.get("Accept-Language") // e.g., "ja-JP"

  IF ip_geo.country != get_country_from_timezone(browser_timezone):
    RETURN "GEO_MISMATCH_DETECTED"

  IF ip_geo.country == "US" AND browser_language.starts_with("ru"):
    RETURN "LANGUAGE_MISMATCH_DETECTED"

  RETURN "GEO_CONSISTENT"

Example 3: Behavioral Heuristics Analysis

This logic analyzes on-page behavior, such as mouse movements and scroll patterns, to distinguish between human and bot activity. Bots often exhibit unnatural, perfectly straight mouse paths or no movement at all. This type of analysis is key to detecting advanced bots that can successfully mimic basic user attributes but fail to replicate human-like interaction.

FUNCTION analyze_behavior(mouse_events, scroll_events):
  mouse_path = mouse_events.get_path()
  scroll_depth = scroll_events.get_max_depth()
  
  // Rule 1: No mouse movement before click is suspicious
  IF is_empty(mouse_path):
    RETURN "BOT_BEHAVIOR_SUSPECTED"

  // Rule 2: Perfectly linear mouse movement is a strong bot signal
  IF is_linear(mouse_path) AND count(mouse_path) > 10:
    RETURN "LINEAR_MOUSE_PATH_BOT"

  // Rule 3: Instant scroll to bottom of page is not human-like
  IF scroll_depth == 100% AND session_duration < 3 seconds:
    RETURN "INSTANT_SCROLL_BOT"

  RETURN "HUMAN_LIKE_BEHAVIOR"

📈 Practical Use Cases for Businesses

• Campaign Shielding: Protects PPC campaign budgets by proactively blocking clicks from known bots, click farms, and competitors before they deplete advertising funds.
• Data Integrity: Ensures marketing analytics are based on genuine human engagement by filtering out fraudulent traffic that would otherwise skew key metrics like click-through rates and conversion rates.
• Lead Generation Filtering: Improves the quality of leads generated from online forms by analyzing user intent to discard submissions from automated scripts or malicious actors.
• Return on Ad Spend (ROAS) Optimization: Increases ROAS by ensuring ad spend is directed only toward authentic audiences who have a genuine potential for conversion, rather than being wasted on invalid clicks.

Example 1: Geofencing Rule for Local Services

A local service business wants to ensure its ads are only clicked by users genuinely located within its service area. This pseudocode filters out clicks originating from outside the target country and flags those using proxies to appear local.

PROCEDURE enforce_geofencing(click_data):
  user_ip = click_data.get("ip")
  ip_info = get_ip_details(user_ip)
  
  target_country = "US"
  
  IF ip_info.country != target_country:
    BLOCK_CLICK(user_ip, "OUTSIDE_SERVICE_AREA")
    
  IF ip_info.is_proxy == TRUE:
    BLOCK_CLICK(user_ip, "PROXY_DETECTED")

Example 2: Session Authenticity Scoring

An e-commerce site scores user sessions to identify non-genuine shoppers before they can trigger conversion events. The score is based on a combination of behavioral signals, with a high score indicating probable fraud.

FUNCTION get_session_authenticity_score(session):
  score = 0
  
  // Abnormal click frequency
  IF session.clicks_per_minute > 30:
    score += 50
    
  // Lack of mouse movement
  IF session.mouse_movement_events == 0:
    score += 30

  // Known fraudulent user agent
  IF is_known_bot_user_agent(session.user_agent):
    score += 100

  RETURN score
  
// In practice: IF get_session_authenticity_score(current_session) > 80 THEN invalidate_session()

🐍 Python Code Examples

This code demonstrates a basic check for abnormal click frequency from a single IP address. Tracking the number of clicks within a short time window helps detect simple bots or manual fraud attempts designed to rapidly deplete an ad budget.

from collections import defaultdict
import time

CLICK_LOGS = defaultdict(list)
TIME_WINDOW = 60  # seconds
CLICK_THRESHOLD = 15

def is_click_fraud(ip_address):
    """Checks if an IP exceeds the click threshold within the time window."""
    current_time = time.time()
    
    # Filter out clicks older than the time window
    CLICK_LOGS[ip_address] = [t for t in CLICK_LOGS[ip_address] if current_time - t < TIME_WINDOW]
    
    # Add the current click
    CLICK_LOGS[ip_address].append(current_time)
    
    # Check if the number of clicks exceeds the threshold
    if len(CLICK_LOGS[ip_address]) > CLICK_THRESHOLD:
        print(f"Fraud Detected: IP {ip_address} exceeded {CLICK_THRESHOLD} clicks in {TIME_WINDOW} seconds.")
        return True
        
    return False

# Simulation
test_ips = ["192.168.1.101"] * 20
for ip in test_ips:
    is_click_fraud(ip)
    time.sleep(1)

This example provides a function to filter traffic based on suspicious user agent strings. Bots often use generic, outdated, or known fraudulent user agents, making this a straightforward yet effective method for initial traffic filtering.

