Abstract: Methods and systems for fraudulent traffic detection and estimation are disclosed. Initially, an empirical distribution of a plurality of features based on a first plurality of datapoints for the plurality of features is received. Next, a model distribution of the plurality of features based on a second plurality of datapoints for the plurality of features is received. Then, it is determined, a minimum number of datapoints to remove from the first plurality of datapoints to create a modified empirical distribution corresponding to the model distribution within a first significance level. Finally, an alert that the first plurality of web traffic includes at least one fraudulent instance of web traffic is generated in response to the determination that the minimum number of datapoints is greater than a first threshold.

Abstract: A computerized method of transmitting content to a first device and a second device may include receiving a first identifier and first location data of the first device, and a second identifier and second location data of the second device. The method may include comparing the first location data with the second location data, and generating a co-location score in response to the comparison. The method may include determining that the co-location score is greater than a threshold, and responsively generating household data indicative of a relationship between the first device and the second device. The method may further include generating and transmitting a report indicating the relationship to a content provider that transmits content to the first device and the second device.

Abstract: A reporting server may access a first data set that indicates an association between one or more device identifiers and one or more content identifiers and a second data set that indicates an association between the one or more device identifiers and one or more user identifiers. The reporting server may determine, based on the first data set and the second data set, that at least one user associated with a user identifier of the second data set has accessed content associated with a plurality of the content identifiers of the first data set, and may generate a report that represents, for each content identifier, a number of unique user identifiers associated with the content identifier.

Abstract: A process of detecting an implemented blacklist may include downloading data from at least one blacklist. The process may also include compiling a list of image elements from the at least one blacklist based on a feature of the image elements, and selecting an image element from the list of image elements. The process may further include receiving a report indicative of the selected image successfully loading while a webpage is loaded on a web browser of a client device, and analyzing the report based on an expected response of the web browser to detect the implemented blacklist of the at least on blacklist.

Abstract: A computerized method of generating a report is disclosed, along with a corresponding system and non-transitory computer-readable medium. The method may include receiving training data including labeled feature sets and an indicator of a common device. The method may include receiving a first identifier with a first feature set, and a second identifier with a second feature set. The method may include correlating the first and second feature sets, and generating a common device score based on the correlated first and second feature sets and the training data. The method may also include comparing the common device score to a threshold, and associating, in response to the comparison, the first identifier and the second identifier with a device. The method may further include generating the report that indicates that the first and second identifiers are associated with the device.

Abstract: A computerized process of detecting content blocking software may include forwarding, to a client device, instructions to enable scanning of a web browser and a file with features resembling advertisement content, and receiving a report from the forwarded instructions indicative of a response of a webpage generated by a web browser of the client device in response to the loaded file. The computerized process may also include analyzing the report based on an expected response of the web browser, and indicating the presence of the content blocking software based on the analysis.

Abstract: A computerized method of transmitting content to a first device and a second device may include receiving a first identifier and first location data of the first device, and a second identifier and second location data of the second device. The method may include comparing the first location data with the second location data, and generating a co-location score in response to the comparison. The method may include determining that the co-location score is greater than a threshold, and responsively generating household data indicative of a relationship between the first device and the second device. The method may further include generating and transmitting a report indicating the relationship to a content provider that transmits content to the first device and the second device.

Abstract: A computerized process of detecting content blocking software may include forwarding, to a client device, instructions to enable scanning of a web browser and a file with features resembling advertisement content, and receiving a report from the forwarded instructions indicative of a response of a webpage generated by a web browser of the client device in response to the loaded file. The computerized process may also include analyzing the report based on an expected response of the web browser, and indicating the presence of the content blocking software based on the analysis.

Abstract: A process of detecting an implemented blacklist may include downloading data from at least one blacklist. The process may also include compiling a list of image elements from the at least one blacklist based on a feature of the image elements, and selecting an image element from the list of image elements. The process may further include receiving a report indicative of the selected image successfully loading while a webpage is loaded on a web browser of a client device, and analyzing the report based on an expected response of the web browser to detect the implemented blacklist of the at least on blacklist.

