What is Time decay attribution?
Time decay attribution is a model used in fraud prevention that assigns diminishing credit to security signals over time. More recent events, like a suspicious IP or rapid clicks, receive higher weight in a fraud score. This method prioritizes immediate threats over historical data, enabling faster, more accurate identification of automated bots and click fraud in real time.
How Time decay attribution Works
[Click Event] β [Data Collector] β [Session Analyzer] β [Time-Decay Scorer] β [Risk Assessment] β [Action]
β β β β β β
β β β β β ββ (Block/Flag)
β β β β ββ (Score > Threshold?)
β β β ββ (Apply Decay Formula)
β β ββ (Group by User/IP)
β ββ (IP, User Agent, Timestamp)
ββ (From Ad)
Data Ingestion and Sessionization
The process begins when a user clicks on an ad. The traffic security system instantly captures critical data points associated with the click, including the user’s IP address, user agent string, device type, geographic location, and a precise timestamp. These individual click events are then grouped into sessions based on a unique identifier, such as the IP address or a device fingerprint. This sessionization is crucial for analyzing the sequence and timing of actions from a single source.
Temporal Weighting Algorithm
Once a session is established, the time decay algorithm comes into play. It analyzes the sequence of events within the session. Each event is assigned an initial risk score based on known fraud indicators (e.g., a datacenter IP, a known bot signature). The core of the model is applying a decay functionβoften an exponential half-life formula. This means an event’s risk score decreases over time, making recent suspicious activities far more impactful on the overall fraud score than older ones.
Fraud Score Calculation and Mitigation
The system aggregates the time-weighted scores of all events within a session to compute a final, cumulative fraud score. For example, multiple clicks from the same IP in a short period will result in a high score, as each new click resets the clock before the previous scores can decay. If this cumulative score exceeds a predefined risk threshold, the system triggers a mitigation action, such as blocking the IP, flagging the click as invalid, or presenting a CAPTCHA challenge.
ASCII Diagram Breakdown
[Click Event] β [Data Collector]
This represents the initial data flow where a click on a digital ad generates a record. The data collector gathers essential information like the IP address and timestamp, which are fundamental inputs for the detection model.
[Session Analyzer] β [Time-Decay Scorer]
The analyzer groups related clicks into a single session to build context. The time-decay scorer then evaluates these events, applying a formula where the relevance of a suspicious signal (e.g., a click from a proxy) diminishes over time. This ensures the system focuses on current, active threats.
[Risk Assessment] β [Action]
The system calculates a cumulative risk score based on the weighted signals. If the score surpasses a set threshold, it indicates a high probability of fraud, leading to an automated action like blocking the source to prevent further damage to the ad campaign.
π§ Core Detection Logic
Example 1: IP Click Velocity Scoring
This logic tracks the frequency of clicks from a single IP address. A fraud score is assigned to an IP, and this score decays over time. If clicks occur in rapid succession, the score escalates quickly. If the clicks stop, the score gradually decreases, preventing the system from permanently blocking a potentially legitimate, shared IP.
FUNCTION on_click(ip_address, timestamp):
// Retrieve the IP's current data or create a new record
ip_data = get_ip_record(ip_address)
// Calculate time since last click
time_delta = timestamp - ip_data.last_seen_timestamp
// Apply time decay to the existing score
decay_factor = calculate_decay(time_delta) // e.g., exponential decay
ip_data.score = ip_data.score * decay_factor
// Add a base score for the new click
ip_data.score += 10
// Update timestamp and save
ip_data.last_seen_timestamp = timestamp
save_ip_record(ip_address, ip_data)
IF ip_data.score > 50:
RETURN "BLOCK"
ELSE:
RETURN "ALLOW"
Example 2: Session Heuristics with Decay
This logic analyzes a sequence of user actions within a single session. Early, exploratory actions might be given a low initial suspicion score that decays quickly. However, a sudden burst of non-human behavior (e.g., extremely fast form filling) receives a high score that decays slowly, making the entire session appear fraudulent.
