DESC:METHOD AND SYSTEM FOR CLICK TO INSTALL BEHAVIOR BASED DETECTION OF FRAUD

TECHNICAL FIELD

[0001] The present disclosure relates to the field of fraud detection systems and, in particular, relates to a method and system to detect advertisement fraud based on time distribution analysis.

BACKGROUND

[0002] With the advancements in technology over the last few years, users have predominantly shifted towards smartphones for accessing multimedia content. Nowadays, users access content through a number of mobile applications available for download through various online application stores. Businesses (Advertisers) have started focusing on generating revenue by targeting consumers through these mobile applications. In addition, businesses have started investing heavily on doing business through these mobile applications. Moreover, businesses (publishers and/or advertising networks) have started developing advertisement capable applications for serving advertisements through these mobile applications. These advertisements are published in real time or fixed placements through these mobile applications and watched by the users. The advertisers are benefited in terms of internet traffic generated on clicking, taking action like installing or on watching these advertisements. However, certain online publishers and advertising networks working with these publishers take undue advantage of this in order to generate high revenues. These online publishers and advertising networks employ fraudulent techniques in order to generate clicks, or increasing actions like increasing number of application installs for the advertisers through fraudulent means. In addition, these online publishers incentivize the users for clicking the links, downloading applications and the like. This results in a loss of advertisers marketing budget spent as many times these publishers claim a normal user-initiated action (Organic action, e.g. Organic Install) as one initiated by them or at times the clicks or application installs are not driven by humans at all and instead by bots. There is a consistent need to stop publishers from performing such types of click fraud and transaction fraud.

OBJECT OF THE DISCLOSURE

[0003] A primary object of the present disclosure is to provide a method and system to detect fraud in advertisements based on click to install time for a mobile application.

[0004] Another object of the present disclosure is to alert an advertiser about the fraudulent behavior of the publisher for driving application installs and accordingly take action.

[0005] Another object of the present disclosure is to deter publishers from performing click spamming techniques and driving installs by using bots.

[0006] Yet another object of the present disclosure is to stop publishers who are performing fraudulent techniques to generate more revenue.

[0007] Yet another object of the present disclosure is to prevent loss to advertisers by providing access to information related to fraudulent activities.

SUMMARY

[0008] In one aspect, the present disclosure provides a computer system. The computer system includes one or more processors and a memory. The memory is coupled to the one or more processors. The memory stores instructions. The instructions are executed by the one or more processors. The execution of instructions causes the one or more processors to perform a method to detect advertisement fraud based on time between events. The method includes a first step to receive device data and application data collected from a plurality of sources. In addition, the method includes a second step to identify a plurality of parameters based on the device data and the application data. Further, the method includes a third step to generate a plurality of graphs based on the device data, the application data, user behavior and the plurality of parameters. Furthermore, the method includes a fourth step to analyze the plurality of graphs with trained data. The device data and the publisher data are associated with one or more advertisements published on at least one publisher on one or more media devices. The plurality of parameters comprises of time taken between two events on the one or more media devices. The plurality of graphs is generated with respect to time when a signal generator circuitry embedded inside the one or more media devices generates a signal to trigger one or more hardware components. The one or more hardware components of the one or more media devices are triggered. The analysis is done based on the user behavior, the application data and the device data. The analysis is done to identify fraud based on the deviation. The analysis is done in real time.

BRIEF DESCRIPTION OF FIGURES

[0009] Having thus described the invention in general terms, references will now be made to the accompanying figures, wherein:

[0010] FIG. 1A illustrates an interactive computing environment for detection of advertisement fraud in real time, in accordance with various embodiments of the present disclosure;

[0011] FIG. 1B illustrates a block diagram of various modules of the interactive computing environment; and

[0012] FIG. 2 illustrates a block diagram of a computing device, in accordance with various embodiments of the present disclosure.

[0013] It should be noted that the accompanying figures are intended to present illustrations of exemplary embodiments of the present invention. These figures are not intended to limit the scope of the present invention. It should also be noted that accompanying figures are not necessarily drawn to scale.

DETAILED DESCRIPTION

[0014] Reference will now be made in detail to selected embodiments of the present invention in conjunction with accompanying figures. The embodiments described herein are not intended to limit the scope of the invention, and the present invention should not be construed as limited to the embodiments described. This invention may be embodied in different forms without departing from the scope and spirit of the invention. It should be understood that the accompanying figures are intended and provided to illustrate embodiments of the invention described below and are not necessarily drawn to scale. In the drawings, like numbers refer to like elements throughout, and thicknesses and dimensions of some components may be exaggerated for providing better clarity and ease of understanding.

