Clicktok: Click Fraud Detection using Traffic Analysis

Advertising is a primary means for revenue generation for millions of websites and smartphone apps (publishers). Naturally, a fraction of publishers abuse the ad-network to systematically defraud advertisers of their money. Defenses have matured to overcome some forms of click fraud but are inadequate against the threat of organic click fraud attacks. Malware detection systems including honeypots fail to stop click fraud apps; ad-network filters are better but measurement studies have reported that a third of the clicks supplied by ad-networks are fake; collaborations between ad-networks and app stores that bad-lists malicious apps works better still, but fails to prevent criminals from writing fraudulent apps which they monetise until they get banned and start over again. This work develops novel inference techniques that can isolate click fraud attacks using their fundamental properties. In the {\em mimicry defence}, we leverage the observation that organic click fraud involves the re-use of legitimate clicks. Thus we can isolate fake-clicks by detecting patterns of click-reuse within ad-network clickstreams with historical behaviour serving as a baseline. Second, in {\em bait-click defence}. we leverage the vantage point of an ad-network to inject a pattern of bait clicks into the user's device, to trigger click fraud-apps that are gated on user-behaviour. Our experiments show that the mimicry defence detects around 81\% of fake-clicks in stealthy (low rate) attacks with a false-positive rate of 110110 per hundred thousand clicks. Bait-click defence enables further improvements in detection rates of 95\% and reduction in false-positive rates of between 0 and 30 clicks per million, a substantial improvement over current approaches.