Cybersecurity Use Case: AI Agent for Anomaly Detection
The case discussed here concerns fraudulent paid clicks to defraud a Google advertiser. The sophisticated click fraud scheme, involving clicking viruses, data centers and other means, is undetected by Google.
I worked with the law firm involved in the litigation, to build an agent able to pinpoint the sources of fraudulent traffic. The agent processes an Excel spreadsheet repository with transactional data spread across multiple tabs in multiple spreadsheets: IP address, time stamp, user device, zip code, HTTP request and many related fields. It involved automatically querying the spreadsheets with a combination of SQL queries and AI algorithms to produce insights summarized as text as well as the pictures below.
Overview
The purpose of this study is to assess the amount of fraud that can be attributed to “advertiser fraud”. Click fraud shows up in at least two different versions:
- Publisher fraud is perpetrated by a Google affiliate (partner) displaying paid clicks on its websites, for keywords relevant to its audience, that is, relevant to the material published on the websites in question. Typically, the referral field in click logs is neither Google nor one of its top partners (YouTube) but instead a smaller domain name.
- Advertiser fraud aims at depleting the Ad budget of competitors while generating traffic that does not convert to leads or sales. It may involve VPNs and non-static rotating IP addresses to avoid detection by Google, using tools such as BrightData, with multiple IPs attached to the same device. Some red flags may include a large volume of IP addresses that have the exact same small number of clicks each day. The fraud may be perpetrated directly on Google rather than on its affiliates.
Since the perpetrator must generate both impressions and clicks to look legitimate, the bad actor (the competing advertiser) may end up lowering the bid on targeted keywords for the victim due to high CTR (click-through rate) while having the opposite effect on his Ad campaigns.
To counter that effect, the bad actor may generate fake clicks against himself to increase his CTR, to appear more relevant to users: in one scheme designed and published by the author of this article, it resulted in all competitors vanishing on Google, leaving the operator as sole advertiser for specific keywords, also lowering bids when competition is gone.
Large-scale sophisticated click fraud targeting specific keywords may have a noticeable impact on the click distribution over time and zip codes. For instance, traffic related to golfing peaks in June and is at its minimum in January. Google searches are more common in the South while places like the Northeast or Pacific Northwest receive fewer golf-related queries. If click logs show a strong departure from this natural pattern, it is a red flag.
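The two red flags described above (many IPs with the exact same small daily click count, and a zip-code click distribution that departs from the expected pattern) can be checked with a few lines of Python. This is an added example, not code from the paper: the function names, thresholds, the population-proportional baseline, and the sample log (documentation-range IPs, placeholder zip labels) are all assumptions constructed for illustration.

```python
from collections import Counter, defaultdict
from math import sqrt

def uniform_ip_cohorts(clicks, max_daily=3, min_days=3, min_ips=10):
    """Group IPs that log the exact same small click count on every active day."""
    per_ip_day = Counter((ip, day) for ip, day, _ in clicks)
    daily = defaultdict(list)
    for (ip, _day), n in per_ip_day.items():
        daily[ip].append(n)
    cohorts = defaultdict(list)
    for ip, counts in daily.items():
        if len(counts) >= min_days and len(set(counts)) == 1 and counts[0] <= max_daily:
            cohorts[counts[0]].append(ip)
    # Only a large cohort is a red flag; one steady visitor is not.
    return {n: sorted(ips) for n, ips in cohorts.items() if len(ips) >= min_ips}

def zip_anomalies(clicks, population, z_cut=3.0):
    """Flag zip codes whose click count departs from the expected count.

    Assumption: expected clicks are proportional to zip population; a real
    baseline would also model season and region."""
    total, pop_total = len(clicks), sum(population.values())
    observed = Counter(z for _, _, z in clicks)
    flagged = []
    for z, pop in population.items():
        expected = total * pop / pop_total
        if expected <= 0:
            continue  # no baseline to compare against
        score = (observed[z] - expected) / sqrt(expected)  # Poisson z-score
        if abs(score) >= z_cut:
            flagged.append((z, observed[z], round(expected, 1), round(score, 1)))
    return sorted(flagged, key=lambda r: -abs(r[3]))

def sample_clicks():
    """Constructed log of (ip, day, zip) rows; zip labels are placeholders."""
    rows = [(f"203.0.113.{i}", d, "ZIP_TINY") for i in range(1, 21)
            for d in range(5) for _ in range(2)]  # 20 IPs x 2 clicks x 5 days
    rows += [(f"198.51.100.{i}", i % 5, "ZIP_MID") for i in range(30)]
    rows += [(f"192.0.2.{i}", i % 5, "ZIP_SMALL") for i in range(18)]
    rows += [("192.0.2.200", d, "ZIP_SMALL") for d, n in ((0, 1), (1, 3), (2, 2))
             for _ in range(n)]  # repeat visitor whose daily count varies
    return rows

POPULATION = {"ZIP_TINY": 240, "ZIP_LARGE": 100_000, "ZIP_MID": 50_000, "ZIP_SMALL": 30_000}

if __name__ == "__main__":
    clicks = sample_clicks()
    print(uniform_ip_cohorts(clicks))
    for row in zip_anomalies(clicks, POPULATION):
        print(row)
```

Heavy fraudulent volume inflates the total, so legitimate zip codes can also appear under-represented; rank by the size of the score rather than treating every flagged row as a fraud source.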
Read the full paper
With Python source code, explanations, and details about this curious insight: 25% of the traffic originates from only 3 zip codes, with the largest volume from a special Seattle zip code with only 240 inhabitants. Conversely, zero clicks are coming from the largest US zip code while the expected number was well over 100. The shift in fraud patterns between the two time periods is massive, with a more elaborate scheme discussed in the paper, to better elude detection in the most recent period. Figures 1 and 2 show some of the patterns automatically found. Both were automatically generated.
Read the full report as paper #58, here. To not miss future articles, subscribe to my AI newsletter, here.


About the Author

Vincent Granville is a pioneering GenAI scientist, co-founder at BondingAI.io, the LLM 2.0 platform for hallucination-free, secure, in-house, lightning-fast Enterprise AI at scale with zero weight and no GPU. He is also author (Elsevier, Wiley), publisher, and successful entrepreneur with multi-million-dollar exit. Vincent’s past corporate experience includes Visa, Wells Fargo, eBay, NBC, Microsoft, and CNET. He completed a post-doc in computational statistics at University of Cambridge.