Abstract: The present teaching relates to a fraud detecting system and method for providing protection against fraudulent advertisement requests. Upon receiving a request for an advertisement, the system extracts an identifier, associated with a source from which the request originates, included in the request. The system determines whether the extracted identifier is included in a list of designated identifiers, and when the identifier is included in the list, the system denies the request for the advertisement. When the identifier is not included in the list of designated identifiers, the system provides the advertisement in response to the request, and extracts a set of features from the request and other requests that originate from the source to determine whether the identifier associated with the source is to be included in the list of designated identifiers based on the set of features in accordance with one or more models.

Abstract: The present teaching relates to a fraud detecting system and method for providing protection against fraudulent advertisement requests. Upon receiving a request for an advertisement, the system extracts an identifier, associated with a source from which the request originates, included in the request. The system determines whether the extracted identifier is included in a list of designated identifiers, and when the identifier is included in the list, the system denies the request for the advertisement. When the identifier is not included in the list of designated identifiers, the system provides the advertisement in response to the request, and extracts a set of features from the request and other requests that originate from the source to determine whether the identifier associated with the source is to be included in the list of designated identifiers based on the set of features in accordance with one or more models.

Abstract: Methods, systems, and computer programs are presented for predicting a response probability to a sent notification. One method includes an operation for training respective neural networks to obtain a first, second, and third models. The first model generates an embedding based on member information. The second and third model generate parameters for a distribution function. The first model is used to calculate a member embedding when accessing a notification for a member. Further, the method second model calculates a first parameter value, and the third model calculates a second parameter value based on the member embedding. Further, the method determines, a first probability that the member will visit the online service in response to the notification and a second probability that the member will visit without sending the notification. The method further includes determining to send the notification based on the first probability and the second probability.

Abstract: One or more computing devices, systems, and/or methods for assessing riskiness of a domain are provided. For example, a content request is received from a content provider service that hosts a website associated with a domain. The content request is evaluated to identify request features. Feature scores are assigned to the request features using labeled feature data. The feature scores are aggregated to generate a content request risk score corresponding to a riskiness of the content request corresponding to fraud, such as domain spoofing. The content request risk score along with other content request risk scores of content requests associated with the content provider service are aggregated to create a content provider risk score corresponding to a riskiness of the content provider service, such as a risk of the domain being fraudulent. The content provider risk score is used to either block or process the content request.

Abstract: One or more computing devices, systems, and/or methods for assessing riskiness of a domain are provided. For example, a content request is received from a content provider service that hosts a website associated with a domain. The content request is evaluated to identify request features. Feature scores are assigned to the request features using labeled feature data. The feature scores are aggregated to generate a content request risk score corresponding to a riskiness of the content request corresponding to fraud, such as domain spoofing. The content request risk score along with other content request risk scores of content requests associated with the content provider service are aggregated to create a content provider risk score corresponding to a riskiness of the content provider service, such as a risk of the domain being fraudulent. The content provider risk score is used to either block or process the content request.

Abstract: The present teaching generally relates to removing perturbations from predictive scoring. In one embodiment, data representing a plurality of events detected by a content provider may be received, the data indicating a time that a corresponding event occurred and whether the corresponding event was fraudulent. First category data may be generated by grouping each event into one of a number of categories, each category being associated with a range of times. A first measure of risk for each category may be determined, where the first measure of risk indicates a likelihood that a future event occurring at a future time is fraudulent. Second category data may be generated by processing the first category data and a second measure of risk for each category may be determined. Measure data representing the second measure of risk for each category and the range of times associated with that category may be stored.

Abstract: The present teaching generally relates to removing perturbations from predictive scoring. In one embodiment, data representing a plurality of events detected by a content provider may be received, the data indicating a time that a corresponding event occurred and whether the corresponding event was fraudulent. First category data may be generated by grouping each event into one of a number of categories, each category being associated with a range of times. A first measure of risk for each category may be determined, where the first measure of risk indicates a likelihood that a future event occurring at a future time is fraudulent. Second category data may be generated by processing the first category data and a second measure of risk for each category may be determined. Measure data representing the second measure of risk for each category and the range of times associated with that category may be stored.

