# Anomaly Detection¶

BidSwitch processes massive volumes of data, and while doing so employs anomaly detection to spot deviations from the norm when applied to domains, publishers, user agent data, and other metrics. These deviations are then investigated to try and ascertain if any fraud is involved in generating these anomalies, and if so, learn to spot whatever new tricks are being used. The process of ensuring higher quality trading on the network, follows these three concepts.

Blocking Rules

Basic rules that filter out the most obviously suspicious traffic based on factor such as the following:

• External Services: Sites with swinging traffic patterns are blocked, as this signals that traffic is being pumped through bots. This is based on reliable external traffic analysis providers such as similarweb.com
• Mismatching Data: For example, if a user’s data differs between the bid request and impression calls.
• No Publisher Information: All traffic with an empty publisher_ID field is blocked, see the Publisher Object section for how to include this information. You can also check the BidSwitch Policies.
• Sudden Spikes If a surge in activity is seen in one particular parameter, such as certain UUIDs (universally unique identifier) displaying very high frequency usage.
Expert Blacklisting
This is an ongoing process that involves people investigating and developing solutions to potential problems discovered on the network. Experts examine logs and data sets; then analyse these against expected results to identify bad actors, and if necessary blacklist them.
The Anomaly Detection Engine

This is a sophisticated tool built on machine learning technology that processes the complete set of incoming bid logs. Every update to the Anomaly Detection Engine goes through an expert audit, and an extensive set of QA procedures.

Every bid request is filtered through the Anomaly Detection Engine, which is synced in real-time against a database of prior records. All bids are confirmed as acceptable before the bid request is sent to a Buyer. If a request fails these criteria a No Bid Reason is returned to the Supplier, see the Supplier No Bid Reason section. This means that pre-bid fraud detection is in place.

Type Description
Bots

Software that runs automated tasks repetitively, at a much higher rate than would be possible for a human alone. Usually designed to generate fake impressions or serve unseen ads in the background of a real users computer.

This method can be difficult to detect and generally problematic because bots can be retargeted or even whitelisted as a real audience.

Ad Stacking While a user only sees one ad, the publisher may be serving multiple ads, or 1x1 pixel ads simultaneously. These types of ads register as an impression but are never actually seen.
Spoof Sites

Sites built mainly for the purpose of serving ads. Spoof sites are often part of a larger network of sites created to avoid triggering suspicion around a single site collecting very large amounts of revenue.

Spoof sites are becoming increasingly sophisticated and often include 1-2 layers of real content that could be considered worthy of real traffic.

Spoof Domain Domains created to replicate premium, well known sites. Advertisers can be duped into thinking they are buying high quality inventory from a recognized site when they are not. This can also impact publishers who will appear to have more inventory than they do, decreasing their prices.

## Benefits of Anomaly Detection¶

For BidSwitch

• A higher quality network is a more attractive place for Buyers and Suppliers to do business
• The size, scope, and historic nature of BidSwitch’s data across many Buyers and Suppliers allows us to detect irregularities other fraud vendors cannot, placing BidSwitch as a market leader in fraud detection.