research-article

Clicktok: click fraud detection using traffic analysis

Authors:

Shishir Nagaraja,

Ryan ShahAuthors Info & Claims

WiSec '19: Proceedings of the 12th Conference on Security and Privacy in Wireless and Mobile Networks

Pages 105 - 116

https://doi.org/10.1145/3317549.3323407

Published: 15 May 2019 Publication History

Abstract

Advertising is a primary means for revenue generation for millions of websites and smartphone apps. Naturally, a fraction abuse ad networks to systematically defraud advertisers of their money. Modern defences have matured to overcome some forms of click fraud but measurement studies have reported that a third of clicks supplied by ad networks could be clickspam. Our work develops novel inference techniques which can isolate click fraud attacks using their fundamental properties. We propose two defences, mimicry and bait-click, which provide clickspam detection with substantially improved results over current approaches. Mimicry leverages the observation that organic clickfraud involves the reuse of legitimate click traffic, and thus isolates clickspam by detecting patterns of click reuse within ad network clickstreams. The bait-click defence leverages the vantage point of an ad network to inject a pattern of bait clicks into a user's device. Any organic clickspam generated involving the bait clicks will be subsequently recognisable by the ad network. Our experiments show that the mimicry defence detects around 81% of fake clicks in stealthy (low rate) attacks, with a false-positive rate of 110 per hundred thousand clicks. Similarly, the bait-click defence enables further improvements in detection, with rates of 95% and a reduction in false-positive rates of between 0 and 30 clicks per million - a substantial improvement over current approaches.

References

[1]

2016. You can now rent a Mirai botnet of 400000 bots. https://www.bleepingcomputer.com/news/security/you-can-now-rent-a-mirai-botnet-of-400-000-bots/

[2]

Patrick Billingsley. 1995. Probability and Measure (3 ed.). Wiley-Interscience. http://www.worldcat.org/isbn/0471007102

[3]

Hamad Binsalleeh, Thomas Ormerod, Amine Boukhtouta, Prosenjit Sinha, Amr Youssef, Mourad Debbabi, and Lingyu Wang. 2010. On the analysis of the zeus botnet crimeware toolkit. In 2010 Eighth International Conference on Privacy, Security and Trust. IEEE, 31--38.

[4]

Carlo Blundo and Stelvio Cimato. 2002. SAWM: a tool for secure and authenticated web metering. In Proceedings of the 14th international conference on Software engineering and knowledge engineering (SEKE '02). ACM, New York, NY, USA, 641--648.

Digital Library

[5]

Y-Lan Boureau, Jean Ponce, and Yann Lecun. 2010. A Theoretical Analysis of Feature Pooling in Visual Recognition. In 27TH INTERNATIONAL CONFERENCE ON MACHINE LEARNING, HAIFA, ISRAEL.

Digital Library

[6]

Gregory Buehrer, Jack W. Stokes, and Kumar Chellapilla. 2008. A large-scale study of automated web search traffic. In AIRWeb (ACM International Conference Proceeding Series), Carlos Castillo, Kumar Chellapilla, and Dennis Fetterly (Eds.). 1--8.

Digital Library

[7]

Neha Chachra, Stefan Savage, and Geoffrey M. Voelker. 2015. Affiliate Crookies: Characterizing Affiliate Marketing Abuse. In Proceedings of the 2015 Internet Measurement Conference (IMC '15). ACM, New York, NY, USA, 41--47.

Digital Library

[8]

Yizheng Chen, Panagiotis Kintis, Manos Antonakakis, Yacin Nadji, David Dagon, and Michael Farrell. 2017. Measuring lower bounds of the financial abuse to online advertisers: A four year case study of the TDSS/TDL4 Botnet. Computers & Security 67 (2017), 164--180.

Digital Library

[9]

Click-spam accounting {n. d.}. The lane's gift v. google report. http://googleblog.blogspot.in/pdf/Tuzhilin_Report.pdf.

[10]

Neil Daswani and Michael Stoppelman. 2007. The Anatomy of Clickbot. A. In Proceedings of the First Conference on First Workshop on Hot Topics in Understanding Botnets (HotBots'07). USENIX Association, Berkeley, CA, USA, 11--11. http://dl.acm.org/citation.cfm?id=1323128.1323139

Digital Library

[11]

Vacha Dave, Saikat Guha, and Yin Zhang. 2012. Measuring and fingerprinting click-spam in ad networks. In Proceedings of the ACM SIGCOMM 2012 conference on Applications, technologies, architectures, and protocols for computer communication (SIGCOMM '12). ACM, New York, NY, USA, 175--186.

