Archives: Glossary Terms

How Retail media networks Works

Ad Request from User → Retail Media Network → +---------------------------+
                                          |   Fraud Detection Layer   |
                                          +---------------------------+
                                                       |
                                                       ├─ Legitimate Traffic → Ad Served to User
                                                       |
                                                       └─ Fraudulent Traffic → Blocked & Logged

🧠 Core Detection Logic

Example 1: Cross-Referencing with Purchase History

This logic checks if a user associated with an ad click has a history of making purchases. A consistent record of buying products is a strong signal of a legitimate human shopper, whereas a high volume of ad clicks from users with no purchase history is a significant red flag for bot activity.

FUNCTION verifyClickByPurchase(clickEvent)
  userID = clickEvent.getUserID()
  userPurchaseHistory = queryRetailDB(userID, "purchases")

  IF userPurchaseHistory.hasTransactions() == TRUE
    RETURN "VALID_CLICK"
  ELSE
    // User has never bought anything; apply further scrutiny
    IF isSuspicious(clickEvent.getBehavior())
      RETURN "FRAUDULENT_CLICK"
    END IF
  END IF
  RETURN "UNKNOWN"
END FUNCTION

Example 2: On-Site Behavior Validation

This method validates an ad click by analyzing the user’s broader session activity on the retailer’s site. A click is considered more legitimate if it is preceded by relevant user-initiated actions, like using the search bar, browsing related categories, or adding items to the cart. Clicks without any prior engagement are suspicious.

FUNCTION checkOnsiteEngagement(session)
  adClicks = session.countAdClicks()
  organicActions = session.countOrganicActions() // e.g., search, category view

  // Penalize sessions with ad clicks but no other meaningful interactions
  IF adClicks > 0 AND organicActions == 0
    session.setFraudScore(0.9) // High probability of fraud
    RETURN FALSE
  END IF

  // Reward sessions where browsing precedes ad clicks
  IF session.getTimeToFirstAdClick() > 30 // seconds
    session.setFraudScore(0.1) // Low probability of fraud
    RETURN TRUE
  END IF

  RETURN TRUE
END FUNCTION

Example 3: Loyalty Program Membership Check

This logic prioritizes traffic from users enrolled in the retailer’s loyalty program. Since enrollment requires verifiable personal information, loyalty members are considered high-confidence, pre-vetted customers. This allows the system to fast-track their traffic while focusing resources on analyzing unknown users.

FUNCTION assessTrafficByLoyalty(request)
  userID = request.getUserID()
  isMember = isLoyaltyMember(userID)

  IF isMember == TRUE
    request.setTrafficQuality("PREMIUM_VERIFIED")
    // Minimal fraud checks needed
    RETURN "VERIFIED_USER"
  ELSE
    request.setTrafficQuality("STANDARD_UNVERIFIED")
    // Proceed with full fraud analysis pipeline
    RETURN "UNVERIFIED_USER"
  END IF
END FUNCTION

📈 Practical Use Cases for Businesses

• Campaign Shielding – Protect advertising budgets by using first-party purchase data to ensure ads are served only to verified, human shoppers, not automated bots.
• ROAS Optimization – Improve Return on Ad Spend (ROAS) by filtering out fraudulent traffic, which ensures that performance metrics reflect genuine customer engagement and purchases.
• Clean Analytics – Achieve more accurate campaign reporting and analytics by removing the “noise” of invalid clicks and impressions, leading to better strategic decisions.
• Supply Chain-Informed Advertising – Link ad serving to real-time inventory levels to prevent advertising products that are out of stock, which protects user experience and avoids wasted ad spend.

Example 1: IP Filtering Rule for Data Centers

Retailers can dramatically reduce bot traffic by blocking IP addresses known to belong to data centers and cloud computing networks, as legitimate residential shoppers do not use these services. This rule proactively stops a major source of automated fraud before it can impact campaigns.

FUNCTION handleRequest(request)
  ipAddress = request.getIP()
  
  IF isDataCenterIP(ipAddress)
    // Block traffic originating from known server farms, not consumer ISPs
    blockRequest(request, "Reason: Data Center IP")
    RETURN
  END IF

  serveAd(request)
END FUNCTION

Example 2: Session Scoring Based on Engagement

This logic scores a user’s session quality based on the depth of their interaction. A session with activities like searching, filtering, and viewing multiple pages gets a high score, while a session with only a single page view and an ad click gets a low score and is flagged as suspicious.

FUNCTION scoreSession(session)
  score = 0
  IF session.getPagesViewed() > 2
    score += 10
  END IF
  IF session.usedSearch() == TRUE
    score += 15
  END IF
  IF session.getDuration() < 5 // seconds
    score -= 20
  END IF

  IF score < 5
    flagSessionForReview(session.id)
  END IF
  
  RETURN score
END FUNCTION

🐍 Python Code Examples

This Python function simulates checking for abnormal click frequency. It tracks clicks per user ID within a short time window and flags users who exceed a reasonable threshold, a common indicator of automated bot behavior rather than genuine customer interest.

from collections import defaultdict
import time

CLICK_TIMESTAMPS = defaultdict(list)
TIME_WINDOW = 60  # seconds
MAX_CLICKS_PER_WINDOW = 5

def is_click_fraudulent(user_id):
    """Flags a user if they click too frequently in a given time window."""
    current_time = time.time()
    
    # Remove old timestamps outside the window
    CLICK_TIMESTAMPS[user_id] = [t for t in CLICK_TIMESTAMPS[user_id] if current_time - t < TIME_WINDOW]
    
    # Add the new click timestamp
    CLICK_TIMESTAMPS[user_id].append(current_time)
    
    # Check if the number of clicks exceeds the limit
    if len(CLICK_TIMESTAMPS[user_id]) > MAX_CLICKS_PER_WINDOW:
        print(f"Fraud Warning: User {user_id} exceeded click frequency limits.")
        return True
        
    return False

# Simulation
print(is_click_fraudulent("user-123"))  # False
# ... 5 more rapid clicks from user-123
print(is_click_fraudulent("user-123"))  # True

This code provides a simple filter to identify suspicious user agents. Many bots use generic or non-standard user-agent strings, and this function checks an incoming request against a list of common bot identifiers while allowing known, legitimate browser agents.

def is_suspicious_user_agent(user_agent_string):
    """Identifies requests from known bot-like or outdated user agents."""
    suspicious_signatures = ["bot", "spider", "headlesschrome", "dataprovider"]
    legitimate_browsers = ["Mozilla/", "Chrome/", "Safari/", "Edge/"]
    
    ua_lower = user_agent_string.lower()
    
    for signature in suspicious_signatures:
        if signature in ua_lower:
            return True
            
    # Also flag if it doesn't look like a standard browser
    if not any(browser in user_agent_string for browser in legitimate_browsers):
        return True
        
    return False

# Simulation
ua_bot = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
ua_human = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36"

print(f"Bot check: {is_suspicious_user_agent(ua_bot)}")      # True
print(f"Human check: {is_suspicious_user_agent(ua_human)}")  # False

Types of Retail media networks

• On-Site RMNs

  These networks serve ads exclusively on the retailer's own digital properties, such as its website and app. They offer the strongest fraud protection because they have direct, real-time access to a user's complete on-site behavior and purchase history for verification.

• Off-Site Extension RMNs

  These networks use the retailer's first-party data to target ads to the same shoppers on other platforms across the open internet. Fraud detection is more challenging as they lose direct visibility of the user's behavior, making them more reliant on data matching and the security of their media partners.

• In-Store Digital RMNs

  This type involves digital screens and interactive kiosks within physical retail locations. Fraud here is less about bots and more about ensuring ads are actually displayed correctly and that impression counts are valid, which may be verified using sensors or computer vision analytics.

• Hybrid RMNs

  These networks offer a combination of on-site, off-site, and in-store advertising opportunities. From a fraud perspective, they must manage a complex mix of risks, applying robust on-site verification while also relying on partner controls and audits for their off-site and in-store inventory.

How Retention Rate Works

+---------------------+      +----------------------+      +---------------------+      +-----------------+
|   Incoming Traffic  |----->|   Data Collection    |----->|  Retention Analysis |----->|  Action & Filter  |
| (Clicks, Installs)  |      |  (IP, Device, Time)  |      | (Compare Cohorts)   |      | (Block/Flag IP) |
+---------------------+      +----------------------+      +---------------------+      +-----------------+
           ^                           │                           │                           │
           │                           ▼                           ▼                           ▼
           └───────────────────────────┴───────────┬───────────────┴───────────────────────────┘
                                                   │
                                     +--------------------------+
                                     |   Monitoring & Feedback  |
                                     +--------------------------+

🧠 Core Detection Logic

Example 1: Source-Based Retention Anomaly

This logic compares the retention rate of a specific traffic source against a baseline established from known-good sources (like organic traffic). If a source’s retention falls dramatically below the baseline, its traffic is flagged as suspicious. This is effective for identifying low-quality publishers or affiliate fraud.

// Define baseline and threshold
BASELINE_D7_RETENTION = 0.20  // 20% Day 7 retention for organic users
FRAUD_THRESHOLD = 0.05      // 5% Day 7 retention is suspiciously low

FUNCTION check_source_retention(source_id):
  source_retention_d7 = get_day7_retention(source_id)

  IF source_retention_d7 < FRAUD_THRESHOLD:
    FLAG_AS_FRAUD(source_id)
    LOG "Source ID " + source_id + " has abnormally low retention: " + source_retention_d7
  ELSEIF source_retention_d7 < (BASELINE_D7_RETENTION / 2):
    FLAG_FOR_REVIEW(source_id)
    LOG "Source ID " + source_id + " has suspicious retention: " + source_retention_d7
  END

Example 2: Rapid Retention Drop-Off Rule

This rule identifies cohorts of users that show a near-total drop-off in activity immediately after the first day. Legitimate users may churn, but a 99-100% churn rate after Day 1 is a classic sign of bot traffic that only fakes the initial install or click and never returns.

// Check for immediate churn after Day 1
FUNCTION check_retention_cliff(cohort_data):
  day1_retention = cohort_data.get_retention('day1')
  day3_retention = cohort_data.get_retention('day3')

  // If Day 1 retention is present but Day 3 is nearly zero, flag it.
  IF day1_retention > 0.10 AND day3_retention < 0.01:
    MARK_COHORT_AS_FRAUD(cohort_data.id)
    LOG "Cohort " + cohort_data.id + " shows a severe retention cliff."
  END

Example 3: Geo-Retention Mismatch

This logic flags traffic where the geographic location of clicks does not match the expected user retention behavior for that region. For instance, if a campaign targets the US but the retained users are primarily from a known click farm location, it indicates fraudulent activity.

