ABSTRACT
Advertising is a primary means of revenue generation for millions of websites and smartphone apps. Naturally, a fraction of them abuse ad networks to systematically defraud advertisers of their money. Modern defences have matured to overcome some forms of click fraud, but measurement studies have reported that a third of clicks supplied by ad networks could be clickspam. Our work develops novel inference techniques which can isolate click fraud attacks using their fundamental properties. We propose two defences, mimicry and bait-click, which provide clickspam detection with substantially improved results over current approaches. Mimicry leverages the observation that organic click fraud involves the reuse of legitimate click traffic, and thus isolates clickspam by detecting patterns of click reuse within ad network clickstreams. The bait-click defence leverages the vantage point of an ad network to inject a pattern of bait clicks into a user's device. Any organic clickspam generated involving the bait clicks will be subsequently recognisable by the ad network. Our experiments show that the mimicry defence detects around 81% of fake clicks in stealthy (low rate) attacks, with a false-positive rate of 110 per hundred thousand clicks. Similarly, the bait-click defence enables further improvements in detection, with rates of 95% and a reduction in false-positive rates of between 0 and 30 clicks per million, a substantial improvement over current approaches.
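A simplified illustration of the bait-click idea, added here and not taken from the paper: the ad network knows the pattern of bait clicks it injected into a device and looks for that pattern reappearing in a clickstream, even when unrelated clicks are interleaved. The bait format, the timing tolerance `tol`, the function names and the sample data are all assumptions; the paper's actual inference technique is not described on this page.

```python
from bisect import bisect_left, bisect_right

# Constructed sample: bait pattern injected into one device, as
# (offset_seconds_from_first_bait_click, ad_id). Format is an assumption.
BAIT = [(0, "ad-17"), (40, "ad-03"), (95, "ad-22"), (130, "ad-03")]

# Constructed clickstream seen by the ad network for one publisher, as
# (unix_timestamp, ad_id). The bait pattern is replayed starting at t=5000.
STREAM = [
    (1000, "ad-17"), (1300, "ad-09"), (2100, "ad-03"),
    (5000, "ad-17"), (5012, "ad-44"), (5041, "ad-03"),
    (5094, "ad-22"), (5100, "ad-09"), (5131, "ad-03"), (9000, "ad-22"),
]

def find_bait_replays(stream, bait, tol=3):
    """Return one list of stream indices per full replay of the bait pattern.

    A replay starts at a click on bait[0]'s ad and contains a click on each
    later bait ad at the same relative offset, within +/- tol seconds.
    """
    stream = sorted(stream)
    times = [t for t, _ in stream]
    replays = []
    for start, (t0, ad) in enumerate(stream):
        if ad != bait[0][1]:
            continue
        matched = [start]
        for offset, bait_ad in bait[1:]:
            lo = bisect_left(times, t0 + offset - tol)
            hi = bisect_right(times, t0 + offset + tol)
            hit = next((i for i in range(lo, hi)
                        if stream[i][1] == bait_ad), None)
            if hit is None:
                break  # pattern broken: a lone click on a bait ad is not flagged
            matched.append(hit)
        else:
            replays.append(matched)
    return replays

def flag_clicks(stream, bait, tol=3):
    """Label every click as (timestamp, ad_id, is_part_of_bait_replay)."""
    flagged = {i for r in find_bait_replays(stream, bait, tol) for i in r}
    return [(t, ad, i in flagged) for i, (t, ad) in enumerate(sorted(stream))]

if __name__ == "__main__":
    for row in flag_clicks(STREAM, BAIT):
        print(row)
```

Requiring the whole pattern, rather than any single bait ad, is what keeps the isolated `ad-17` click at t=1000 from being flagged in this sketch.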