Abstract: Systems and methods for identifying anomalous content requests are disclosed. Initially, a first data set containing a first plurality of attributes for each of a first plurality of content requests is received. A second data set containing a second plurality of attributes for each of the first plurality of content requests is also received, where the second plurality of attributes is different from the first plurality of attributes. A first attribute of the first plurality of attributes is determined that is indicative of a first type of anomalous content request. It is then determined that the first attribute of the first plurality of attributes is common to the second plurality of attributes. A first subset of the second data set having the first attribute is then identified. Finally, content requests of the first subset of the second data set having the first attribute are indicated.

Abstract: Methods and systems for delivering a creative are disclosed. Initially, a first tag including a first link to the creative to be displayed on a webpage to be displayed on a first device is received. Next, a second tag corresponding to the first tag is generated, where the second tag includes a second link to a first set of instructions including instructions to forward a first rating request. The second tag is forwarded to a creative provider. Then, it is determined, based on first metadata of the first rating request, that a first rating satisfies a first set of parameters. Finally, the first tag including the first link to the creative is forwarded in response to the determination that the first rating satisfies the first set of parameters.

Abstract: A method and apparatus for detecting and localizing an anomaly for a network are disclosed. For example, the method sends a first set of probe packets on at least one path of the network, and detects a performance anomaly on a first path of the at least one path. The method then identifies at least one link on the first path that is responsible for the performance anomaly by applying a second set of probe packets.

Abstract: Methods and systems for fraudulent traffic detection and estimation are disclosed. Initially, an empirical distribution of a plurality of features based on a first plurality of datapoints for the plurality of features is received. Next, a model distribution of the plurality of features based on a second plurality of datapoints for the plurality of features is received. Then, it is determined, a minimum number of datapoints to remove from the first plurality of datapoints to create a modified empirical distribution corresponding to the model distribution within a first significance level. Finally, an alert that the first plurality of web traffic includes at least one fraudulent instance of web traffic is generated in response to the determination that the minimum number of datapoints is greater than a first threshold.

Abstract: Performance for a network is measured by sending multi-objective probes on a path, receiving at least one of the multi-objective probes for the path, and determining performance measurements for at least two parameters of the path determined from the at least one of the multi-objective probes. Separate algorithms are simultaneously executed to measure the at least two parameters of the path determined from the at least one of the multi-objective probes.

Abstract: A method and an apparatus for providing a measurement of performance for a network are disclosed. For example, the method sends a plurality of multi-objective probes on a path, and receives one or more of said plurality of multi-objective probes for the path. The method then determines a plurality of performance measurements.

Abstract: A method and apparatus for detecting and localizing an anomaly for a network are disclosed. For example, the method sends a first set of probe packets on at least one path of the network, and detects a performance anomaly on a first path of the at least one path. The method then identifies at least one link on the first path that is responsible for the performance anomaly by applying a second set of probe packets.

Abstract: A method and an apparatus for providing a measurement of performance for a network are disclosed. For example, the method sends a plurality of multi-objective probes on a path, and receives one or more of said plurality of multi-objective probes for the path. The method then determines a plurality of performance measurements.

Abstract: A monitor of malicious network traffic attaches to unused addresses and monitors communications with an active responder that has constrained-state awareness to be highly scalable. In a preferred embodiment, the active responder provides a response based only on the previous statement from the malicious source, which in most cases is sufficient to promote additional communication with the malicious source, presenting a complete record of the transaction for analysis and possible signature extraction.

Abstract: An automatic technique for generating signatures for malicious network traffic performs a cluster analysis of known malicious traffic to create a signature in the form of a state machine. The cluster analysis may operate on semantically tagged data collected by connection or session and normalized to eliminate protocol specific features. The signature extractor may generalize the finite-state machine signatures to match network traffic not previously observed.