Digital Library

[12]

Vacha Dave, Saikat Guha, and Yin Zhang. 2013. ViceROI: Catching Click-spam in Search Ad Networks. In Proceedings of the 2013 ACM SIGSAC Conference on Computer & Communications Security (CCS '13). ACM, New York, NY, USA, 765--776.

Digital Library

[13]

Adrienne Porter Felt, Matthew Finifter, Erika Chin, Steve Hanna, and David Wagner. 2011. A survey of mobile malware in the wild. In Proceedings of the 1st ACM workshop on Security and privacy in smartphones and mobile devices. ACM, 3--14.

Digital Library

[14]

Thore Graepel, Joaquin Quinonero Candela, Thomas Borchert, and Ralf Herbrich. 2010. Web-Scale Bayesian Click-Through rate Prediction for Sponsored Search Advertising in Microsoft's Bing Search Engine. In Proceedings of the 27th International Conference on Machine Learning (ICML-10), Johannes Fürnkranz and Thorsten Joachims (Eds.). Omnipress, Haifa, Israel, 13--20. http://www.icml2010.org/papers/901.pdf

Digital Library

[15]

Chris Grier, Lucas Ballard, Juan Caballero, Neha Chachra, Christian J. Dietrich, Kirill Levchenko, Panayiotis Mavrommatis, Damon McCoy, Antonio Nappa, Andreas Pitsillidis, Niels Provos, M. Zubair Rafique, Moheeb Abu Rajab, Christian Rossow, Kurt Thomas, Vern Paxson, Stefan Savage, and Geoffrey M. Voelker. 2012. Manufacturing Compromise: The Emergence of Exploit-as-a-Service. In Proc. of the ACM Conference on Computer and Communications Security (CCS).

Digital Library

[16]

Ramakrishna Gummadi, Hari Balakrishnan, Petros Maniatis, and Sylvia Ratnasamy. 2009. Not-a-Bot (NAB): Improving Service Availability in the Face of Botnet Attacks. In NSDI 2009. Boston, MA.

Digital Library

[17]

Hamed Haddadi. 2010. Fighting online click-fraud using bluff ads. SIGCOMM Comput. Commun. Rev. 40, 2 (April 2010), 21--25.

Digital Library

[18]

Google Inc. Accessed Mar 2018. Monkeyrunner reference. https://developer.android.com/studio/test/monkeyrunner

[19]

Gregoire Jacob, Engin Kirda, Christopher Kruegel, and Giovanni Vigna. 2012. PUBCRAWL: Protecting Users and Businesses from CRAWLers. In Presented as part of the 21st USENIX Security Symposium (USENIX Security 12). USENIX, Bellevue, WA, 507--522. https://www.usenix.org/conference/usenixsecurity12/technical-sessions/presentation/jacob

Digital Library

[20]

Ari Juels, Sid Stamm, and Markus Jakobsson. 2007. Combating click fraud via premium clicks. In Proceedings of 16th USENIX Security Symposium on USENIX Security Symposium (SS'07). USENIX Association, Berkeley, CA, USA, Article 2, 10 pages. http://dl.acm.org/citation.cfm?id=1362903.1362905

Digital Library

[21]

Hongwen Kang, Kuansan Wang, David Soukal, Fritz Behr, and Zijian Zheng. 2010. Large-scale Bot Detection for Search Engines. In Proceedings of the 19th International Conference on World Wide Web (WWW '10). ACM, New York, NY, USA, 501--510.

Digital Library

[22]

Sara Khanchi, Nur Zincir-Heywood, and Malcolm Heywood. 2018. Streaming Botnet traffic analysis using bio-inspired active learning. In NOMS 2018-2018 IEEE/IFIP Network Operations and Management Symposium. IEEE, 1--6.

[23]

Carmelo Kintana, David Turner, Jia-Yu Pan, Ahmed Metwally, Neil Daswani, Erika Chin, and Andrew Bortz. 2009. The Goals and Challenges of Click Fraud Penetration Testing Systems. In International Symposium on Software Reliability Engineering.

[24]

G Kirubavathi and R Anitha. 2014. Botnets: A study and analysis. In Computational Intelligence, Cyber Security and Computational Models. Springer, 203--214.

[25]

Brendan Kitts, Jing Ying Zhang, Gang Wu, Wesley Brandi, Julien Beasley, Kieran Morrill, John Ettedgui, Sid Siddhartha, Hong Yuan, Feng Gao, et al. 2015. Click fraud detection: adversarial pattern recognition over 5 years at Microsoft. In Real World Data Mining Applications. Springer, 181--201.

