Anty Fraud DOM Methodology

Solution Technical Specification • TrafficWatchDog

TwD Functionalities
TwD Functionalities
Technical Architecture
How Codes Work
Technical Implementation
Impact on Website
IT Security
Parameter Categories
Parameters Benchmark
Click Audit Methodology
Reporting & Classification
Downloads

1. TrafficWatchDog (TwD) System – description of functionalities

TrafficWatchDog (TwD) is a system operating in the field of detecting online/mobile advertising fraud and abuse for advertising formats such as: CLICK and LEAD. TwD collects and analyzes click and/or lead parameters (anonymous data) from individual paid sources and evaluates the click/lead based on these parameters:

  • CLICK Scanner – identification of 'invalid clicks' in accordance with IAB standards - Interactive Advertising Bureau Click Measurement Guidelines:
    "Invalid Clicks arising from suspected “click fraud” are a sub-component of Invalid Clicks and originate from a user, program or automated agent (e.g., Internet robot or spider) that accesses a URL for the purpose of manipulating click measurement activity or click-based advertising payments, having no intention of legitimately browsing site content, making a purchase or performing any other type of legitimate conversion action. Suspected click fraud can arise from both human-initiated and application-initiated automated activity; also, suspected click fraud can arise from invalid Ad Impression activity. Click Fraud also includes situations where a user is unwillingly, or tricked into, accessing information(for example, user “virus” infected activity, or auto-clicking functions)."
  • GOOGLE ADS Scanner – identification of 'invalid clicks' in Google Ads campaigns, in accordance with IAB guidelines.

    Google Ads Scanner additionally allows automatic blocking of Client's Google Ads clicks by the same users, as well as blocking invalid clicks in Google Ads campaigns.

  • LEAD Scanner – identification of 'invalid leads' in accordance with IAB standards - Interactive Advertising Bureau Online Lead Generation:
    "Lead fraud occurs when leads are submitted with malicious intent or simply for financial gain. These leads should be deemed invalid, and advertisers and agencies should not pay for these leads. Although uncommon, there have been cases when offers are filled out by an artificial, automated system to generate a large quantity of leads. Consumers or companies may also fraudulently fill out offers."

Main functionalities:

  • Full 24/7 monitoring of all paid click/lead sources for the Client.
  • Automatic analysis of ads and clicks in Google Ads.
  • User device detection and analysis – based on a virtual device fingerprint (DEVICE FINGERPRINT).
  • Identification of the click/lead country of origin and IP providers.
  • Automatic blocking of Google Ads click fraud by suspicious/fraudulent IP addresses.
  • Automatic blocking of Google Ads click fraud by suspicious/fraudulent devices (DEVICE FINGERPRINT identification).
  • Automatic blocking of Google Ads click fraud by suspicious/fraudulent cookies.
  • Ability to set and customize individual rules for automatic blocking of Google Ads campaigns.
  • Complaint reports for invalid clicks and leads from paid sources.
  • Google Ads invalid clicks complaint report.
  • Periodic reports sent to a specified email address.
  • Detailed information for each verified click/lead – including behavioral analysis of the potential user/bot on the monitored page.
  • Online access to the Client Panel.

2. Technical Architecture of the TwD Solution

The system consists of the following components:

  • TwD Tracking Script – an application responsible for collecting parameters used to evaluate clicks/leads.
  • Webservice – an application installed on the TwD server, to which data collected by the script is sent.
  • Database
  • Server
  • AI - a neural network that analyzes collected data.
  • Client Panel – the Client front-end for presenting the results of the TwD system.

3. How TwD Codes Work

The operation of dedicated tracking codes is tailored to the structure of the Client's monitored website - where appropriate HTML code fragments containing JavaScript scripts and pixels are implemented. Optimally, these should be placed directly within the monitored page code (the 'body' of the page). Scripts run solely on the user's side, in their browser.

Implementation of the tracking JavaScript/pixels code on the Client's website can also take place via Google Tag Manager (GTM). The scripts are executed solely in the user's browser. In the case of GTM implementation, the loading of TwD codes depends on the user's browser supporting GTM (some browser versions block GTM). This might result in a slight loss of monitored clicks/leads statistics.

Scripts and code elements of TwD initialize during website loading. They also run in the background while the user operates on the website, utilizing event listeners generated by web page elements. Data is sent during form submissions (lead) using the POST method, or via GET when an image element is loaded on the page.

Data is transferred to the destination server for detailed analysis. Analysis results are rendered and available within the dedicated TrafficWatchDog Client Panel.

4. Technical Implementation of TwD Codes

The integration process and system architecture consist of the following elements:

On TrafficWatchDog side:

  • Development of the tracking code (JavaScript file/pixels) responsible for collecting data, adjusted to the specific monitored website.
  • Webservice – running the application on the TrafficWatchDog server to receive encrypted information sent by TwD code using the HTTPS protocol.
  • Server – logging and storage of the collected evaluation parameters.
  • Neural Network – calibration of the data analysis models and record evaluation algorithms.
  • Provisioning the dedicated Client Panel – enabling real-time analysis and generating complaint reports.

On Client side (monitored website owner):

  • Embedding the dedicated TwD code (JavaScript/pixels) in the target website source code.
  • It is up to the Client's decision which pages will host the TwD code – it can be placed only on selected marketing landing pages or microsites. Secure areas such as admin panels, checkout pages, or financial transaction views can be excluded from monitoring simply by not embedding the TwD script.
  • Depending on the Client's preference – linking the JavaScript script directly from the TrafficWatchDog server or hosting the JavaScript tracking file on the Client's own web server.