FUNCTION analyze_session(session_events):
session_score = 0
last_event_time = session_events.timestamp
FOR event IN session_events:
// Apply decay based on time since last event
time_delta = event.timestamp - last_event_time
session_score *= calculate_decay(time_delta)
// Add score based on event type
IF event.type == "FAST_SUBMIT":
session_score += 50
ELSE IF event.type == "UNUSUAL_NAVIGATION":
session_score += 20
last_event_time = event.timestamp
RETURN session_score
Example 3: Geographic Mismatch Anomaly
This logic detects when a user’s purported location changes impossibly fast between clicks, a common sign of proxy or VPN abuse. The fraud score from a location mismatch is high but decays over a longer period (e.g., hours), as this is a strong indicator of intentional obfuscation rather than a brief behavioral anomaly.
FUNCTION check_geo_mismatch(ip_address, click_geo, timestamp):
ip_data = get_ip_record(ip_address)
IF ip_data.last_known_geo IS NOT NULL:
distance = calculate_distance(click_geo, ip_data.last_known_geo)
time_delta = timestamp - ip_data.last_seen_timestamp
speed = distance / time_delta
// If speed is faster than possible (e.g., > 1000 km/h)
IF speed > IMPOSSIBLE_TRAVEL_SPEED:
// Apply a high score with slow decay
ip_data.geo_fraud_score = 100
ELSE:
// Apply normal decay if no new anomaly
ip_data.geo_fraud_score *= calculate_long_decay(time_delta)
// Update geo and timestamp
ip_data.last_known_geo = click_geo
ip_data.last_seen_timestamp = timestamp
save_ip_record(ip_address, ip_data)
π Practical Use Cases for Businesses
- Campaign Shielding β Protects ad budgets by applying a higher fraud score to recent, repetitive clicks from the same source, allowing the system to block bots before they exhaust campaign funds.
- Analytics Purification β Ensures marketing data is clean by devaluing or filtering out traffic from sources that show time-based anomalies, leading to more accurate ROI and CPA calculations.
- ROAS Optimization β Improves Return on Ad Spend by focusing budget on traffic sources that are consistently legitimate over time, rather than those with sporadic, suspicious activity.
- User Quality Scoring β Differentiates between high-quality users and low-quality or fraudulent traffic by analyzing the timing of engagement signals throughout the user journey.
Example 1: Dynamic IP Blacklisting Rule
This rule automatically adds an IP to a temporary blacklist if its fraud score, calculated with time decay, exceeds a certain threshold. The IP is removed after a set period if no new suspicious activity is detected, preventing permanent blocks on dynamic or shared IPs.
// Rule: Block IPs with a rapidly escalating score
// The score decays with a 30-minute half-life.
IP_SCORE_THRESHOLD = 100
DECAY_HALF_LIFE_SECONDS = 1800
FUNCTION process_click(ip, timestamp):
score = get_cached_score(ip)
last_click_time = get_last_click_time(ip)
// Apply exponential decay based on time since last click
time_elapsed = timestamp - last_click_time
decayed_score = score * (0.5 ^ (time_elapsed / DECAY_HALF_LIFE_SECONDS))
// Add score for the new click and update cache
new_score = decayed_score + 15
set_cached_score(ip, new_score)
IF new_score > IP_SCORE_THRESHOLD:
add_to_temp_blacklist(ip, duration="1_HOUR")
RETURN "BLOCKED"
Example 2: Session Authenticity Scoring
This logic assesses the authenticity of a user session. A session that starts with a suspicious signal (e.g., from a known datacenter) gets a high initial score. If the user then behaves normally, the score decays. If more suspicious signals appear, the score rises again, leading to a block.
