Archives: Glossary Terms

How Monthly active users Works

Incoming Traffic (Clicks/Impressions)
           │
           ▼
+---------------------+
│   Data Collection   │
│ (IP, User Agent,   │
│ Timestamp, Action)  │
+---------------------+
           │
           ▼
+--------------------------------+
│      User Identification       │
│  (Device ID, User Cookie,      │
│     or Fingerprinting)         │
+--------------------------------+
           │
           ▼
+--------------------------------+
│     Monthly Active User        │
│          (MAU) Database        │
│      (List of Unique Users     │
│       in the last 30 days)     │
+--------------------------------+
           │
           ├─ Legitimate User ─────> Counted in MAU, Traffic Allowed
           │
           └─ New/Unseen User
                       │
                       ▼
            +---------------------+
            │  Behavioral Analysis  │
            │  (Frequency,          │
            │   Patterns, Heuristics) │
            +---------------------+
                       │
                       ├─ Anomaly Detected (Bot/Fraud) ──> Block & Report
                       │
                       └─ Human-like Behavior ──────────> Add to MAU, Traffic Allowed

🧠 Core Detection Logic

Example 1: High-Frequency Click Analysis

This logic identifies non-human traffic by detecting an abnormally high number of clicks from a single user (identified by a cookie or device fingerprint) within a short timeframe. It’s a core component of real-time bot detection, as automated scripts often generate clicks far faster than a human can.

FUNCTION check_click_frequency(user_id, current_timestamp):
  // Define time window and click threshold
  TIME_WINDOW = 60 // seconds
  MAX_CLICKS_PER_WINDOW = 5

  // Get user's click history
  user_clicks = get_clicks_for_user(user_id)

  // Filter clicks within the last minute
  recent_clicks = filter_clicks_by_time(user_clicks, current_timestamp - TIME_WINDOW)

  // Check if click count exceeds the threshold
  IF count(recent_clicks) > MAX_CLICKS_PER_WINDOW:
    RETURN "FRAUDULENT"
  ELSE:
    RETURN "VALID"
  ENDIF

Example 2: New User IP and User-Agent Mismatch

This logic flags new users whose IP address geolocation does not align with their device’s language or timezone settings. This is often used to catch sophisticated bots that use proxies to mask their origin, as the device-level settings may still reveal the mismatch.

FUNCTION validate_new_user_geo(ip_address, device_language, device_timezone):
  // Get location info from IP
  ip_geo_country = get_country_from_ip(ip_address)

  // Get expected country from device settings
  expected_country_from_lang = get_country_from_language(device_language)
  expected_country_from_zone = get_country_from_timezone(device_timezone)

  // Check for mismatches
  IF ip_geo_country != expected_country_from_lang AND ip_geo_country != expected_country_from_zone:
    RETURN "SUSPICIOUS"
  ELSE:
    RETURN "VALID"
  ENDIF

Example 3: MAU Population Anomaly

This logic monitors the overall growth rate of the Monthly Active Users list. A sudden, massive spike in “new” unique users, especially from a single traffic source or campaign, can indicate a large-scale bot attack rather than genuine organic growth. It helps detect coordinated fraud that might otherwise go unnoticed at the individual user level.

FUNCTION check_mau_growth_rate(new_users_today, traffic_source):
  // Get historical average new users for this source
  historical_avg = get_historical_avg_new_users(traffic_source)
  standard_deviation = get_standard_deviation(traffic_source)

  // Define anomaly threshold (e.g., 3 standard deviations above average)
  anomaly_threshold = historical_avg + (3 * standard_deviation)

  // Check if today's new user count is an outlier
  IF new_users_today > anomaly_threshold:
    // Trigger alert for manual review of the traffic source
    log_alert("Unusual MAU growth from source: " + traffic_source)
    RETURN "ANOMALY_DETECTED"
  ELSE:
    RETURN "NORMAL_GROWTH"
  ENDIF

📈 Practical Use Cases for Businesses

• Campaign Shielding: Actively filters out bot clicks and other forms of invalid traffic from paid campaigns in real time, ensuring that the ad budget is spent on reaching genuine potential customers and not wasted on fraudulent interactions.
• Analytics Purification: By preventing fake users from contaminating traffic data, businesses can ensure their analytics dashboards reflect true user engagement. This leads to more accurate insights into customer behavior, conversion rates, and campaign performance.
• Return on Ad Spend (ROAS) Improvement: Blocking fraudulent clicks directly improves ROAS by lowering the cost per acquisition (CPA). With a cleaner traffic stream, conversion rates increase, and marketing budgets become more efficient, leading to higher overall profitability.
• Competitor Sabotage Prevention: Identifies and blocks malicious clicking activity from competitors who aim to exhaust a business’s advertising budget prematurely. This protects a company’s market presence and ensures its ads remain visible to actual customers.

Example 1: Geolocation Mismatch Rule

This rule is used to block traffic where the user’s IP address location is inconsistent with the campaign’s target geography, a common sign of proxy or VPN usage by bots.

RULE "Geo-Mismatch"
WHEN
  user.ip_geolocation.country IS_NOT "USA"
  AND campaign.target_country IS "USA"
THEN
  ACTION block_traffic
  REASON "Traffic origin outside of campaign target area"
END

Example 2: Session Behavior Scoring

This logic assigns a risk score to a user session based on behavior. A session with zero mouse movement, instant clicks, and no time spent on the landing page would receive a high fraud score and be blocked.

FUNCTION calculate_session_score(session_data):
  score = 0
  IF session_data.mouse_events < 2:
    score += 40
  ENDIF
  IF session_data.time_on_page < 1: // less than 1 second
    score += 50
  ENDIF
  IF session_data.is_from_datacenter_ip:
    score += 60
  ENDIF

  // If score exceeds threshold, block user
  IF score > 90:
    RETURN "BLOCK"
  ELSE:
    RETURN "ALLOW"
  ENDIF

Example 3: Device Signature Match

This rule identifies and blocks traffic from devices with known fraudulent signatures (e.g., outdated browsers, mismatched user agents, or emulator characteristics).

RULE "Suspicious Device Signature"
WHEN
  user.device_signature.is_emulator IS TRUE
  OR user.http_headers['User-Agent'] MATCHES_ANY ["OutdatedBotBrowser/1.0", "FraudulentUserAgentString"]
THEN
  ACTION block_traffic
  REASON "Device characteristics match known fraud patterns"
END

🐍 Python Code Examples

This Python function simulates checking for rapid, successive clicks from the same IP address, a common indicator of a simple bot. It helps block basic automated scripts by tracking click timestamps within a defined interval.

# Dictionary to store click timestamps for each IP
ip_click_log = {}
from collections import deque
import time

def is_rapid_fire_click(ip_address, max_clicks=5, time_window=10):
    """Checks if an IP has too many clicks in a short time window."""
    current_time = time.time()
    
    if ip_address not in ip_click_log:
        ip_click_log[ip_address] = deque()

    # Remove clicks older than the time window
    while ip_click_log[ip_address] and ip_click_log[ip_address] < current_time - time_window:
        ip_click_log[ip_address].popleft()
    
    # Add the new click
    ip_click_log[ip_address].append(current_time)
    
    # Check if the number of clicks exceeds the max
    if len(ip_click_log[ip_address]) > max_clicks:
        print(f"Fraudulent activity detected from IP: {ip_address}")
        return True
        
    return False

# Example Usage
is_rapid_fire_click("123.45.67.89") # Returns False
# Simulate 6 quick clicks
for _ in range(6):
    is_rapid_fire_click("123.45.67.89") # Final call returns True

This script filters incoming traffic by inspecting the User-Agent string. It helps in blocking traffic from known bots or suspicious clients that do not conform to standard browser patterns, thereby filtering out low-quality traffic.

def filter_suspicious_user_agents(user_agent_string):
    """Blocks traffic from known suspicious user agents."""
    suspicious_ua_list = [
        "bot", "spider", "crawler", "headlesschrome"
    ]
    
    ua_lower = user_agent_string.lower()
    
    for suspicious_ua in suspicious_ua_list:
        if suspicious_ua in ua_lower:
            print(f"Blocking suspicious User-Agent: {user_agent_string}")
            return True # Block the request
            
    return False # Allow the request

# Example Usage
filter_suspicious_user_agents("Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)") # Returns True
filter_suspicious_user_agents("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36") # Returns False

Types of Monthly active users

• Segmented MAU Analysis: This approach breaks down monthly active users into segments based on criteria like traffic source, geography, or device type. It helps pinpoint fraud by revealing anomalies within specific segments, such as a disproportionately high number of new users from a single, low-quality publisher.
• Behavioral MAU Cohorts: Users are grouped into cohorts based on their on-site actions (e.g., pages visited, session duration, conversion events). A cohort of “active” users with near-zero session times and no post-click activity is a strong indicator of sophisticated bot traffic that mimics unique user counts.
• Returning vs. New MAU Ratio: This method monitors the ratio of new users to returning users within the monthly active count. A sudden and drastic shift in this ratio, such as an explosion of new users with no history, can signal a large-scale bot attack designed to inflate traffic numbers.
• Cross-Device MAU Identification: This technique uses device fingerprinting and user logins to identify a single unique user across multiple devices (desktop, mobile, tablet). It prevents fraudsters from appearing as multiple “monthly active users” simply by switching devices to generate invalid clicks.

How MultiFactor Authentication Works

Incoming Click/Impression
          │
          ▼
+─────────┴─────────+
│ Initial Analysis  │
│ (IP, User Agent)  │
+─────────┬─────────+
          │
          ▼
+─────────┴─────────+
│  Device & Geo     │
│  Validation       │
│ (Fingerprint, TZ) │
+─────────┬─────────+
          │
          ▼
+─────────┴─────────+
│ Behavioral Check  │
│ (Mouse, Clicks)   │
+─────────┬─────────+
          │
          ▼
+─────────┴─────────+
│  Scoring Engine   │
│ (Combine Factors) │
+─────────┬─────────+
          │
          ├───────────┐
          ▼           ▼
      [Valid]     [Fraudulent]
     (Allow)        (Block)

🧠 Core Detection Logic

Example 1: Geographic and Language Mismatch

This logic checks for inconsistencies between a user’s IP-based location and their browser’s language settings. A high-value click from a US IP address but with a browser language set to Vietnamese or Russian is suspicious. It often indicates the use of a proxy or a botnet operating from a different country, a common tactic in organized click fraud.

FUNCTION checkGeoLanguageMismatch(clickData):
  ipLocation = getLocation(clickData.ipAddress)
  browserLanguage = clickData.browser.language

  IF ipLocation is "United States" AND browserLanguage is NOT "en-US":
    RETURN {isSuspicious: TRUE, reason: "Geo-language mismatch"}
  ELSE:
    RETURN {isSuspicious: FALSE}
  ENDIF
END FUNCTION

Example 2: Session Click Frequency Anomaly

This rule analyzes the timing and frequency of clicks within a single user session. A legitimate user might click an ad once, but a bot might be programmed to click multiple ads in rapid, uniform succession. This logic flags users who exceed a reasonable click threshold within a short timeframe, which is a strong indicator of non-human behavior designed to deplete ad budgets.