[0015] It should be noted that the terms "first", "second", and the like, herein do not denote any order, ranking, quantity, or importance, but rather are used to distinguish one element from another. Further, the terms "a" and "an" herein do not denote a limitation of quantity, but rather denote the presence of at least one of the referenced item.

[0016] FIG. 1A illustrates an interactive computing environment 100 for detection of an advertisement fraud in real time. The interactive computing environment 100 shows a relationship between various entities involved in detection of fraud in an advertisement based on time distribution analysis. The advertisement fraud is a type of fraud which is being done to generate more revenue from the advertisement being displayed by generating fake install or clicks. The fake install is done with the help of software, bots. The fake install or fake traffic is faked through techniques such as click fraud, transaction fraud and the like. The click fraud corresponds to regular or constant clicking by a user 102 or group of users on the advertisement in order to generate more revenue for a publisher 106. The click fraud is when the publisher 106 gets paid based on pay-per-click or pay-per-view bases whenever the advertisement gets clicked. The click fraud refers to the generation of fraudulent clicks through online bots which are not identifiable and are treated as genuine install. The transaction fraud refers to initiating install via fake clicks and bots (as described above in the application). The transaction fraud takes place when the publisher 106 applies fraudulent techniques to drive fake installs of applications in order to generate more revenue.

[0017] The interactive computing environment 100 includes the user 102, one or more media devices 104, the publisher 106, one or more advertisements 108, a signal generator circuitry 110, one or more hardware components 112, one or more advertisers 114, a fraud detection platform 116, a server 118 and a database 120. Each of the components of the interactive computing environment 100 interacts with each other to enable detection of advertisement fraud in real time based on time distribution analysis.

[0018] The interactive computing environment includes the user 102 who is any person present at any location and accessing the multimedia content. The user 102 may be any legal person or natural person who access online multimedia content and need an IP based network for accessing the multimedia content. In addition, the user 102 is an individual or person who access online multimedia content on the respective one or more media devices 104. Further, the user may be a computer or bots who is programmed to view the advertisement and performs click and transaction in order to do fraud. In an embodiment of the present disclosure, the user 102 includes but may not be limited to a natural person, legal entity, individual, machine and robots for viewing advertisement. The user 102 is associated with the one or more media devices 104.

[0019] The interactive computing environment further includes the one or more media devices 104 which help to communicate information. The one or more media devices 104 includes but may not be limited to a Smartphone, a laptop, a desktop computer, a tablet and a personal digital assistant. In an embodiment of the present disclosure, the one or more media devices 104 include a smart television, a workstation, an electronic wearable device and the like. In an embodiment, the one or more media devices 104 include portable communication devices and fixed communication devices. In an embodiment of the present disclosure, the one or more media devices 104 are currently in the switched-on state. The user 102 accesses the one or more media devices 104 in real time. The one or more media devices 104 are any type of devices having an active internet. The one or more media devices 104 are internet-enabled device for allowing the user 102 to access the publisher 106. In an embodiment of the present disclosure, the user 102 may be an owner of the one or more media devices 104. In another embodiment of the present disclosure, the user 102 may not be the owner of the one or more media devices 104. In addition, the one or more media devices 104 are used for viewing an application which is installed on the one or more media devices 104.

[0020] The interactive computing environment 100 further includes the publisher 106 which is used for viewing content on the one or more media devices 104. The publisher 106 includes but may not be limited to mobile application, web application and website. The publisher 106 is the mobile application which displays content to the user 102 on the one or more media devices 104. The content may include one or more publisher content, one or more video content and the like. The application or the publisher 106 accessed by the user 102 shows content related to interest of the users 102. In an example, the user 102 may be interested in watching online videos, reading blogs, play online games, accessing social networking sites and the like. The publisher 106 is the application developed by the application developer for viewing or accessing specific content. The publisher 106 or applications are advertisement supporting applications which are stored on the one or more media devices 104. The publishers 106 or mobile applications are of many type which includes gaming application, a utility application, a service based application and the like. The publishers 106 provide space, frame, area or a part of their application pages for advertising purposes which is referred to as advertisement slots. The publisher 106 consists of various advertisement slots which depend on the choice of the publisher 106. The publishers 106 advertise products, services or businesses to the users 102 for generating revenue. The publisher 106 displays the one or more advertisements 108 on the one or more devices 104 when the user 102 is accessing the publisher 106.