SUSPICIOUS_USER_AGENTS = [
    "bot",
    "spider",
    "headlesschrome", # Often used in automated scripts
    "phantomjs"
]

def filter_by_user_agent(user_agent_string):
    """Filters traffic based on a list of suspicious user agent keywords."""
    ua_lower = user_agent_string.lower()
    for suspicious_ua in SUSPICIOUS_USER_AGENTS:
        if suspicious_ua in ua_lower:
            print(f"Suspicious User Agent Detected: {user_agent_string}")
            return True # Indicates traffic should be blocked or flagged
            
    return False

# Example Usage
ua_human = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36"
ua_bot = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"

print(f"Human UA: {'Blocked' if filter_by_user_agent(ua_human) else 'Allowed'}")
print(f"Bot UA: {'Blocked' if filter_by_user_agent(ua_bot) else 'Allowed'}")

Types of Intent Based Targeting

• First-Party Intent Analysis: This method relies on data collected directly from your own digital properties, such as your website or app. It analyzes how users interact with your content—like pages visited or time spent—to gauge their interest level and identify anomalies indicative of non-genuine traffic.
• Behavioral Intent Analysis: This focuses on specific user actions and patterns, like repeated visits to competitor sites, searches for product reviews, or unusually rapid click-through rates. It is highly effective for spotting both automated bots and organized human fraud by identifying behaviors outside the norm.
• Bidstream Intent Data: This type uses data available within the programmatic advertising ecosystem to determine intent based on the context of the pages a user visits. While broad, it can help identify trends and filter out traffic from sources known for low-quality or fraudulent activity before a bid is even placed.
• Predictive Intent Modeling: This advanced approach uses AI and machine learning to forecast a user's intent based on historical and real-time data. In fraud detection, it can predict which traffic segments are most likely to be fraudulent, allowing for proactive blocking and more efficient allocation of security resources.

How Intent To Treat Analysis Works

Visitor Arrives → [ Data Collection ] → [ Intent Analysis Engine ] → [ Risk Scoring ] ┐
      (User/Bot)          │                │                       │              │
                          │                │                       │              ├─→ [ Allow ] → Legitimate User
                          └────────────────┼───────────────────────┼──────────────┘
                                           │                       │
                                           └───────────────────────┼──────────────→ [ Block ] → Fraudulent Bot
                                                                   │
                                                                   └──────────────→ [ Flag/Monitor ] → Suspicious User

🧠 Core Detection Logic

Example 1: Behavioral Anomaly Detection

This logic focuses on how a user interacts with a page before clicking. It distinguishes between human-like randomness and the predictable patterns of a bot. This is critical for catching sophisticated bots that can mimic device and IP characteristics but fail to replicate natural user behavior.

function analyze_behavior(session) {
  // Rule 1: No mouse movement before click
  if (session.mouse_movements.count == 0 && session.time_to_click_sec < 2) {
    return "FRAUD";
  }

  // Rule 2: Perfectly linear mouse path
  if (is_linear(session.mouse_path)) {
    return "FRAUD";
  }

  // Rule 3: Instantaneous click upon page load
  if (session.time_to_click_sec < 0.5) {
    return "FRAUD";
  }

  return "LEGITIMATE";
}

Example 2: IP and User-Agent Congruity Check

This logic cross-references technical data points that fraudsters often manipulate. A bot might use a residential IP address from a proxy network but forget to spoof a corresponding common user-agent string. This check finds contradictions that expose the traffic as non-human.

function check_congruity(request) {
  ip_info = get_ip_data(request.ip); // Returns ISP, country, type (datacenter/residential)
  user_agent = parse_user_agent(request.user_agent);

  // Rule 1: IP from a known data center (server)
  if (ip_info.type == "datacenter") {
    return "BLOCK";
  }

  // Rule 2: User-agent is outdated or rare
  if (user_agent.is_rare || user_agent.is_outdated) {
    return "FLAG_FOR_REVIEW";
  }
  
  // Rule 3: Mobile user-agent but desktop screen resolution
  if (user_agent.is_mobile && request.screen_resolution > "1920x1080") {
    return "BLOCK";
  }

  return "ALLOW";
}

Example 3: Click Velocity and Frequency Analysis

This logic tracks the rate and timing of clicks originating from a single source (like an IP address) or targeting a single campaign. It's effective against click farms and botnets programmed to execute rapid, repetitive clicks to deplete an ad budget quickly.

function check_click_velocity(ip_address, campaign_id) {
  timestamp = current_time();
  
  // Get historical clicks from this IP for this campaign
  clicks = get_recent_clicks(ip_address, campaign_id, last_60_seconds);