FUNCTION checkClickFrequency(sessionData, clickTimestamp):
  // sessionData stores timestamps of recent clicks from the same user
  relevantClicks = findClicksInLastMinute(sessionData.clicks, clickTimestamp)

  IF count(relevantClicks) > 3:
    RETURN {isSuspicious: TRUE, reason: "High click frequency"}
  ELSE:
    // Add current click to session data
    addClick(sessionData, clickTimestamp)
    RETURN {isSuspicious: FALSE}
  ENDIF
END FUNCTION

Example 3: Device Fingerprint Consistency

This logic checks if a user’s device fingerprint (a combination of browser, OS, screen resolution, etc.) remains consistent across multiple visits. Fraudsters often use systems that randomize these attributes to appear as different users. If a returning user (identified by a cookie or IP) suddenly presents a completely different device fingerprint, the system flags it as a potential attempt to spoof identity.

FUNCTION checkFingerprintConsistency(userData, currentFingerprint):
  // userData stores historical fingerprints for a user
  previousFingerprint = getLatestFingerprint(userData)

  IF previousFingerprint is NOT NULL AND previousFingerprint != currentFingerprint:
    // Allow for minor changes like browser updates, but flag major changes
    IF calculateSimilarity(previousFingerprint, currentFingerprint) < 0.7:
      RETURN {isSuspicious: TRUE, reason: "Device fingerprint changed"}
    ENDIF
  ENDIF
  RETURN {isSuspicious: FALSE}
END FUNCTION

📈 Practical Use Cases for Businesses

• Campaign Shielding – Actively block bots and fraudulent IPs in real-time to prevent them from clicking on PPC ads. This directly protects the advertising budget from being wasted on traffic that has no chance of converting, ensuring spend is allocated to genuine potential customers.
• Analytics Purification – Filter out invalid traffic from analytics platforms. This provides a cleaner, more accurate view of campaign performance, user behavior, and conversion metrics, leading to better-informed marketing decisions and strategy adjustments.
• Return on Ad Spend (ROAS) Improvement – By eliminating wasteful clicks and ensuring ads are shown to real humans, MultiFactor Authentication improves the overall efficiency of ad spend. This leads to a lower cost per acquisition (CPA) and a higher return on every dollar spent on advertising.
• Lead Generation Integrity – Prevent bots from filling out lead or contact forms. This ensures that the sales team receives leads from genuinely interested humans, saving them time and resources by not having to chase down fake or low-quality submissions.

Example 1: Geofencing and Proxy Blocking

This logic is used to enforce geographic targeting rules and block traffic from known anonymous proxies, which are often used to circumvent location-based ad delivery. A business targeting customers only in Canada can use this to reject any clicks originating from other countries or from IPs known to be proxies.

FUNCTION enforceGeoFence(click):
  ip_info = getIpInfo(click.ipAddress)

  IF ip_info.country IS NOT "Canada":
    BLOCK(click, "Outside of Geofence")
    RETURN

  IF ip_info.isProxy IS TRUE:
    BLOCK(click, "Proxy Detected")
    RETURN

  ALLOW(click)
END FUNCTION

Example 2: Session Interaction Scoring

This example scores a user session based on multiple behavioral factors. A session with no mouse movement, unnaturally fast clicks, and immediate bounce would receive a high fraud score and be blocked. This is used to distinguish between engaged human users and low-quality bot traffic that only interacts with the ad itself.

FUNCTION scoreSession(session):
  score = 0
  
  IF session.mouseMovements < 5:
    score = score + 40 // High suspicion for no mouse activity

  IF session.timeOnPage < 2_seconds:
    score = score + 30 // High suspicion for immediate bounce

  IF session.clickInterval < 1_second:
    score = score + 30 // High suspicion for rapid-fire clicks
    
  IF score > 70:
    RETURN {isFraud: TRUE, score: score}
  ELSE:
    RETURN {isFraud: FALSE, score: score}
  ENDIF
END FUNCTION

🐍 Python Code Examples

This Python function simulates checking for abnormally frequent clicks from a single IP address within a given time window. It helps identify bots programmed to repeatedly click ads from the same source to deplete a campaign's budget.

# A simple in-memory store for tracking click timestamps per IP
CLICK_LOGS = {}
TIME_WINDOW_SECONDS = 60
CLICK_THRESHOLD = 5

def is_suspicious_ip(ip_address, current_time):
    """Checks if an IP has an unusually high click frequency."""
    if ip_address not in CLICK_LOGS:
        CLICK_LOGS[ip_address] = []

    # Filter out clicks older than the time window
    recent_clicks = [t for t in CLICK_LOGS[ip_address] if current_time - t <= TIME_WINDOW_SECONDS]
    
    # Add current click timestamp
    recent_clicks.append(current_time)
    CLICK_LOGS[ip_address] = recent_clicks
    
    # Check if click count exceeds the threshold
    if len(recent_clicks) > CLICK_THRESHOLD:
        return True
    return False

This code filters traffic based on a user agent string. It checks if the user agent belongs to a known list of bot or crawler signatures, providing a basic but effective first line of defense against non-human traffic.

KNOWN_BOT_AGENTS = [
    "Googlebot",
    "Bingbot",
    "AhrefsBot",
    "SemrushBot",
    "Python/3.9 aiohttp"
]

def is_known_bot(user_agent_string):
    """Identifies traffic from known web crawlers and bots."""
    if not user_agent_string:
        return True # Empty user agent is suspicious
    
    for bot_signature in KNOWN_BOT_AGENTS:
        if bot_signature.lower() in user_agent_string.lower():
            return True
            
    return False

Types of MultiFactor Authentication

• Network-Level Analysis – This type focuses on the origin of the traffic. It analyzes the IP address reputation, ISP, country of origin, and whether the connection comes from a known data center or proxy service. It is a fundamental first step in filtering out easily identifiable non-human traffic.
• Device-Level Fingerprinting – This method involves creating a unique identifier based on a visitor's device and browser attributes, such as operating system, browser version, screen resolution, and installed plugins. It helps detect bots that try to hide their identity by switching IP addresses but fail to alter their device signature.
• Behavioral Analysis – This is a more advanced type that monitors how a user interacts with a webpage, including mouse movements, click patterns, scrolling speed, and typing rhythm. Since bots struggle to perfectly mimic the natural, slightly random behavior of humans, this is highly effective at detecting sophisticated automation.
• Heuristic and Reputation Scoring – This type combines data from all other layers into a cohesive risk score. It uses rules and historical data (reputation) to evaluate the likelihood of fraud. For example, a new device from a low-reputation ISP exhibiting bot-like behavior will receive a very high fraud score.

How MultiTouch Attribution Works

+---------------------+      +----------------------+      +---------------------+      +---------------------+
|   Incoming Click    | →    |   Data Aggregation   | →    |  Journey Analysis   | →    |    Fraud Scoring    |
| (Impression/Event)  |      |  (IP, UA, Timestamp) |      | (Path & Behavior)   |      | (Anomaly Detection) |
+---------------------+      +----------------------+      +----------+----------+      +----------+----------+
                                                                     │                       │
                                                                     │                       ↓
                                                        +------------+------------+      +---------------------+
                                                        |  Attribution Modeling   | ←    |  Threat Intelligence|
                                                        |  (Assigns risk score)   |      | (Known Bot Signatures)|
                                                        +-------------------------+      +---------------------+

🧠 Core Detection Logic

Example 1: Cross-Device & IP Anomaly Detection

This logic identifies when multiple, distinct user profiles (based on device or browser fingerprints) originate from a single IP address within a short timeframe. It’s effective at catching botnets or click farms where one source attempts to simulate many different users. This check fits within the real-time traffic filtering layer.

FUNCTION check_ip_anomaly(click_event):
  ip = click_event.ip_address
  fingerprint = click_event.device_fingerprint
  timestamp = click_event.timestamp

  // Get recent fingerprints from this IP
  recent_fingerprints = get_recent_fingerprints_for_ip(ip, within_last_minutes=5)

  // If the new fingerprint is not in the recent list
  IF fingerprint NOT IN recent_fingerprints:
    // If the number of unique fingerprints from this IP is high
    IF count(recent_fingerprints) > 10:
      FLAG_AS_FRAUD(ip, "High fingerprint diversity from single IP")
      RETURN "FRAUDULENT"
  
  add_fingerprint_to_log(ip, fingerprint, timestamp)
  RETURN "VALID"

Example 2: Behavioral Path Validation

This logic checks if a user’s journey to a conversion page is plausible. For example, a user who clicks a final conversion link must have also interacted with preceding touchpoints in the funnel (like a product page or a category page). It helps prevent attribution hijacking where fraudsters inject a final click to claim credit for an organic conversion.

FUNCTION validate_behavioral_path(session):
  // Define required steps for a valid conversion path
  required_path = ["view_product_page", "add_to_cart_page", "checkout_page"]
  
  user_touchpoints = get_touchpoints_for_session(session.id)
  user_path = extract_event_types(user_touchpoints)

  // Check if the final touchpoint is a conversion
  IF user_path.last_event == "conversion":
    // Check if the required preceding steps exist in the user's path
    is_valid_path = all(step in user_path for step in required_path)
    
    IF NOT is_valid_path:
      FLAG_AS_FRAUD(session.id, "Invalid conversion path, missing required steps")
      RETURN "FRAUDULENT"

  RETURN "VALID"

Example 3: Timestamp Correlation & Velocity Check

This rule analyzes the time elapsed between different touchpoints in a user’s journey. An impossibly fast sequence of clicks across multiple ad campaigns or websites indicates automation. This logic is crucial for detecting programmatic bots that don’t mimic human-like delays.

FUNCTION check_timestamp_velocity(session):
  touchpoints = get_touchpoints_for_session(session.id, sorted_by_time=True)

  IF count(touchpoints) < 2:
    RETURN "VALID" // Not enough data

  FOR i FROM 1 TO count(touchpoints) - 1:
    time_diff = touchpoints[i].timestamp - touchpoints[i-1].timestamp
    
    // If time between consecutive clicks is less than 1 second
    IF time_diff < 1.0: 
      // If clicks are for different campaigns, it's highly suspicious
      IF touchpoints[i].campaign_id != touchpoints[i-1].campaign_id:
        FLAG_AS_FRAUD(session.id, "Click velocity too high between campaigns")
        RETURN "FRAUDULENT"
  
  RETURN "VALID"

📈 Practical Use Cases for Businesses

• Campaign Shielding – Prevents ad budgets from being wasted on automated bots and invalid clicks by analyzing the entire user journey, not just isolated interactions. This ensures that ad spend is directed toward genuine, high-intent users.
• Data Integrity for Analytics – Filters out fraudulent traffic before it pollutes marketing analytics platforms. This provides a clean, reliable dataset, allowing businesses to make accurate, data-driven decisions about strategy and budget allocation.
• ROAS Optimization – Improves Return on Ad Spend (ROAS) by ensuring that attribution credit is given only to legitimate touchpoints that contribute to real conversions. This helps marketers identify and scale the channels that truly drive value.
• Conversion Funnel Security – Protects against funnel-based attacks like attribution hijacking and click injection by validating the logical progression of user touchpoints. This ensures that conversions are legitimate and correctly attributed.

