Tech CHEQ: Presenting & Analyzing Fake Web Data
Data & Analytics | March 24, 2022
Co-Authors: Noa Cohen & Raz Kiselnik
The ‘Tech CHEQ’ series offers internal expertise from CHEQ’s cybersecurity team.
When presenting the impact of Invalid Traffic (IVT) and Sophisticated Invalid Traffic (SIVT) to customers, we analyze anomalies that cybersecurity challenges flag on the back end of our technology. Whether the anomalies we are looking at are new threats or known threats, our goal is to show our clients, with a high level of certainty, that a specific visitor is either valid or invalid. Some of the ways our platform achieves that accuracy are as follows.
Monitoring before determining.
Before we analyze and present the actual traffic, our technology monitors it by running a queue of challenges on each customer domain. For example, if someone visits a website and appears to be coming from a mobile device, an initial challenge might pick up that the visitor actually has several browser extensions installed on this device. Since mobile devices do not allow for browser extensions, this raises a concern for potential malicious activity. This alone does not determine beyond any doubt that the user is malicious, so the challenges that follow reveal additional information and ultimately determine their level of legitimacy. We can then share this information with the client so that they can decide how to address these behaviors and what it means for them.
Observing user behaviors.
In addition to evaluating actual sources compared to initially perceived sources, our technology also looks at the behavior of each visitor. Standard behaviors can vary based on industry and specific domain, so looking at benchmarks and averages for a particular site can be helpful. For example, when it comes to frequency capping, we can see on average how many times a typical visitor clicks on links or how many times they revisit the same page within a given timeframe. If a particular IP returns to a site or performs a specific action several more times than the average site visitor, additional cybersecurity challenges can be run to determine whether or not they are suspicious users. Additionally, automation tools like malicious scrapers can also have very specific patterns of behavior that can be monitored on a domain when they are scanning for promotions, prices, and other website information. By looking at the aim of each action, the origin of the traffic, and the way each visitor moves throughout the site, cybersecurity technology can determine their level of validity. We present these findings to the client and help them determine how critical each IVT type is for them based on their specific benchmarks and what the standard is for their industry.
Avoiding false positives.
Just because one cybersecurity challenge notices a behavioral anomaly or suspicious source does not automatically mean that the visitor is invalid. If the technology were designed to block that user immediately, before performing additional tests, a valid visitor could be incorrectly marked as IVT, which is a false positive. In order to avoid this, our technology runs thousands of challenges before determining whether or not a user is likely invalid. All challenges are run within seconds, so results can be delivered in real time. This information is segmented in the back end as data and then analyzed by our team to say whether a visitor is malicious and what type of threat they fall under.
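The escalation described under "Observing user behaviors" and "Avoiding false positives" can be sketched as follows. This is an added example, not CHEQ's code: the event fields, the two checks, the `FREQ_FACTOR` and `MIN_SIGNALS` thresholds and the sample traffic are all assumptions constructed for illustration.

```python
from collections import Counter
from statistics import mean

# Constructed sample events (not real traffic). IPs come from the
# RFC 5737 documentation ranges; field names are assumptions.
EVENTS = (
    [{"ip": "192.0.2.10", "device": "desktop", "extensions": 2}] * 2
    + [{"ip": "192.0.2.11", "device": "mobile", "extensions": 0}] * 3
    + [{"ip": "198.51.100.7", "device": "mobile", "extensions": 4}] * 2
    + [{"ip": "203.0.113.5", "device": "mobile", "extensions": 3}] * 13
)

FREQ_FACTOR = 2.0  # assumed multiple of the site average that counts as anomalous
MIN_SIGNALS = 2    # assumed number of signals needed before an invalid verdict


def frequency_signal(events, factor=FREQ_FACTOR):
    """IPs whose action count exceeds factor x the site-wide average."""
    counts = Counter(e["ip"] for e in events)
    benchmark = mean(counts.values())
    return {ip for ip, n in counts.items() if n > factor * benchmark}


def consistency_signal(events):
    """IPs that present as mobile yet report browser extensions."""
    return {e["ip"] for e in events
            if e["device"] == "mobile" and e["extensions"] > 0}


def triage(events):
    """Count independent signals per IP; a single signal only escalates."""
    signals = Counter()
    for check in (frequency_signal, consistency_signal):
        signals.update(check(events))
    verdicts = {}
    for ip in {e["ip"] for e in events}:
        n = signals[ip]
        if n >= MIN_SIGNALS:
            verdicts[ip] = "likely_invalid"
        elif n == 1:
            verdicts[ip] = "run_more_challenges"
        else:
            verdicts[ip] = "valid"
    return verdicts


if __name__ == "__main__":
    for ip, verdict in sorted(triage(EVENTS).items()):
        print(ip, verdict)
```

The visitor that trips only the device check is escalated for further challenges rather than marked invalid, which is the false-positive safeguard the section describes.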
Handling IVT based on customer parameters.
Since each domain and customer has different needs, and a behavioral anomaly on one website could be a typical behavior on another website, each visitor determined to be potentially malicious can be handled differently as well. For example, IVT from paid sources will be blocked in order to avoid polluted campaigns and lost revenue, while affiliate fraud might be monitored or blocked in real time. Additionally, VPN users might be the standard on some gambling and gaming websites, but would raise a red flag on a particular eCommerce site. Executive summaries with detailed reporting can also be run to include volume of traffic, domains monitored, specific keywords and campaigns contributing the most IVT to a website, and which channels are providing the highest and lowest quality traffic. Pass backs on different events and behaviors are also provided in order to come back with the right suggestions on how to adjust protections.