// Check if retained users' geo matches campaign target geo
FUNCTION validate_geo_retention(campaign, retained_users):
  target_geo = campaign.target_country
  retained_geo_distribution = get_geo_distribution(retained_users)

  // Calculate percentage of retained users from outside the target country
  off_target_retention_percent = 0
  FOR country, percentage IN retained_geo_distribution.items():
    IF country != target_geo:
      off_target_retention_percent += percentage
    END
  END

  // If over 50% of retained users are from the wrong country, it's fraud.
  IF off_target_retention_percent > 0.50:
    FLAG_CAMPAIGN_AS_SUSPICIOUS(campaign.id)
    LOG "Campaign " + campaign.id + " has significant geo-retention mismatch."
  END

📈 Practical Use Cases for Businesses

• Campaign Shielding – Automatically block traffic sources with consistently poor retention rates, preventing ad spend from being wasted on publishers who deliver fake or non-engaging users.
• Budget Optimization – Reallocate advertising funds from low-retention channels to high-retention channels, improving the overall return on ad spend (ROAS) and acquiring more valuable, long-term users.
• Publisher Quality Score – Create an internal scoring system for ad networks and publishers based on their historical retention data. This helps in negotiating better terms and partnering only with high-quality traffic providers.
• Analytics Integrity – By filtering out non-human traffic, businesses ensure their user behavior data (like session duration and conversion rates) is accurate. This leads to better product decisions and more reliable marketing insights.

Example 1: Automated Publisher Blocking Rule

This pseudocode defines a rule that continuously monitors publisher performance. If a publisher's 7-day retention rate drops below a critical threshold for a specified number of days, it is automatically added to a blocklist to protect the ad budget.

// Rule to auto-block consistently underperforming publishers
PUBLISHER_ID = "pub-12345"
MIN_RETENTION_THRESHOLD = 0.03  // 3% Day 7 Retention
DAYS_TO_MONITOR = 5

FUNCTION monitor_publisher_retention(publisher_id):
  underperforming_days = 0
  FOR day FROM 1 TO DAYS_TO_MONITOR:
    retention = get_d7_retention(publisher_id, today() - day)
    IF retention < MIN_RETENTION_THRESHOLD:
      underperforming_days += 1
    END
  END

  IF underperforming_days >= DAYS_TO_MONITOR:
    BLOCK_PUBLISHER(publisher_id)
    NOTIFY_ADMIN("Publisher " + publisher_id + " blocked due to poor retention.")
  END

Example 2: High-Value User Segment Analysis

This logic focuses on the retention of users who perform a high-value action, such as a purchase or subscription. It checks if traffic sources that claim to deliver converting users also show reasonable retention for those specific users. A lack of retention indicates attribution fraud.

// Check retention of users who made a purchase
FUNCTION check_purchaser_retention(source_id):
  // Get users from source_id who made a purchase
  purchasers = get_users_with_event(source_id, 'purchase')

  // Check if these purchasers are retained after 7 days
  retained_purchasers = count_retained_users(purchasers, 7)
  retention_rate = retained_purchasers / count(purchasers)

  // If less than 10% of purchasers from this source return, it's likely attribution fraud
  IF retention_rate < 0.10:
    FLAG_SOURCE_FOR_ATTRIBUTION_FRAUD(source_id)
    LOG "Source " + source_id + " has low retention among claimed purchasers."
  END

🐍 Python Code Examples

This Python function simulates checking the retention rates of different traffic sources from a dictionary. It identifies and returns sources that fall below a specified fraud threshold, demonstrating a basic way to flag low-quality publishers.

def check_source_retention(traffic_data, fraud_threshold=0.05):
    """
    Identifies traffic sources with retention rates below a fraud threshold.
    
    :param traffic_data: dict, where keys are source_ids and values are retention rates.
    :param fraud_threshold: float, the retention rate below which a source is flagged.
    :return: list, of fraudulent source_ids.
    """
    fraudulent_sources = []
    for source_id, retention_rate in traffic_data.items():
        if retention_rate < fraud_threshold:
            fraudulent_sources.append(source_id)
            print(f"FLAG: Source {source_id} has a critically low retention rate: {retention_rate:.2%}")
    return fraudulent_sources

# Example usage:
traffic_sources = {'source-A': 0.25, 'source-B': 0.02, 'source-C': 0.30, 'source-D': 0.01}
flagged = check_source_retention(traffic_sources)

This script analyzes a list of user session records to detect signs of bot activity. It flags users who have an initial session (install/click) but no follow-up activity within a 7-day window, which is a strong indicator of non-human traffic.

from datetime import datetime, timedelta

def identify_non_retained_users(user_sessions):
    """
    Filters for users who have no activity after their first session.
    
    :param user_sessions: list of dicts with 'user_id' and 'timestamp'.
    :return: set, of user_ids with no retention.
    """
    users = {}
    for session in user_sessions:
        uid = session['user_id']
        if uid not in users:
            users[uid] = []
        users[uid].append(session['timestamp'])

    non_retained_users = set()
    for uid, timestamps in users.items():
        if len(timestamps) == 1:
            non_retained_users.add(uid)
        else:
            first_session = min(timestamps)
            if not any(ts > first_session + timedelta(days=1) for ts in timestamps):
                non_retained_users.add(uid)

    print(f"Identified {len(non_retained_users)} users with no follow-up activity.")
    return non_retained_users

# Example usage:
sessions = [
    {'user_id': 'user1', 'timestamp': datetime(2023, 1, 1)},
    {'user_id': 'user1', 'timestamp': datetime(2023, 1, 8)},
    {'user_id': 'bot1', 'timestamp': datetime(2023, 1, 5)}, # No return visit
]
fraud_users = identify_non_retained_users(sessions)

Types of Retention Rate

• Classic Retention – This measures the percentage of users who return on a specific day after their initial interaction (e.g., Day 1, Day 7, Day 30). It is crucial for identifying bot traffic, which typically has a near-zero retention rate after the first day.
• Rolling Retention – This tracks the percentage of users who return on or after a specific day. It is useful for identifying sophisticated fraud where bots may return once or twice, but fail to show the sustained, long-term engagement of a real user.
• Cohort Retention – This groups users by acquisition source, campaign, or date and compares their retention curves. A significant dip in a particular cohort's retention compared to others is a strong indicator of a fraudulent traffic source.
• IP/Device Retention – This method tracks the return rate of specific IP addresses or device IDs. A high volume of new IPs or devices with zero retention is a clear marker of botnets or device farms trying to appear as unique users.

How Return on Ad Spend ROAS Works

Ad Campaign Traffic → [Initial Filter] →┬→ Data Collection (Clicks, Impressions, Cost)
                                        │
                                        └→ Conversion Tracking (Sales, Revenue) → [ROAS Calculation] → [Anomaly Detection] → Flag/Block Source

🧠 Core Detection Logic

Example 1: Conversion Rate Anomaly Detection

This logic identifies traffic sources that generate a statistically significant number of clicks without any corresponding conversions. A complete lack of conversions from a source with high click volume is a strong indicator of non-human bot traffic, as legitimate users are expected to convert at some baseline rate.

// Rule: Flag sources with high clicks and zero conversions

FUNCTION check_conversion_anomaly(traffic_source):
  clicks = traffic_source.clicks
  conversions = traffic_source.conversions
  threshold = 100 // Example click threshold

  IF clicks > threshold AND conversions == 0:
    FLAG source AS "Suspicious: Zero Conversion Anomaly"
    RETURN true
  ELSE:
    RETURN false

Example 2: ROAS Threshold Monitoring

This logic continuously monitors the ROAS for each traffic source or campaign and compares it against a predefined minimum acceptable threshold. If a source’s ROAS falls below this baseline, it is flagged for review or automatically blocked, preventing further budget waste on underperforming or fraudulent traffic.

// Rule: Block sources falling below a minimum ROAS threshold

FUNCTION monitor_roas_threshold(source):
  revenue = source.revenue
  cost = source.cost
  min_roas_threshold = 0.5 // Example: 50 cents revenue per $1 cost

  // Avoid division by zero
  IF cost > 0:
    current_roas = revenue / cost
    IF current_roas < min_roas_threshold:
      BLOCK source.id
      LOG "Source blocked due to low ROAS"
      RETURN true
  RETURN false

Example 3: Geo-Mismatch and ROAS

This logic checks for discrepancies between the geographic location of a click and the location of the resulting conversion. A significant mismatch can indicate sophisticated fraud where bots in one country are used to generate clicks, while a different method is used to fake conversions, leading to a distorted and unreliable ROAS.

// Rule: Flag conversions where click and conversion geos do not match

FUNCTION validate_geo_mismatch(session):
  click_geo = session.click_location
  conversion_geo = session.conversion_location

  IF conversion_geo IS NOT NULL AND click_geo != conversion_geo:
    FLAG session.id AS "Geo-Mismatch Anomaly"
    // This transaction might be excluded from ROAS calculations
    // or trigger a deeper review of the traffic source.
    RETURN true
  RETURN false

📈 Practical Use Cases for Businesses

Return on Ad Spend (ROAS) is a vital metric for businesses to protect their advertising budgets and ensure data integrity. By monitoring ROAS, companies can automatically identify and block traffic sources that do not generate revenue, effectively cutting spending on fraudulent or non-performing channels. This leads to cleaner analytics, more efficient budget allocation, and a higher overall return on marketing investments. Businesses use ROAS-based rules to shield active campaigns from bots, vet new publishers before scaling spend, and maintain accurate performance data for strategic decisions.

• Publisher Vetting – Automatically assess the quality of new publishers by monitoring their initial ROAS. If a publisher fails to meet a minimum ROAS threshold after a test period, they are automatically disqualified, preventing larger-scale budget waste on a fraudulent or low-quality source.
• Campaign Shielding – Protect live ad campaigns by implementing real-time rules that block traffic sources whose ROAS drops below an acceptable level. This acts as a financial shield, ensuring ad spend is dynamically allocated only to channels that deliver a measurable return.
• Analytics Cleansing – Improve the accuracy of marketing data by filtering out traffic from sources with near-zero ROAS. This ensures that strategic decisions are based on the behavior of real, converting users, not on metrics inflated by non-converting bots or fraudulent clicks.
• Budget Optimization – Reallocate advertising funds from low-ROAS channels to high-performing ones in real time. This data-driven approach ensures that every ad dollar is invested where it has the highest probability of generating revenue, maximizing overall campaign profitability.