Example 1: Geofencing Mismatch Rule

This logic prevents fraud by ensuring a user's IP-based location is consistent across multiple touchpoints. If a session shows clicks originating from different countries in an impossible timeframe, it's flagged as fraudulent.

FUNCTION check_geo_consistency(session_touchpoints):
  locations = []
  FOR touch IN session_touchpoints:
    locations.append(get_country_from_ip(touch.ip_address))
  
  unique_locations = unique(locations)
  
  // If there are multiple distinct countries in a single session
  IF count(unique_locations) > 1:
    FLAG_AS_FRAUD(session.id, "Geographic location mismatch in session")
    RETURN "FRAUDULENT"
  
  RETURN "VALID"

Example 2: Session Authenticity Scoring

This logic assigns a trust score to a session based on a combination of factors. A session with human-like mouse movements, reasonable time-on-page, and no known bot signatures gets a high score, while a session with programmatic behavior gets a low score and is blocked.

FUNCTION calculate_session_score(session):
  score = 100
  
  // Penalize for known bot user agent
  IF is_known_bot(session.user_agent):
    score = score - 50
  
  // Penalize for data center IP
  IF is_datacenter_ip(session.ip_address):
    score = score - 30
    
  // Reward for human-like behavior (e.g., mouse movement)
  IF has_mouse_events(session.behavior_data):
    score = score + 20

  // Block if score is below threshold
  IF score < 50:
    RETURN "BLOCK"
  
  RETURN "ALLOW"

🐍 Python Code Examples

This code simulates the detection of abnormally frequent clicks from a single IP address. It maintains a simple in-memory log of clicks and flags an IP if it exceeds a certain number of clicks within a defined time window, a common pattern for simple bot attacks.

from collections import defaultdict
import time

CLICK_LOG = defaultdict(list)
TIME_WINDOW_SECONDS = 60  # 1 minute window
MAX_CLICKS_IN_WINDOW = 10 # Max allowed clicks

def is_click_fraudulent(ip_address):
    current_time = time.time()
    
    # Remove clicks older than the time window
    CLICK_LOG[ip_address] = [t for t in CLICK_LOG[ip_address] if current_time - t < TIME_WINDOW_SECONDS]
    
    # Add the current click timestamp
    CLICK_LOG[ip_address].append(current_time)
    
    # Check if click count exceeds the maximum
    if len(CLICK_LOG[ip_address]) > MAX_CLICKS_IN_WINDOW:
        print(f"FRAUD DETECTED: IP {ip_address} exceeded {MAX_CLICKS_IN_WINDOW} clicks in {TIME_WINDOW_SECONDS} seconds.")
        return True
        
    print(f"OK: IP {ip_address} has {len(CLICK_LOG[ip_address])} clicks.")
    return False

# Simulation
is_click_fraudulent("91.120.34.55") # OK
# Rapidly simulate 10 more clicks from the same IP
for _ in range(10):
    is_click_fraudulent("91.120.34.55") # Will be flagged as fraud

This example demonstrates filtering traffic based on suspicious user agents. It checks an incoming user agent string against a predefined set of known bot or non-standard browser signatures. This is a simple but effective first line of defense in a traffic filtering system.

SUSPICIOUS_USER_AGENTS = {
    "headless-chrome",
    "phantomjs",
    "python-requests",
    "dataprovider",
    "scrapy"
}

def filter_by_user_agent(user_agent_string):
    ua_lower = user_agent_string.lower()
    
    for suspicious_ua in SUSPICIOUS_USER_AGENTS:
        if suspicious_ua in ua_lower:
            print(f"BLOCK: Suspicious User Agent detected: {user_agent_string}")
            return "BLOCKED"
            
    print(f"ALLOW: User Agent appears valid: {user_agent_string}")
    return "ALLOWED"

# Simulation
filter_by_user_agent("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36")
filter_by_user_agent("python-requests/2.25.1") # Will be blocked

Types of MultiTouch Attribution

• Linear Risk Model – Assigns equal risk weight to every suspicious touchpoint in a user's journey. This model is useful when there is no clear indicator of which specific interaction is most fraudulent, treating all anomalies as equally important signals for potential bot activity.
• Time-Decay Threat Model – Gives more weight to suspicious touchpoints that occur closer to the conversion or final action. This is effective for identifying last-minute click injection fraud, where a fraudulent click is fired just before a conversion to steal attribution.
• Position-Based (U-Shaped) Anomaly Model – Emphasizes the first and last touchpoints as the most critical for fraud analysis. A fraudulent first touch could indicate an illegitimate user source, while a fraudulent last touch might signal click hijacking. Other intermediate touchpoints are given less weight.
• Weighted-Risk Model – A custom model where different fraudulent signals are assigned unique risk scores. For example, a click from a known data center IP might be weighted more heavily than a simple user-agent anomaly. This provides a more nuanced and accurate fraud detection capability.

How Multichannel Video Programming Distributor MVPD Works

  User Request      +----------------+      Ad Request       +-----------------+      Verified Ad
----------------> │   Publisher    │ -----------------> │  Ad-Tech System │ ----------------> User
 (View Content)   │ (with MVPD     │   (with enriched   │  (Fraud Filter) │   (Legitimate)
                  │  Integration)  │      data)       │                 │
                  └----------------┘                   └-------+---------┘
                                                             │
                                                             │
                                                      +------▼------+
                                                      │ MVPD Data   │
                                                      │ (Subscriber │
                                                      │  Status,    │
                                                      │  Geo-Info)  │
                                                      └-------------┘
                                                             │
                                                             ▼
                                                      ┌─────────────┐
                                                      │ Fraud Alert │
                                                      │ (Blocked)   │
                                                      └─────────────┘

🧠 Core Detection Logic

Example 1: Residential IP Matching

This logic verifies if an ad request originates from an IP address associated with a residential broadband network known to the MVPD. It helps filter out traffic from data centers or VPNs, which are commonly used for bot-driven fraud.

FUNCTION checkResidentialIp(request):
  ip = request.getIpAddress()
  mvpdData = getMvpdDataForIp(ip)

  IF mvpdData.isFound() AND mvpdData.isResidential():
    RETURN "VALID"
  ELSE:
    RETURN "INVALID_IP_SOURCE"
END FUNCTION

Example 2: Geo-Fencing Verification

This logic compares the geographic location of the ad request with the subscriber’s registered service area. A significant mismatch can indicate account sharing violations or more sophisticated fraud, like GPS spoofing, and the request is flagged.

FUNCTION verifyGeoFence(request):
  requestGeo = request.getGeolocation()
  subscriberGeo = getMvpdSubscriberLocation(request.getUserId())

  distance = calculateDistance(requestGeo, subscriberGeo)

  IF distance > MAX_ALLOWED_DISTANCE:
    FLAG "GEO_MISMATCH_FRAUD"
  ELSE:
    PASS
END FUNCTION

Example 3: Concurrent Session Limiting

This heuristic detects fraudulent activity by tracking the number of simultaneous streams tied to a single subscriber account. An unusually high number of concurrent sessions from different locations suggests credential sharing or a compromised account used for generating fake views.

FUNCTION checkConcurrentSessions(request):
  userId = request.getUserId()
  activeSessions = getActiveSessionsForUser(userId)

  IF activeSessions.count() > MAX_CONCURRENT_STREAMS:
    FOR session IN activeSessions:
      logSuspiciousActivity(session, "EXCESSIVE_CONCURRENT_STREAMS")
    RETURN "BLOCK"
  ELSE:
    RETURN "PASS"
END FUNCTION

📈 Practical Use Cases for Businesses

Businesses use Multichannel Video Programming Distributor (MVPD) data primarily to enhance the accuracy of their ad targeting and protect their campaigns from fraud in the CTV and streaming video space. By verifying that ad impressions are served to legitimate subscribers, companies can ensure their advertising budget is spent on real audiences, leading to more reliable campaign analytics and a higher return on ad spend.

• Campaign Shielding – Protects ad campaigns by using MVPD subscriber data to validate that viewers are real people in specific households, blocking bots and other non-human traffic that lack legitimate subscriber credentials.
• Improved Audience Targeting – Enhances targeting precision by leveraging verified demographic and geographic data from MVPDs, ensuring that ads are delivered to the intended audience segments with high accuracy.
• Ensuring Premium Placement – Guarantees that ads are run within brand-safe, premium content environments offered by trusted broadcasters, reducing the risk of association with low-quality or fraudulent inventory.
• Accurate Performance Measurement – Improves the reliability of campaign metrics by filtering out invalid traffic. This provides a clearer understanding of true engagement and conversion rates from real viewers.

Example 1: Geofencing Rule for Local Campaigns

A local auto dealership wants to run a video ad campaign targeting viewers within its designated market area. By using MVPD data, it can ensure ads are only served to subscribers within that specific geographic footprint, blocking views from outside the region.

# Pseudocode for a geofencing rule
IF user.location.zip_code NOT IN target_zip_codes:
  REJECT_AD_REQUEST
ELSE:
  SERVE_AD

Example 2: Session Anomaly Detection

An e-commerce brand notices a high volume of clicks but low conversions from a certain publisher. It implements a rule based on MVPD data to flag accounts with an abnormally high number of viewing sessions across many different devices in a short period, a sign of potential bot activity.

# Pseudocode for session scoring
IF user.session_count > 100 AND user.unique_devices > 20 WITHIN 24_HOURS:
  SCORE_TRAFFIC as "SUSPICIOUS"
  BLOCK_USER_ID
ELSE:
  SCORE_TRAFFIC as "VALID"

🐍 Python Code Examples

This Python code simulates checking an incoming IP address against a known list of MVPD residential IP ranges. This helps in filtering out traffic that originates from data centers, which is a common source of ad fraud.

# Simulated list of residential IP ranges for a specific MVPD
MVPD_IP_RANGES = {
    'comcast': ['73.0.0.0/8', '68.0.0.0/8'],
    'verizon': ['96.224.0.0/11', '100.0.0.0/8']
}

def is_residential_ip(ip_address, mvpd_name):
    """Checks if an IP belongs to an MVPD's residential network."""
    import ipaddress
    if mvpd_name not in MVPD_IP_RANGES:
        return False
    
    for cidr in MVPD_IP_RANGES[mvpd_name]:
        if ipaddress.ip_address(ip_address) in ipaddress.ip_network(cidr):
            return True
    return False

# Example usage
click_ip = "73.120.50.10"
if is_residential_ip(click_ip, 'comcast'):
    print(f"{click_ip} is a valid residential IP.")
else:
    print(f"Flagging {click_ip} as potentially fraudulent.")