// Logic: Score a session's authenticity based on event timing
SESSION_BLOCK_THRESHOLD = 80
DECAY_RATE_PER_MINUTE = 0.05 // 5% decay per minute
FUNCTION score_session_event(session, event):
// Decay current session score based on time
time_since_last_event = event.timestamp - session.last_event_time
minutes_passed = time_since_last_event / 60
decay_multiplier = (1 - DECAY_RATE_PER_MINUTE) ^ minutes_passed
session.score *= decay_multiplier
// Add score for the new event
IF event.is_suspicious:
session.score += 40
session.last_event_time = event.timestamp
IF session.score > SESSION_BLOCK_THRESHOLD:
RETURN "SESSION_INVALID"
π Python Code Examples
This Python function simulates calculating a fraud score for an IP address based on click timestamps. It applies an exponential decay formula, where more recent clicks contribute significantly more to the score, helping to identify rapid-fire bot activity.
import time
# Store last click time and score for each IP
ip_records = {}
HALF_LIFE = 600 # 10 minutes in seconds
def get_fraud_score(ip):
if ip not in ip_records:
ip_records[ip] = {'score': 0, 'timestamp': 0}
record = ip_records[ip]
current_time = time.time()
time_diff = current_time - record['timestamp']
# Apply exponential time decay
decay_factor = 0.5 ** (time_diff / HALF_LIFE)
record['score'] *= decay_factor
# Add points for the new click and update timestamp
record['score'] += 1.0
record['timestamp'] = current_time
return record['score']
# --- Simulation ---
ip_address = "123.45.67.89"
print(f"Score 1: {get_fraud_score(ip_address)}")
time.sleep(2)
print(f"Score 2 (after 2s): {get_fraud_score(ip_address)}")
time.sleep(1200) # Wait 20 minutes
print(f"Score 3 (after 20m): {get_fraud_score(ip_address)}")
This code example demonstrates filtering a batch of incoming clicks. It uses a helper function to decide whether a click is fraudulent based on a time-decay score. This is useful for post-processing logs to identify suspicious IPs that should be added to a blocklist.
# (Assumes get_fraud_score function from Example 1 exists)
def filter_suspicious_clicks(click_log):
suspicious_ips = set()
FRAUD_THRESHOLD = 5.0
for click in click_log:
ip = click['ip_address']
score = get_fraud_score(ip) # Calculates score with decay
print(f"IP: {ip}, Current Score: {score:.2f}")
if score > FRAUD_THRESHOLD:
suspicious_ips.add(ip)
return list(suspicious_ips)
# --- Simulation ---
clicks = [
{'ip_address': '11.22.33.44'}, {'ip_address': '99.88.77.66'},
{'ip_address': '11.22.33.44'}, {'ip_address': '11.22.33.44'},
{'ip_address': '99.88.77.66'}, {'ip_address': '11.22.33.44'},
{'ip_address': '11.22.33.44'}
]
flagged_ips = filter_suspicious_clicks(clicks)
print(f"nIPs to investigate: {flagged_ips}")
Types of Time decay attribution
- Linear Decay β A model where the fraud score of an event decreases by a constant amount over time. It’s simple to implement but less effective at modeling the urgency of very recent threats compared to exponential decay.
- Exponential Decay (Half-Life) β The most common type in fraud detection, where an event’s fraud score is halved over a fixed period (the “half-life”). This model heavily weights recent activity, making it ideal for detecting rapid, automated attacks like bot clicks.
- Positional Decay β This model assigns decreasing value based on an event’s position in a sequence, not just time. The last event in a session receives the most weight. In fraud detection, it helps identify suspicious final actions before a conversion event.
- Custom Decay β A flexible model allowing different decay rates for different types of fraudulent signals. For example, a high-risk signal like a known proxy IP might decay much more slowly than a lower-risk signal like an unusual user agent.
π‘οΈ Common Detection Techniques
- IP Velocity Tracking β This technique monitors the rate of clicks or other events from a single IP address. A time decay model is used to lower the risk score of an IP over time, preventing it from being permanently flagged for a temporary spike in activity.
- Behavioral Heuristics β This involves analyzing user behavior patterns like mouse movements, scroll speed, and time between clicks. Recent, unnatural behaviors are given a higher weight, allowing the system to distinguish between human users and bots whose activity patterns often differ.