  // Rule 1: More than 5 clicks in a minute
  if (clicks.count > 5) {
    add_to_blocklist(ip_address);
    return "FRAUDULENT_VELOCITY";
  }
  
  // Rule 2: Clicks are spaced exactly 10 seconds apart (programmatic)
  if (are_clicks_rhythmic(clicks, interval_sec=10)) {
    return "SUSPICIOUS_RHYTHM";
  }

  record_click(ip_address, campaign_id, timestamp);
  return "OK";
}

📈 Practical Use Cases for Businesses

• Campaign Shielding – Protects active pay-per-click (PPC) campaigns by analyzing traffic intent before a click is registered, preventing bots and competitors from exhausting the ad budget on fraudulent interactions.
• Analytics Purification – Ensures that marketing analytics and performance data are based on genuine human interest. By filtering out non-human traffic, businesses can make more accurate decisions based on real user engagement.
• Return on Ad Spend (ROAS) Optimization – Maximizes the effectiveness of the ad budget by ensuring that ads are shown primarily to legitimate potential customers. This directly improves ROAS by reducing wasted spend on clicks that have no chance of converting.
• Lead Generation Integrity – Safeguards lead generation forms from being flooded with fake submissions by bots. This ensures that the sales team receives qualified leads from real users, saving time and resources.

Example 1: Geofencing and Proxy Detection Rule

This logic prevents fraud from regions outside the campaign's target area and blocks users hiding their location behind proxies or VPNs, a common tactic for fraudsters.

FUNCTION evaluate_geo_traffic(user_ip, campaign_target_countries):
  user_location = get_geolocation(user_ip)
  is_proxy = check_proxy_status(user_ip)

  IF is_proxy:
    RETURN "BLOCK" # Block all proxy/VPN traffic

  IF user_location.country NOT IN campaign_target_countries:
    RETURN "BLOCK" # Block traffic from outside target countries
  
  ELSE:
    RETURN "ALLOW"

Example 2: Session Authenticity Scoring

This logic aggregates multiple risk signals during a user's session into a single score. If the score crosses a certain threshold, the user is deemed fraudulent and blocked before they can click on an ad. This provides a more nuanced approach than relying on a single data point.

FUNCTION calculate_session_score(session_data):
  score = 0
  
  // Check for known bot signatures in user agent
  IF contains_bot_signature(session_data.user_agent):
    score += 50
  
  // Check for robotic mouse movement (e.g., straight lines)
  IF has_robotic_movement(session_data.mouse_events):
    score += 30
    
  // Check if IP is from a known data center
  IF is_datacenter_ip(session_data.ip):
    score += 40

  // Decision based on score
  IF score >= 70:
    RETURN "FRAUDULENT"
  ELSE IF score >= 40:
    RETURN "SUSPICIOUS"
  ELSE:
    RETURN "GENUINE"

🐍 Python Code Examples

This function simulates checking a click's timestamp to detect abnormally high frequency from a single IP address. It's a simple way to identify and flag basic bots or manual fraud attempts designed to rapidly deplete an ad budget.

CLICK_HISTORY = {}
TIME_THRESHOLD_SEC = 5  # Min time between clicks
MAX_CLICKS_PER_MINUTE = 10

def is_click_frequent(ip_address):
    import time
    current_time = time.time()
    
    if ip_address not in CLICK_HISTORY:
        CLICK_HISTORY[ip_address] = []
    
    # Filter clicks in the last minute
    recent_clicks = [t for t in CLICK_HISTORY[ip_address] if current_time - t < 60]
    
    if len(recent_clicks) >= MAX_CLICKS_PER_MINUTE:
        return True # Too many clicks in the last minute
        
    if recent_clicks and (current_time - recent_clicks[-1]) < TIME_THRESHOLD_SEC:
        return True # Clicked too soon after the last one

    CLICK_HISTORY[ip_address].append(current_time)
    return False

This example demonstrates how to parse a user agent string to identify known suspicious patterns. This helps block traffic from non-standard browsers or known bot frameworks before they can generate fraudulent clicks.

def is_suspicious_user_agent(user_agent_string):
    # List of known bot-related substrings
    suspicious_signatures = ["bot", "spider", "headless", "phantomjs"]
    
    ua_lower = user_agent_string.lower()
    
    for signature in suspicious_signatures:
        if signature in ua_lower:
            return True
            
    # Check for empty or missing user agent
    if not user_agent_string:
        return True
        
    return False

# Example Usage
ua = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
print(f"Is suspicious: {is_suspicious_user_agent(ua)}")

This code analyzes a simplified list of mouse coordinates to detect inhuman, perfectly straight-line movements. Real user mouse movements have natural curves and variations, so this helps distinguish legitimate users from simple bots.