Example 1: Publisher Trust Scoring

// Logic to score and tier publishers based on their ROAS performance over time.

FUNCTION score_publisher(publisher_id):
    // Calculate ROAS over the last 30 days
    data = get_publisher_data(publisher_id, last_30_days)
    roas = data.revenue / data.cost

    IF roas > 4.0:
        publisher_id.trust_score = "Tier 1: High Performer"
    ELSE IF roas > 1.5:
        publisher_id.trust_score = "Tier 2: Acceptable"
    ELSE:
        publisher_id.trust_score = "Tier 3: Under Review/Low ROAS"
        // Action: Reduce budget allocation or pause campaigns for this publisher

Example 2: Dynamic Geofencing Rule

// Logic to block geographic regions that consistently deliver low ROAS.

FUNCTION check_geo_performance(geo_data):
    FOR EACH country in geo_data:
        roas = country.revenue / country.cost
        spend = country.cost
        
        // Block geos with significant spend but poor returns
        IF spend > 1000 AND roas < 0.2:
            ADD country.code TO geo_blocklist
            LOG "Blocked " + country.code + " due to consistently low ROAS."

🐍 Python Code Examples

This Python function simulates checking traffic sources for suspicious behavior. It identifies sources with a high number of clicks but no conversions, which is a common indicator of bot activity that drains ad budgets without generating any revenue.

def find_suspicious_sources(traffic_data, click_threshold=200):
    """Identifies traffic sources with high clicks and zero conversions."""
    suspicious_sources = []
    for source, metrics in traffic_data.items():
        if metrics.get("clicks", 0) > click_threshold and metrics.get("conversions", 0) == 0:
            suspicious_sources.append(source)
            print(f"Alert: Source '{source}' has {metrics['clicks']} clicks but no conversions.")
    return suspicious_sources

# Example data: {source_id: {clicks: count, conversions: count}}
traffic_data = {
    "publisher_123": {"clicks": 350, "conversions": 0},
    "publisher_abc": {"clicks": 500, "conversions": 12},
    "publisher_xyz": {"clicks": 150, "conversions": 2}
}
find_suspicious_sources(traffic_data)

This code analyzes the time difference between a click and a conversion (or sign-up). Conversions that occur suspiciously fast (e.g., less than 3 seconds after the click) are often indicative of automated scripts or bots, as a real human typically requires more time to interact with a landing page.

import datetime

def detect_conversion_speed_anomaly(sessions, min_time_sec=3):
    """Flags conversions that happen too quickly after a click."""
    anomalies = []
    for session_id, times in sessions.items():
        click_time = times["click_time"]
        conversion_time = times["conversion_time"]
        time_delta = (conversion_time - click_time).total_seconds()
        
        if time_delta < min_time_sec:
            anomalies.append(session_id)
            print(f"Anomaly: Session {session_id} converted in {time_delta:.2f} seconds.")
    return anomalies

# Example session data
sessions = {
    "session_A": {
        "click_time": datetime.datetime(2023, 10, 26, 10, 0, 0),
        "conversion_time": datetime.datetime(2023, 10, 26, 10, 0, 2) # Too fast
    },
    "session_B": {
        "click_time": datetime.datetime(2023, 10, 26, 10, 5, 0),
        "conversion_time": datetime.datetime(2023, 10, 26, 10, 6, 15) # Normal
    }
}
detect_conversion_speed_anomaly(sessions)

Types of Return on Ad Spend ROAS

• Granular ROAS Analysis

  This approach involves calculating ROAS for highly specific segments of traffic, such as individual publisher IDs, ad creatives, keywords, or geographic locations. It is crucial for pinpointing the exact sources of fraud by isolating the specific, small-scale elements that are underperforming, rather than looking at blended channel-wide data.

• Predictive ROAS

  Utilizing machine learning models, this method forecasts the likely ROAS of a traffic source early in its lifecycle. By analyzing initial user engagement signals post-click, it predicts whether a source will ultimately prove fraudulent or unprofitable, allowing for preemptive blocking before significant budget is wasted.

• ROAS by Attribution Model

  This involves analyzing ROAS through different attribution lenses (e.g., first-click vs. last-click). Fraudsters can manipulate certain models, so comparing ROAS across models for the same source can reveal suspicious discrepancies. For instance, a source with high last-click ROAS but zero first-click ROAS may indicate click hijacking.

• Incremental ROAS

  This measures the additional revenue generated by advertising that would not have occurred otherwise. In fraud detection, it helps identify sources that claim credit for organic conversions. A source with high ROAS but low incrementality is likely fraudulent, as it's not generating new value, just stealing attribution.

How ROI Optimization Works

Incoming Traffic → [Data Collection] → [Behavioral Analysis] → [ROI Scoring] → [Mitigation] → Clean Traffic
      │                    │                     │                  │               │
      └────────────────────┼─────────────────────┼──────────────────┼───────────────┘
                           ↓                     ↓                  ↓
                      +-----------+         +------------+       +-------------+
                      │ IP/UA Data│         │ Click Speed│       │ Block/Allow │
                      │ Timestamps│         │ Mouse Moves│       │  Decisions  │
                      +-----------+         +------------+       +-------------+

🧠 Core Detection Logic

Example 1: IP & User-Agent Blacklisting

This is a foundational logic gate in traffic protection. It works by checking every visitor’s IP address and user-agent string against constantly updated databases of known fraudulent sources. This includes data center IPs, proxy services, and user agents associated with bots and scrapers. It is a fast, efficient first line of defense.

FUNCTION handle_visitor(request):
  ip = request.get_ip()
  user_agent = request.get_user_agent()

  IF ip IN ip_blacklist OR user_agent IN ua_blacklist:
    RETURN BLOCK_TRAFFIC
  ELSE:
    RETURN ALLOW_TRAFFIC

Example 2: Session Behavior Analysis

This logic analyzes events within a single user session to detect anomalies that suggest automation. For instance, a human user takes a few seconds to read a page before clicking, whereas a bot might click a link milliseconds after the page loads. This rule flags traffic that behaves outside of normal human timeframes.

FUNCTION analyze_session(session):
  time_on_page = session.end_time - session.start_time
  clicks = session.get_click_count()

  IF time_on_page < 2_SECONDS AND clicks > 0:
    session.set_score('suspicious')
    RETURN FLAG_FOR_REVIEW

  IF clicks / time_on_page > 3: // More than 3 clicks per second
    session.set_score('fraudulent')
    RETURN BLOCK_TRAFFIC

Example 3: Geographic Consistency Check

This logic helps detect users trying to hide their origin using proxies or VPNs. It compares the geographical location derived from a visitor’s IP address with other signals, such as their browser’s timezone or language settings. A significant mismatch is a strong indicator of potentially fraudulent activity.

FUNCTION check_geo_consistency(visitor):
  ip_location = get_country_from_ip(visitor.ip)
  browser_timezone = visitor.get_timezone()
  expected_timezone = get_timezone_for_country(ip_location)

  IF browser_timezone != expected_timezone:
    visitor.add_risk_factor('geo_mismatch')
    RETURN LOW_CONFIDENCE
  ELSE:
    RETURN HIGH_CONFIDENCE

📈 Practical Use Cases for Businesses

• Lead Generation Filtering – Ensures that budget spent on lead generation campaigns yields contacts from real, interested humans, not bots filling out forms. This improves lead quality, protects sales team resources, and increases the ultimate ROI of marketing efforts.
• PPC Campaign Shielding – Actively blocks invalid clicks from competitors, bots, and click farms on pay-per-click ads. This directly prevents budget drain on platforms like Google Ads and ensures that ad spend is dedicated to reaching genuine customers.
• E-commerce Cart Protection – Prevents bots from adding items to carts, which can hoard inventory and disrupt sales for legitimate shoppers. It also stops fraudulent checkout attempts, protecting payment gateways and ensuring accurate sales data.
• Affiliate Marketing Integrity – Filters out low-quality and fraudulent traffic sent from affiliate partners. This ensures that commissions are paid only for real conversions and sales, maintaining the profitability and integrity of the affiliate program.

Example 1: Geofencing for Local Campaigns

A local business running a campaign targeted to a specific country can use geofencing to automatically block traffic from other regions. This ensures that the ad budget is only spent on users within the target market, immediately improving ROI.

FUNCTION apply_geofence(request):
  user_ip = request.get_ip()
  user_country = get_country_from_ip(user_ip)
  
  allowed_countries = ["US", "CA"]

  IF user_country NOT IN allowed_countries:
    RETURN BLOCK_REQUEST
  ELSE:
    RETURN PROCESS_REQUEST

Example 2: Conversion Rate Anomaly Detection

This logic monitors the conversion rates of different traffic sources. If a source sends a high volume of clicks but results in zero or extremely few conversions, it is flagged as low-quality or potentially fraudulent and can be automatically blocked.

PROCEDURE monitor_traffic_source(source_id):
  clicks = get_clicks_for_source(source_id, last_24h)
  conversions = get_conversions_for_source(source_id, last_24h)

  // Avoid division by zero
  IF clicks > 100:
    conversion_rate = conversions / clicks
    
    // Flag if conversion rate is suspiciously low
    IF conversion_rate < 0.001:
      add_to_blocklist(source_id)
      log_action("Blocked source " + source_id + " for low conversion rate.")

🐍 Python Code Examples

This Python function demonstrates a simple way to detect click fraud by measuring the frequency of clicks from a single IP address. If an IP sends multiple requests within a very short time frame (e.g., less than a second), it is flagged as suspicious, as this behavior is more typical of a bot than a human.

import time

click_timestamps = {}
FRAUD_TIMEFRAME = 1.0  # 1 second

def is_click_fraudulent(ip_address):
    current_time = time.time()
    
    if ip_address in click_timestamps:
        last_click_time = click_timestamps[ip_address]
        if current_time - last_click_time < FRAUD_TIMEFRAME:
            return True # Fraudulent click detected
            
    click_timestamps[ip_address] = current_time
    return False # Legitimate click

This example shows how to filter traffic based on the User-Agent string. The function checks if a visitor's user agent contains substrings commonly associated with automated bots or scraping tools, allowing the system to block non-human traffic.