[0021] The one or more advertisements 108 are a graphical or pictorial representation of the information in order to promote a product, an event, service and the like. In general, the one or more advertisements 108 are a medium for promoting a product, service, or an event. The one or more advertisements 108 include text advertisement, video advertisement, graphic advertisement and the like. The one or more advertisements 108 are displayed in third party applications developed by application developers. The one or more advertisements 108 are presented to attract the user 102 based on his interest in order to generate revenue. The one or more advertisements 108 are presented to the user 102 on the publisher 106 based on interest of the user 102 which is shown for a specific period of time. The user 102 click on the one or more advertisements 108 and the user 102 is re-directed to a website or application or application store associated with the clicked one or more advertisements 108. The one or more advertisements 108 are provided to the publisher 106 by the one or more advertisers 114 who want to advertise their product, service through the publisher 106. The publisher 106 gets paid if the user 102 visits the application or website through the one or more advertisements 108 of the one or more advertisers 114. The number of user 102 who visits the one or more advertisements 108 through the publisher 106 generates more revenue for the publisher 106.

[0022] The one or more advertisers 114 are those who want to advertise their product or service and the like to the user 102. The one or more advertisers 114 approach the publisher 106 and provide the one or more advertisements 108 to be displayed for the user 102 on the publisher 106. The one or more advertisers 114 pay the publisher 106 based on the number of user 102 being redirected or taking the product or services provided by the one or more advertisers 114.

[0023] The one or more advertisements 108 are placed on the advertisement slots in the publisher application on the one or more media devices 104 associated with the user 102. The one or more advertisers 114 purchase the advertisement slots from the publisher 106. The one or more advertisements 108 may be served based on a real-time bidding technique or a direct contract between the one or more advertisers 114 and the publisher 106. The one or more advertisers 114 may provide the one or more advertisements 108 to advertising networks and information associated with advertising campaigns. The advertisement networks enable display of the one or more advertisements 108 in real time on the publisher 106 on behalf of the one or more advertisers 114. The advertising networks are entities that connect the one or more advertisers 114 to websites and mobile applications that are willing to serve advertisements.

[0024] The interactive computing environment 100 further includes the signal generator circuitry 110 for generating signal and to trigger the one or hardware component 112 associated with the one or more media devices 104. The one or more hardware components 112 are triggered for one or more purposes. The one or more purposes includes but may not be limited to receiving data, connection establishment between the third party databases and fraud detection platform 116. The one or more purposes include but may not be limited to blocking the IP address, sending and receiving information, and the like. The one or more purposes include generating a signal based on the requirement of the fraud detection platform 116. The signal generator circuitry 110 triggers the one or more hardware components 112 to perform a specific task in the one or more media devices 104.

[0025] The one or more hardware components 112 are components which are embedded inside the one or more media devices 104. The one or more hardware components 112 include but may not be limited to camera, microphone, LED, light sensor, proximity sensor and accelerometer sensor. The one or more hardware components 112 include but may not be limited to gyroscope, compass and the like. The one or more hardware components 112 are triggered when the signal generator circuitry embedded inside the one or more media devices 104 generates a signal to trigger the one or more hardware components 112.

[0026] The interactive computing environment 100 further includes the fraud detection platform 116 which is associated with the publisher 106 and the one or more advertisers 114. The fraud detection platform 116 detects advertisement fraud being done by the publisher 106 in order to generated fake traffic for the one or more advertisements 108. The fraud detection platform 116 is linked with the publisher 106 which may be more than one in real time. The fraud detection platform 116 is a platform for detecting click fraud and transaction fraud done by the publisher 106. The fraud detection platform 116 performs the detection of fraud in the one or more advertisements 108 in real time. The fraud detection platform 116 performs the detection of fraud by performing sequence of tasks which includes but may not be limited to receiving device data, receiving application data. Further, the fraud detection platform 116 performs the tasks of identifying parameters, generating graphs, analyzing graphs, indentify fraud and the like.

[0027] Reference will now be made to the components mentioned in FIG. 1B in order to explain the embodiments of the fraud detection platform 116. FIG 1A illustrates the various module of the interactive computing environment 100.

