Measuring Network Reputation in the Ad-Bidding Process

  • Yizheng Chen
  • Yacin Nadji
  • Rosa Romero-Gómez
  • Manos Antonakakis
  • David Dagon
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10327)


Online advertising is a multi-billion dollar market, and therefore a target for abuse by Internet criminals. Prior work has shown millions of dollars of advertisers’ capital are lost due to ad abuse and focused on defense from the perspective of the end-host or the local network egress point. We investigate the potential of using public threat data to measure and detect adware and malicious affiliate traffic from the perspective of demand side platforms, which facilitate ad bidding between ad exchanges and advertisers. Our results show that malicious ad campaigns have statistically significant differences in traffic and lookup patterns from benign ones, however, public blacklists can only label a small percentage of ad publishers (0.27%), which suggests new lists dedicated to ad abuse should be created. Furthermore, we show malicious infrastructure on ad exchanges can be tracked with simple graph analysis and maliciousness heuristics.


Publisher Domain Fantasy Sport Interesting Score Browser Extension Domain Flux 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.



We would like to thank TAPAD and in particular their CTO, Dag Liodden, for his invaluable help throughout this project. This material is based upon work supported in part by the US Department of Commerce grant 2106DEK, National Science Foundation (NSF) grant 2106DGX and Air Force Research Laboratory/Defense Advanced Research Projects Agency grant 2106DTX. Any opinions, findings, conclusions, or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of the US Department of Commerce, National Science Foundation, Air Force Research Laboratory, or Defense Advanced Research Projects Agency.