def has_robotic_mouse_movement(mouse_coordinates):
    # Expects a list of (x, y) tuples
    if len(mouse_coordinates) < 3:
        return False # Not enough data to analyze

    # Check if all points lie on the same line (simplified check)
    x0, y0 = mouse_coordinates
    x1, y1 = mouse_coordinates

    if (x1 - x0) == 0: # Vertical line
        for x, y in mouse_coordinates[2:]:
            if x != x0:
                return False # Not a straight vertical line
    else:
        slope = (y1 - y0) / (x1 - x0)
        for x, y in mouse_coordinates[2:]:
            # Check if the point satisfies the line equation y = mx + c
            if abs((y - y0) - slope * (x - x0)) > 1e-9: # Allow for small float inaccuracies
                return False # Point deviates from the line

    return True # All points are on a straight line

Types of Intent To Treat Analysis

• Heuristic-Based Analysis – This type uses a set of predefined rules to score traffic. For example, a rule might state that any visitor with a data center IP address and no mouse movement is fraudulent. It's fast and effective against known, simple fraud patterns.
• Behavioral Analysis – This method focuses on user actions, such as mouse dynamics, scroll speed, and time between events, to detect non-human patterns. It is particularly effective at identifying more sophisticated bots designed to mimic human technical attributes but failing to replicate natural, random behavior.
• Signature-Based Analysis – This approach checks visitor attributes against a known database of fraudulent signatures. These signatures can include malicious IP addresses, device fingerprints, or user-agent strings associated with botnets. It is excellent for blocking recognized threats quickly.
• Predictive Analysis – Leveraging machine learning, this type analyzes vast datasets of past traffic to build models that predict the likelihood of fraud from new, unseen visitors. It can identify emerging threats and complex fraud patterns that may not be caught by fixed rules or known signatures.

How Interstitials Works

[User Click] → [Interstitial Gateway] → +------------------+ → [Valid/Invalid Decision]
                                      | Data Collection  |
                                      |  - IP Address    |
                                      |  - User Agent    |
                                      |  - Fingerprint   |
                                      |  - JS Challenge  |
                                      +------------------+
                                                │
                                                ↓
                                      +------------------+
                                      |   Risk Analysis  |
                                      +------------------+
                                                │
                                                ↓
                                    ┌───────────┴───────────┐
                                    │                       │
                              [Allow to Content]     [Block/Flag Traffic]

🧠 Core Detection Logic

Example 1: JavaScript Challenge

This logic tests if a visitor’s browser can execute JavaScript, a common method for filtering out simple bots. A silent challenge runs in the background to verify the client is a real browser without requiring user interaction. It’s fundamental for detecting non-human traffic that can’t render or interact with scripts.

function runJsChallenge(visitor) {
  if (visitor.hasJavaScriptEnabled() && visitor.solvesPuzzle()) {
    return 'human';
  } else {
    return 'bot';
  }
}

// Decision
if (runJsChallenge(current_visitor) === 'bot') {
  blockAccess();
} else {
  grantAccess();
}

Example 2: IP Reputation and Geolocation Mismatch

This logic checks the visitor’s IP address against known blocklists (e.g., data centers, proxies) and compares its geographic location with expected user locations. This is useful for blocking traffic from sources commonly used for fraudulent activities or from regions outside a campaign’s target area.

function checkIpProfile(ip_address, target_country) {
  let ip_info = getIpData(ip_address);

  if (ip_info.is_datacenter || ip_info.is_known_proxy) {
    return 'fraudulent';
  }

  if (ip_info.country !== target_country) {
    return 'suspicious';
  }

  return 'clean';
}

Example 3: Behavioral Heuristics (Click Speed)

This logic analyzes the time between when a page or ad is rendered and when a click occurs. Clicks that happen too quickly for a human to realistically react are flagged as suspicious. This heuristic helps identify automated scripts designed to perform rapid, non-human clicks on ads.

function checkClickSpeed(page_load_time, click_time) {
  const MIN_CLICK_DELAY_MS = 500; // Minimum 0.5 seconds
  let time_to_click = click_time - page_load_time;

  if (time_to_click < MIN_CLICK_DELAY_MS) {
    return 'automated';
  } else {
    return 'human-like';
  }
}

📈 Practical Use Cases for Businesses

• Campaign Shielding: Prevents ad budgets from being wasted on clicks from bots and click farms, ensuring that ad spend is directed toward genuine potential customers.
• Lead Generation Integrity: Ensures that forms and lead-capture pages are filled out by real people, not scripts, improving the quality of sales leads and reducing follow-up on fake submissions.
• Analytics Accuracy: Filters out non-human traffic before it pollutes analytics data, providing businesses with a clear and accurate understanding of real user behavior, engagement, and conversion rates.
• E-commerce Protection: Protects online stores from automated threats like inventory hoarding, credential stuffing, and other fraudulent activities that can disrupt business operations and harm the user experience.