SUSPICIOUS_USER_AGENTS = [
    "bot",
    "crawler",
    "spider",
    "headlesschrome", # Often used by automation scripts
]

def is_user_agent_suspicious(user_agent_string):
    ua_lower = user_agent_string.lower()
    for agent in SUSPICIOUS_USER_AGENTS:
        if agent in ua_lower:
            return True
    return False

# Example usage:
# visitor_ua = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
# if is_user_agent_suspicious(visitor_ua):
#     print("Suspicious traffic blocked.")

Types of ROI Optimization

• Rule-Based Filtering – This method uses predefined rules to identify and block fraudulent traffic. These rules can be simple (e.g., blocking IPs from a specific country) or complex (e.g., flagging users who click an ad faster than a human possibly could). It is effective against known threats but less adaptable to new ones.
• Heuristic Analysis – This approach uses "rules of thumb" and behavioral patterns to score traffic. It doesn't rely on exact signatures but on indicators of non-human behavior, like abnormal click frequencies, lack of mouse movement, or suspiciously linear navigation paths through a website.
• Behavioral & Biometric Analysis – This advanced type models unique human interaction patterns. It analyzes subtle signals like mouse dynamics, typing speed, and touchscreen gestures to create a "biometric signature" of a user, making it very effective at distinguishing humans from sophisticated bots that mimic human behavior.

* Reputation-Based Blocking – This method involves scoring traffic sources, such as IP addresses or domains, based on their historical behavior across a network. Sources that are consistently associated with fraud, spam, or low-quality traffic are given a poor reputation score and are automatically blocked or limited.

How Safeframe Works

[User Request] → [Web Server] → [Publisher Page]
                       │
                       └─ [Ad Slot] → [Ad Server]
                                          │
      ┌───────────────────────────────────┘
      ▼
[SafeFrame Container] ⇔ [Ad Creative]
      │      └─ (API Communication)
      │
      └─ [Traffic Protection System]
                   │
                   ├─ Analyzes Clicks/Impressions
                   ├─ Applies Heuristics & Rules
                   └─ Blocks or Flags Fraud

🧠 Core Detection Logic

Example 1: Behavioral Anomaly Detection

This logic identifies non-human or bot-like behavior by analyzing user interaction patterns within the SafeFrame. It tracks metrics like mouse movements, click cadence, and time-on-page to distinguish between genuine user engagement and automated scripts, which often exhibit predictable or unnatural patterns.

FUNCTION analyze_behavior(session_data):
  // Rule 1: Check for impossibly fast clicks
  IF session_data.time_since_page_load < 2 SECONDS THEN
    RETURN "FLAG_AS_FRAUD"

  // Rule 2: Analyze mouse movement patterns
  IF session_data.mouse_movement_events < 5 OR session_data.mouse_path_is_linear THEN
    RETURN "FLAG_AS_FRAUD"
  
  // Rule 3: Check for repetitive, non-random clicks
  IF session_data.clicks_on_same_pixel_cluster > 3 THEN
    RETURN "FLAG_AS_FRAUD"

  RETURN "LEGITIMATE"
END FUNCTION

Example 2: Session and IP Threat Scoring

This approach scores traffic based on the reputation of the IP address and the characteristics of the user session. It cross-references the user’s IP against known blocklists (e.g., data center IPs, known proxies) and evaluates session parameters to identify high-risk traffic before a click is even registered.

FUNCTION score_session_risk(ip_address, user_agent, timestamp):
  risk_score = 0

  // Score based on IP reputation
  IF ip_address IS IN known_bot_network_list THEN
    risk_score += 50
  
  // Score based on User-Agent anomalies
  IF user_agent IS generic_or_outdated THEN
    risk_score += 20

  // Score based on rapid session start time
  IF timestamp - last_session_timestamp < 500ms THEN
    risk_score += 30

  // Determine if score exceeds fraud threshold
  IF risk_score > 60 THEN
    RETURN "HIGH_RISK_BLOCK"
  ELSE
    RETURN "LOW_RISK_ALLOW"
END FUNCTION

Example 3: Geo-Mismatch and Proxy Detection

This logic identifies fraud by detecting inconsistencies between a user’s purported location and their actual network location. It is particularly effective against fraudsters who use proxies or VPNs to mask their true origin and mimic users from high-value geographic regions.

FUNCTION detect_geo_mismatch(user_timezone, ip_geo_country, language_header):
  // Compare timezone with IP-based geolocation
  IF user_timezone_country != ip_geo_country THEN
    RETURN "SUSPICIOUS_GEO_MISMATCH"

  // Check for inconsistencies with browser language settings
  IF language_header_country NOT IN [ip_geo_country, "en-US"] THEN
    RETURN "SUSPICIOUS_LANGUAGE_MISMATCH"
  
  // Check if IP is from a known VPN or proxy service
  IF is_proxy_ip(ip_geo_country) THEN
    RETURN "PROXY_DETECTED_BLOCK"

  RETURN "CONSISTENT_GEO_PASS"
END FUNCTION

📈 Practical Use Cases for Businesses

• Campaign Shielding: Prevents ad budgets from being wasted on fraudulent clicks generated by bots or click farms, ensuring that spend is allocated toward genuine human interactions.
• Data Integrity: Protects marketing analytics from being skewed by invalid traffic. This leads to more accurate performance metrics like CTR and conversion rates, enabling better strategic decisions.
• Conversion Funnel Protection: Ensures that only legitimate users enter the conversion funnel, which improves lead quality and prevents resources from being wasted on processing fraudulent sign-ups or form submissions.
• Return on Ad Spend (ROAS) Improvement: By filtering out fraudulent and low-quality traffic, SafeFrame helps ensure that ads are shown to real potential customers, directly improving the return on advertising spend.

Example 1: High-Frequency Click Blocking Rule

This pseudocode demonstrates a rule to block IPs that exhibit rapid, repeated clicking behavior, a common sign of bot activity. This is applied at the campaign level to protect all ads from automated attacks.

// Rule: Block IPs with more than 3 clicks in 10 minutes
DEFINE RULE block_frequent_clicks:
  SESSION_WINDOW: 10 minutes
  CLICK_THRESHOLD: 3
  
  FOR EACH click_event:
    ip = click_event.ip_address
    timestamp = click_event.timestamp
    
    // Count clicks from this IP in the session window
    click_count = COUNT(clicks WHERE ip = ip AND timestamp > NOW() - SESSION_WINDOW)
    
    IF click_count > CLICK_THRESHOLD THEN
      ADD_TO_BLOCKLIST(ip)
      REJECT_CLICK(click_event)
    ELSE
      ACCEPT_CLICK(click_event)
    END IF

Example 2: Data Center Traffic Exclusion

This logic prevents ads from being served to traffic originating from known data centers, which are almost never legitimate users. This is a proactive measure to filter out a major source of non-human traffic.

// Rule: Exclude traffic from known data center IP ranges
DEFINE RULE exclude_datacenter_traffic:
  // Load list of known data center IP blocks
  DATACENTER_IPS = load_datacenter_ip_list()
  
  FOR EACH ad_request:
    ip = ad_request.ip_address
    
    // Check if the request IP falls within a data center range
    IF is_in_range(ip, DATACENTER_IPS) THEN
      REJECT_AD_REQUEST(ad_request, reason="Data Center IP")
    ELSE
      PROCEED_WITH_AD_REQUEST(ad_request)
    END IF

🐍 Python Code Examples

This Python function simulates checking a click’s timestamp against a threshold to detect abnormally fast clicks, which often indicate automated bot behavior rather than human interaction.

import time

# Store the time of the last click from an IP
last_click_times = {}

def is_click_too_fast(ip_address, time_threshold_seconds=2):
    """Checks if a click from an IP is faster than the threshold."""
    current_time = time.time()
    if ip_address in last_click_times:
        if current_time - last_click_times[ip_address] < time_threshold_seconds:
            return True  # Fraudulent click detected
    last_click_times[ip_address] = current_time
    return False

# --- Simulation ---
ip = "192.168.1.10"
print(f"First click from {ip}: {'Fraud' if is_click_too_fast(ip) else 'Legit'}")
time.sleep(1)
print(f"Second click (1s later) from {ip}: {'Fraud' if is_click_too_fast(ip) else 'Legit'}")

This example demonstrates how to filter incoming ad traffic by checking the User-Agent string. It blocks requests from known bot signatures or from clients that do not provide a User-Agent, a common characteristic of simple bots.

def filter_suspicious_user_agents(user_agent):
    """Blocks requests from known bad or missing user agents."""
    if not user_agent:
        return "BLOCKED - No User-Agent"
    
    known_bots = ["BadBot/1.0", "ScraperBot/2.1"]
    
    if user_agent in known_bots:
        return f"BLOCKED - Known Bot Signature: {user_agent}"
        
    return "ALLOWED"

# --- Simulation ---
print(f"Request 1: {filter_suspicious_user_agents('Mozilla/5.0 ...')}")
print(f"Request 2: {filter_suspicious_user_agents('BadBot/1.0')}")
print(f"Request 3: {filter_suspicious_user_agents(None)}")

Types of Safeframe

• Cross-Domain (Unfriendly) SafeFrame: This is the most secure type. The ad content is hosted on a different domain than the publisher's page, strictly isolating it. The SafeFrame API provides a controlled bridge for essential communication, like viewability measurement, without compromising the page's security.
• Same-Domain (Friendly) SafeFrame: In this configuration, the ad and the page share the same domain. This setup is less secure as it relaxes the browser's same-origin policy, potentially allowing the ad to access page content. It is typically only used when there is a high degree of trust between the publisher and the advertiser.
• API-Enabled Sandboxing: This refers to the core technology of SafeFrame, where an iframe is enhanced with a specific API to act as a "sandbox". It contains the ad's behavior, preventing malicious activities like unauthorized redirects or data theft, while still allowing for rich, interactive ad experiences through the controlled API.