[26]

Alex Krizhevsky, Ilya Sutskever, and Geoffrey E. Hinton. 2017. ImageNet Classification with Deep Convolutional Neural Networks. Commun. ACM 60, 6 (May 2017), 84--90.

Digital Library

[27]

Nir Kshetri. 2010. The Economics of Click Fraud. IEEE Security & Privacy 8, 3 (2010), 45--53. http://dblp.uni-trier.de/db/journals/ieeesp/ieeesp8.html#Kshetri10

Digital Library

[28]

Daniel D. Lee and H. Sebastian Seung. 2000. Algorithms for Non-negative Matrix Factorization. In In NIPS. MIT Press, 556--562.

[29]

Bin Liu, Suman Nath, Ramesh Govindan, and Jie Liu. 2014. DECAF: Detecting and Characterizing Ad Fraud in Mobile Apps. In 11th USENIX Symposium on Networked Systems Design and Implementation (NSDI 14). USENIX Association, Seattle, WA, 57--70. https://www.usenix.org/conference/nsdi14/technical-sessions/presentation/liu_bin

Digital Library

[30]

Wei Meng, Ruian Duan, and Wenke Lee. 2013. DNS Changer remediation study. Talk at M3AAWG 27th (2013).

[31]

Ahmed Metwally, Divyakant Agrawal, Amr El Abbad, and Qi Zheng. 2007. On Hit Inflation Techniques and Detection in Streams of Web Advertising Networks. In Proceedings of the 27th International Conference on Distributed Computing Systems (ICDCS '07). IEEE Computer Society, Washington, DC, USA, 52-.

Digital Library

[32]

Ahmed Metwally, Divyakant Agrawal, and Amr El Abbadi. 2007. Detectives: detecting coalition hit inflation attacks in advertising networks streams. In Proceedings of the 16th international conference on World Wide Web (WWW '07). ACM, New York, NY, USA, 241--250.

Digital Library

[33]

Ahmed Metwally, Fatih Emekçi, Divyakant Agrawal, and Amr El Abbadi. 2008. SLEUTH: Single-pubLisher attack dEtection Using correlaTion Hunting. Proc. VLDB Endow. 1, 2 (Aug. 2008), 1217--1228. http://dl.acm.org/citation.cfm?id=1454159.1454161

Digital Library

[34]

Brad Miller, Paul Pearce, Chris Grier, Christian Kreibich, and Vern Paxson. 2011. What's Clicking What? Techniques and Innovations of Today's Clickbots. In Proceedings of the 8th International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment (DIMVA'11). Springer-Verlag, Berlin, Heidelberg, 164--183. http://dl.acm.org/citation.cfm?id=2026647.2026661

Digital Library

[35]

Andreas Moser, Christopher Kruegel, and Engin Kirda. 2007. Exploring Multiple Execution Paths for Malware Analysis. In Proc. of the IEEE Symposium on Security and Privacy.

Digital Library

[36]

Riwa Mouawi, Mariette Awad, Ali Chehab, Imad H El Hajj, and Ayman Kayssi. 2018. Towards a Machine Learning Approach for Detecting Click Fraud in Mobile Advertizing. In 2018 International Conference on Innovations in Information Technology (IIT). IEEE, 88--92.

[37]

Bob Mungamuru and Stephen Weis. 2008. In Financial Cryptography and Data Security, Gene Tsudik (Ed.). Springer-Verlag, Berlin, Heidelberg, Chapter Competition and Fraud in Online Advertising Markets, 187--191.

[38]

G. Ollmann. 2009. Want to rent an 80-120k DDoS Botnet? Blog: Damballa. http://bit.ly/W9Hh2x

[39]

Paul Pearce, Vacha Dave, Chris Grier, Kirill Levchenko, Saikat Guha, Damon McCoy, Vern Paxson, Stefan Savage, and Geoffrey M. Voelker. 2014. Characterizing Large-Scale Click Fraud in ZeroAccess. In Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security (CCS '14). ACM, New York, NY, USA, 141--152.

Digital Library

[40]

Paul Pearce, Vacha Dave, Chris Grier, Kirill Levchenko, Saikat Guha, Damon McCoy, Vern Paxson, Stefan Savage, and Geoffrey M Voelker. 2014. Characterizing large-scale click fraud in zeroaccess. In Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security. ACM, 141--152.