This code provides a simple function to detect click fraud based on abnormally high click frequency from a single user ID within a short time frame. Such patterns often indicate automated bot activity rather than genuine user interest.

from collections import defaultdict
import time

CLICK_LOGS = defaultdict(list)
TIME_WINDOW = 60  # seconds
MAX_CLICKS_IN_WINDOW = 5

def detect_click_fraud(user_id):
    """Detects click fraud based on click frequency."""
    current_time = time.time()
    
    # Filter out clicks older than the time window
    CLICK_LOGS[user_id] = [t for t in CLICK_LOGS[user_id] if current_time - t < TIME_WINDOW]
    
    CLICK_LOGS[user_id].append(current_time)
    
    if len(CLICK_LOGS[user_id]) > MAX_CLICKS_IN_WINDOW:
        print(f"Fraud alert: User {user_id} exceeded click limit.")
        return True
    return False

# Example usage
for _ in range(6):
    detect_click_fraud("user-123")

Types of Multichannel Video Programming Distributor MVPD

• Traditional MVPD – This refers to conventional cable and satellite providers that deliver bundled TV channels through physical infrastructure like coaxial cables or satellite dishes. In fraud detection, their subscriber data is highly reliable for verifying household-level viewership.
• Virtual MVPD (vMVPD) – These services stream live and on-demand TV channels over the internet, such as Sling TV or YouTube TV. While more flexible for consumers, vMVPD data can be more complex to use for fraud verification due to the variety of devices and networks used.
• MVPD with TV Everywhere – This model allows subscribers of traditional MVPDs to access content on various digital devices through “TV Everywhere” apps. For fraud detection, this links a traditional, verifiable subscription to digital viewing habits, helping to confirm legitimate users on mobile or web platforms.
• Programmatic MVPD Partnerships – This involves direct integrations between ad-tech platforms and MVPDs to automate the use of subscriber data for real-time ad decisions. This type is critical for scaling fraud detection across large volumes of ad inventory by enriching ad requests with verification data instantly.

How Network Anomaly Detection Works

Incoming Traffic (Clicks, Impressions)
          │
          ▼
+-------------------------+
│ Data Collection & Aggregation │
│ (IP, UA, Timestamps, etc.)  │
+-------------------------+
          │
          ▼
+-------------------------+
│ Baseline Establishment  │
│ (Learning "Normal")     │
+-------------------------+
          │
          ▼
+-------------------------+
│ Real-Time Analysis      │
│ (Comparing vs. Baseline)│
+-------------------------+
          │
          ▼
   ┌──────┴──────┐
Is it an Anomaly?
   └──────┬──────┘
       │
     (Yes)
       │
       ▼
+-------------------------+
│  Mitigation & Action    │
│  (Block, Flag, Alert)   │
+-------------------------+

🧠 Core Detection Logic

Example 1: High-Frequency Click Anomaly

This logic detects when a single user or IP address generates an unusually high number of clicks in a short period. It helps prevent budget drain from automated bots or hyperactive manual fraud by identifying click velocity that deviates from normal human behavior.

// Define thresholds
max_clicks_per_minute = 15
max_clicks_per_hour = 100

// Track clicks per IP
FUNCTION check_ip_frequency(ip_address):
  clicks_minute = get_clicks(ip_address, last_minute)
  clicks_hour = get_clicks(ip_address, last_hour)

  IF clicks_minute > max_clicks_per_minute OR clicks_hour > max_clicks_per_hour THEN
    FLAG_AS_FRAUD(ip_address)
    RETURN true
  END IF

  RETURN false
END FUNCTION

Example 2: Session Behavior Heuristics

This logic analyzes the duration and activity of a user’s session after clicking an ad. Bots often exhibit unnaturally short sessions (click and exit immediately) or have no on-page interaction. This helps filter out non-human traffic that provides no value.

// Define session thresholds
min_session_duration_seconds = 2
max_session_duration_seconds = 3600 // 1 hour
min_mouse_movements = 1

FUNCTION analyze_session(session_data):
  duration = session_data.end_time - session_data.start_time
  mouse_events = session_data.mouse_move_count

  IF duration < min_session_duration_seconds OR mouse_events < min_mouse_movements THEN
    SCORE_AS_SUSPICIOUS(session_data.ip)
  END IF
END FUNCTION

Example 3: Geographic Mismatch Detection

This logic identifies fraud by detecting inconsistencies between a user's IP address location and other signals, such as their browser's timezone or language settings. A mismatch suggests the user may be using a proxy or VPN to disguise their true location, a common tactic in ad fraud.

FUNCTION check_geo_mismatch(click_data):
  ip_location = get_geolocation(click_data.ip) // e.g., "Germany"
  browser_timezone = click_data.timezone // e.g., "America/New_York"

  // Check if timezone is consistent with IP country
  IF is_consistent(ip_location, browser_timezone) == false THEN
    FLAG_AS_ANOMALY(click_data.ip, "Geo Mismatch")
  END IF
END FUNCTION

📈 Practical Use Cases for Businesses

• Campaign Shielding – Network Anomaly Detection automatically blocks invalid traffic from bots and click farms, ensuring that advertising budgets are spent on reaching genuine potential customers, not on fraudulent clicks. This directly protects marketing investments and improves campaign efficiency.
• Data Integrity for Analytics – By filtering out non-human traffic, it ensures that analytics platforms report accurate user engagement metrics. This leads to more reliable data on click-through rates, conversion rates, and user behavior, enabling better strategic decision-making.
• Return on Ad Spend (ROAS) Optimization – It prevents budget leakage on fraudulent activities that will never convert. By ensuring ads are shown to real users, it increases the likelihood of genuine conversions, thereby maximizing the return on ad spend and overall profitability.

- Lead Generation Cleansing - For businesses running lead generation campaigns, it filters out fake form submissions generated by bots. This saves sales teams time and resources by ensuring they only follow up on leads from genuinely interested individuals.

Example 1: Geofencing Rule

This logic prevents clicks from regions outside a campaign's target geography, which can indicate widespread bot or click farm activity. It is a practical way to enforce targeting and reduce exposure to common fraud hotspots.

// Campaign targets USA and Canada
allowed_countries = ["US", "CA"]

FUNCTION enforce_geofence(click):
  click_country = get_country_from_ip(click.ip_address)

  IF click_country NOT IN allowed_countries THEN
    BLOCK_TRAFFIC(click.ip_address)
    LOG_EVENT("Blocked out-of-geo click from " + click_country)
  END IF
END FUNCTION

Example 2: Session Scoring Logic

This pseudocode demonstrates a scoring system that evaluates the quality of a session based on multiple behavioral heuristics. A session with a very low score is flagged as likely fraudulent, allowing for more nuanced detection than a single rule.

FUNCTION score_session_quality(session):
  score = 100 // Start with a perfect score

  // Penalize for short duration
  IF session.duration < 3 seconds THEN
    score = score - 40

  // Penalize for no interaction
  IF session.scroll_events == 0 AND session.mouse_clicks == 0 THEN
    score = score - 50

  // Penalize for data center IP
  IF is_datacenter_ip(session.ip_address) THEN
    score = score - 60

  IF score < 30 THEN
    FLAG_AS_FRAUD(session.ip_address)
  END IF

  RETURN score
END FUNCTION

🐍 Python Code Examples

This Python function demonstrates how to detect abnormal click frequency from a single IP address. It tracks timestamps of clicks and flags an IP if it exceeds a certain number of clicks within a short time window, a common sign of bot activity.

from collections import defaultdict
import time

CLICK_LOGS = defaultdict(list)
TIME_WINDOW_SECONDS = 60
CLICK_THRESHOLD = 20

def is_click_frequency_anomaly(ip_address):
    """Checks if an IP has an abnormally high click frequency."""
    current_time = time.time()
    
    # Add current click timestamp
    CLICK_LOGS[ip_address].append(current_time)
    
    # Filter out old timestamps
    valid_clicks = [t for t in CLICK_LOGS[ip_address] if current_time - t <= TIME_WINDOW_SECONDS]
    CLICK_LOGS[ip_address] = valid_clicks
    
    # Check if click count exceeds threshold
    if len(valid_clicks) > CLICK_THRESHOLD:
        print(f"Anomaly detected for IP: {ip_address} - {len(valid_clicks)} clicks in the last minute.")
        return True
        
    return False

# Simulation
is_click_frequency_anomaly("192.168.1.100") # Returns False
# Simulate 25 rapid clicks
for _ in range(25):
    is_click_frequency_anomaly("192.168.1.101") # Will return True after 21st click

This script filters traffic by analyzing the User-Agent string. It blocks requests from common bot or script identifiers, providing a simple yet effective layer of protection against unsophisticated automated traffic.

import re

SUSPICIOUS_USER_AGENTS = [
    "bot", "crawler", "spider", "headlesschrome", "puppeteer"
]

def is_suspicious_user_agent(user_agent_string):
    """Identifies if a User-Agent string is likely from a bot."""
    ua_lower = user_agent_string.lower()
    for pattern in SUSPICIOUS_USER_AGENTS:
        if re.search(pattern, ua_lower):
            print(f"Suspicious User-Agent detected: {user_agent_string}")
            return True
    return False

# Example Usage
ua_human = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36"
ua_bot = "Mozilla/5.0 (compatible; MyBot/1.0; +http://www.example.com/bot.html)"

is_suspicious_user_agent(ua_human) # Returns False
is_suspicious_user_agent(ua_bot)   # Returns True

Types of Network Anomaly Detection

• Statistical Anomaly Detection - This type uses statistical models to identify outliers. It establishes a baseline of normal traffic behavior using metrics like mean, median, and standard deviation, and then flags data points that fall too far outside this range. It is effective for detecting sudden spikes in traffic or clicks.
• Heuristic-Based Anomaly Detection - This method uses predefined rules and logic based on known fraud characteristics to identify suspicious activity. These rules can target specific patterns, such as user-agent mismatches, clicks from data center IPs, or impossibly fast session times, making it effective against common bot techniques.
• Machine Learning-Based Anomaly Detection - This is the most advanced type, using algorithms like clustering and neural networks to learn complex patterns of normal behavior from vast datasets. It can detect subtle, previously unseen anomalies and adapt to new fraud tactics, offering a more dynamic defense than static rules.
• Signature-Based Detection - This approach looks for specific, known patterns (signatures) associated with malicious activity, such as a known bot's user-agent string or IP address. While very fast and accurate for identified threats, it is ineffective against new, unknown (zero-day) attacks that lack a predefined signature.