How Second price auction Works

[Bid Request] -> [Advertiser Bids] -> +------------------+ -> [Impression Awarded]
   (User Visit)      (A:$2, B:$3, C:$2.5) | Auction Exchange |       (Winner: B)
                                        +------------------+
                                                 |
                                                 v
                                    [Price Calculation] -> [Payment]
                                     (2nd Highest: C,$2.5)   (B pays $2.51)
                                                 |
                                                 v
                                     [Post-Auction Analysis] --> [Fraud Signal]
                                      (e.g., Bid Ratios,
                                       Participant History)

🧠 Core Detection Logic

Example 1: Bid-to-Win Ratio Anomaly

This logic identifies bidders who win an abnormally high percentage of auctions they participate in. A consistently high win rate, especially with bids that are only marginally higher than the second price, can suggest a bot is probing for the minimum price to win, or that there’s a lack of genuine competition on the inventory.

FUNCTION check_bid_win_ratio(bidder_id):
  total_auctions = GET_auctions_for_bidder(bidder_id)
  won_auctions = GET_won_auctions_for_bidder(bidder_id)
  
  IF total_auctions > 100:  // Set a minimum threshold
    win_ratio = won_auctions / total_auctions
    
    IF win_ratio > 0.9:
      FLAG_AS_SUSPICIOUS(bidder_id, "Abnormally High Win Ratio")
  RETURN

Example 2: Winning Price vs. Bid Floor Gap

This logic flags auctions where the winning price (the second-highest bid) is consistently at or just above the publisher’s minimum price (bid floor). This pattern can indicate that fraudulent sellers are using bots to place just enough bids to meet the floor and create the appearance of a legitimate auction, while genuine bidders are absent.

FUNCTION check_price_floor_gap(auction_log):
  winning_price = auction_log.clearing_price
  bid_floor = auction_log.floor_price
  
  IF bid_floor > 0:
    gap = winning_price - bid_floor
    
    IF gap < 0.05: // If price is consistently within 5 cents of the floor
      INCREMENT_SUSPICIOUS_SCORE(auction_log.publisher_id)
  RETURN

Example 3: Bid Density Analysis

This technique analyzes the number of unique bidders in an auction. Impressions that consistently have a very low number of bidders (e.g., only two) may be part of a scheme where a fraudster is the only real participant besides a single colluding or fake bidder. This logic helps detect non-competitive environments where fraud can thrive.

FUNCTION analyze_bid_density(auction_stream):
  FOR auction IN auction_stream:
    bidder_count = COUNT_UNIQUE(auction.bids.bidder_id)
    
    IF bidder_count <= 2:
      auction.is_low_density = TRUE
      INCREMENT_LOW_DENSITY_COUNT(auction.publisher_id)
      
    IF GET_LOW_DENSITY_COUNT(auction.publisher_id) > 1000:
      FLAG_PUBLISHER_FOR_REVIEW(auction.publisher_id, "Low Bid Density")
  RETURN

📈 Practical Use Cases for Businesses

• Campaign Shielding: Businesses use second-price auction data to identify publishers or traffic sources with suspicious bidding patterns, such as extremely high bid-win ratios or low bid density. These sources are then added to blocklists to protect campaign budgets from being spent on fraudulent inventory.
• Budget Optimization: By understanding the typical clearing prices for desired inventory, advertisers can adjust their maximum bids to avoid participating in overpriced, potentially manipulated auctions. This ensures the return on ad spend (ROAS) is not diluted by paying artificially inflated prices set by fake bids.
• Analytics and Reporting Integrity: Analyzing auction mechanics helps businesses clean their performance data. By filtering out clicks and conversions from auctions deemed fraudulent, marketers get a more accurate picture of campaign performance and can make better strategic decisions based on genuine user engagement.
• Supply Path Optimization (SPO): Advertisers can analyze auction data from different ad exchanges to identify the most efficient and transparent paths to inventory. If certain exchanges show a higher rate of suspicious auction dynamics, they can be deprioritized, channeling spend through more trustworthy partners.

Example 1: Publisher-Level Anomaly Detection Rule

This pseudocode aggregates data at the publisher level to flag sites where the gap between the winning bid and the clearing price is consistently and unusually large, suggesting bidders are forced to place excessively high bids to win, a potential sign of shill bidding.

FUNCTION evaluate_publisher_bids(publisher_id, time_window):
  auctions = GET_auctions(publisher_id, time_window)
  total_reduction = 0
  
  FOR auction IN auctions:
    winning_bid = auction.highest_bid
    clearing_price = auction.clearing_price
    reduction = winning_bid - clearing_price
    total_reduction += reduction
  
  avg_reduction = total_reduction / COUNT(auctions)
  
  IF avg_reduction > THRESHOLD:
    BLOCK_PUBLISHER(publisher_id, "Anomalous Bid Reduction")

Example 2: Dynamic Bidding Based on Auction Competitiveness

This logic adjusts an advertiser's bid based on the historical competitiveness of the ad inventory. If a specific ad slot consistently clears with a low number of bidders, the system can automatically lower the bid, refusing to overpay for non-competitive placements that carry a higher risk of fraud.

FUNCTION get_adjusted_bid(impression_details, base_bid):
  publisher_id = impression_details.publisher
  historical_data = GET_COMPETITIVENESS(publisher_id)
  
  avg_bidders = historical_data.average_bidder_count
  
  IF avg_bidders < 3:
    // Reduce bid for non-competitive, higher-risk inventory
    return base_bid * 0.7 
  ELSE:
    return base_bid

🐍 Python Code Examples

This Python function simulates a second-price auction. It takes a dictionary of bidders and their bids, identifies the winner, and determines the price they pay. This is foundational for building more complex fraud detection models that analyze auction outcomes.

def run_second_price_auction(bids_dict):
    """
    Simulates a second-price auction to find the winner and clearing price.
    - bids_dict: A dictionary of {'bidder_name': bid_amount}
    Returns a tuple (winner, price_paid) or (None, 0) if not enough bids.
    """
    if len(bids_dict) < 2:
        return (None, 0)

    # Sort bidders by bid amount in descending order
    sorted_bidders = sorted(bids_dict.items(), key=lambda item: item, reverse=True)
    
    winner = sorted_bidders
    second_highest_bid = sorted_bidders
    
    price_paid = second_highest_bid + 0.01
    
    return (winner, price_paid)

# Example:
bids = {'Advertiser_A': 1.50, 'Advertiser_B': 2.25, 'Advertiser_C': 2.05}
winner, price = run_second_price_auction(bids)
print(f"Winner: {winner}, Price Paid: ${price:.2f}")

This script analyzes a list of auction logs to detect bid shielding, a type of fraud where a user places a very high bid to deter others and then a lower bid from another account, retracting the high one at the last second. This example identifies auctions with a suspicious gap between the highest and second-highest bids.

def detect_suspicious_bid_gaps(auction_logs, threshold_ratio=5.0):
    """
    Analyzes auction logs for large gaps between the top two bids.
    - auction_logs: A list of dictionaries, each with a 'bids' list.
    - threshold_ratio: How many times larger the top bid must be than the second.
    Returns a list of suspicious auction logs.
    """
    suspicious_auctions = []
    for log in auction_logs:
        bids = sorted(log.get('bids', []), reverse=True)
        
        if len(bids) >= 2:
            highest_bid = bids
            second_highest_bid = bids
            
            if second_highest_bid > 0 and (highest_bid / second_highest_bid) >= threshold_ratio:
                suspicious_auctions.append(log)
                
    return suspicious_auctions

# Example:
logs = [
    {'id': 1, 'bids': [2.10, 2.05, 1.50]},
    {'id': 2, 'bids': [10.00, 1.50, 1.45]}, # Suspicious gap
    {'id': 3, 'bids': [3.00, 2.90, 2.80]}
]
flagged = detect_suspicious_bid_gaps(logs)
print(f"Flagged auctions: {[f['id'] for f in flagged]}")

Types of Second price auction

• Winner's Curse Analysis: This method focuses on identifying auctions where the winning bid is drastically higher than the second-highest bid. This pattern can indicate automated bots that are programmed to win an impression at any cost, lacking the rational logic of a human bidder who wants to acquire inventory efficiently.
• Bid Distribution Analysis: This approach examines the statistical spread of all bids submitted within a single auction. A healthy auction typically has a competitive range of bids. Fraudulent auctions may show a skewed distribution, such as many very low, fake bids clustered together with one high outlier.
• Clearing Price Analysis: This focuses on the final price paid for the impression. If a publisher's premium inventory consistently sells at or near the bid floor despite receiving high bids, it may suggest that legitimate bidders are actively avoiding the inventory, leaving it to be won by bots at the lowest possible price.
• Participant History Analysis: This type involves tracking the behavior of bidders across multiple auctions over time. A bidder who only ever participates in auctions with very few competitors, or who frequently bids on inventory that is later flagged for invalid traffic, can be identified as a high-risk participant.

How Self serve DSP Works

Incoming Ad Traffic ─▶ [Self-Serve DSP] ─▶ Fraud Detection Engine ─┬─▶ Allow (Valid Traffic)
                    │                    ├─▶ IP Reputation Check │
                    │                    ├─▶ Behavioral Analysis │ └─▶ Block (Fraudulent Traffic)
                    │                    └─▶ Rule Enforcement    │
                    └────────────────────────────────────────────┘

🧠 Core Detection Logic

Example 1: IP Reputation Filtering

This logic checks the IP address of an incoming ad request against known blocklists of fraudulent sources, such as data centers, VPNs, or TOR exit nodes. It is a fundamental, first-line defense that filters out a significant portion of non-human traffic before it can interact with an ad.

FUNCTION checkIP(request):
  ip = request.getIPAddress()
  
  IF ip IN data_center_blocklist:
    RETURN "BLOCK"
  
  IF ip IN known_vpn_proxies:
    RETURN "BLOCK"

  RETURN "ALLOW"

Example 2: User-Agent Validation

This logic inspects the user-agent string sent by the browser or device. It flags requests from outdated browsers, known bot signatures, or user agents that are malformed or inconsistent with the device type. This helps identify automated scripts trying to mimic legitimate user traffic.

FUNCTION validateUserAgent(request):
  ua_string = request.getUserAgent()
  
  IF ua_string IS EMPTY or ua_string IS NULL:
    RETURN "BLOCK"
    
  IF "bot" IN ua_string.lower() or "spider" IN ua_string.lower():
    RETURN "BLOCK"

  IF ua_string IN known_fraudulent_user_agents:
    RETURN "BLOCK"
    
  RETURN "ALLOW"

Example 3: Click Timestamp Anomaly

This heuristic logic analyzes the time elapsed between when an ad is rendered (impression) and when it is clicked. Clicks that occur inhumanly fast (e.g., less than one second after load) are often indicative of automated scripts. This rule helps filter out fraudulent clicks that bypass simpler checks.

