There are two types of invalid traffic: General Invalid Traffic (GIVT) and Sophisticated Invalid Traffic (SIVT). GIVT consists of traffic identified through routine filtering processes or with other standardized parameter checks. SIVT consists of more difficult to detect situations that require advanced analytics, multi-point corroboration/coordination, significant human intervention, etc. to analyze and identify. In addition, Forensiq further breaks down the type of risk identified into 13 reason codes.
Reason Code | Description | Criteria |
Hosting Provider | Hosting Providers are geo organizations identified as providers of hosting services. Hosting Providers are often used for malicious activities. | If an organization matches our list of hosting providers associated with high-risk activity, we will score that organization as a hosting provider. |
Identified Crawler | Crawlers are Internet bots and non-browser user agents that systematically browse the internet. Web crawlers may trigger ad impressions or clicks. | Forensiq uses IAB/ABC International Spiders and Bots List as well as an appended Forensiq list of common crawlers to mark crawlers. |
Proxy | Proxies are often used to mask the real location of the user and simulate activity from multiple users. | Forensiq uses a combination of a list-based approach and analysis of multiple other connection and device characteristics to identify proxies. |
Automated Traffic | Automated Traffic is malicious traffic from botnets and other types of hijacked devices. | Forensiq flags irregular browsing patterns among groups of users consistent with command and control patterns exhibited by a botnet. |
IP Reputation | IP Reputation is the historical behavior of an IP address over a period of time. Bad reputation IPs are the ones with recent malicious activity. | Forensiq IP reputation aggregated over a period of time based on data from Forensiq’s tag. |
Spoofed | Spoofed means the user's device and browser are manipulated to resemble a different device or browser. | Front-end JavaScript tag sends multiple device parameters to the Forensiq database for risk evaluation. |
Device Reputation | Device reputation allows us to store reputation for the user's device and identify patterns of repeat device activity on the click and conversion level only. | Front-end JavaScript tag sends multiple device parameters to the Forensiq database for risk evaluation. |
Ad Placement Risk | Ad Placement Risk is when ads are obstructed, stuffed, or hidden maliciously. | Forensiq flags behavior as “Ad Placement Risk” when ad creatives are maliciously placed to be non-viewable or unwanted by users. This is a reason code that is measured on the Impressions and Tracked Ads level (requires JS tag). |
Abnormal Activity | Abnormal Activity is defined as unusual patterns over a certain period of time. Because these algorithmic techniques rely on a lookback duration to compile a certain number of aggregate events, fraud risk metrics will take up to 24 hours to be finalized. In order to provide clients with a relatively stable fraud risk score, we have isolated batched fraud analysis (“Combined Risk”) from real-time fraud analysis (“Impression/Tracked Ads Risk”). | Forensiq Inspects events over time to determine the pattern of the ad requests. If unusual patterns are identified, Forensiq flags these events as Abnormal Activity. |
Domain Reputation | Domain Reputation is the practice of filtering domains that have been identified by our algorithms and fraud investigations to have a high risk of being the origin and/or destination for invalid traffic. | Forensiq identifies high risk domains from our backend then generates a list to lookup to. |
Bundle ID Spoofing | Bundle ID Spoofing is the practice of apps falsifying their bundle names to another app name in order to present themselves as a legitimate traffic source. | Forensiq will compare the reported Bundle ID with additional parameters from the environment to determine if an app is misrepresenting itself. |
GIVT | A summarized number of GIVT risk. | Forensiq provides a summarized number for the risk associated with GIVT. |
SIVT | A summarized number of SIVT risk. | Forensiq provides a summarized number for the risk associated with SIVT. |