[0028] The fraud detection platform 116 receives device data and application data which are collected from a plurality of sources. The fraud detection platform 116 receives the device data and the application data which is associated with the one or more advertisements 108. The one or more advertisements 108 are published on at least one publisher 106 on one or more media devices 104. The device data includes network type, device type, service provider, location, time-stamp, operating system, model number, number of application installed, IP address and the like. In an embodiment of the present disclosure, the device data includes but may not be limited to number of application uninstalled, screen size, network speed.

[0029] The network type include but may not be limited to any network used for communication such as 2G, 3G, 4G, Wi-Fi, LAN, broadband and leased line. The device type include but may not be limited to device used in the computing environment 100 such as 2G enabled, 3G enabled,4G handset, Android OS device, windows OS and blackberry phone. The location is used to identify the country in which users 102 is viewing the one or more advertisements 108 on the one or more media devices 104. The user location facilitates to provide the maximum bandwidth in the particular location. The service provider is provider of internet service to the user 102; the service provider may be Airtel, Bsnl, Vodafone, reliance and the like. The time-stamp is the time at which the user 102 is accessing the one or more advertisements 108. The operating system is the software which is used in the one or more media device for performing its functions windows, ios, Android OS, bada, blackberry OS, and the like. In an embodiment of the present disclosure, the operating system includes but may not be limited to BlackBerry OS, MeeGo OS, Palm OS, Symbian OS and webOS. The network speed is network bandwidth provided by the network provider for accessing the one or more advertisements 108 on the one or more media devices 104.
[0030] The application data includes but may not limited to application size, time to download, time to run, redirection time, click to install and click to run. Further, the application data includes user click time, device load time, time to run, time to install, network download time, application usage time and the like. In an embodiment of the present disclosure, the application data include but may not be limited to application idle time, IP address switching time, application opening time and time to server.

[0031] The redirection time is the time required by the application from the click to the launch of the mobile application in the application store which is displayed in the one or more advertisements 108. The redirection time is based on the network speed and the device type and the like. The user click time is the time required by the user 102 to click the on or more advertisements 108 displayed on the one or more media devices 104. The user click time is based on the network type, network speed, download speed and the like. Time to install is the time required by the user 102 to install mobile application which is displayed using the one or more advertisements 108 on the one or more media devices 104. The user 102 install the mobile application displayed in the one or more advertisements 108 from the application store. The time to install is based on the network type, device type, bandwidth, location and the like. Time to run is the time required to run the application based upon the type of device being used by the user. Time to server is time required to send an install event to the tracking server. Time to download is the time required to download the application from the app store or the third party servers based on the connection type and bandwidth statistical analysis.

[0032] The plurality of sources includes but may not be limited to historical database, network type database, anonymous database, click/ install database and the like which are stored in the database 120. In an embodiment of the present disclosure, the plurality of sources includes but may not be limited to click database, a plurality of third party database, a plurality of sensors and actuator. The plurality of sensor includes but may not be limited to global positioning system (GPS), proximity sensor, gyroscope sensor, accelerometer and the like.

[0033] The database 120 is as shown in FIG. 1B is where all the information is stored for accessing. The database 120 includes data which is pre-stored in the database and data collected in real-time. The database 120 may be a cloud database or any other database based on the requirement for the fraud detection. The data is stored in the database 120 in various tables. The tables are matrix which stored different type of data. In an example, one table may store data related to the user 102 and in other table the one or more media devices 104 related data is stored. The database 116 is area where all the information is stored for accessing.

[0034] In an embodiment of the present disclosure, the database 120 includes anonyms DB, network type DB, Historical DB, click/ install DB and the like as shown in FIG. 1B. In another embodiment of the present disclosure, the database 120 includes but may not be limited to blocked publisher DB and safe publisher DB. The anonyms DB hold data related to public IP addresses, internet cafe IP addresses, shopping malls IP addresses, Airports IP addresses, hotel IP addresses, hosting providers and the like. The network type DB hold data related to type of network, the type of network includes home network, public network, tor networks and the like. The click/install DB hold data related to click time, run time, network time, install time and the like. The historical DB hold data related to past click time, run time, install time, location, time-stamp, the device data, the application data and the like. The historical DB is the data which is pre-defined or is already stored in the database 120. The database 120 is included inside the server 118 as shown in FIG. 1B.

[0035] The server 118 as shown in FIG. 1B is used to perform task of accepting request and respond to the request of other functions. The server 118 may be a cloud server which is used for cloud computing to enhance the real time processing of the system and using virtual space for task performance. In an embodiment of the present disclosure, the server 118 may be any other server based on the requirement for the fraud detection. The server 118 is used to perform task of accepting request and respond to the request of other functions.