How Network Monitoring Systems Works

Incoming Ad Click → [+ INTERCEPTION POINT] → [PACKET-LEVEL ANALYSIS] → [DETECTION LOGIC] → [DECISION ENGINE] → [ACTION]
                             │                     │                    │                   │                │
                             │                     │                    │                   │                └─ ALLOW: Legitimate User
                             │                     │                    │                   │
                             │                     │                    │                   └─ BLOCK/FLAG: Fraudulent User
                             │                     │                    │
                             │                     │                    └─ Apply Rules (IP Blacklists, Signatures, Heuristics)
                             │                     │
                             │                     └─ Extract Features (IP, User Agent, Headers, Timestamp)
                             │
                             └─ Capture raw click/impression request data

🧠 Core Detection Logic

Example 1: Datacenter IP Filtering

This logic identifies traffic originating from servers in datacenters rather than residential or mobile networks. Since legitimate users rarely browse from a server, a datacenter IP is a strong indicator of a bot or proxy server used to mask fraudulent activity. This check is a foundational filter in many traffic protection systems.

FUNCTION is_datacenter_ip(ip_address):
  // Load a database of known datacenter IP ranges
  datacenter_ranges = load_datacenter_database()

  FOR range IN datacenter_ranges:
    IF ip_address is within range:
      RETURN TRUE // Flag as fraudulent
  
  RETURN FALSE // Likely a legitimate user

Example 2: Click Frequency Heuristics

This logic detects non-human behavior by analyzing the timing and frequency of clicks from a single user or IP address. A human user is unlikely to click on the same ad multiple times within a few seconds. This rule flags such rapid, rhythmic patterns as clear signs of an automated script or bot.

// Initialize a data store for click timestamps
CLICK_LOGS = {}

FUNCTION check_click_frequency(user_id, current_time):
  // Set a threshold (e.g., no more than 1 click every 5 seconds)
  TIME_THRESHOLD = 5 // seconds
  
  IF user_id in CLICK_LOGS:
    last_click_time = CLICK_LOGS[user_id]
    time_difference = current_time - last_click_time
    
    IF time_difference < TIME_THRESHOLD:
      RETURN "FRAUDULENT" // Too frequent
  
  // Log the current click time and allow the click
  CLICK_LOGS[user_id] = current_time
  RETURN "LEGITIMATE"

Example 3: Geo Mismatch Detection

This logic flags inconsistencies between a user's stated location and their network-level location. For instance, if a user's browser settings indicate they are in one country, but their IP address originates from another, it could signify the use of a proxy or a deliberate attempt to deceive geo-targeted ad campaigns.

FUNCTION analyze_geo_mismatch(ip_geolocation, browser_timezone):
  // Get expected timezones for the IP's country
  expected_timezones = get_timezones_for_country(ip_geolocation.country)
  
  // Check if browser timezone is consistent with IP location
  IF browser_timezone NOT IN expected_timezones:
    // Mismatch found, increase fraud score
    RETURN "SUSPICIOUS_HIGH_RISK"
  ELSE:
    RETURN "LEGITIMATE"

📈 Practical Use Cases for Businesses

• Campaign Shielding – Prevents ad budgets from being wasted on fake clicks and impressions generated by bots, ensuring that spend is directed toward reaching genuine potential customers.
• Data Integrity – Filters out invalid traffic to provide clean, accurate data for analytics platforms. This allows businesses to make reliable decisions based on true user engagement metrics like click-through and conversion rates.
• Lead Generation Quality – Protects lead-generation forms from being filled out by automated scripts, ensuring that the sales team receives contact information from genuinely interested humans, not bots.
• Return on Ad Spend (ROAS) Optimization – By eliminating wasteful clicks and ensuring ads are served to real people, businesses can significantly improve their ROAS and the overall efficiency of their advertising campaigns.

Example 1: IP Filtering Rule

This pseudocode demonstrates a basic IP blacklist rule. A business can use this to block traffic from IP addresses that have been previously identified in fraudulent activity, protecting campaigns from repeat offenders.

// Define a set of known fraudulent IP addresses
IP_BLACKLIST = {"198.51.100.1", "203.0.113.10", "192.0.2.55"}

FUNCTION process_ad_request(request):
  user_ip = request.get_ip()
  
  IF user_ip IN IP_BLACKLIST:
    block_request("Known fraudulent IP")
  ELSE:
    allow_request()

Example 2: Session Scoring Logic

This logic shows a more sophisticated approach where multiple risk factors are combined to create a session score. A business uses this to make more nuanced decisions, blocking only high-risk traffic while flagging moderate-risk traffic for review, reducing false positives.

FUNCTION calculate_risk_score(session_data):
  score = 0
  
  IF is_datacenter_ip(session_data.ip):
    score += 50
  
  IF has_invalid_user_agent(session_data.user_agent):
    score += 30
    
  IF click_frequency_is_high(session_data.user_id):
    score += 40
    
  RETURN score

FUNCTION handle_traffic(request):
  session_data = extract_data(request)
  risk_score = calculate_risk_score(session_data)
  
  IF risk_score > 80:
    block_traffic()
  ELSE:
    serve_ad()

🐍 Python Code Examples

This Python function simulates checking an incoming IP address against a list of known fraudulent IPs. This is a fundamental technique in click fraud prevention to block traffic from previously identified bad actors or suspicious sources like data centers.

# A predefined set of suspicious IP addresses
SUSPICIOUS_IPS = {
    "198.51.100.15",  # Known data center
    "203.0.113.22",   # Previously flagged for fraud
    "192.0.2.140"     # Proxy server
}

def filter_suspicious_ip(ip_address):
    """Checks if an IP address is in the suspicious list."""
    if ip_address in SUSPICIOUS_IPS:
        print(f"Blocking fraudulent traffic from: {ip_address}")
        return False
    else:
        print(f"Allowing legitimate traffic from: {ip_address}")
        return True

# Simulate incoming traffic
filter_suspicious_ip("8.8.8.8")
filter_suspicious_ip("198.51.100.15")

This code snippet analyzes click timestamps to identify unnaturally high click frequencies from a single user, a strong indicator of bot activity. By tracking the time between clicks, the system can flag and block automated scripts designed to generate fake engagement.

import time

# Dictionary to store the last click time for each user ID
user_click_times = {}
# Set the minimum time allowed between clicks (in seconds)
CLICK_INTERVAL_THRESHOLD = 2 

def is_click_too_frequent(user_id):
    """Detects if clicks from a user are too frequent."""
    current_time = time.time()
    
    if user_id in user_click_times:
        time_since_last_click = current_time - user_click_times[user_id]
        if time_since_last_click < CLICK_INTERVAL_THRESHOLD:
            print(f"Fraudulent click frequency detected for user: {user_id}")
            return True
            
    # Update the last click time for the user
    user_click_times[user_id] = current_time
    print(f"Legitimate click recorded for user: {user_id}")
    return False

# Simulate clicks from a user
is_click_too_frequent("user-123")
time.sleep(1)
is_click_too_frequent("user-123") # This will be flagged as fraudulent

Types of Network Monitoring Systems

• Signature-Based Monitoring – This type identifies fraud by matching incoming traffic against a database of known fraudulent signatures, such as blacklisted IP addresses or specific user-agent strings from bots. It is fast and effective against known threats but struggles with new or evolving fraud tactics.
• Heuristic and Behavioral Analysis – This system uses rules and models of typical human behavior to detect anomalies. It looks for patterns inconsistent with human interaction, like impossibly fast click rates, lack of mouse movement, or unusual traffic patterns, to identify sophisticated bots.
• Anomaly-Based Monitoring – This approach first establishes a baseline of what normal, healthy traffic looks like for a specific campaign or website. It then monitors for any significant deviations from this baseline, allowing it to detect new, previously unseen fraud attacks that don't match any known signatures.
• Hybrid Monitoring – This is the most common and effective type, combining signature-based, heuristic, and anomaly-based methods. By layering these techniques, it provides comprehensive protection that can block known threats instantly while also adapting to identify and stop new and sophisticated forms of ad fraud.

How Network Traffic Analysis Works

Incoming Traffic (User Clicks) → [Data Collection Gateway] → [Real-Time Analysis Engine] ┐
                                                                                   │
                                                   ┌───────────────────────────────┘
                                                   ▼
                                     +-------------------------+
                                     │   Rule-Based Filters    │
                                     │  (IP, UA, Geo-Rules)    │
                                     +-------------------------+
                                                   │
                                                   ▼
                                     +-------------------------+
                                     │  Behavioral Analysis    │
                                     │   (Heuristics, Timing)  │
                                     +-------------------------+
                                                   │
                                                   ▼
                                     +-------------------------+
                                     │     Scoring & Flagging  │
                                     +-------------------------+
                                                   │
                                                   ├─→ [Legitimate Traffic] → Ad Server
                                                   │
                                                   └─→ [Fraudulent Traffic] → Blocked/Logged

🧠 Core Detection Logic

Example 1: IP-Based Anomaly Detection

This logic identifies suspicious activity by tracking click frequency from individual IP addresses. It helps prevent a single source (likely a bot or a click farm) from generating a large volume of fraudulent clicks on a campaign within a short timeframe. It’s a fundamental part of real-time traffic filtering.

// Define tracking variables
IP_CLICK_COUNT = {}
TIME_WINDOW_SECONDS = 60
CLICK_THRESHOLD = 10

FUNCTION onAdClick(request):
  ip = request.get_ip()
  timestamp = now()

  // Initialize IP if not seen before
  IF ip NOT IN IP_CLICK_COUNT:
    IP_CLICK_COUNT[ip] = []

  // Add current click timestamp
  IP_CLICK_COUNT[ip].append(timestamp)

  // Remove clicks outside the time window
  IP_CLICK_COUNT[ip] = [t FOR t IN IP_CLICK_COUNT[ip] IF timestamp - t <= TIME_WINDOW_SECONDS]

  // Check if click count exceeds threshold
  IF length(IP_CLICK_COUNT[ip]) > CLICK_THRESHOLD:
    FLAG_AS_FRAUD(ip, "High Click Frequency")
    BLOCK_REQUEST()
  ELSE:
    ALLOW_REQUEST()

Example 2: User Agent and Header Validation

This logic inspects the user agent (UA) string and other HTTP headers to catch non-standard or mismatched browser information. Bots often use generic, outdated, or inconsistent UA strings. This check helps filter out automated traffic trying to mimic legitimate browsers but failing to replicate a valid device profile.

// Known suspicious or incomplete user agent strings
BLACKLISTED_USER_AGENTS = ["curl/", "python-requests", "Java/1.8", "bot", "spider"]

FUNCTION onAdClick(request):
  ua_string = request.get_header("User-Agent")
  x_forwarded_for = request.get_header("X-Forwarded-For")

  // Rule 1: Block known bad user agents
  FOR blacklisted_ua IN BLACKLISTED_USER_AGENTS:
    IF blacklisted_ua IN ua_string:
      FLAG_AS_FRAUD(request.ip, "Blacklisted User Agent")
      BLOCK_REQUEST()
      RETURN

  // Rule 2: Check for presence of proxy headers
  IF x_forwarded_for IS NOT NULL:
    FLAG_AS_FRAUD(request.ip, "Proxy Detected")
    BLOCK_REQUEST()
    RETURN

  // Rule 3: Check for empty user agent
  IF ua_string IS NULL OR ua_string == "":
    FLAG_AS_FRAUD(request.ip, "Empty User Agent")
    BLOCK_REQUEST()
    RETURN

  ALLOW_REQUEST()

Example 3: Session-Based Timestamp Analysis (Honeypot)

This logic measures the time between when an ad is rendered (page load) and when it is clicked. Humans require a few seconds to process information before clicking, whereas bots can click almost instantaneously. This method acts as a simple “honeypot” to catch automated scripts that interact with ads too quickly.