Abstract: One or more computing devices, systems, and/or methods for assessing riskiness of a domain are provided. For example, a content request is received from a content provider service that hosts a website associated with a domain. The content request is evaluated to identify request features. Feature scores are assigned to the request features using labeled feature data. The feature scores are aggregated to generate a content request risk score corresponding to a riskiness of the content request corresponding to fraud, such as domain spoofing. The content request risk score along with other content request risk scores of content requests associated with the content provider service are aggregated to create a content provider risk score corresponding to a riskiness of the content provider service, such as a risk of the domain being fraudulent. The content provider risk score is used to either block or process the content request.

Abstract: The present teaching generally relates to detecting fraudulent networks. First data associated with a plurality of entities may be obtained, and a representation characterizing similarities among the plurality may be generated. Based on the representation, at least one entity cluster may be identified as corresponding to a candidate fraud network. A score associated with each of the at least one entity cluster may be determined, where the score indicates a likelihood that a corresponding entity cluster represents a fraud network, and at least some of the at least one entity cluster may be identified as a fraud network based on the score.

Abstract: One or more computing devices, systems, and/or methods for assessing riskiness of a domain are provided. For example, a content request is received from a content provider service that hosts a website associated with a domain. The content request is evaluated to identify request features. Feature scores are assigned to the request features using labeled feature data. The feature scores are aggregated to generate a content request risk score corresponding to a riskiness of the content request corresponding to fraud, such as domain spoofing. The content request risk score along with other content request risk scores of content requests associated with the content provider service are aggregated to create a content provider risk score corresponding to a riskiness of the content provider service, such as a risk of the domain being fraudulent. The content provider risk score is used to either block or process the content request.

Abstract: Services often utilize scoring techniques to distinguish between user requests that comply with a usage policy of the service from those that represent a misuse of the service. Users who endeavor to misuse the service engages in probing by submitting a variety of requests to the service until one such request exhibiting a score that is within a score threshold, and then patterning further requests that misuse the service upon the successful request. Instead, when a first request from a user is identified that violates the score threshold, a score offset is selected. The scores of second and future requests by the user are adjusted by the score offset, indicating increased suspicion of the user's requests, while allowing legitimate requests that fulfill the score threshold by a larger margin. Additionally, absent further misuse, the score offset decays over time to restore trust incrementally in the legitimacy of the user's requests.

Abstract: One or more computing devices, systems, and/or methods for assessing riskiness of a domain are provided. For example, a content request is received from a content provider service that hosts a website associated with a domain. The content request is evaluated to identify request features. Feature scores are assigned to the request features using labeled feature data. The feature scores are aggregated to generate a content request risk score corresponding to a riskiness of the content request corresponding to fraud, such as domain spoofing. The content request risk score along with other content request risk scores of content requests associated with the content provider service are aggregated to create a content provider risk score corresponding to a riskiness of the content provider service, such as a risk of the domain being fraudulent. The content provider risk score is used to either block or process the content request.

Abstract: The present teaching generally relates to detecting abnormal user activity associated with an entity. In a non-limiting embodiment, baseline distribution data representing a baseline distribution characterizing normal user activities for an entity may be obtained. Information related to online user activities with respect to the entity may be received, distribution data representation a dynamic distribution may be determined based, at least in part, on the information. One or more measures characterizing a difference between the baseline distribution and the dynamic distribution may be computed, and in real-time it may be assessed whether the information indicates abnormal user activity. If the first information indicates abnormal user activity, then output data including the distribution data and the one or more measures may be generated.