  1. 1.
  2. 2.
  3. 3.
  4. 4.
    Malc0de Database.
  5. 5.
  6. 6.
    PassiveTotal: RiskIQ.
  7. 7.
  8. 8.
  9. 9.
    Mozilla Public Suffix List (2015).
  10. 10.
    Advertising Age. Ad Fraud Will Cost $7.2 Billion in 2016, ANA Says, Up Nearly $1 Billion.
  11. 11.
    Alexa: The web information company (2007).
  12. 12.
    Alrwais, S.A., Gerber, A., Dunn, C.W., Spatscheck, O., Gupta, M., Osterweil, E.: Dissecting ghost clicks: ad fraud via misdirected human clicks. In: Proceedings of the 28th Annual Computer Security Applications Conference. ACM (2012)Google Scholar
  13. 13.
    Antonakakis, M., Demar, J., Stevens, K., Dagon, D.: Unveiling the network criminal infrastructure of tdss/tdl4 dgav14: a case study on a new tdss/tdl4 variant. Technical Report, Damballa Inc.,Georgia Institute of Technology (GTISC) (2012)Google Scholar
  14. 14.
    Association of National Advertisers: The Bot Baseline: Fraud in Digital Advertising.
  15. 15.
    Chen, Y., Kintis, P., Antonakakis, M., Nadji, Y., Dagon, D., Lee, W., Farrell, M.: Financial lower bounds of online advertising abuse. In: International conference on Detection of Intrusions and Malware, and Vulnerability Assessment (2016)Google Scholar
  16. 16.
    ClickZ. Fake Display Ad Impressions Comprise 30% of All Online Traffic [Study].
  17. 17.
    Daswani, N., Stoppelman, M.: The anatomy of Clickbot.A. In: The First Workshop on Hot Topics in Understanding Botnets. USENIX Association (2007)Google Scholar
  18. 18.
    Dave, V., Guha, S., Zhang, Y.: Measuring and fingerprinting click-spam in ad networks. In: Proceedings of the ACM SIGCOMM 2012 Conference on Applications, Technologies, Architectures, and Protocols for Computer Communication (2012)Google Scholar
  19. 19.
    Dave, V., Guha, S., Zhang, Y.: Viceroi: catching click-spam in search ad networks. In: 2013 ACM SIGSAC Conference on Computer & Communications Security (2013)Google Scholar
  20. 20.
    Department of Homeland Security: Trusted Cyber Risk Research Data Sharing.
  21. 21.
    Kapravelos, A., Grier, C., Chachra, N., Kruegel, C., Vigna, G., Paxson, V.: Hulk: eliciting malicious behavior in browser extensions. In: 23rd USENIX Security Symposium (USENIX Security) (2014)Google Scholar
  22. 22.
    Malware Tips: How to remove
  23. 23.
    Malware Tips: Remove virus.
  24. 24.
    Meng, W., Duan, R., Lee, W.: DNS Changer Remediation Study. In: M3AAWG 27th General Meeting (2013)Google Scholar
  25. 25.
    Metwally, A., Agrawal, D., El Abbadi, A.: Detectives: detecting coalition hit inflation attacks in advertising networks streams. In: Proceedings of the 16th International Conference on World Wide Web, pp. 241–250. ACM (2007)Google Scholar
  26. 26.
    Miller, B., Pearce, P., Grier, C., Kreibich, C., Paxson, V.: What’s clicking what? Techniques and innovations of today’s clickbots. In: Detection of Intrusions and Malware, and Vulnerability Assessment (2011)Google Scholar
  27. 27. OpenRTB: Documentation and Issue tracking for the OpenRTB Project (2014).
  28. 28.
    Pearce, P., Dave, V., Grier, C., Levchenko, K., Guha, S., McCoy, D., Paxson, V., Savage, S., Voelker, G.M.: Characterizing large-scale click fraud in zeroaccess. In: 2014 ACM SIGSAC Conference on Computer and Communications Security (2014)Google Scholar
  29. 29.
    Springborn, K., Barford, P.: Impression fraud in online advertising via pay-per-view networks. In: Proceedings of the 22nd USENIX Security Symposium (2013)Google Scholar
  30. 30.
    Stone-Gross, B., Stevens, R., Zarras, A., Kemmerer, R., Kruegel, C., Vigna, G.: Understanding fraudulent activities in online ad exchanges. In: Proceedings of the 2011 ACM SIGCOMM Conference on Internet Measurement Conference (2011)Google Scholar
  31. 31.
    Thomas, K., Bursztein, E., Grier, C., Ho, G., Jagpal, N., Kapravelos, A., McCoy, D., Nappa, A., Paxson, V., Pearce, P., et al.: Ad injection at scale: assessing deceptive advertisement modifications. In: 2015 IEEE Symposium on Security and Privacy (2015)Google Scholar
  32. 32.
    Tian, T., Zhu, J., Xia, F., Zhuang, X., Zhang, T.: Crowd fraud detection in internet advertising. In: Proceedings of the 24th International Conference on World Wide Web, pp. 1100–1110. ACM (2015)Google Scholar
  33. 33.
    TrendMicro, Inc.: Threat Encyclopedia: TROJ_LEMIR.CS (2012).
  34. 34.
    Tuzhilin, A.: The Lane’s Gift v. Google Report (2006)Google Scholar
  35. 35.
    VirusTotal: Antivirus scan (2014).
  36. 36.
    VirusTotal: Antivirus scan (2015).
  37. 37.
    VirusTotal: IP address information (2015).
  38. 38.
    Xing, X., Meng, W., Lee, B., Weinsberg, U., Sheth, A., Perdisci, R., Lee, W.: Understanding malvertising through ad-injecting browser extensions. In: Proceedings of the 24th International Conference on World Wide Web (2015)Google Scholar
  39. 39.
    Zeus Tracker: Zeus IP & domain name block list.

Copyright information

© Springer International Publishing AG 2017

Authors and Affiliations

  • Yizheng Chen
    • 1
  • Yacin Nadji
    • 2
  • Rosa Romero-Gómez
    • 2
  • Manos Antonakakis
    • 2
  • David Dagon
    • 1
  1. 1.School of Computer ScienceGeorgia Institute of TechnologyAtlantaGeorgia
  2. 2.School of Electrical and Computer EngineeringGeorgia Institute of TechnologyAtlantaGeorgia

Personalised recommendations