FUNCTION checkClickTimestamp(impression_time, click_time):
  time_diff_seconds = click_time - impression_time
  
  IF time_diff_seconds < 1.0:
    RETURN "FLAG_AS_SUSPICIOUS"
    
  RETURN "VALID"

📈 Practical Use Cases for Businesses

FUNCTION enforceGeoTargeting(request, campaign):
  user_country = geo_lookup(request.getIPAddress())
  target_countries = campaign.getTargetCountries()
  
  IF user_country NOT IN target_countries:
    RETURN "BLOCK_GEO_MISMATCH"
  
  RETURN "ALLOW"

FUNCTION blockDataCenterTraffic(request):
  ip = request.getIPAddress()
  
  // isDataCenterIP() checks the IP against a list of known data center IP ranges.
  IF isDataCenterIP(ip):
    RETURN "BLOCK_DATA_CENTER"
    
  RETURN "ALLOW"

🐍 Python Code Examples

This code demonstrates a simple way to identify high-frequency click activity from a single IP address within a short time window, a common indicator of bot activity.

# Stores click timestamps for each IP
ip_click_log = {}
TIME_WINDOW_SECONDS = 60
MAX_CLICKS_IN_WINDOW = 5

def is_high_frequency_click(ip_address, current_time):
    if ip_address not in ip_click_log:
        ip_click_log[ip_address] = []

    # Remove clicks older than the time window
    ip_click_log[ip_address] = [t for t in ip_click_log[ip_address] if current_time - t < TIME_WINDOW_SECONDS]

    # Add the current click
    ip_click_log[ip_address].append(current_time)

    # Check if click count exceeds the maximum
    if len(ip_click_log[ip_address]) > MAX_CLICKS_IN_WINDOW:
        return True # High frequency detected
    
    return False # Normal frequency

This example provides a function to filter incoming requests based on a blocklist of suspicious user-agent strings often associated with bots or automated scripts.

SUSPICIOUS_USER_AGENTS = {
    "HeadlessChrome",
    "PhantomJS",
    "AhrefsBot",
    "SemrushBot"
}

def filter_suspicious_user_agents(request_headers):
    user_agent = request_headers.get("User-Agent", "")
    
    if not user_agent:
        return True # Block requests with no user agent

    for agent in SUSPICIOUS_USER_AGENTS:
        if agent in user_agent:
            return True # Block suspicious user agent
            
    return False # User agent is acceptable

Types of Self serve DSP

• Rule-Based Filtering DSPs – These platforms allow advertisers to create and manage a specific set of static rules, such as blocklisting IP addresses or filtering by geographic location. They offer direct control but require manual updates to stay effective against new threats.
• AI/ML-Powered DSPs – These DSPs use machine learning algorithms to analyze traffic patterns and detect anomalies in real-time. They can identify sophisticated bots and evolving fraud tactics automatically, requiring less manual intervention but sometimes offering less transparency into blocking decisions.
• Hybrid Model DSPs – This type combines both rule-based filtering and AI-powered detection. Advertisers can set foundational rules while benefiting from an adaptive AI layer that catches suspicious behavior the rules might miss, offering a balance of control and automated protection.
• Transparency-Focused DSPs – These platforms prioritize providing detailed logs and analytics about why traffic was blocked. They are designed for advertisers who need to deeply understand traffic quality, justify blocked impressions, and fine-tune their fraud prevention strategies with granular data.

How Session app Works

[User Interaction] → [Data Collection] → [Session Reconstruction] → [Behavioral Analysis Engine] → [Risk Scoring] → [Action]
       │                    │                       │                         │                          │              └─ (Allow / Block)
       │                    │                       │                         │                          │
       └────────────────────┴───────────────────────┴─────────────────────────┴──────────────────────────┘
                                      (Real-Time Data Flow)

🧠 Core Detection Logic

Example 1: Session Velocity Analysis

This logic detects bots by analyzing the frequency and timing of actions within a single session. Bots often perform actions much faster and more uniformly than humans. This check is crucial for catching automated scripts designed to generate a high volume of fake clicks or impressions quickly.

FUNCTION check_session_velocity(session_events):
  click_timestamps = session_events.get_timestamps("click")
  
  IF count(click_timestamps) > 5 THEN
    time_diffs = calculate_time_differences(click_timestamps)
    average_diff = average(time_diffs)
    std_dev_diff = standard_deviation(time_diffs)
    
    // Flag if clicks are too fast and too regular (low deviation)
    IF average_diff < 2.0 AND std_dev_diff < 0.5 THEN
      RETURN "High Risk: Unnatural click velocity"
    END IF
  END IF
  
  RETURN "Low Risk"
END FUNCTION

Example 2: Geo-Behavioral Mismatch

This logic flags sessions where a user's technical footprint contradicts their claimed behavior or location. For example, a click originating from an IP address in one country while the browser's language setting is for another can be a red flag. This helps detect users trying to bypass geo-targeted campaigns using proxies or VPNs.

FUNCTION check_geo_mismatch(session_data):
  ip_location = get_location_from_ip(session_data.ip_address)
  browser_timezone = session_data.device.timezone
  browser_language = session_data.device.language
  
  expected_timezone = get_timezone_for_location(ip_location)
  
  // Mismatch between IP location and device timezone is suspicious
  IF ip_location.country != "USA" AND browser_language == "en-US" THEN
    RETURN "Medium Risk: Language/Geo mismatch"
  END IF
  
  IF browser_timezone != expected_timezone THEN
    RETURN "Medium Risk: Timezone does not match IP location"
  END IF
  
  RETURN "Low Risk"
END FUNCTION

Example 3: Engagement Anomaly Detection

This logic identifies sessions with no meaningful interaction, which is characteristic of non-human traffic. Bots may click an ad but often fail to mimic human engagement on the landing page, such as scrolling, moving the mouse, or spending a reasonable amount of time on the page. Lack of engagement is a strong indicator of a fraudulent click.

FUNCTION check_engagement_anomaly(session_events):
  time_on_page = session_events.get_duration()
  mouse_movements = session_events.count("mouse_move")
  scroll_events = session_events.count("scroll")
  
  // Bots often have zero engagement after landing
  IF time_on_page < 3 AND mouse_movements == 0 AND scroll_events == 0 THEN
    RETURN "High Risk: Zero post-click engagement"
  END IF
  
  IF time_on_page > 120 AND mouse_movements == 0 THEN
    RETURN "Medium Risk: Long duration with no interaction"
  END IF
  
  RETURN "Low Risk"
END FUNCTION

📈 Practical Use Cases for Businesses

• Campaign Shielding – Actively filters out bot clicks from PPC campaigns in real-time, ensuring that advertising budgets are spent on reaching genuine potential customers, not on fraudulent interactions that provide no value.
• Lead Generation Integrity – Protects web forms from spam and fake submissions by analyzing the session behavior leading up to a form fill. This ensures that the sales team receives leads from genuinely interested humans, not bots.
• Analytics Purification – By preventing invalid traffic from reaching a website, session analysis ensures that analytics data (like user counts, bounce rates, and session durations) is accurate. This allows businesses to make better, data-driven decisions.
• E-commerce Protection – Safeguards online stores from fraudulent activities like carding attacks or inventory hoarding bots. It analyzes session data to identify and block automated threats before they can complete a transaction or disrupt business.

Example 1: Geofencing and Proxy Detection Rule

This pseudocode demonstrates a common business rule to protect a campaign targeted at a specific country. It checks if the click originates from the target country and whether the IP address is a known data center or proxy, which is often used to mask a user's true location.

FUNCTION enforce_geo_targeting(session):
  // Business rule: Campaign is for USA and Canada only
  allowed_countries = ["USA", "CAN"]
  
  ip_info = get_ip_data(session.ip_address)
  
  IF ip_info.country NOT IN allowed_countries THEN
    block_and_log(session, "Blocked: Out of Geo-Target")
    RETURN FALSE
  END IF
  
  // Block traffic from data centers, which are not real users
  IF ip_info.is_datacenter OR ip_info.is_proxy THEN
    block_and_log(session, "Blocked: Proxy/Datacenter IP")
    RETURN FALSE
  END IF
  
  RETURN TRUE
END FUNCTION

Example 2: Session Authenticity Scoring

This example shows a simplified scoring model. Suspicious indicators add points to a fraud score. If the total score crosses a threshold, the session is flagged as fraudulent. This allows for a more nuanced approach than a single hard rule, catching a wider range of suspicious behaviors.

FUNCTION calculate_session_authenticity(session):
  fraud_score = 0
  
  // Check for known bot user-agent
  IF is_known_bot_signature(session.user_agent) THEN
    fraud_score += 50
  END IF
  
  // Check for lack of mouse movement in a reasonable timeframe
  IF session.duration > 5 AND session.mouse_events == 0 THEN
    fraud_score += 20
  END IF
  
  // Check for headless browser indicators (common with bots)
  IF session.device.has_headless_indicators() THEN
    fraud_score += 30
  END IF
  
  // Decision based on threshold
  IF fraud_score > 40 THEN
    RETURN {status: "fraudulent", score: fraud_score}
  ELSE
    RETURN {status: "legitimate", score: fraud_score}
  END IF
END FUNCTION

🐍 Python Code Examples

This code analyzes a list of click timestamps within a session to detect "click flooding," a common bot behavior where multiple clicks occur in an unnaturally short period. It helps identify non-human, automated clicking patterns.

import datetime

def is_rapid_fire_session(timestamps, max_clicks=5, time_window_seconds=10):
    """Checks if a session has an unusually high number of clicks in a short window."""
    if len(timestamps) < max_clicks:
        return False
    
    # Sort timestamps to be safe
    timestamps.sort()
    
    for i in range(len(timestamps) - max_clicks + 1):
        # Create a sliding window of `max_clicks`
        window = timestamps[i : i + max_clicks]
        time_diff = (window[-1] - window).total_seconds()
        
        if time_diff < time_window_seconds:
            print(f"Fraud Alert: {max_clicks} clicks in {time_diff:.2f} seconds.")
            return True
            
    return False

# Example usage
session_clicks_human = [datetime.datetime.now() + datetime.timedelta(seconds=i*5) for i in range(4)]
session_clicks_bot = [datetime.datetime.now() + datetime.timedelta(milliseconds=i*200) for i in range(10)]

print(f"Human session check: {is_rapid_fire_session(session_clicks_human)}")
print(f"Bot session check: {is_rapid_fire_session(session_clicks_bot)}")

This example filters incoming traffic based on its User-Agent string. By maintaining a blacklist of signatures associated with known bots and crawlers, this function can quickly block low-sophistication automated traffic before it consumes resources.

def filter_suspicious_user_agents(session_user_agent):
    """Blocks sessions from known bot or non-standard user agents."""
    