Example 1: Geofencing Rule

This pseudocode demonstrates a rule to block traffic originating from outside a business's target sales regions, a common tactic to filter out irrelevant traffic and low-quality clicks from click farms.

ALLOWED_COUNTRIES = ['US', 'CA', 'GB'];

function applyGeofence(visitor_ip) {
  country = getCountryFromIp(visitor_ip);

  if (NOT ALLOWED_COUNTRIES.includes(country)) {
    blockRequest("Traffic from outside target regions is not permitted.");
    logEvent("Blocked non-geo-targeted IP: " + visitor_ip);
  } else {
    proceed();
  }
}

Example 2: Session Scoring Logic

This logic assigns a risk score based on multiple behavioral and technical factors. Traffic exceeding a certain risk threshold is blocked, allowing for a more nuanced approach than a simple allow/block rule. This helps catch sophisticated bots that might evade simpler checks.

function calculateSessionScore(visitor_data) {
  let score = 0;

  if (visitor_data.ip_is_proxy) score += 40;
  if (visitor_data.is_headless_browser) score += 50;
  if (visitor_data.click_frequency > 10) score += 20; // 10 clicks/min
  if (visitor_data.has_no_mouse_events) score += 30;

  return score;
}

// Usage
let visitor_score = calculateSessionScore(current_visitor);
const FRAUD_THRESHOLD = 75;

if (visitor_score >= FRAUD_THRESHOLD) {
  blockAndLog(current_visitor);
}

🐍 Python Code Examples

This code simulates checking a visitor's IP address against a predefined blocklist. This is a fundamental technique in fraud prevention to quickly filter out traffic from known malicious sources, such as data centers or proxies commonly used by bots.

# A set of known fraudulent IP addresses
IP_BLOCKLIST = {"198.51.100.1", "203.0.113.10", "192.0.2.55"}

def filter_by_ip(visitor_ip):
    """
    Checks if a visitor's IP is in the blocklist.
    """
    if visitor_ip in IP_BLOCKLIST:
        print(f"Blocking fraudulent IP: {visitor_ip}")
        return False
    else:
        print(f"Allowing valid IP: {visitor_ip}")
        return True

# Example usage:
filter_by_ip("203.0.113.10")
filter_by_ip("8.8.8.8")

This example demonstrates a function to analyze click timestamps to identify unnaturally fast interactions. By setting a minimum delay between page load and click, it can effectively flag clicks made by automated scripts rather than human users.

import time

def is_human_click_speed(page_render_time, click_time):
    """
    Analyzes if the time between page render and click is human-like.
    A delay of less than 0.4 seconds is considered suspicious.
    """
    MINIMUM_CLICK_DELAY = 0.4  # seconds
    time_difference = click_time - page_render_time

    if time_difference < MINIMUM_CLICK_DELAY:
        print(f"Fraudulent click detected! Time difference: {time_difference:.2f}s")
        return False
    else:
        print(f"Human-like click detected. Time difference: {time_difference:.2f}s")
        return True

# Example usage:
page_loaded_at = time.time()
time.sleep(0.2) # Simulate a fast bot click
bot_click_at = time.time()
is_human_click_speed(page_loaded_at, bot_click_at)

time.sleep(1.5) # Simulate a slower human click
human_click_at = time.time()
is_human_click_speed(page_loaded_at, human_click_at)

Types of Interstitials

• Silent JavaScript Challenge: An invisible test that runs in the background to verify the visitor is a real browser. It analyzes the browser environment and its ability to execute code without any user interaction, effectively filtering out less sophisticated bots that cannot process JavaScript.
• Interactive Challenge (CAPTCHA): Requires direct user interaction, such as solving a puzzle or checking a box, to prove they are human. This type is used when traffic is highly suspicious, as it provides a strong verification signal but can negatively impact the user experience.
• Cryptographic Puzzle: Forces the visitor's browser to solve a complex mathematical problem that requires CPU resources. This method is designed to slow down and increase the cost for fraudsters attempting to run large-scale automated attacks, as each bot must expend significant processing power to pass the challenge.
• Fingerprinting Interstitial: Gathers detailed information about the user's device and browser configuration (e.g., screen size, fonts, plugins) to create a unique signature. This signature is used to track visitors and identify anomalies, such as multiple devices appearing to be identical, which is a common indicator of a botnet.

How Intrusion Detection Works

Incoming Ad Traffic → [ Data Collection & Analysis Engine ] → Decision Logic → [ Action ]
      │                            │                       │              └─ Block Traffic
      │                            │                       │
      └────────────────────────────┘                       └─ Allow Traffic

🧠 Core Detection Logic

Example 1: IP Filtering and Blacklisting

This logic involves checking the incoming IP address against a known database of fraudulent sources. It’s a foundational layer of traffic protection that blocks traffic from data centers, proxy servers, and botnets that have been previously identified as malicious.