Abstract: The present teaching generally relates to identifying fraudulent content provider-user device pairs. In one embodiment, an initial user risk value and an initial content provider risk value may be determined. A first functional representation of a user risk value may be generated based on the initial user risk value and relational data. A second functional representation of a content provider risk value may be generated based on the initial content provider risk value and the relational data. A converged user risk value and a converged content provider risk value associated with the first and second representations converging may be determined. A pair risk value may be determined based on the converged user risk value and the converged content provider risk value. A fraudulent label may then be applied to interaction events detected by the content provider from the user in response to the risk pair value satisfying a condition.

Abstract: The present teaching generally relates to removing perturbations from predictive scoring. In one embodiment, data representing a plurality of events detected by a content provider may be received, the data indicating a time that a corresponding event occurred and whether the corresponding event was fraudulent. First category data may be generated by grouping each event into one of a number of categories, each category being associated with a range of times. A first measure of risk for each category may be determined, where the first measure of risk indicates a likelihood that a future event occurring at a future time is fraudulent. Second category data may be generated by processing the first category data and a second measure of risk for each category may be determined. Measure data representing the second measure of risk for each category and the range of times associated with that category may be stored.

Abstract: Services often utilize scoring techniques to distinguish between user requests that comply with a usage policy of the service from those that represent a misuse of the service. Users who endeavor to misuse the service engages in probing by submitting a variety of requests to the service until one such request exhibiting a score that is within a score threshold, and then patterning further requests that misuse the service upon the successful request. Instead, when a first request from a user is identified that violates the score threshold, a score offset is selected. The scores of second and future requests by the user are adjusted by the score offset, indicating increased suspicion of the user's requests, while allowing legitimate requests that fulfill the score threshold by a larger margin. Additionally, absent further misuse, the score offset decays over time to restore trust incrementally in the legitimacy of the user's requests.

Abstract: The present teaching relates to a fraud detecting system and method for providing protection against fraudulent advertisement requests. Upon receiving a request for an advertisement, the system extracts an identifier, associated with a source from which the request originates, included in the request. The system determines whether the extracted identifier is included in a list of designated identifiers, and when the identifier is included in the list, the system denies the request for the advertisement. When the identifier is not included in the list of designated identifiers, the system provides the advertisement in response to the request, and extracts a set of features from the request and other requests that originate from the source to determine whether the identifier associated with the source is to be included in the list of designated identifiers based on the set of features in accordance with one or more models.

Abstract: The present teaching generally relates to detecting fraudulent networks. First data associated with a plurality of entities may be obtained, and a representation characterizing similarities among the plurality may be generated. Based on the representation, at least one entity cluster may be identified as corresponding to a candidate fraud network. A score associated with each of the at least one entity cluster may be determined, where the score indicates a likelihood that a corresponding entity cluster represents a fraud network, and at least some of the at least one entity cluster may be identified as a fraud network based on the score.

Abstract: The present teaching generally relates to detecting abnormal user activity associated with an entity. In a non-limiting embodiment, baseline distribution data representing a baseline distribution characterizing normal user activities for an entity may be obtained. Information related to online user activities with respect to the entity may be received, distribution data representation a dynamic distribution may be determined based, at least in part, on the information. One or more measures characterizing a difference between the baseline distribution and the dynamic distribution may be computed, and in real-time it may be assessed whether the information indicates abnormal user activity. If the first information indicates abnormal user activity, then output data including the distribution data and the one or more measures may be generated.

Abstract: Methods, systems, and programs are provided to determine event-level traffic quality for event(s) related to user interaction with online content (e.g., via a webpage, a mobile application, etc.). Data related to a current user event and past user events may be received, where such data may include information regarding a set of entities associated with each respective user event. A feature value set for the current user event is generated based on the information regarding the respective sets of entities associated with the current user event and the past user events. Based at least on such feature value set, a traffic quality score for the current user event may be determined, e.g., based on a weighted combination of elements of the feature value set. An entity-level traffic quality score for an entity may be determined based on event-level traffic quality scores of user events that involve that entity.