- Session Risk Scoring β A session’s overall risk is calculated by aggregating the scores of individual events within it. Time decay ensures that recent suspicious events, like failed logins or rapid page loads, contribute more to the total score, flagging the entire session as potentially fraudulent.
- Device Fingerprinting Anomalies β This technique tracks unique browser and device characteristics. If a device fingerprint suddenly produces signals from a different geographic location, the time decay model assigns a high, slow-decaying fraud score, as this is a strong indicator of an attempt to cloak identity.
- Honeypot Traps β This involves placing invisible links or forms on a webpage that only automated bots would interact with. When a bot clicks a honeypot, it receives a very high fraud score that decays extremely slowly, effectively tagging the source as malicious for an extended period.
π§° Popular Tools & Services
| Tool | Description | Pros | Cons |
|---|---|---|---|
| Traffic Sentinel AI | A real-time traffic analysis platform that uses machine learning and time-decay models to score incoming clicks. It focuses on pre-bid fraud prevention by analyzing request metadata to block bots before they can click. | Highly adaptive to new threats; Integrates with major ad platforms; Provides detailed reporting on blocked threats. | Can be expensive for small businesses; Initial setup and tuning may require technical expertise. |
| ClickGuard Pro | A service focused on post-click analysis and IP blocking for PPC campaigns. It uses time-decay rules to identify IPs with abnormal click frequencies and automatically adds them to exclusion lists in Google Ads and other platforms. | Easy to set up and use; Effective for direct response campaigns; Offers automated IP exclusion management. | Less effective against sophisticated bots that rotate IPs; Primarily reactive (post-click). |
| AdSecure Engine | A comprehensive ad security suite that combines malware scanning with traffic quality analysis. Its time-decay feature is part of a broader behavioral analysis engine that detects non-human patterns and geo-location fraud. | Holistic protection beyond just click fraud; Good at detecting coordinated botnet attacks; Real-time alerts. | Complex feature set can be overwhelming; Higher resource consumption than simpler tools. |
| BotBlocker Analytics | A developer-focused API that provides a fraud score for users or events. It relies heavily on time-decayed fingerprinting and velocity checks, allowing businesses to integrate fraud detection directly into their applications. | Highly flexible and customizable; Pay-per-use pricing model can be cost-effective; Strong documentation. | Requires significant development resources to implement; No user interface or out-of-the-box dashboards. |
π KPI & Metrics
Tracking the right KPIs is crucial for evaluating the effectiveness of a time decay attribution model in fraud protection. It’s important to measure not only the technical accuracy of the detection engine but also its impact on business outcomes like ad spend efficiency and conversion quality.
| Metric Name | Description | Business Relevance |
|---|---|---|
| Fraud Detection Rate (FDR) | The percentage of total fraudulent clicks correctly identified by the system. | Measures the core effectiveness of the fraud filter in catching invalid traffic. |
| False Positive Rate (FPR) | The percentage of legitimate clicks incorrectly flagged as fraudulent. | Indicates if the detection rules are too aggressive, potentially blocking real customers. |
| Invalid Traffic (IVT) Reduction % | The overall percentage decrease in invalid traffic on ad campaigns after implementation. | Directly shows the impact on cleaning up ad traffic and reducing wasted spend. |
| CPA / ROAS Improvement | Change in Cost Per Acquisition or Return On Ad Spend after filtering fraudulent traffic. | Translates technical filtering into tangible financial gains and campaign efficiency. |
These metrics are typically monitored through real-time dashboards that pull data from ad platforms and server logs. Alerts are often configured to notify teams of sudden spikes in fraud rates or false positives. This continuous feedback loop is essential for optimizing the time decay model’s parameters, such as the half-life period or risk thresholds, to adapt to new threats while minimizing the impact on legitimate users.
π Comparison with Other Detection Methods
Detection Accuracy and Speed
Compared to static, signature-based detection (e.g., blocking known bad IPs), time decay attribution is more dynamic. Signature-based methods are fast but ineffective against new or unknown bots. Time decay models can identify novel threats based on behavior over time. However, they can be computationally more intensive and may introduce slightly more latency than a simple blacklist lookup.