5. Impact of TwD Codes on the Monitored Website Architecture

Monitored TwD codes do not alter the technical architecture of the target web server or page structure. The JavaScript scripts and tracking pixels execute entirely client-side inside the user's browser. There is no impact on User Experience or page loading speed (as benchmarked using Lighthouse audits).

Monitored scripts have no access or influence on login pathways, customer transactional checkout routes, or authentication systems.

6. IT Security Standards

Monitored TwD codes running on the Client's website collect technical indicators generated during site usage. All data is collected anonymously – it is completely impossible to associate the collected metrics with any specific natural person on the side of the TwD application provider.

All metrics are transmitted and stored on internal TwD servers under multi-level security policies. Communication between the tracking script in the user's browser and our ingestion servers uses secure, encrypted HTTPS channels (SSL/TLS 1.2 with a 2048-bit key). Data is then processed on an application server protected by a Stateful Packet Inspection (SPI) firewall, Intrusion Detection system, and active anti-Brute Force safeguards.

Processed records are stored in an isolated internal database accessible only within a restricted local network. Server administration access is secured strictly via personal 4096-bit RSA keys.

Deployment workflows align with international cybersecurity practices in accordance with PN-ISO/IEC 27002:2014-12 security techniques covering access control, cryptography, and communications safety.

7. Analyzed Categories of Parameters

The system analyzes 10 core categories of technical parameters:

  • URL details
  • Visit details
  • IP parameters
  • Browser parameters + Browser Fingerprint
  • Operating system parameters
  • Device parameters + Device Fingerprint
  • User behavioral analytics
  • Script execution and page rendering
  • Google reCaptcha v3 parameters (optional)
  • Session metrics

8. Analyzed Parameters Benchmark

Here are exemplary parameters collected by TwD monitoring tags. To protect our fraud detection integrity from evasion attempts, we maintain the confidentiality of our complete parameter tracking manifest.

URL, Page & Visit Data

  • Page URL
  • DOM structure components
  • Resource load speed
  • Cookie support status
  • Visit counters and identifiers
  • Data transmission latency
  • Page refresh rates

IP Inquiries

  • Internet Service Provider (ISP)
  • Geographical location
  • Connection flags (Proxy, VPN, TOR, Datacenters)
  • Mobile GSM carrier
  • WebRTC local IP scans

Browser Profiling

  • Browser engine, name, version
  • User Agent string verification
  • Window canvas size & resolution
  • Plugin configuration & system fonts
  • Audio Context & Canvas Fingerprints

User Behavioral (UBA)

  • Cursor coordinates and motion vectors
  • Scroll velocity and patterns
  • Keyboard cadence (speed, press intervals)
  • Time inside form inputs
  • Interactive element triggers

9. Click Audit Methodology

The click audit methodology executed by the TwD system strictly aligns with IAB guidelines (documented in "Click Measurement Guidelines", Version 1.0, Final Release).

Description of the Click Audit Process

To inspect marketing campaigns, TwD deploys CLICK SCANNER, GOOGLE ADS SCANNER, and LEAD SCANNER, checking every recorded click and form lead. Detection workflows use:

  • Browser signature audits to isolate automated scrapers masquerading as humans.
  • Detection of headless browsers and automation frameworks (e.g., Selenium, PhantomJS).
  • Advanced Device and Canvas Fingerprinting techniques.
  • Machine Learning classification pipelines to analyze traffic.
  • Bot honeypots – transparent traps configured directly inside the DOM.
  • User Behavioral Analysis (UBA) – modeling client side navigation vectors.
  • IP reputation checks against global blocklists and infrastructure databases.
  • Google reCAPTCHA v3 API verification.
  • Client-side "Proof of Work" tasks proving browser compliance.

The TwD system processes Resolved Clicks – clicks triggering a successful load of the advertiser's target URL, opening a potential commercial connection.

Security Notice: The audit process maintains complete data anonymity – no keyboard input within forms or private content is ever scraped, analyzed, or processed.

10. Click Classification & Reporting

Classification Logic

Classification screens out invalid interactions (Invalid Clicks) designed solely to inflate ad budgets without genuine intent. Clicks are audited across 10 distinct vectors. Failing validation in even one area flags the click as invalid.

Audit Vectors:

  • Site Rendering - honeypot traps and javascript asset check validation.
  • System Parameters - validation of system headers matching actual user agent signals.
  • Browser Parameters - PoW challenge-response validation and automation blocking.
  • User Behavioral - isolation of synthetic movements and bot events.
  • Device Specs - WebGL, Canvas, Audio, and WebRTC system properties.
  • IP Profiling - location mappings, host reputation, and network flags (VPN/Proxy/TOR).
  • Device Fingerprint - persistent hardware-based unique device token.
  • Browser Fingerprint - software profile configurations independent of tracking state.
  • Google Score - behavioral risk indexing via reCAPTCHA v3.
  • Session History - access frequency, user pathways, and repetitive pattern anomalies.

Reporting Capabilities

Evaluated and classified records populate the Client Panel live. Metrics include timestamps, classification reasons, client IPs and ISP providers, unique fingerprints, visual behavioral playback sequences, and campaign summaries.

Monitored ad records are maintained on secure storage for a minimum retention window of 3 months.

Download Documentation

Technical Specification - Description of Methodology (PDF)