Digital Library

[41]

The Selenium Project. Accessed Oct 2017. Selenium IDE. https://docs.seleniumhq.org

[42]

Michael G. Reed, Paul F. Syverson, and David M. Goldschlag. 1998. Anonymous Connections and Onion Routing. IEEE Journal on Selected Areas in Communications 16, 4 (1998). citeseer.ist.psu.edu/reed98anonymous.html

Digital Library

[43]

Tahere Shakiba, Sajjad Zarifzadeh, and Vali Derhami. 2018. Spam query detection using stream clustering. World Wide Web 21, 2 (2018), 557--572.

Digital Library

[44]

Brett Stone-Gross, Ryan Stevens, Apostolis Zarras, Richard Kemmerer, Chris Kruegel, and Giovanni Vigna. 2011. Understanding Fraudulent Activities in Online Ad Exchanges. In Proceedings of the 2011 ACM SIGCOMM Conference on Internet Measurement Conference (IMC '11). ACM, New York, NY, USA, 279--294.

Digital Library

[45]

Thanh N. Tran, Ron Wehrens, and Lutgarde M.C. Buydens. 2006. KNN-kernel density-based clustering for high-dimensional multivariate data. Computational Statistics & Data Analysis 51, 2 (2006), 513 -- 525.

Digital Library

[46]

Western Division of Washington at Seattle United States District Court. June 2009. United States District Court: Microsoft vs Eric Lam et. al., Civil Case Number CO 9-0815. http://graphics8.nytimes.com/packages/pdf/business/LamComplaint.pdf

[47]

Jialu Wei. 2016. DDoS on internet of things - a big alarm for the future.

[48]

William Wu-Shyong Wei. 1994. Time series analysis. Addison-Wesley publ.

[49]

Fang Yu, Yinglian Xie, and Qifa Ke. 2010. SBotMiner: Large Scale Search Bot Detection. In Proceedings of the Third ACM International Conference on Web Search and Data Mining (WSDM '10). ACM, New York, NY, USA, 421--430.

Digital Library

[50]

Apostolis Zarras, Alexandros Kapravelos, Gianluca Stringhini, Thorsten Holz, Christopher Kruegel, and Giovanni Vigna. 2014. The Dark Alleys of Madison Avenue: Understanding Malicious Advertisements. In Proceedings of the 2014 Conference on Internet Measurement Conference (IMC '14). ACM, New York, NY, USA, 373--380.

Digital Library

[51]

Qing Zhang, Thomas Ristenpart, Stefan Savage, and Geoffrey M. Voelker. 2011. Got Traffic?: An Evaluation of Click Traffic Providers. In Proceedings of the 2011 Joint WICOW/AIRWeb Workshop on Web Quality (WebQuality '11). ACM, New York, NY, USA, 19--26.

Digital Library

[52]

Nicola Zingirian and Michele Benini. 2018. Click Spam Prevention Model for On-Line Advertisement. CoRR abs/1802.02480 (2018). arXiv:1802.02480 http://arxiv.org/abs/1802.02480

Cited By

Kaur B(2024)Online Fraud ForensicsInternationalization of Sport Events Through Branding Opportunities10.4018/979-8-3693-4038-7.ch015(269-296)Online publication date: 23-Oct-2024
https://doi.org/10.4018/979-8-3693-4038-7.ch015
Vekaria YNithyanand RShafiq Z(2024)The Inventory is Dark and Full of Misinformation: Understanding Ad Inventory Pooling in the Ad-Tech Supply Chain2024 IEEE Symposium on Security and Privacy (SP)10.1109/SP54263.2024.00003(1590-1608)Online publication date: 19-May-2024
https://doi.org/10.1109/SP54263.2024.00003
Debnath NJain A(2024)A comprehensive survey on mobile browser security issues, challenges and solutionsInformation Security Journal: A Global Perspective10.1080/19393555.2024.2347256(1-20)Online publication date: 29-Apr-2024
https://doi.org/10.1080/19393555.2024.2347256
Show More Cited By

Recommendations

WormTerminator: an effective containment of unknown and polymorphic fast spreading worms
ANCS '06: Proceedings of the 2006 ACM/IEEE symposium on Architecture for networking and communications systems

The fast spreading worm is becoming one of the most serious threats to today's networked information systems. A fast spreading worm could infect hundreds of thousands of hosts within a few minutes. In order to stop a fast spreading worm, we need the ...
Detecting, validating and characterizing computer infections in the wild
IMC '11: Proceedings of the 2011 ACM SIGCOMM conference on Internet measurement conference

Although network intrusion detection systems (IDSs) have been studied for several years, their operators are still overwhelmed by a large number of false-positive alerts. In this work we study the following problem: from a large archive of intrusion ...
A Survey on Intrusion Detection and Prevention Systems
Abstract
In the digital world, malicious activities that violate the confidentiality, integrity, or availability of data and devices are known as intrusions. An intrusion detection system (IDS) analyses the activities of a single system or a network to ...