Real-Time vs. Batch Processing
Time decay models excel in real-time environments where recent behavior is a strong predictor of intent. This makes them highly suitable for pre-bid ad environments and immediate post-click filtering. In contrast, more complex behavioral analytics or machine learning models might require more data and are often used in batch processing to analyze historical logs, which can delay the response to an active attack.
Effectiveness Against Different Threats
Time decay logic is particularly effective against automated, high-velocity attacks (e.g., simple click bots) where timing and frequency are key indicators. It may be less effective against “low-and-slow” attacks, where a bot attempts to mimic human behavior over a longer period. Methods based on deeper behavioral analysis or CAPTCHA challenges are often better suited for these more sophisticated threats.
β οΈ Limitations & Drawbacks
While powerful, time decay attribution is not a silver bullet for fraud detection. Its effectiveness depends heavily on proper configuration and context. The model can be inefficient or problematic when dealing with certain types of traffic or sophisticated attack vectors.
- High Resource Consumption β Calculating decay scores for every click event in real-time can be computationally expensive and may not be suitable for high-volume environments without significant hardware.
- Latency Concerns β The processing time required for scoring can introduce latency, which is a major issue in real-time bidding (RTB) auctions where decisions must be made in milliseconds.
- Difficulty in Tuning β Setting the correct “half-life” or decay rate is challenging. If the decay is too fast, it may miss slow attacks; if it’s too slow, it may penalize legitimate users for past, unrelated events.
- Vulnerability to Sophisticated Bots β Advanced bots can mimic human timing (“low and slow” attacks), making their behavior difficult to flag with a model that prioritizes recent, rapid activity.
- False Positives from Shared IPs β Users on large carrier-grade NATs or public Wi-Fi can be unfairly penalized if another user on the same IP address engages in fraudulent activity.
In scenarios involving highly sophisticated bots or where zero latency is required, a hybrid approach combining time decay with signature-based filtering or device fingerprinting is often more suitable.
β Frequently Asked Questions
How does time decay differ from a simple click-per-second limit?
A simple click limit (e.g., “block IP after 5 clicks in 1 minute”) is a static rule. Time decay is more fluid; it creates a score that rises with each click but continuously decreases over time. This allows it to penalize rapid bursts of activity more heavily than clicks that are spaced out, making it more nuanced and less prone to false positives.
Is time decay effective against sophisticated, human-like bots?
By itself, it can be less effective. Sophisticated bots often mimic human behavior by spacing out their actions (“low-and-slow” attacks). However, time decay is rarely used in isolation. When combined with other signals like behavioral analysis, device fingerprinting, and IP reputation, it becomes a powerful component of a multi-layered defense system.
What data is required to implement a time decay model for fraud detection?
At a minimum, you need the user’s IP address and a precise timestamp for each click or event. For a more robust model, you would also incorporate other data points like user agent strings, device IDs, geographic location, and specific actions taken on the page to create a more comprehensive risk score.
Can time decay rules lead to blocking legitimate users?
Yes, this is a risk, particularly with poorly tuned models. For example, if the decay rate is too slow, a user on a shared network (like a university or mobile carrier) could be blocked because of another user’s previous bad activity. This is why it’s crucial to monitor false positive rates and adjust the decay parameters accordingly.
How do you choose the right “half-life” for a decay model?
The ideal half-life depends on the context of the ad campaign and typical user behavior. For short-term promotional campaigns where decisions are made quickly, a shorter half-life (e.g., 5-10 minutes) is effective. For B2B scenarios with longer consideration periods, a longer half-life (e.g., hours or days) might be more appropriate. It often requires empirical testing and analysis of traffic data.
π§Ύ Summary
Time decay attribution is a fraud detection model that assigns greater importance to more recent user actions. By applying a “decay” factor to the risk score of security signals over time, it prioritizes immediate threats. This makes it highly effective at identifying automated click fraud and other bot-driven activities, helping businesses protect ad spend and maintain data integrity by focusing on timely, relevant behavioral patterns.