[0036] In addition, the fraud detection platform 116 identifies a plurality of parameters based on the device data and the application data. The plurality of parameters comprises of time taken between two events on the one or more media devices 104. The plurality of parameters includes minimum redirection time, minimum click to install, minimum click to run, minimum user click time and the like. In an embodiment of the present disclosure, the plurality of parameters includes but may not be limited to minimum time to download, minimum device load time and minimum time to run. In another embodiment of the present disclosure, the plurality of parameters includes minimum time to install, minimum network download time and country bandwidth.

[0037] In an example, if the user perform purchase than he add the item to cart, checkout, validate payment and a confirmation will be send which will require certain time to run. If the time to run shows that the user has completed payment in less than the usual time to run than the fraud may be detected.

[0038] The identification is performed by the listing engine 116b of the fraud detection platform 116 which is shown in FIG. 1B. The listing engine 116b performs historical analysis and real time analysis of the device data and the application data in order to identify the plurality of parameters. In an embodiment of the present disclosure, the listing engine 116b uses data collected from a plurality of third party databases. The listing engine 118b performs historical analysis and real time analysis of the device data and application data in order to identify the plurality of parameters.

[0039] Further, the fraud detection platform 116 identifies the user behavior based on the application data, the past data and the third party database. The fraud detection platform 116 collects the data from the third party databases and the past data of the user 102 and the publisher 106. The user behavior includes user routine, time stamp, user interactions, application usage data, user usage time and the like. In an embodiment of the present disclosure, user behavior includes the user 102 usage pattern based on the data collected from the plurality of third party databases. The user behavior is based on the local time of the location of the user 102.

[0040] Furthermore, the fraud detection platform 116 examines the user behaviour based on the real-time and past data of the user 102 and the publisher 106. The examination is done based on the user behavior data collected from the plurality of third party databases, the device data and the application data. The examination is done to identify abnormal user behaviour in real time. The examination is done by the machine learning engine 116a. The machine learning engine 116a as shown in FIG. 1B receives the user behavior data, the application data, the past data and the device data. Further, the machine learning engine 116a collected data from the third party databases and receives real-time data of the one or more media devices 104.

[0041] The machine learning engine 116a performs training on the data in order to receive trained data. The machine learning engine 116a performs training based on the past data and real-time data. The training is performed using the machine learning and the data is trained by using the past data and real-time data. The training is done based on time taken between two events on the one or more media devices 104. In an embodiment of the present disclosure, the machine learning engine 116a performs training based on the application data, the device data and the user behavior. In addition, the machine learning engine 116a also performs modeling of the data in real-time. In an embodiment of the present disclosure, the machine learning engine 116a modeling in order to represent data in the database 120.

[0042] Moreover, the fraud detection platform 116 generates a plurality of graphs based on the device data, the application data and the plurality of parameters. The plurality of graphs is generated with respect to time when a signal generator circuitry 110 embedded inside the one or more media devices 104 generates a signal to trigger the one or more hardware components 112 of the one or more media devices 104. In an embodiment of the present disclosure, the signal generator circuitry 110 embedded inside the one or more media devices 104 trigger the GPS to identify location of the one or more media devices 104 at an instance.

[0043] The plurality of graphs comprises interaction graph and network graph. In an embodiment of the present disclosure, the plurality of graphs includes but is not limited to anonyms IP graph. In an embodiment of the present disclosure, the plurality of graphs may be any other graph based on the data collected from the plurality of third party databases, the device data, and the application data. The plurality of graphs is plotted by the fraud detection platform 116 with respect to time. The interaction graph is plotted between time and the user interaction of the user 102. The fraud detection platform generates at least one interaction graph based on the on the device data, the application data, user behavior and the plurality of parameters. The anonyms IP graph is plotted between time and the IP addresses data collected from the user 102. The network graph is plotted between time and the network information collected from the one or more media devices 104. The network graph contains information regarding the network speed and time.

[0044] Moreover, the fraud detection platform 116 analyzes the plurality of graphs with the trained data based on the user behavior, the application data and the device. The analysis is done to identify deviation from the trained data. The deviation may be determined by numerous statistical analyses including least mean square, or polynomial matching and the like. The analysis is done in real time by the machine learning engine 116a and the distribution analysis 116c.