Comments

Please enable JavaScript to view thecomments powered by Disqus.

Information & Contributors

Information

Published In

cover image ACM Conferences

WiSec '19: Proceedings of the 12th Conference on Security and Privacy in Wireless and Mobile Networks

May 2019

359 pages

ISBN:9781450367264

DOI:10.1145/3317549

Copyright © 2019 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

Sponsors

SIGSAC: ACM Special Interest Group on Security, Audit, and Control

In-Cooperation

SIGMOBILE: ACM Special Interest Group on Mobility of Systems, Users, Data and Computing

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 15 May 2019

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Qualifiers

Research-article

Funding Sources

EPSRC

Conference

WiSec '19

Sponsor:

SIGSAC

WiSec '19: 12th ACM Conference on Security and Privacy in Wireless and Mobile Networks

May 15 - 17, 2019

Florida, Miami

Acceptance Rates

Overall Acceptance Rate 98 of 338 submissions, 29%

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

30
Total Citations
View Citations
487
Total Downloads

Downloads (Last 12 months)69
Downloads (Last 6 weeks)5

Reflects downloads up to 27 Nov 2024

Other Metrics

View Author Metrics

Citations

Cited By

Kaur B(2024)Online Fraud ForensicsInternationalization of Sport Events Through Branding Opportunities10.4018/979-8-3693-4038-7.ch015(269-296)Online publication date: 23-Oct-2024
https://doi.org/10.4018/979-8-3693-4038-7.ch015
Vekaria YNithyanand RShafiq Z(2024)The Inventory is Dark and Full of Misinformation: Understanding Ad Inventory Pooling in the Ad-Tech Supply Chain2024 IEEE Symposium on Security and Privacy (SP)10.1109/SP54263.2024.00003(1590-1608)Online publication date: 19-May-2024
https://doi.org/10.1109/SP54263.2024.00003
Debnath NJain A(2024)A comprehensive survey on mobile browser security issues, challenges and solutionsInformation Security Journal: A Global Perspective10.1080/19393555.2024.2347256(1-20)Online publication date: 29-Apr-2024
https://doi.org/10.1080/19393555.2024.2347256
Castaldo MFrasca PVenturini TGargiulo F(2024)Fake views removal and popularity on YouTubeScientific Reports10.1038/s41598-024-63649-w14:1Online publication date: 4-Jul-2024
https://doi.org/10.1038/s41598-024-63649-w
Purwar AJain AChawla IGupta IRaj MJain D(2024)Click Fraud Detection Using Ensemble ClassifierAdvances in Artificial-Business Analytics and Quantum Machine Learning10.1007/978-981-97-4860-0_2(15-23)Online publication date: 19-Oct-2024
https://doi.org/10.1007/978-981-97-4860-0_2
Wu BZou FZhang CYu TLi Y(2023)Multi-field relation mining for malicious HTTP traffic detection based on attention and cross networkJournal of Information Security and Applications10.1016/j.jisa.2022.10341173(103411)Online publication date: Mar-2023
https://doi.org/10.1016/j.jisa.2022.103411
Sisodia DSisodia D(2023)Stacked Generalization Architecture for Predicting Publisher Behaviour from Highly Imbalanced User-Click Data Set for Click Fraud DetectionNew Generation Computing10.1007/s00354-023-00218-141:3(581-606)Online publication date: 29-May-2023
https://doi.org/10.1007/s00354-023-00218-1
Jigalur RModi C(2023)A Conceptual Model for Click Fraud Detection and Prevention in Online Advertising Using BlockchainSecurity, Privacy and Data Analytics10.1007/978-981-99-3569-7_17(235-246)Online publication date: 19-Aug-2023
https://doi.org/10.1007/978-981-99-3569-7_17
Li KXiang MKakaiya MKaul SWang X(2023)Web Bot Detection Based on Hidden Features of HTTP Access LogTools for Design, Implementation and Verification of Emerging Information Technologies10.1007/978-3-031-33458-0_3(32-43)Online publication date: 17-Jun-2023
https://doi.org/10.1007/978-3-031-33458-0_3
Sisodia DSisodia D(2022)A hybrid data‐level sampling approach in learning from skewed user‐click data for click fraud detection in online advertisingExpert Systems10.1111/exsy.1314740:2Online publication date: 21-Sep-2022
https://doi.org/10.1111/exsy.13147
Show More Cited By

View Options

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Media

Figures

Other

Tables

View Table of Contents