    # List of substrings found in common bot/crawler user agents
    BOT_SIGNATURES = [
        "bot", "crawler", "spider", "headlesschrome", "phantomjs"
    ]
    
    # Normalize to lowercase for case-insensitive matching
    agent_lower = session_user_agent.lower()
    
    for signature in BOT_SIGNATURES:
        if signature in agent_lower:
            print(f"Blocking suspicious user agent: {session_user_agent}")
            return False # Block
            
    return True # Allow

# Example usage
bot_ua = "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/88.0.4324.150 Safari/537.36"
human_ua = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36"

print(f"Bot UA allowed: {filter_suspicious_user_agents(bot_ua)}")
print(f"Human UA allowed: {filter_suspicious_user_agents(human_ua)}")

This code provides a simple scoring mechanism to evaluate the authenticity of a user session. By combining multiple risk factors into a single score, it offers a more nuanced way to identify suspicious activity than a simple allow/block rule.

def score_session_authenticity(ip_address, time_on_page_sec, has_mouse_moved):
    """Calculates a fraud score based on several session attributes."""
    
    score = 0
    # A simplified check for a known suspicious IP range (e.g., a data center)
    if ip_address.startswith("198.51.100."):
        score += 50
        
    # Very short time on page is a strong indicator of a bot
    if time_on_page_sec < 2:
        score += 30
        
    # Lack of mouse movement is suspicious for sessions longer than a few seconds
    if not has_mouse_moved and time_on_page_sec > 4:
        score += 20
        
    return score

# Example usage
# Bot-like session
bot_score = score_session_authenticity("198.51.100.10", 1, False)
print(f"Bot-like session fraud score: {bot_score}")

# Human-like session
human_score = score_session_authenticity("203.0.113.25", 35, True)
print(f"Human-like session fraud score: {human_score}")

Types of Session app

• Rule-Based Session Filtering

  This type uses a predefined set of static rules to identify and block fraud. For example, a rule might automatically block any session that generates more than five clicks in ten seconds. It is effective against simple, repetitive bots but can be evaded by more sophisticated automated threats.

• Heuristic and Behavioral Analysis

  This approach goes beyond static rules to analyze patterns of behavior. It looks at the sequence of actions, mouse movement, and time spent on a page to determine if the behavior is human-like. For instance, it can flag a session where a user instantly solves a complex CAPTCHA.

• Time-Series Session Analysis

  This method focuses on the timing and sequence of events within a session. It is particularly effective at detecting anomalies in user browsing behavior, such as navigating through a website in an impossible order or spending the exact same amount of time on every page visited, which are strong indicators of automation.

• Predictive AI and Machine Learning Models

  This is the most advanced type, utilizing AI to predict the likelihood of fraud. The model is trained on vast datasets of both legitimate and fraudulent sessions to identify subtle, complex patterns that rules or heuristics would miss. It continuously learns and adapts to new fraud techniques.

• Device and Fingerprint-Based Analysis

  This method focuses on identifying the user's device and browser to create a unique "fingerprint." It analyzes attributes like operating system, browser plugins, and screen resolution. If the same fingerprint is associated with thousands of clicks from different IPs, it's a clear sign of a botnet.

How Session Hijacking Prevention Works

+---------------------+      +------------------------+      +------------------+      +-----------------+
|   User Ad Click     | →    | Session Data Capture   | →    | Heuristic Engine | →    |   Fraud Score   |
+---------------------+      +------------------------+      +------------------+      +-----------------+
           │                           │                             │                         │
           │                      (IP, User-Agent,                 │                     (Block/Allow)
           │                        Timestamp)                     │
           └───────────────────────────|----------------------------┘
                                       ↓
                           +------------------------+
                           |  Anomaly Detection     |
                           |  (e.g., Geo-mismatch,  |
                           |   Timestamp anomaly)   |
                           +------------------------+

🧠 Core Detection Logic

Example 1: IP and User-Agent Matching

This fundamental logic checks if the IP address and browser user-agent of the user clicking the ad match the ones recorded when the session began. A mismatch is a strong signal of a hijacked session, where a bot from a different location or device is generating the click.

FUNCTION checkSessionIntegrity(session, click):
  IF session.ipAddress != click.ipAddress:
    RETURN "Fraud: IP Mismatch"

  IF session.userAgent != click.userAgent:
    RETURN "Fraud: User-Agent Mismatch"

  RETURN "Valid"

Example 2: Session Timestamp Analysis

This logic analyzes the time elapsed between when a user lands on a page and when they click an ad. Unusually short durations (e.g., less than a second) are characteristic of automated bots, not genuine human behavior, and are flagged as fraudulent.

FUNCTION analyzeClickTimestamp(sessionStartTime, clickTime):
  timeDifference = clickTime - sessionStartTime

  IF timeDifference < 1.5 seconds:
    FLAG "Potential Bot: Click too fast"

  IF timeDifference > 3600 seconds:
    FLAG "Suspicious: Session too long"

Example 3: Geographic Consistency Check

This rule verifies that the geographic location derived from the click’s IP address is consistent with the location recorded at the start of the session. A sudden jump in location (e.g., from the US to Vietnam) within a single session indicates a likely hijack.

FUNCTION checkGeoConsistency(sessionGeo, clickGeo):
  IF sessionGeo.country != clickGeo.country:
    BLOCK_CLICK(reason="Geographic Mismatch")
    RETURN false

  IF calculateDistance(sessionGeo.coords, clickGeo.coords) > 50 miles:
    FLAG_FOR_REVIEW(reason="Unusual location shift")
    RETURN false

  RETURN true

📈 Practical Use Cases for Businesses

• Campaign Shielding – Prevents invalid clicks from draining PPC budgets by ensuring that only clicks from legitimate, non-hijacked sessions are charged, thereby protecting ad spend from bot-driven fraud.
• Lead Generation Integrity – Ensures that leads generated from web forms are from genuine users, by validating that the session data remains consistent from the initial visit through to the form submission.
• Affiliate Fraud Prevention – Stops malicious affiliates from using bots to hijack user sessions and stuff cookies to illegitimately claim credit for conversions, ensuring fair attribution and payment.
• Analytics Accuracy – Keeps marketing analytics clean by filtering out fraudulent traffic from hijacked sessions. This provides businesses with reliable data on user engagement and campaign performance.

Example 1: Geofencing Rule for Ad Campaigns

This pseudocode demonstrates how a business can apply a geofencing rule to block clicks from hijacked sessions originating outside the targeted campaign region.

PROCEDURE applyGeoFence(clickData, campaignSettings):
  sessionLocation = getSessionLocation(clickData.sessionID)
  clickLocation = getClickLocation(clickData.ip)

  IF clickLocation NOT IN campaignSettings.targetRegions:
    BLOCK(clickData, reason="Out of Region")
  ELSE IF sessionLocation != clickLocation:
    BLOCK(clickData, reason="Session Hijack Geo Mismatch")
  ELSE:
    ALLOW(clickData)

Example 2: Session Authenticity Scoring

This logic calculates a trust score for each session based on multiple heuristics. Clicks from sessions falling below a certain threshold are invalidated, protecting against sophisticated fraud.

FUNCTION getSessionAuthenticityScore(session):
  score = 100
  IF isFromDataCenter(session.ip):
    score = score - 40
  IF hasInconsistentHeaders(session.headers):
    score = score - 30
  IF session.timeToClick < 2.0:
    score = score - 20
  IF browserFingerprintChanged(session):
    score = score - 50

  RETURN score

// Usage
sessionScore = getSessionAuthenticityScore(currentSession)
IF sessionScore < 50:
  MARK_AS_FRAUD()

🐍 Python Code Examples

This code simulates checking for a mismatch between the IP address that started a session and the IP address that performed a click, a common sign of session hijacking.

def check_ip_mismatch(session_ip, click_ip):
    """
    Checks if the click IP differs from the session IP.
    Returns True if a mismatch is found (suspicious), False otherwise.
    """
    if session_ip != click_ip:
        print(f"FRAUD DETECTED: IP mismatch. Session: {session_ip}, Click: {click_ip}")
        return True
    print("IPs match. Activity appears legitimate.")
    return False

# Example
check_ip_mismatch("198.51.100.5", "203.0.113.10")

This example demonstrates how to filter out clicks based on abnormal timing. Clicks happening too quickly after a page load are often from bots, not humans.

import datetime

def analyze_click_timing(page_load_time, click_time, min_threshold_seconds=1.5):
    """
    Analyzes the time delta between page load and click events.
    Flags clicks that happen faster than the minimum threshold.
    """
    time_difference = (click_time - page_load_time).total_seconds()
    if time_difference < min_threshold_seconds:
        print(f"SUSPICIOUS: Click occurred in {time_difference:.2f}s. Likely bot.")
        return False
    print(f"OK: Click occurred after {time_difference:.2f}s.")
    return True

# Example
load_time = datetime.datetime.now()
click_time = load_time + datetime.timedelta(seconds=0.8)
analyze_click_timing(load_time, click_time)

This code provides a simple traffic authenticity score. It evaluates multiple risk factors associated with a session to determine if the traffic is likely fraudulent, which is useful for filtering invalid clicks.

def score_traffic_authenticity(session_data):
    """
    Scores traffic based on risk factors like datacenter IPs and user agent anomalies.
    A lower score indicates a higher risk of fraud.
    """
    score = 100
    # Penalize known datacenter IP ranges (common for bots)
    if session_data.get("is_datacenter_ip"):
        score -= 50
    # Penalize missing or suspicious user agents
    if not session_data.get("user_agent") or "bot" in session_data.get("user_agent").lower():
        score -= 40
    # Penalize if device fingerprint seems inconsistent
    if session_data.get("fingerprint_mismatch"):
        score -= 30

    print(f"Traffic Authenticity Score: {score}")
    return score

# Example
suspicious_session = {"is_datacenter_ip": True, "user_agent": "suspicious-bot-1.0"}
score_traffic_authenticity(suspicious_session)

Types of Session Hijacking Prevention

• IP & Geolocation Matching – This method validates that the IP address and derived geographical location of a click match those from the beginning of the user's session. A mismatch indicates the session was likely taken over by a bot or a user in a different location to commit click fraud.
• Device Fingerprinting Consistency – This technique creates a unique identifier based on a user's device and browser attributes. It then ensures this fingerprint remains identical from the initial page visit to the ad click, preventing bots that use different device profiles from hijacking sessions.
• Behavioral Anomaly Detection – This approach analyzes user behavior patterns within a session, such as mouse movements, scrolling speed, and time-on-page. It flags activity that deviates from human norms, identifying automated bots that have hijacked a session to perform fraudulent clicks.
• Timestamp and Referrer Analysis – This method checks the timing and origin of clicks. It invalidates clicks that occur too quickly after a page loads or that come from an unexpected or blank referrer, as these are common indicators of a hijacked session being manipulated by a script.