[0045] The distribution analysis 116c as shown in FIG. 1B perform analysis of the data based on the publisher 106, one or more media devices 104 and the campaign being run by the publisher 106. The distribution analysis 118c collects data stored in the database 120 and the data related to the publisher 106, the device data and the campaign being run by the one or more advertisers 114. The distribution analysis 116c performs the analysis of the plurality of graphs in real-time to identify the fraud being committed by the publisher 106 by analyzing the deviation from the trained data.

[0046] Also, the fraud detection platform 116 scores the publisher 106 based on the deviation from the trained data. The scoring of the publisher 106 is done based on analysis of the plurality of graphs with the trained data. The deviation shows the change in the user behavior which identify if the user 102 is a genuine user or bots which is used by the publisher 106 for committing fraud. The scoring of the publisher based on the deviation of the plurality of the graphs by the fraud detection platform 116 helps to identify fraud.

[0047] Also, the fraud detection platform 116 blocks the publisher 106 based on the scores of the publisher 106. The blocking is performed by the fraud detection platform 116 by comparing the score of the publisher 106 with predefined level. The predefined level is the level which is defined by the one or more advertisers 114. In an embodiment of the present disclosure, the predefined level is defined by the advertising network. The fraud detection platform 116 blocks the publisher 106 from publishing the one or more advertisements 108 on the one or more media devices 104 if the score of the publisher 106 is above the predefined level.

[0048] In an embodiment of the present disclosure, the fraud detection platform 116 analyzes the already past data and the real-time data in order to identify abnormality in the data. The fraud detection platform 112 will mark the abnormality for analyzing it in the future in order to identify future fraud.

[0049] In another embodiment of the present disclosure, the fraud detection platform 116 build profile for each user 102 based on the application data, device data, and size of application that the user 102 usually downloads and has downloaded in the past. In yet another embodiment of the present disclosure, the fraud detection platform 112 may analyze past data, data collected from the third party databases where the user 102 has uninstalled the mobile application after downloading it. The fraud detection platform 116 may analyze the time difference of uninstalling and reinstalling the mobile application to determine download by fraudulent means and the user 102 was not interested in using the application.

[0050] In an example, if a user X is visiting a publisher Y and an advertisement Z is displayed on the publisher Y. The fraud detection platform 116 collects information about the location, device type, network type. The fraud detection platform 116 determines redirection time, user click time, click to install, time to run, time to server, and the like. Further, the fraud detection platform 116 identify the minimum click to install, minimum redirection time, minimum user click time, minimum time to run, minimum time to server time for the mobile application Y.

[0051] In another example, if a user X is visiting a publisher Y and an advertisement Z is displayed on the publisher Y. The fraud detection platform 116 collects information about the location, device type, network type, network speed. The fraud detection platform 116 determines redirection time, time to click, time to install, time to run, time to server, and the like. Further, the fraud detection platform 116 analyzes time to install the mobile application as a 50 MB application will require 3-second download based on location, network type, and device type. If a user X is downloading the 50 MB application in 1 second than fraud detection platform 116 will be able to identify the fraud. The fraud detection platform 116 will generate network graph and analysis will identify fraud as the deviation is high than the predefined level.

[0052] In an embodiment of the present disclosure, the one or more media devices 104 may include a monitoring application/service installed inside the one or more media devices 104. The monitoring application/service is associated with the fraud detection platform 116. In an embodiment of the present disclosure, the monitoring application/service enables the fraud detection platform 116 to perform correlation of real user interaction with reported interaction during install. The monitoring application/service enables the fraud detection platform 116 to intercept any touch/gesture events globally and checks whether the touch/gesture events match with publisher reported install/clicks. The monitoring application/service is packaged as an anti-malware/anti-virus solution and has other features as well.

[0053] FIG. 2 illustrates a block diagram of a computing device 200, in accordance with various embodiments of the present disclosure. The device 200 is a non-transitory computer readable storage medium. The device 200 includes a bus 202 that directly or indirectly couples the following devices: memory 204, one or more processors 206, one or more presentation components 208, one or more input/output (I/O) ports 210, one or more input/output components 212, and an illustrative power supply 214. The bus 202 represents what may be one or more busses (such as an address bus, data bus, or combination thereof). Although the various blocks of FIG. 2 are shown with lines for the sake of clarity, in reality, delineating various components is not so clear, and metaphorically, the lines would more accurately be grey and fuzzy. For example, one may consider a presentation component such as a display device to be an I/O component. Also, processors have memory. The inventors recognize that such is the nature of the art, and reiterate that the diagram of FIG. 2 is merely illustrative of an exemplary device 200 that can be used in connection with one or more embodiments of the present invention. Distinction is not made between such categories as “workstation,” “server,” “laptop,” “hand-held device,” etc., as all are contemplated within the scope of FIG. 2 and reference to “computing device.”