// Define minimum time required for a legitimate click
MINIMUM_TIME_TO_CLICK_SECONDS = 2.0

FUNCTION onPageLoad():
  // Store the page render time in the user's session
  session.set("page_load_timestamp", now())

FUNCTION onAdClick(request):
  click_timestamp = now()
  load_timestamp = session.get("page_load_timestamp")

  IF load_timestamp IS NULL:
    // This could happen if cookies/session are disabled, handle as needed
    FLAG_AS_SUSPICIOUS(request.ip, "No Load Timestamp")
    ALLOW_REQUEST() // Or block, depending on policy
    RETURN

  time_diff = click_timestamp - load_timestamp

  // Check if the click happened too fast
  IF time_diff < MINIMUM_TIME_TO_CLICK_SECONDS:
    FLAG_AS_FRAUD(request.ip, "Implausible Click Latency (Honeypot)")
    BLOCK_REQUEST()
  ELSE:
    ALLOW_REQUEST()

📈 Practical Use Cases for Businesses

• Campaign Shielding – Real-time analysis of incoming click traffic allows businesses to automatically block known bots and fraudulent IPs before they click on ads. This preserves ad budgets by preventing payment for invalid interactions and ensures that marketing spend is directed toward genuine potential customers.
• Data Integrity for Analytics – By filtering out bot traffic and other forms of ad fraud, network traffic analysis ensures that marketing analytics platforms receive clean data. This leads to more accurate reporting on key metrics like click-through rates, conversion rates, and user engagement, enabling better strategic decisions.
• ROI Optimization – NTA helps improve return on ad spend (ROAS) by reducing wasted expenditure on fraudulent clicks. Advertisers can reallocate the saved budget to more effective channels or target audiences, maximizing the impact of their campaigns and achieving better overall financial performance.
• Geographic Targeting Enforcement – Businesses can use traffic analysis to enforce strict geofencing rules on their ad campaigns. By validating the true location of every click via IP analysis, it prevents budget waste from clicks originating outside the targeted regions, a common issue with VPN or proxy-based fraud.

Example 1: Geofencing and Proxy Detection Rule

This logic ensures that ad clicks only come from the intended target country and are not routed through anonymous proxies, which are often used to disguise a user's true location.

FUNCTION processClick(click_data):
    // List of countries the campaign is targeting
    ALLOWED_COUNTRIES = ["US", "CA", "GB"]

    // Get IP metadata from a geo-IP service
    ip_info = get_ip_details(click_data.ip)

    // Rule 1: Check if IP country is in the allowed list
    IF ip_info.country NOT IN ALLOWED_COUNTRIES:
        BLOCK(click_data, "Geo-Mismatch")
        RETURN

    // Rule 2: Check if the IP is a known proxy or VPN
    IF ip_info.is_proxy == TRUE:
        BLOCK(click_data, "Proxy/VPN Detected")
        RETURN

    // If all checks pass, allow the click
    ACCEPT(click_data)

Example 2: Session Authenticity Scoring

This logic calculates a trust score for each user session based on multiple behavioral and technical signals. Clicks with a low score are flagged as suspicious, helping to filter out sophisticated bots that might evade simpler checks.

FUNCTION calculateSessionScore(session_data):
    score = 100 // Start with a perfect score

    // Penalize for short session duration
    IF session_data.duration < 5: // less than 5 seconds
        score = score - 30

    // Penalize for missing browser fingerprints (e.g., canvas)
    IF session_data.has_canvas_fingerprint == FALSE:
        score = score - 25

    // Penalize for using a known data center IP range
    IF is_datacenter_ip(session_data.ip):
        score = score - 50

    // If score is below a threshold, flag as fraudulent
    IF score < 50:
        FLAG_AS_FRAUD(session_data)
    ELSE:
        FLAG_AS_LEGITIMATE(session_data)

    RETURN score

🐍 Python Code Examples

This Python function simulates checking a batch of incoming click IP addresses against a predefined blocklist. This is a fundamental technique for filtering out traffic from sources that have already been identified as malicious or fraudulent.

# A pre-defined set of fraudulent IP addresses for quick lookups
FRAUDULENT_IPS = {"198.51.100.15", "203.0.113.22", "192.0.2.88"}

def filter_ips(incoming_ips):
    """
    Filters a list of IP addresses, separating them into clean and fraudulent lists.
    """
    clean_traffic = []
    blocked_traffic = []
    for ip in incoming_ips:
        if ip in FRAUDULENT_IPS:
            blocked_traffic.append(ip)
            print(f"Blocking known fraudulent IP: {ip}")
        else:
            clean_traffic.append(ip)
    return clean_traffic, blocked_traffic

# Example usage:
clicks = ["8.8.8.8", "203.0.113.22", "1.1.1.1", "198.51.100.15"]
clean, blocked = filter_ips(clicks)
# clean will be ['8.8.8.8', '1.1.1.1']
# blocked will be ['203.0.113.22', '198.51.100.15']

This code analyzes click timestamps from a single user session to detect abnormally rapid clicking behavior. Bots can often trigger multiple events in milliseconds, a pattern this function identifies to flag the session as automated.

import time

def detect_rapid_clicks(session_clicks, time_threshold_ms=50):
    """
    Analyzes timestamps of clicks in a session to find rapid-fire patterns.
    `session_clicks` is a list of timestamps (e.g., from time.time()).
    """
    if len(session_clicks) < 2:
        return False # Not enough clicks to analyze

    # Sort timestamps to ensure correct order
    session_clicks.sort()

    for i in range(1, len(session_clicks)):
        time_diff_ms = (session_clicks[i] - session_clicks[i-1]) * 1000
        if time_diff_ms < time_threshold_ms:
            print(f"Rapid click detected! Time difference: {time_diff_ms:.2f}ms")
            return True # Fraudulent pattern found
    return False # No rapid clicks found

# Example usage:
human_clicks = [time.time(), time.time() + 2.5, time.time() + 5.1]
bot_clicks = [time.time(), time.time() + 0.03, time.time() + 0.08]

is_human_fraud = detect_rapid_clicks(human_clicks) # Returns False
is_bot_fraud = detect_rapid_clicks(bot_clicks)   # Returns True

Types of Network Traffic Analysis

• Real-Time Packet Inspection – This type involves analyzing data packets as they are transmitted. In ad security, it inspects click data (like IP headers and request payloads) the moment it arrives, allowing for immediate blocking of suspicious requests based on predefined rules before they consume resources or trigger a paid event.
• Session-Based Analysis – Instead of looking at individual packets, this method groups traffic from a single user into a session. It analyzes the behavior over time, such as click velocity, navigation path, and interaction consistency. This is effective at catching sophisticated bots that mimic human-like individual clicks but fail to replicate a coherent session.
• Heuristic and Behavioral Analysis – This approach uses algorithms to identify patterns and anomalies that suggest non-human behavior. It doesn't rely on known signatures but on detecting deviations from a baseline of normal user activity, such as impossibly fast form fills or robotic mouse movements, making it effective against new and evolving threats.
• Signature-Based Detection – This is a more traditional method that compares incoming traffic against a database of known fraud signatures. These signatures can be specific IP addresses, user-agent strings, or device fingerprints associated with past fraudulent activity. It is fast and efficient for blocking known threats but less effective against new attacks.

How Offerwall Works

[User Click] → +-------------------------+ → [Ad Offer]
              |      Offerwall System     |    (Valid)
              +-------------------------+
              | 1. Data Collection      |
              |    (IP, User Agent,     |
              |     Behavior, etc.)     |
              |           ↓             |
              | 2. Analysis Engine      |
              |    (Rules, Heuristics,  |
              |     AI/ML Models)       |
              |           ↓             |
              | 3. Decision Logic       |
              |    (Allow / Block)      |
              └───────────+─────────────┘
                          ↓
                      [Blocked]
                      (Fraud)

🧠 Core Detection Logic

Example 1: IP Reputation and Geolocation Mismatch

This logic checks the incoming click’s IP address against databases of known fraudulent sources, such as data centers, VPNs, or proxy servers, which are often used to mask a bot’s true origin. It also verifies that the user’s reported geographical location matches their IP address location, flagging inconsistencies that suggest cloaking attempts.

FUNCTION check_ip(request):
  ip = request.get_ip()
  location = request.get_geo()

  IF ip.is_in_datacenter_database() THEN
    RETURN "BLOCK"

  IF ip.is_known_proxy_or_vpn() THEN
    RETURN "BLOCK"

  ip_location = get_location_from_ip(ip)
  IF location != ip_location THEN
    RETURN "BLOCK"

  RETURN "ALLOW"

Example 2: Session and Click Frequency Analysis

This heuristic logic analyzes the timing and frequency of clicks to identify non-human patterns. A legitimate user typically has natural delays between actions. In contrast, bots can execute clicks with machine-like speed and regularity. This rule sets thresholds for acceptable click behavior within a given time frame.

FUNCTION check_session_frequency(user_id, timestamp):
  session = get_user_session(user_id)
  clicks = session.get_clicks()

  // Rule: More than 5 clicks in 10 seconds is suspicious
  time_limit = 10_seconds_ago
  recent_clicks = count_clicks_since(clicks, time_limit)

  IF recent_clicks > 5 THEN
    RETURN "BLOCK"

  // Rule: Less than 1 second between consecutive clicks
  last_click_time = session.get_last_click_time()
  IF (timestamp - last_click_time) < 1_second THEN
    RETURN "BLOCK"

  RETURN "ALLOW"

Example 3: Device and User-Agent Fingerprinting

This logic inspects the user agent string and other device parameters (like screen resolution or browser plugins) to create a unique fingerprint. It flags traffic from known bot user agents or detects anomalies, such as a mobile user agent coming from a desktop IP address, which indicates device spoofing.

FUNCTION check_fingerprint(request):
  user_agent = request.get_user_agent()
  platform = request.get_platform() // e.g., Windows, iOS

  IF user_agent.is_in_bot_blocklist() THEN
    RETURN "BLOCK"

  // Contextual Rule: Apple browser on a Windows device is impossible
  IF user_agent.contains("Safari") AND platform == "Windows" THEN
    RETURN "BLOCK"
  
  // Anomaly: Headless browser signature detected
  IF user_agent.contains("HeadlessChrome") THEN
    RETURN "BLOCK"

  RETURN "ALLOW"

📈 Practical Use Cases for Businesses

• Campaign Shielding – Protects PPC campaign budgets by filtering out fake clicks from bots and competitors in real-time, ensuring ad spend is only used for genuine potential customers and maximizing return on ad spend (ROAS).
• Lead Generation Integrity – Ensures that forms and lead-generation funnels are filled by real people, not automated scripts. This improves the quality of sales leads and prevents the waste of sales team resources on fraudulent submissions.
• Analytics Accuracy – By blocking invalid traffic before it hits the website, an Offerwall keeps analytics data clean. This allows businesses to make accurate, data-driven decisions based on real user behavior, not skewed metrics from bot activity.
• Affiliate Fraud Prevention – Monitors traffic from affiliate channels to detect and block fraudulent activity, such as click spamming or injection. This protects advertisers from paying commissions for fake conversions and maintains a fair affiliate program.