FUNCTION check_ip(request):
  ip = request.get_ip_address()
  
  IF ip IN known_fraud_ip_list:
    RETURN "BLOCK"
  ELSE IF ip.is_datacenter():
    RETURN "BLOCK"
  ELSE:
    RETURN "ALLOW"
  END IF

Example 2: Session Heuristics and Velocity Checks

This logic analyzes the behavior of a user within a single session to identify non-human patterns. It tracks metrics like click frequency, page views per minute, and time between events. An abnormally high velocity of actions is a strong indicator of an automated bot.

FUNCTION analyze_session(session):
  start_time = session.get_start_time()
  click_count = session.get_click_count()
  
  session_duration = current_time() - start_time
  
  // Flag as suspicious if more than 5 clicks in the first 10 seconds
  IF session_duration < 10 AND click_count > 5:
    RETURN "FLAG_FOR_REVIEW"
  ELSE:
    RETURN "PROCEED"
  END IF

Example 3: Behavioral Anomaly Detection

This logic looks for user interactions that deviate from established patterns of normal human behavior. It can include checking for unnatural mouse movements (e.g., perfectly straight lines), consistent time intervals between clicks, or immediate bounces with no page interaction, all of which suggest automation.

FUNCTION check_behavior(events):
  mouse_path = events.get_mouse_path()
  click_intervals = events.get_click_intervals()
  
  // A perfectly linear mouse path is highly indicative of a bot
  IF is_linear(mouse_path):
    RETURN "BLOCK"
  END IF
  
  // Consistent timing between clicks suggests a script
  IF standard_deviation(click_intervals) < 0.1:
    RETURN "BLOCK"
  END IF
  
  RETURN "ALLOW"

📈 Practical Use Cases for Businesses

• Campaign Shielding – Prevents ad budgets from being wasted on fake clicks generated by bots and click farms, ensuring that ad spend reaches real potential customers.
• Analytics Integrity – Ensures that website and campaign analytics are based on real human traffic, leading to more accurate business intelligence and better strategic decisions.
• Lead Generation Quality – Filters out fake form submissions and sign-ups generated by bots, ensuring that sales and marketing teams focus their efforts on genuine leads.
• Return on Ad Spend (ROAS) Improvement – By eliminating fraudulent traffic that never converts, intrusion detection directly improves the overall return on ad spend and campaign profitability.
• E-commerce Fraud Prevention – Protects online stores from inventory-holding bots and other malicious activities that can disrupt sales and skew product availability.

Example 1: Geofencing Rule

This pseudocode demonstrates a rule to block traffic originating from locations outside of a campaign's target geography, a common technique used by fraudsters to mask their true origin.

FUNCTION apply_geofencing(request):
  user_ip = request.get_ip_address()
  campaign_target_countries = ["US", "CA", "GB"]
  
  user_country = geo_lookup(user_ip)
  
  IF user_country NOT IN campaign_target_countries:
    // Block traffic that is outside the target marketing area
    block_request(request, reason="Geographic Mismatch")
  ELSE:
    allow_request(request)
  END IF

Example 2: Session Scoring Logic

This pseudocode shows a simplified scoring system that evaluates multiple risk factors within a user session. Traffic is blocked if its cumulative risk score exceeds a certain threshold, allowing for more nuanced detection than a single rule.

FUNCTION calculate_risk_score(session):
  score = 0
  
  IF session.ip_is_proxy():
    score = score + 40
  END IF
  
  IF session.user_agent_is_suspicious():
    score = score + 30
  END IF
  
  IF session.click_frequency > 10: // 10 clicks per minute
    score = score + 20
  END IF
  
  IF session.time_on_page < 3: // Less than 3 seconds
    score = score + 10
  END IF
  
  RETURN score
  
// Main execution logic
traffic_session = get_current_session()
risk_score = calculate_risk_score(traffic_session)

IF risk_score >= 70:
  block_traffic(traffic_session, reason="High Risk Score")
END IF

🐍 Python Code Examples

This Python function simulates checking for an abnormal click frequency from a single IP address. If an IP makes more than a set number of clicks in a short time, it is flagged as potentially fraudulent, a common sign of a click bot.

