Fraud has always been a serious and widespread challenge in the advertising and online earning industries. With the rapid development of the Internet, more and more companies are shifting their marketing activities to digital channels, resulting in an endless stream of cheating methods such as false clicks and traffic brushing.

In order to maintain the fairness of market competition and ensure the interests of advertisers and media partners, the advertising and online earning industries have adopted various anti-fraud measures. This article will deeply explore the common anti-cheating strategies in the domestic advertising and online earning fields, and analyze their principles, advantages and disadvantages, and the difficulties faced in meeting the challenges.

 Important consensus

Anti-cheating is a long-term confrontational game HE Tuber process. It does not mean to leave illegal equipment and teams alone and allow false traffic to be generated; nor does it mean to "kill them all", thereby causing the loss of some potential "reasonable" benefits. Instead, we are looking for a dynamic value balance point, seeking to fit the criteria of advertisers/advertising platforms, and maximizing revenue.

Different businesses and different products need to be continuously improved and tracked according to different situations.

3. Explanation of basic terms

The advertising platform's identification of false traffic is in a black box state and we cannot accurately match it. However, through continuous business development, we can also summarize some methods, and now there are endless third-party anti-fraud platforms.

However, some products and businesses will still be subject to reductions by advertisers and advertising platforms. In fact, various advertising platforms in the industry generally not only identify the characteristics of equipment modifications, cheating tool risks, behaviors and other risks, but also look at data related to the effects of downstream advertising after clicks, such as activation, retention, conversion and other information after N days of advertising. , to determine the quality of traffic after clicks on partial app ads, and to reduce low-quality and poor-effect situations.

E-commerce: brushing orders and brushing reputation

APP: brush activation, download

Search: fake external links

Advertising: exposure, clicks

Form class: invalid form

Insurance Category: Brush Order

There is a need to increase monitoring and avoidance of risky behaviors, not only through the device level, but also through advertising data.

CPM, CPC payment: brush advertising indicators, such as impressions, clicks, etc.

CPA payment: brush download, activation and retention, etc.

CPS: Brush orders, such as insurance products that have surrender behavior during the hesitation period

Each type of advertisement has a corresponding payment form, and also has appeal points for false traffic benefits, which constitute the form of false traffic benefits. The usual characteristics are that clicks become very frequent but there are invalid interactions, the same person frequently visits the advertisements within a period of time, etc.

3. Common dimensions of false traffic

Equipment dimensions:

Device Identifier: Detect repeated or unusual patterns of device identifiers (such as IMEI, IDFA, etc.).

Device model and operating system: Detect abnormal device model and operating system combinations.

Device properties: Detect abnormalities or inconsistencies in device properties (such as screen resolution, device language, etc.).

IP address dimensions:

IP address ownership: Detect whether the IP address comes from an anonymous proxy, VPN or a well-known cheating IP address range.

IP address frequency: Detects frequent changes in IP addresses or patterns of heavy usage.

User behavior dimensions:

Installation time: Detect unusual patterns in installation time, such as installations in quick succession or concentrated in a specific time period.

Installation sources: Detect installations from untrusted or unusual sources.

Usage Behavior: Detect unusual patterns in user behavior, such as brief app usage or invalid click behavior.

Bounce rate: Bounce rate is usually used to measure APP performance and quality, and can also be used as a reference indicator for false traffic.

Average access depth: For fake traffic intended to increase traffic, user access depth is usually very low. However, it is necessary to exclude failed guidance such as landing pages.

Average visit duration: False traffic pursues “volume” rather than duration, and can be identified by the visit duration.

User behavior path: The behavior sequence distribution of ordinary users is irregular, but false traffic will be pre-set and executed, and there are traces to follow.

Advertising related dimensions:

Ad click-through rate: Detect unusually high or low click-through rates.

Ad Conversion Rate: Detect unusually high or low conversion rates.

Ad Impressions: Detects abnormally high or low ad impressions.

Data statistics dimensions:

Duplicate Data: Detect duplicate installation or event data.

Abnormal data patterns: Detect anomalies in data patterns, such as abnormal distribution, aggregation, or changes.

Configure different levels of anti-cheating strategies according to different business scenarios.