Example 1: Geofencing Rule for Local Campaigns

A local business running a geo-targeted campaign can use this logic to automatically block any clicks originating from outside its service area, preventing budget waste on irrelevant traffic from click farms in other countries.

// USE CASE: A New York-based dental clinic advertises locally.
DEFINE RULE geo_fence_nyc:
  WHEN click.geo_country != "USA" 
    OR click.geo_region != "New York"
  THEN ACTION = BLOCK
  LOG "Blocked out-of-region click"

Example 2: Session Scoring for High-Value Keywords

For expensive keywords, this logic assigns a risk score to each click based on multiple factors. Only clicks that score below a certain risk threshold are allowed through, providing stricter protection for the most costly campaign segments.

// USE CASE: Protecting high-cost keywords like "personal injury lawyer"
FUNCTION score_click(click_data):
  risk_score = 0
  
  IF click_data.ip_type == "Data Center" THEN risk_score += 50
  IF click_data.is_vpn == TRUE THEN risk_score += 20
  IF click_data.time_on_page < 2_seconds THEN risk_score += 15
  IF click_data.has_no_mouse_movement == TRUE THEN risk_score += 15

  // Threshold: Any score 50 or higher is blocked
  IF risk_score >= 50 THEN
    RETURN "BLOCK"
  ELSE
    RETURN "ALLOW"
  END

🐍 Python Code Examples

This function simulates checking a click's IP address against a predefined blocklist of known fraudulent IPs. This is a fundamental technique for filtering out traffic from recognized bad actors or data centers.

# A simple set of blocked IP addresses for demonstration
IP_BLOCKLIST = {"203.0.113.1", "198.51.100.45", "203.0.113.2"}

def filter_by_ip(click_ip):
    """
    Checks if an incoming IP address is on the blocklist.
    """
    if click_ip in IP_BLOCKLIST:
        print(f"Blocking fraudulent IP: {click_ip}")
        return False
    else:
        print(f"Allowing valid IP: {click_ip}")
        return True

# --- Simulation ---
filter_by_ip("91.200.12.42")  # Example of a valid IP
filter_by_ip("203.0.113.1") # Example of a blocked IP

This code demonstrates a basic click frequency check to identify suspicious, rapid-fire clicks from a single user ID. Real-world systems use more sophisticated time windows and thresholds to detect automated behavior.

import time

# Store the last click timestamp for each user
user_last_click = {}
# A click is invalid if it's within 2 seconds of the previous one
CLICK_THRESHOLD_SECONDS = 2 

def is_click_too_frequent(user_id):
    """
    Detects abnormally fast clicks from the same user.
    """
    current_time = time.time()
    
    if user_id in user_last_click:
        time_since_last_click = current_time - user_last_click[user_id]
        if time_since_last_click < CLICK_THRESHOLD_SECONDS:
            print(f"User {user_id}: Fraudulent rapid click detected.")
            return True
            
    user_last_click[user_id] = current_time
    print(f"User {user_id}: Valid click timing.")
    return False

# --- Simulation ---
is_click_too_frequent("user-123")
time.sleep(1)
is_click_too_frequent("user-123") # This one will be flagged as too frequent

Types of Offerwall

• Pre-Bid Offerwall – This type operates within programmatic advertising auctions. It analyzes traffic signals before a bid is even placed, filtering out fraudulent impressions and ensuring that ad spend is only used on viewable, human-verified placements.
• Post-Click (or Pre-Redirect) Offerwall – This is the most common type for PPC campaigns. It analyzes a click after it has occurred but before the user is redirected to the advertiser's landing page, blocking invalid traffic in real-time.
• Behavioral Offerwall – This variation focuses heavily on user behavior analysis, such as mouse movements, scroll patterns, and keystroke dynamics. It aims to differentiate between legitimate human interactions and the sophisticated mimicry of modern bots.
• Contextual Offerwall – This type uses rules based on the context of the click. For example, it might block traffic from locations that do not match the campaign's target audience or flag clicks from incompatible device-browser combinations.
• Hybrid Offerwall – A hybrid system combines multiple detection methods, such as rule-based filtering, behavioral analysis, and machine learning models. This layered approach provides more robust and adaptive protection against evolving fraud tactics.

How Open Real Time Bidding OpenRTB Works

USER VISIT
    │
    ▼
PUBLISHER'S SITE/APP
    │
    └─ Ad Slot Available
    │
    ▼
AD EXCHANGE / SSP
    │
    ├─ Creates Bid Request (User, Device, Ad Info)
    │
    ▼
MULTIPLE DSPs (ADVERTISERS)
    │
    ├─ +--[FRAUD DETECTION FILTER]--+
    │  │  - IP/User Agent Analysis   │
    │  │  - Geo/Behavioral Checks    │
    │  │  - ads.txt/sellers.json     │
    │  +----------------------------+
    │
    ├─ Filtered Traffic -> Bids Placed
    │
    ▼
AD EXCHANGE (AUCTION)
    │
    └─ Highest Bid Wins
    │
    ▼
WINNING AD IS SERVED
    │
    ▼
USER

🧠 Core Detection Logic

Example 1: Invalid Seller Verification via ads.txt

This logic checks if the seller of the ad inventory is authorized by the publisher. It parses the OpenRTB bid request to find the publisher’s domain and the seller’s ID, then compares it against the publisher’s public ads.txt file. It prevents domain spoofing and unauthorized inventory reselling.

FUNCTION is_seller_authorized(bid_request):
  publisher_domain = bid_request.site.domain
  seller_id = bid_request.source.seller_id
  
  adstxt_file = fetch_adstxt(publisher_domain)
  
  IF adstxt_file IS NOT found:
    RETURN REJECT // Fail-safe
  
  FOR each line IN adstxt_file:
    IF line.seller_id == seller_id:
      RETURN ALLOW
      
  RETURN REJECT // Seller not found in ads.txt

Example 2: Bot Detection via User Agent Analysis

This logic inspects the User-Agent (UA) string provided in the bid request. It flags UAs that are known to be used by data center servers, headless browsers, or outdated clients, which are common indicators of non-human traffic. This helps filter out simple bots before bidding.

FUNCTION check_user_agent(bid_request):
  user_agent = bid_request.device.ua
  
  known_bot_signatures = ["HeadlessChrome", "PhantomJS", "dataprovider", "Googlebot-Image"]
  
  IF user_agent IS NULL or user_agent IS EMPTY:
    RETURN "suspicious"
    
  FOR signature IN known_bot_signatures:
    IF signature IN user_agent:
      RETURN "bot"
      
  // Additional checks for outdated browser versions can be added here
  
  RETURN "human"

Example 3: Geo Mismatch Detection

This rule checks for inconsistencies between the user’s IP address location and the location data provided in the device object of the bid request. A significant mismatch can indicate that the location data is being spoofed to inflate the value of the impression for advertisers targeting specific regions.

FUNCTION verify_geo_data(bid_request):
  ip_address = bid_request.device.ip
  device_country = bid_request.device.geo.country
  
  ip_country = lookup_ip_location(ip_address)
  
  IF ip_country != device_country:
    // Log discrepancy for further analysis
    // Can add tolerance for proxy usage or minor inaccuracies
    RETURN REJECT
    
  RETURN ALLOW

📈 Practical Use Cases for Businesses

• Campaign Shielding – Protect advertising budgets by using OpenRTB data to pre-emptively block bids on traffic from known botnets, data centers, or fraudulent publishers. This ensures ad spend is focused on reaching real human users.
• Data Integrity – Improve the accuracy of marketing analytics and conversion tracking. By filtering out non-human traffic at the source, businesses ensure that metrics like CTR and conversion rates reflect genuine user engagement, leading to better optimization decisions.
• Return on Ad Spend (ROAS) Improvement – Increase ROAS by avoiding wasted impressions on fraudulent inventory. OpenRTB allows advertisers to verify sellers via ads.txt and sellers.json, ensuring they only bid on legitimate, authorized ad placements that have a higher chance of converting.
• Brand Safety Enforcement – Use data within the bid request, such as page URL and content categories, to prevent ads from appearing on undesirable or inappropriate websites. This protects brand reputation and ensures ads are shown in a contextually relevant environment.

Example 1: Geofencing Rule

A retail business wants to ensure its local ad campaign only targets users within a specific country. This pseudocode rejects any bid request where the device’s IP address is not from the target country, preventing budget waste on irrelevant impressions.

FUNCTION apply_geofencing(bid_request, target_country):
  ip_address = bid_request.device.ip
  
  // Use a geo-IP service to find the country
  request_country = get_country_from_ip(ip_address)
  
  IF request_country == target_country:
    RETURN "ALLOW_BID"
  ELSE:
    RETURN "REJECT_BID"

Example 2: Session Scoring Rule

An e-commerce platform wants to identify and block users generating an unnaturally high number of ad requests in a short time, a sign of bot activity. This logic scores sessions based on request frequency and blocks bids to high-scoring (suspicious) device IDs.

FUNCTION score_session_activity(device_id, timestamp):
  // Assumes a cache 'session_data' stores recent activity
  
  current_time = timestamp
  
  IF device_id NOT IN session_data:
    session_data[device_id] = {"requests": 1, "first_seen": current_time}
    RETURN "LOW_SCORE"
  
  session_data[device_id].requests += 1
  time_diff = current_time - session_data[device_id].first_seen
  
  // Example: more than 10 requests in 60 seconds is suspicious
  IF session_data[device_id].requests > 10 AND time_diff < 60:
    RETURN "HIGH_SCORE_BLOCK"
    
  RETURN "NORMAL_SCORE"

🐍 Python Code Examples

This function checks an IP address from a bid request against a blocklist of known fraudulent IPs. Maintaining such a list is a fundamental step in filtering out traffic from data centers and known bad actors.