How Skadnetwork Works

User Clicks Ad → App Store → App Install & Launch → 24-48hr Timer Starts → [User Activity] → Conversion Value Updated → Timer Resets → (Timer Ends) → Anonymized Postback Sent → Ad Network Receives Data

🧠 Core Detection Logic

Example 1: Analyzing Conversion Value Patterns

This logic helps detect fraud by identifying non-human or anomalous patterns in post-install engagement. Since SKAdNetwork allows advertisers to receive a “conversion value” representing early user actions, sudden spikes in high-value conversions from a specific source app ID without corresponding lower-value events can indicate manipulation.

FUNCTION analyze_conversion_values(postbacks):
  LET source_app_patterns = {}

  FOR postback IN postbacks:
    source_app_id = postback.source_app_id
    conversion_value = postback.conversion_value

    IF source_app_id NOT IN source_app_patterns:
      source_app_patterns[source_app_id] = empty_list

    APPEND conversion_value to source_app_patterns[source_app_id]

  FOR app_id, values IN source_app_patterns:
    LET value_distribution = calculate_distribution(values)
    IF is_anomalous(value_distribution):
      FLAG app_id AS "Suspicious Conversion Pattern"
    
  RETURN flagged_apps

Example 2: Validating Postback Timestamps

While SKAdNetwork postbacks are intentionally delayed, analyzing the distribution of when they are received by the ad network can still be useful. A fraudulent actor attempting to replay or spoof postbacks might send them in unnatural batches. This logic detects unusual clustering of postback arrivals.

FUNCTION check_postback_timing(postbacks, time_window):
  LET postback_counts = initialize_time_buckets(time_window)

  FOR postback IN postbacks:
    reception_time = postback.received_timestamp
    bucket = get_time_bucket(reception_time)
    postback_counts[bucket] += 1

  LET average_count = calculate_average(postback_counts)
  LET standard_deviation = calculate_std_dev(postback_counts)

  FOR bucket_count IN postback_counts:
    IF bucket_count > (average_count + 3 * standard_deviation):
      TRIGGER_ALERT("Anomalous Postback Volume Detected")

  RETURN

Example 3: Hierarchical Source ID Anomaly Detection

SKAdNetwork 4.0 introduced hierarchical source identifiers (up to 4 digits), which advertisers use to encode data like campaign, ad placement, and creative. This logic checks if the reported source IDs from a publisher make sense. For example, receiving installs for a high-numbered creative ID without any corresponding installs for lower-numbered ones in the same campaign could indicate a problem.

FUNCTION validate_source_id_hierarchy(postbacks):
  LET campaigns = {}

  FOR postback IN postbacks:
    source_id = postback.hierarchical_source_id
    campaign_id = extract_campaign_from_source(source_id)
    creative_id = extract_creative_from_source(source_id)
    
    IF campaign_id NOT IN campaigns:
      campaigns[campaign_id] = empty_set

    ADD creative_id to campaigns[campaign_id]

  FOR campaign_id, creatives IN campaigns:
    IF has_missing_hierarchy(creatives): // e.g., creative '10' exists but '1-9' do not
      FLAG campaign_id AS "Source ID Hierarchy Anomaly"

  RETURN flagged_campaigns

📈 Practical Use Cases for Businesses

• Campaign Measurement: Businesses use SKAdNetwork to measure the effectiveness of their iOS ad campaigns in a privacy-compliant way, understanding which ad networks and campaigns are driving installs.
• Fraud Mitigation: The framework’s cryptographic signatures and Apple-validated postbacks inherently protect against common fraud types like install hijacking and replay attacks, ensuring advertising budgets are spent on real installs.
• Early ROI Estimation: By mapping conversion values to key user actions (like registrations or first purchases), businesses can get an early, aggregated signal of user quality and estimate return on ad spend (ROAS) to optimize campaigns.
• Publisher Quality Analysis: Advertisers can analyze the volume and quality (via conversion values) of installs coming from different publisher apps (source apps) to identify high-performing and potentially fraudulent partners.

Example 1: Source App ID Filtering Rule

A business can create rules to automatically flag or block publishers (source apps) that send a high volume of installs but consistently have null or low conversion values, which may indicate low-quality or fraudulent traffic.

// Logic to score and flag suspicious source applications
FUNCTION evaluate_source_app_quality(postbacks):
  LET sources = {} // Stores stats for each source_app_id

  FOR postback IN postbacks:
    source_id = postback.source_app_id
    conversion = postback.conversion_value

    IF source_id NOT IN sources:
      sources[source_id] = {installs: 0, non_null_conversions: 0}
    
    sources[source_id].installs += 1
    IF conversion IS NOT NULL AND conversion > 0:
      sources[source_id].non_null_conversions += 1

  FOR source_id, data IN sources:
    quality_ratio = data.non_null_conversions / data.installs
    IF data.installs > 100 AND quality_ratio < 0.05:
      FLAG source_id AS "Low Quality Source"

  RETURN flagged_sources

Example 2: Conversion Value Sequence Validation

For a gaming app, a legitimate user journey might be: Tutorial Complete (CV=1) -> Level 5 Reached (CV=2) -> First Purchase (CV=5). A rule can be set to identify postbacks with high conversion values (e.g., 5) that are not preceded by a corresponding volume of lower, introductory values from that same campaign, indicating bots that skip early steps.

// Logic to check for logical conversion funnels per campaign
FUNCTION validate_conversion_funnel(postbacks_by_campaign):
  LET flagged_campaigns = []

  FOR campaign_id, postbacks IN postbacks_by_campaign:
    LET cv_counts = count_conversion_values(postbacks)
    
    // Example: Expect at least 3 tutorial completions for every 1 purchase
    tutorial_completes = cv_counts.get(1, 0)
    first_purchases = cv_counts.get(5, 0)

    IF first_purchases > 0 AND (tutorial_completes / first_purchases) < 3:
      FLAG campaign_id AS "Unnatural Funnel Progression"
      APPEND campaign_id to flagged_campaigns
      
  RETURN flagged_campaigns

🐍 Python Code Examples

This Python code simulates validating SKAdNetwork postbacks. It checks if a postback has already been processed by looking up its unique transaction ID, which is a core technique to prevent duplicate attributions or replay fraud.

processed_transactions = set()

def is_postback_valid(postback):
  """
  Checks if the transaction ID is unique to prevent replay attacks.
  """
  transaction_id = postback.get("transaction-id")
  if transaction_id in processed_transactions:
    print(f"Fraud Warning: Duplicate transaction ID {transaction_id} detected.")
    return False
  
  processed_transactions.add(transaction_id)
  return True

# Example Postback
postback_1 = {"transaction-id": "a1b2c3d4-e5f6-g7h8-i9j0-k1l2m3n4o5p6", "conversion-value": 10}
print(f"Postback 1 Valid: {is_postback_valid(postback_1)}")
print(f"Postback 1 Valid (Re-run): {is_postback_valid(postback_1)}")

This script analyzes a list of postbacks to detect abnormal click-to-install time patterns. While SKAN delays postbacks, significant deviations from expected, albeit anonymized, timing distributions for a given campaign could signal manipulation by a fraudulent publisher.

import statistics

def detect_timing_anomalies(postbacks, campaign_id):
  """
  Analyzes install-to-postback timestamps for a campaign to find outliers.
  """
  timestamps = [p.get("timestamp") for p in postbacks if p.get("campaign-id") == campaign_id]
  
  if len(timestamps) < 20: # Need enough data
    return

  mean_time = statistics.mean(timestamps)
  stdev_time = statistics.stdev(timestamps)

  for ts in timestamps:
    if abs(ts - mean_time) > 2 * stdev_time:
      print(f"Alert: Anomalous timestamp {ts} detected for campaign {campaign_id}.")

# Example Postbacks
campaign_postbacks = [
  {"campaign-id": 101, "timestamp": 86400},
  {"campaign-id": 101, "timestamp": 90000},
  {"campaign-id": 101, "timestamp": 150000} # Outlier
]
detect_timing_anomalies(campaign_postbacks, 101)

Types of Skadnetwork

• SKAdNetwork 2.0: Introduced the core privacy-centric attribution model. It supported view-through attribution and provided a 6-bit conversion value (0-63) to measure post-install activity within a 24-hour window. This version established the foundation of delayed, anonymous postbacks.
• SKAdNetwork 3.0: A minor but important update that added support for "loser" postbacks. Besides the winning postback sent to the ad network that won the attribution, up to five other networks that showed an impression could receive a notification that they did not win, providing more signals to the ecosystem.
• SKAdNetwork 4.0: A major evolution that introduced several key features. It replaced the campaign ID with a four-digit "hierarchical source identifier" for more campaign granularity and introduced "coarse-grained" conversion values (low, medium, high) for when privacy thresholds aren't met.
• Multiple Postbacks (SKAN 4.0): This version allows for up to three separate postbacks over different time windows (0-2 days, 3-7 days, and 8-35 days). This gives advertisers a longer, albeit still limited, view into user lifecycle value and engagement beyond the initial install activity.
• Web-to-App Attribution (SKAN 4.0): Extended SKAdNetwork support to attribute app installs that originate from ads clicked on websites in Safari. This closed a significant gap, allowing for privacy-safe attribution from web-based mobile advertising campaigns.