High-risk device labels:

Repackaging: An attacker may repackage an existing software or application into a new version that has similar functionality but is difficult to detect to avoid detection by anti-cheat systems (detection signatures)

Group control: Attackers usually use automated programs or scripts to control multiple computers or devices for attacks (detect the same IP)

Code receiving platform: The code receiving platform is a third-party platform that provides SMS verification code receiving services. Attackers usually use these platforms to send a large number of spam or malicious SMS messages for cheating (detecting the same IP)

Modification tool: Modification tool is a software that can modify the information of mobile phone devices. It can be used to forge device information, such as IMEI number, model, etc. (detect device-related ID)

Medium risk device label:

Simulated clicks: Cheaters can write automated scripts to complete a series of operations by simulating mouse clicks (detecting mouse click time intervals)

Emulator: An emulator is software that emulates another operating system or device on a computer, allowing users to run applications without the actual device (Virtual Machine Detection Tool)

root: root is a super user authority that allows the user to have complete control over the system (file detection)

Shell: Shell is a command line interpreter that allows users to perform various commands and operations on the computer. Because Shell can bypass some security restrictions, it has also become one of the tools used by some cheaters (file detection)

Low risk device label:

VPN, multi-open tools, bonus wall, custom rom tools, etc.

2) Monetization data: Black users or abnormal users usually generate a large number of clicks or consumption behaviors in a short period of time, so their ARPU, IPU and eCPM data may be much higher than normal users. You can filter and analyze users exceeding a certain value by setting a threshold.

3) WeChat installation time: Black users or abnormal users usually commit fraud by quickly installing a large number of WeChat accounts. Therefore, you can compare the WeChat installation time to find users with short installation time but abnormal consumption behavior.

6. Risk control type

1. Install risk control

Data collection and analysis:

Collect various data related to ad installation, including device information, IP address, user behavior, etc.

Data is processed and analyzed using data analysis tools and algorithms to identify abnormal patterns and risk signals.

Device fingerprint recognition:

Create a device fingerprint by collecting and analyzing data such as the device's unique identifier, hardware information, and operating system.

IP address verification:

Check whether the installed IP address belongs to an anonymizing proxy, VPN or other anonymizing service.

Identify potential fraud by comparing it to a database of known fraudulent IP addresses.

User Behavior Analysis:

Analyze user installation behavior, including installation time, installation source, application usage, etc.

Detect unusual patterns, such as rapid installations, large numbers of repeated installations, etc., to identify possible cheating.

Machine learning and model building:

Use machine learning algorithms to build models, using historical data and labeled cheating behaviors as training sets.

Use trained models to predict whether new installs are at risk of fraud.

Real-time monitoring and anti-cheating measures:

Monitor and analyze data in real time during the ad installation process to detect cheating in a timely manner.

Apply anti-cheating measures, such as blocking the installation of cheating devices, limiting repeated installations, etc.

Installation verification and billing processing:

After the install is confirmed as valid, billing is processed to ensure that advertisers only pay for valid installs.

Monitor and audit installation data to ensure accuracy and compliance of billing processes.

data collection:

Collect advertising-related data in real time, including event data such as ad clicks, installations, and conversions.

Obtain data such as device information, IP address, user behavior, etc.

Data preprocessing:

Clean and preprocess the collected data, including removing duplicate data, correcting outliers, etc.

Convert data into a format that can be analyzed and processed.

Feature extraction and calculation:

Extract key features, such as device fingerprints, IP address features, click behavior features, etc.

Calculate important metrics such as click-through rate, conversion rate, impressions, etc.

Data is analyzed and processed using real-time monitoring algorithms to detect cheating.

Commonly used algorithms include machine learning algorithms, anomaly detection algorithms, rule engines, etc.

Threshold settings and rules engine:

Based on historical data and business needs, set appropriate thresholds and rules to determine cheating behavior.

Thresholds and rules can be dynamically adjusted based on changes in real-time data to increase accuracy and flexibility.

Risk assessment and alarm:

Conduct risk assessments for each event based on monitoring results and rule judgments.

For risk events, the alarm mechanism is triggered and relevant personnel are notified for further processing.

Real-time anti-cheating measures:

Based on the monitoring results and risk assessment, implement corresponding