# A set of known fraudulent IP addresses
FRAUDULENT_IPS = {"192.168.1.101", "10.0.0.54", "203.0.113.12"}

def filter_by_ip_blocklist(bid_request):
    """
    Checks if the device IP in a bid request is in a known fraud blocklist.
    """
    device_ip = bid_request.get("device", {}).get("ip")
    if device_ip in FRAUDULENT_IPS:
        print(f"Blocking bid from fraudulent IP: {device_ip}")
        return False
    return True

# Example bid request snippet
bid_req = {"device": {"ip": "203.0.113.12"}}
is_traffic_clean = filter_by_ip_blocklist(bid_req)

This code analyzes bid requests to detect abnormal click frequency from a single device, which is a strong indicator of bot activity or click farms. It tracks the number of requests per device ID within a time window to identify suspicious patterns.

from collections import defaultdict
import time

# In a real system, this would be a distributed cache like Redis
request_counts = defaultdict(list)
TIME_WINDOW = 60  # seconds
REQUEST_THRESHOLD = 20 # max requests per window

def detect_high_frequency_requests(device_id):
    """
    Flags a device ID if it exceeds a request threshold within a time window.
    """
    current_time = time.time()
    
    # Remove timestamps outside the window
    request_counts[device_id] = [t for t in request_counts[device_id] if current_time - t < TIME_WINDOW]
    
    # Add current request timestamp
    request_counts[device_id].append(current_time)
    
    if len(request_counts[device_id]) > REQUEST_THRESHOLD:
        print(f"High frequency detected for device: {device_id}")
        return True # Indicates fraud
    return False

# Simulate requests
device_a = "aa11-bb22-cc33"
for _ in range(25):
    detect_high_frequency_requests(device_a)

Types of Open Real Time Bidding OpenRTB

• `ads.txt` and `app-ads.txt` Integration - These are not types of OpenRTB, but critical supporting standards. Publishers list authorized sellers in a public text file. Bidders use OpenRTB to get the seller's information and cross-verify it with the ads.txt file, preventing unauthorized inventory sales and domain spoofing.
• `sellers.json` and SupplyChain Object - Sellers.json is a file where SSPs and exchanges list the sellers they represent. The SupplyChain Object is passed within the OpenRTB bid request and provides a full view of all intermediaries involved in the ad transaction. Together, they provide end-to-end transparency, helping buyers identify and block fraudulent paths.
• `user.ext` and `device.ext` for Custom Signals - The OpenRTB protocol allows for extension objects (`ext`). Ad tech vendors can use these to pass proprietary anti-fraud signals, such as traffic quality scores or bot likelihood percentages, directly within the bid request. This enables more sophisticated, custom filtering logic.
• Encrypted Signals (`ads.cert`) - Part of newer OpenRTB specifications, `ads.cert` introduced a method for cryptographically signing bid requests. This authenticates the inventory and ensures that data within the bid request, like the domain or user ID, has not been tampered with by intermediaries in the supply chain.

How Organic install Works

User Action Flow:
[User] → App Store → [App Download] → [First Open]
   │
   │
   └─ No preceding ad click within attribution window

Verification & Attribution Pipeline:
[Install Event] → Attribution System → +----------------------+
                                      │  Check for Ad        │
                                      │  Interaction History │
                                      +----------------------+
                                                │
                                       ┌────────┴────────┐
                                 [Interaction Found]  [No Interaction]
                                       │                   │
                                 Non-Organic        Organic Install

🧠 Core Detection Logic

Example 1: Click-to-Install Time (CTIT) Analysis

This logic analyzes the time duration between an ad click and the app’s first launch. Unusually short or long CTIT values are strong indicators of fraud. For instance, a CTIT of less than 10 seconds might signal click injection, where a fake click is fired just as an organic install completes. This helps differentiate legitimate paid traffic from hijacked organic installs.

FUNCTION analyze_ctit(click_timestamp, install_timestamp):
  ctit_duration = install_timestamp - click_timestamp

  IF ctit_duration < 10 SECONDS:
    RETURN "Potential Click Injection"
  ELSE IF ctit_duration > 24 HOURS:
    RETURN "Potential Click Spamming"
  ELSE:
    RETURN "Normal CTIT"

Example 2: New Device Rate Monitoring

This logic tracks the percentage of installs coming from new devices that have never been seen before. Fraudsters often use device farms or emulators that constantly reset device IDs to appear as new users. A sudden, unexplained spike in the new device rate, especially when correlated with a specific traffic source, suggests fraudulent activity like bot-driven installs intended to mimic organic traffic.

FUNCTION check_new_device_rate(traffic_source, daily_installs):
  new_devices = COUNT(install for install in daily_installs if install.is_new_device)
  total_devices = COUNT(daily_installs)
  new_device_rate = (new_devices / total_devices) * 100

  IF new_device_rate > HISTORICAL_AVERAGE * 1.5:
    ALERT("Suspiciously high new device rate from " + traffic_source)
    RETURN "High Risk"
  ELSE:
    RETURN "Low Risk"

Example 3: Geographic Mismatch Detection

This logic cross-references the geographic location of the ad click with the location of the app install. While minor discrepancies are normal (e.g., due to VPN use), significant or patterned mismatches are red flags. For example, if a click originates from one country and the install consistently occurs in another moments later, it may indicate a proxy server or botnet attempting to disguise its origin.

FUNCTION verify_geo_mismatch(click_geo, install_geo):
  IF click_geo != install_geo:
    // Log the mismatch for pattern analysis
    LOG_EVENT("Geo Mismatch Detected", click_geo, install_geo)

    // Check against known fraud patterns or large distance disparities
    IF IS_HIGH_RISK_GEO_PAIR(click_geo, install_geo):
      RETURN "Fraudulent Geo Mismatch"
    ELSE:
      RETURN "Potential Geo Mismatch"
  ELSE:
    RETURN "Geo Match"

📈 Practical Use Cases for Businesses

• Campaign Budget Shielding – By identifying and filtering out fraudulent non-organic traffic that mimics organic behavior, businesses protect their ad spend from being wasted on fake installs and ensure budgets are allocated to channels that deliver real, incremental users.
• Data Integrity for Analytics – A clear distinction between true organic and paid installs ensures that marketing analytics are accurate. This allows businesses to make reliable, data-driven decisions about product development, user experience, and future marketing strategies based on genuine user behavior.
• Improved Return on Ad Spend (ROAS) – Eliminating organic poaching and attribution fraud prevents paid channels from taking credit for free organic installs. This leads to a more accurate calculation of ROAS, helping marketers identify and invest in truly effective advertising partners.
• Optimizing User Acquisition (UA) Funnels – Understanding the baseline organic install rate helps businesses measure the true “uplift” from their paid campaigns. This insight enables them to optimize UA strategies and balance paid and organic efforts for sustainable growth.

Example 1: IP Address Blacklisting Rule

This logic is used to block traffic from IP addresses known to be associated with data centers, VPNs, or botnets, which are often used to generate fake installs. By maintaining a dynamic blacklist, businesses can preemptively block a significant source of invalid traffic from contaminating their attribution data.

PROCEDURE block_suspicious_ips(request):
  ip_address = request.get_ip()
  
  // KNOWN_FRAUDULENT_IPS is a constantly updated list
  IF ip_address IN KNOWN_FRAUDULENT_IPS:
    // Reject the click or install attribution
    REJECT_REQUEST("IP address is blacklisted")
  ELSE:
    // Process the request normally
    PROCEED_WITH_ATTRIBUTION(request)

Example 2: Session Heuristics Scoring

This logic assesses the authenticity of an install by scoring user behavior immediately post-install. It checks for human-like patterns, such as normal time intervals between actions and expected screen navigation. A session with unnaturally fast, repetitive, or non-existent interactions receives a high fraud score and is flagged for review, helping to weed out automated bots.

FUNCTION score_session_behavior(session_events):
  fraud_score = 0
  
  IF session_events.count < 2 OR session_events.duration < 5 SECONDS:
    fraud_score += 30 // Too short, likely a bot
    
  IF has_unnatural_event_timing(session_events):
    fraud_score += 40 // Events fired too quickly
    
  IF has_no_user_interaction(session_events):
    fraud_score += 30 // No touches or scrolls
    
  RETURN fraud_score

🐍 Python Code Examples

This Python function simulates the detection of click spamming by checking for an unusually high frequency of clicks from a single IP address within a short time frame. This helps identify non-human, automated behavior designed to steal credit for organic installs.

# In-memory store for tracking click counts per IP
CLICK_RECORDS = {}
from collections import defaultdict
import time

# Use defaultdict to simplify initialization
CLICK_RECORDS = defaultdict(lambda: {"timestamps": []})
TIME_WINDOW_SECONDS = 60
CLICK_THRESHOLD = 15

def is_click_spam(ip_address):
    """Checks if an IP address is generating an abnormally high number of clicks."""
    current_time = time.time()
    
    # Get timestamps for the given IP
    ip_data = CLICK_RECORDS[ip_address]
    
    # Filter out timestamps older than the time window
    recent_timestamps = [t for t in ip_data["timestamps"] if current_time - t <= TIME_WINDOW_SECONDS]
    
    # Add the current click's timestamp
    recent_timestamps.append(current_time)
    
    # Update the record for the IP
    CLICK_RECORDS[ip_address]["timestamps"] = recent_timestamps
    
    # Check if the number of recent clicks exceeds the threshold
    if len(recent_timestamps) > CLICK_THRESHOLD:
        print(f"ALERT: High frequency of clicks from IP {ip_address}")
        return True
        
    return False

# Example usage:
# is_click_spam("192.168.1.100") -> False
# ... many more calls from the same IP in a minute ...
# is_click_spam("192.168.1.100") -> True

This code filters incoming traffic by examining the User-Agent string. It blocks requests from known bot signatures or from headless browsers that are commonly used in fraudulent activities, ensuring that only traffic from legitimate user devices is processed.

# List of known bot signatures found in User-Agent strings
BOT_SIGNATURES = ["bot", "spider", "headless", "puppeteer"]

def filter_suspicious_user_agents(user_agent_string):
    """Filters out requests with suspicious User-Agent strings."""
    ua_lower = user_agent_string.lower()
    
    for signature in BOT_SIGNATURES:
        if signature in ua_lower:
            print(f"BLOCK: Suspicious User-Agent detected: {user_agent_string}")
            return True # Indicates a suspicious agent
            
    return False # Indicates a legitimate agent

# Example usage:
# filter_suspicious_user_agents("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36") -> False
# filter_suspicious_user_agents("My-Awesome-Bot/1.0") -> True
# filter_suspicious_user_agents("Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/90.0.4430.212 Safari/537.36") -> True

Types of Organic install

• True Organic Install
  This is a baseline install where a user finds and downloads an app without any influence from paid ads. They act on genuine interest, typically discovering the app via app store browsing, search, or word-of-mouth. This type is the most valuable for user quality and is what fraudsters try to imitate or claim credit for.
• Organic Reattribution
  This occurs when a fraudulent non-organic install is identified and corrected by a fraud detection system. The system rejects the fraudulent attribution and reassigns the install as organic, ensuring clean data and preventing payment for a stolen user. This is a corrective classification that restores data integrity.
• Organic Poaching/Hijacking
  This is not a true organic install but a form of fraud where a malicious actor takes credit for one. Through methods like click spamming or click injection, they create a fake ad interaction just before or during an organic installation, effectively "poaching" it to receive a payout for a user they didn't acquire.
• Attribution Window Mismatch
  An install is classified as organic if a user interacts with an ad but installs the app after the attribution window has closed. For example, if the window is 7 days and the install happens on day 8, it is considered organic because it falls outside the timeframe where the ad is credited with influencing the action.