Cybersecurity Use Case: AI Agent for Anomaly Detection – Part 2
In the first part of this series, here, I feature a click fraud case that we are working on, litigated by one of the largest law firms in the US. The input data comes from an Excel repository, automatically processed by an AI agent that is part of our BondingAI enterprise solutions. It comes with insights generation via automated SQL queries and pattern detection. In other contexts, the data may come from a PDF repository, the Internet, databases, or a combination of all.
In this article, I showcase animated data produced by the generic anomaly detection agent. The goal is to illustrate granular spatial fraud patterns as they evolve over time in the video, without having to rely on analysts or statisticians to produce striking insights or to clean the data. Each video frame represents a day, with the timestamp in the top left corner. The data comes from two different time periods, showing the sharp contrast in fraud patterns between 2019 and 2022 as you progress in the video.
Once you start the video, use the cursor at the bottom to move backward or forward in time at a different speed, or to stop on any particular day.
Highlights
Each dot in the video represents a zip code. Gray dots correspond to zip codes with at least 60k inhabitants. The radius represents the population. These dots are static.
Red, green and orange dots feature zip codes with click activity on a given day. The radius represents the proportion of clicks originating from the zip code on a specific day. Thus, the data is normalized to make daily comparisons meaningful, as the overall daily click total in 2022 is twice the level of 2019 due to increased ad spend. The main highlights are:
- In 2022, about 30% of the traffic comes from 3 zip codes, one of them very small in terms of population. These clicks come from data centers and never convert to a lead.
- Red and orange zip codes have far more clicks than expected by chance. In addition, the orange ones are unusual zip codes not listed in standard tables, associated with PO boxes rather than actual cities.
- The largest bad zip codes vary over time, and on occasion disappear for a day or so (very few clicks) and then come back.
- Numerous bad zip codes pop up now and then at various times and then disappear for extended time periods. They correspond to localized fraud spikes.
- Some of the largest zip codes show no traffic activity, which is unexpected.
- The click concentration is spread across far fewer zip codes in 2019. Part of it is due to lower traffic volume and perhaps more accurate tracking capabilities in 2022. But these two factors alone cannot explain such a big shift. In fact, the fraud is more sophisticated in 2022, while in 2019 there were a lot more devices linked to multiple zip codes, making fraud detection and attribution easier.
This video is also on YouTube, here. A GIF version is available here.
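The daily normalization and the red/orange/green coding described in the highlights can be sketched as follows. This is an added example, not the BondingAI agent's code: the population-proportional expected share, the z-score threshold and the floor share used for unlisted zip codes are assumptions, and all zip codes, populations and click counts are constructed.

```python
import math

# Constructed reference table: zip code -> population (not real census data).
POPULATION = {"10001": 90_000, "60614": 70_000, "94110": 75_000, "20147": 5_000}

# Constructed daily click counts: day -> {zip code: clicks}.
# "99999" stands for a zip code absent from the reference table.
DAILY_CLICKS = {
    "2019-03-01": {"10001": 40, "60614": 28, "94110": 30, "20147": 2},
    "2022-03-01": {"10001": 45, "60614": 35, "94110": 40, "20147": 50, "99999": 30},
}

def classify_day(counts, population, z_threshold=3.0):
    """Label each active zip code for one day.

    share: proportion of that day's clicks (the dot radius in the video).
    z:     excess over a binomial expectation proportional to population
           (assumed model of "expected by chance").
    label: green = active, red = excess in a listed zip code,
           orange = excess in a zip code missing from the reference table.
    """
    n = sum(counts.values())
    if n == 0:
        return {}
    total_pop = sum(population.values())
    # Assumption: an unlisted zip code is expected to behave like the
    # smallest listed one, since no population figure exists for it.
    floor_share = min(population.values()) / total_pop
    out = {}
    for zip_code, k in counts.items():
        listed = zip_code in population
        p = population[zip_code] / total_pop if listed else floor_share
        sd = math.sqrt(n * p * (1 - p))
        z = (k - n * p) / sd if sd > 0 else 0.0
        if z <= z_threshold:
            label = "green"
        else:
            label = "red" if listed else "orange"
        out[zip_code] = {"share": k / n, "z": z, "label": label}
    return out

def flagged_by_day(daily_clicks, population):
    """Per-day map of non-green zip codes, to track spikes that come and go."""
    return {
        day: {z: r["label"] for z, r in classify_day(c, population).items()
              if r["label"] != "green"}
        for day, c in daily_clicks.items()
    }
```

Because shares are computed per day, the 2022 day with twice the click volume is directly comparable to the 2019 day.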
Context
Google works with advertising partners such as Outbrain or Taboola, known for questionable activities including clicking viruses that spread across personal devices, for instance when a user downloads some apps. The device may then generate fake clicks (and potentially other malicious activity) without the user being aware of it. The author of this article also worked with advertising partners to mitigate fraud issues. In one case, most of the fraud originated from an AWS cloud center in a specific location in Northern Virginia, along with infected government websites.
Services such as Bright Data offer a large network of over 150 million residential IP addresses. These IPs come from participants who agreed to be part of the network in exchange for some benefits. These IP addresses are used to crawl large websites at industrial scale without being blocked. Bad actors use such services, and it would be easy to turn it into a large click fraud engine. Chances are that this is probably the case already.
About the Author

Vincent Granville is a pioneering GenAI scientist, co-founder at BondingAI.io, the LLM 2.0 platform for hallucination-free, secure, in-house, lightning-fast Enterprise AI at scale with zero weight and no GPU. He is also author (Elsevier, Wiley), publisher, and successful entrepreneur with multi-million-dollar exit. Vincent’s past corporate experience includes Visa, Wells Fargo, eBay, NBC, Microsoft, and CNET. He completed a post-doc in computational statistics at University of Cambridge.