# A dictionary to track click timestamps for each IP
ip_click_log = {}
from collections import deque
import time

def is_rapid_fire_click(ip_address, max_clicks=5, time_window=10):
    """Checks if an IP is clicking too frequently."""
    current_time = time.time()
    
    if ip_address not in ip_click_log:
        ip_click_log[ip_address] = deque()

    # Remove clicks older than the time window
    while (ip_click_log[ip_address] and 
           current_time - ip_click_log[ip_address] > time_window):
        ip_click_log[ip_address].popleft()
        
    ip_click_log[ip_address].append(current_time)
    
    if len(ip_click_log[ip_address]) > max_clicks:
        print(f"Fraud Alert: IP {ip_address} exceeded click limit.")
        return True
        
    return False

# Example usage
is_rapid_fire_click("192.168.1.101") # Returns False
# Simulate 5 more rapid clicks from the same IP
for _ in range(5):
    is_rapid_fire_click("192.168.1.101") # Now returns True

This example demonstrates how to filter traffic based on suspicious user-agent strings. Bots often use outdated, generic, or non-standard user agents that can be identified and blocked to prevent automated traffic from accessing your ads.

def is_suspicious_user_agent(user_agent):
    """Identifies user agents known to be associated with bots."""
    suspicious_ua_list = [
        "bot", "crawler", "spider", 
        "headlesschrome", "phantomjs"
    ]
    
    ua_lower = user_agent.lower()
    
    for keyword in suspicious_ua_list:
        if keyword in ua_lower:
            print(f"Blocking suspicious user agent: {user_agent}")
            return True
            
    return False

# Example usage
ua_human = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36"
ua_bot = "Mozilla/5.0 (compatible; MyCustomBot/1.0; +http://www.example.com/bot.html)"

is_suspicious_user_agent(ua_human) # Returns False
is_suspicious_user_agent(ua_bot)   # Returns True

Types of Intrusion Detection

• Signature-Based Detection: This method identifies threats by comparing incoming traffic against a database of known fraud signatures or patterns. It is very effective at blocking recognized bots and attack methods but is less effective against new, unseen threats.
• Anomaly-Based Detection: This type establishes a baseline of normal user behavior and then monitors traffic for any deviations. It excels at identifying novel attack methods because it flags any activity that seems unusual, even if it doesn't match a known signature.
• Heuristic-Based Detection: This approach uses rule-based logic and algorithms to identify suspicious behavior. It examines various attributes of the traffic, such as click velocity and session duration, to make an educated guess about whether an interaction is fraudulent.
• Stateful Protocol Analysis: This method focuses on analyzing the sequence and state of network communications. It can detect fraud by identifying when a user or bot uses a protocol in an unexpected or illegitimate way, which often points to malicious intent.

How Invalid Traffic Works

Incoming Traffic (Click/Impression)
           │
           ▼
+---------------------+
│   Data Collection   │
│ (IP, UA, Timestamp) │
+---------------------+
           │
           ▼
+---------------------+
│   Analysis Engine   │
│ (Rules & Heuristics)│
+----------+----------+
           │
           ├─ Legitimate ───> Allow Traffic
           │
           └─ Invalid ──────> Block & Report

🧠 Core Detection Logic

Example 1: IP Blacklisting

This logic checks an incoming click’s IP address against a pre-compiled list of known fraudulent sources, such as data centers, proxies, and botnets. It is a fundamental, first-line defense in a traffic protection system.

FUNCTION onAdClick(click_data):
  ip_address = click_data.ip
  blacklist = get_ip_blacklist()

  IF ip_address IN blacklist THEN
    RETURN "invalid"
  ELSE
    RETURN "valid"
  END IF
END FUNCTION

Example 2: Session Click Frequency

This heuristic analyzes user behavior by tracking the number of clicks from a single session within a specific timeframe. An abnormally high frequency suggests automated, non-human activity and is flagged as invalid.

FUNCTION checkSessionFrequency(session_id, click_timestamp):
  session_clicks = get_clicks_for_session(session_id)
  
  // Define a time window (e.g., 60 seconds) and a threshold (e.g., 5 clicks)
  time_window = 60
  max_clicks = 5
  
  recent_clicks = 0
  FOR each_click IN session_clicks:
    IF (click_timestamp - each_click.timestamp) < time_window THEN
      recent_clicks += 1
    END IF
  END FOR

  IF recent_clicks > max_clicks THEN
    RETURN "invalid_frequency"
  ELSE
    RETURN "valid"
  END IF
END FUNCTION

Example 3: Geo Mismatch Detection

This logic verifies that the geographic location derived from the user’s IP address aligns with the campaign’s targeting parameters. A mismatch can indicate the use of a VPN or proxy to circumvent targeting, a common tactic in ad fraud.

