Database Reference
In-Depth Information
(a)
0.4
0.3
0.2
During the attack
0.1
Reference PDF
0
0
2
4
6
8 0
12 4
IP size
(b)
0.2
0.15
0.1
During the attack
0.05
Reference PDF
0 0
2
4
6
8 0
12 4
IP size
FIGURE 14.8 Types of attacks and their effect on the IP size distribution: The expected IP
size distribution is marked as “Reference PDF”. (a) A botnet-based attack: clicks are gener-
ated by a large number of bots. These are typically end-user machines and thus skew the
distribution toward small IP sizes. (b) A proxy-based attack: the IP addresses generating the
clicks are rerouted through anonymizing proxies (e.g., TOR nodes). Since many users share
these proxies, this attack skews the IP size distribution toward large IP sizes.
traffic. The score obtained through this system is called the quality score . This clas-
sification system takes as input a variety of features that accounts for different types
of user inputs and different types of anomalies. This classifier provides an estimate on
the aggregate quality of a large set of clicks. Similar classifiers exist for other kinds of
attacks depending on the application. For instance, in the case of email spam, a clas-
sifier can be built on several features of the email, such as the relative number of users
that labeled this email as spam, or the relative number of invalid recipient addresses.
In addition, a fraud score is defined as a function of the ratio between the number
of abusive clicks and the total number of clicks, with different weights assigned to
the abusive clicks depending on the reason for tagging them as fraudulent.
Search WWH ::




Custom Search