FUNCTION verifyGeoLocation(click_data, campaign_data):
  click_ip = click_data.ip
  click_country = get_country_from_ip(click_ip)
  
  target_countries = campaign_data.target_geos
  
  IF click_country NOT IN target_countries THEN
    // Log the mismatch for review
    log_geo_mismatch(click_ip, click_country)
    RETURN "invalid_geo"
  ELSE
    RETURN "valid"
  END IF
END FUNCTION

📈 Practical Use Cases for Businesses

• Campaign Shielding – Automatically blocks clicks from known bots and fraudulent publishers in real-time, preventing immediate budget waste and ensuring ad spend is directed toward genuine potential customers.
• Data Integrity – Filters out non-human interactions from analytics platforms. This provides a clean and accurate view of campaign performance, leading to better-informed marketing decisions and strategy adjustments.
• Conversion Funnel Protection – Prevents bots from submitting fake leads or creating bogus user accounts. This keeps customer relationship management (CRM) systems clean and ensures sales teams focus on legitimate prospects.
• Return on Ad Spend (ROAS) Improvement – By eliminating wasteful spending on fraudulent clicks that never convert, businesses ensure their budget reaches real users, directly improving the efficiency and profitability of their advertising campaigns.

Example 1: Data Center IP Blocking

This pseudocode demonstrates a common rule to block traffic originating from data centers, which is a strong indicator of non-human, automated traffic.

FUNCTION handle_request(request):
  ip = request.get_ip()
  ip_type = lookup_ip_type(ip) // Queries a database to classify the IP

  IF ip_type == "DATA_CENTER" THEN
    block_request("Traffic from data center blocked")
    log_event("Blocked data center IP:", ip)
  ELSE
    process_request(request)
  END IF
END FUNCTION

Example 2: Session Interaction Scoring

This logic scores a user session based on behavior. A session with no mouse movement or scrolling and an extremely short duration is likely a bot and is given a high fraud score.

FUNCTION score_session(session_data):
  score = 0
  
  // Rule 1: Dwell time
  IF session_data.duration_seconds < 2 THEN
    score += 40
  END IF
  
  // Rule 2: Mouse movement
  IF session_data.mouse_movements == 0 THEN
    score += 30
  END IF

  // Rule 3: Page scrolls
  IF session_data.scroll_events == 0 THEN
    score += 30
  END IF
  
  // Threshold for invalidity
  IF score >= 80 THEN
    RETURN "invalid_session"
  ELSE
    RETURN "valid_session"
  END IF
END FUNCTION

🐍 Python Code Examples

Example 1: Filter Suspicious User Agents

This code defines a function to check a user agent string against a list of known bot identifiers. This helps filter out simple automated traffic from web crawlers and malicious scripts.

def is_suspicious_user_agent(user_agent):
    """Checks if a user agent string belongs to a known bot."""
    bot_signatures = [
        "bot", "crawler", "spider", "headlesschrome", "phantomjs"
    ]
    
    # Normalize to lowercase for case-insensitive matching
    user_agent_lower = user_agent.lower()
    
    for signature in bot_signatures:
        if signature in user_agent_lower:
            return True
    return False

# --- Usage ---
ua_string = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
if is_suspicious_user_agent(ua_string):
    print("Invalid Traffic: Detected bot user agent.")

Example 2: Detect Abnormal Click Frequency

This script simulates tracking clicks from IP addresses to identify sources that click too frequently in a short time. This is a common heuristic to detect click spam bots.

import time

# In a real application, this would be a database or cache like Redis
click_logs = {}
TIME_WINDOW_SECONDS = 60
CLICK_THRESHOLD = 10

def record_and_check_click(ip_address):
    """Records a click and checks if the frequency from an IP is too high."""
    current_time = time.time()
    
    # Get timestamps for this IP, or initialize if new
    if ip_address not in click_logs:
        click_logs[ip_address] = []
        
    # Remove old timestamps that are outside the time window
    click_logs[ip_address] = [
        ts for ts in click_logs[ip_address] if current_time - ts < TIME_WINDOW_SECONDS
    ]
    
    # Add the new click timestamp
    click_logs[ip_address].append(current_time)
    
    # Check if the click count exceeds the threshold
    if len(click_logs[ip_address]) > CLICK_THRESHOLD:
        print(f"Invalid Traffic: High click frequency from {ip_address}.")
        return False
        
    return True

# --- Usage ---
for _ in range(12):
    record_and_check_click("198.51.100.10")

Types of Invalid Traffic

• General Invalid Traffic (GIVT)

  This includes known, identifiable non-human traffic like search engine crawlers and spiders. It is generally not malicious and can be easily filtered using standard lists and parameter checks because it does not attempt to disguise its automated nature.

• Sophisticated Invalid Traffic (SIVT)

  This is deliberately deceptive traffic designed to mimic human behavior and evade detection. It includes advanced bots, hijacked devices, ad stacking, and traffic from malware or proxies. Identifying SIVT requires advanced analytics and multi-point analysis.

• Datacenter Traffic

  This refers to any ad interactions originating from servers in a data center. Because real users do not typically browse the web from data centers, this traffic is almost always classified as non-human and invalid for advertising purposes.

• Incentivized Clicks

  This traffic comes from humans who are paid or offered a reward to click on ads or watch videos. Although human-generated, it is invalid because the user has no genuine interest in the advertised product or service, leading to worthless engagement.