[0054] The device 200 typically includes a variety of computer-readable media. The computer-readable media can be any available media that can be accessed by the device 200 and includes both volatile and nonvolatile media, removable and non-removable media. By way of example, and not limitation, the computer-readable media may comprise computer storage media and communication media. The computer storage media includes volatile and nonvolatile, removable and non-removable media implemented in any method or technology for storage of information such as computer-readable instructions, data structures, program modules or other data. The computer storage media includes, but is not limited to, RAM, ROM, EEPROM, flash memory or other memory technology, CD-ROM, digital versatile disks (DVD) or other optical disk storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other medium which can be used to store the desired information and which can be accessed by the device 200. The communication media typically embodies computer-readable instructions, data structures, program modules or other data in a modulated data signal such as a carrier wave or other transport mechanism and includes any information delivery media. The term “modulated data signal” means a signal that has one or more of its characteristics set or changed in such a manner as to encode information in the signal. By way of example, and not limitation, communication media includes wired media such as a wired network or direct-wired connection, and wireless media such as acoustic, RF, infrared and other wireless media. Combinations of any of the above should also be included within the scope of computer-readable media.

[0055] Memory 204 includes computer-storage media in the form of volatile and/or nonvolatile memory. The memory 204 may be removable, non-removable, or a combination thereof. Exemplary hardware devices include solid-state memory, hard drives, optical-disc drives, etc. The device 200 includes the one or more processors 206 that read data from various entities such as memory 204 or I/O components 212. The one or more presentation components 208 present data indications to a user or other device. Exemplary presentation components include a display device, speaker, printing component, vibrating component, etc. The one or more I/O ports 210 allow the device 200 to be logically coupled to other devices including the one or more I/O components 212, some of which may be built in. Illustrative components include a microphone, joystick, game pad, satellite dish, scanner, printer, wireless device, etc.

[0056] It may be noted that the foregoing description has been explained with help of one user for the explanation purpose only. In an embodiment of the present disclosure, the interactive computing environment may contain any number of users 102 being associated with any number of portable communication devices 104 at any instant of time.

[0057] The foregoing descriptions of specific embodiments of the present technology have been presented for purposes of illustration and description. They are not intended to be exhaustive or to limit the present technology to the precise forms disclosed, and obviously many modifications and variations are possible in light of the above teaching. The embodiments were chosen and described in order to explain the principles of the present technology best and its practical application, to thereby enable others skilled in the art to best utilize the present technology and various embodiments with various modifications as are suited to the particular use contemplated. It is understood that various omissions and substitutions of equivalents are contemplated as circumstance may suggest or render expedient, but such are intended to cover the application or implementation without departing from the spirit or scope of the claims of the present technology.

[0058] While several possible embodiments of the invention have been described above and illustrated in some cases, it should be interpreted and understood as to have been presented only by way of illustration and example, but not by limitation. Thus, the breadth and scope of a preferred embodiment should not be limited by any of the above-described exemplary embodiments.
,CLAIMS:What is claimed is:

1. A computer system comprising:
one or more processors (206); and
a memory (204) coupled to the one or more processors (206), the memory (204) for storing instructions which, when executed by the one or more processors (206), cause the one or more processors (206) to perform a method for detecting advertisement fraud based on time between events, the method comprising:
receiving, at a fraud detection platform (116), device data and application data collected from a plurality of sources, wherein the device data and the publisher data is associated with one or more advertisements (108) published on at least one publisher (106) on one or more media devices (104);
identifying, at the fraud detection platform (116), a plurality of parameters based on the device data and the application data, wherein the plurality of parameters comprises of time taken between two events on the one or more media devices (104);
generating, at the fraud detection platform (116), a plurality of graphs based on the device data, the application data, user behavior and the plurality of parameters, wherein the plurality of graphs is generated with respect to time when a signal generator circuitry (110) embedded inside the one or more media devices (104) generates a signal to trigger one or more hardware components (112) of the one or more media devices (104); and
analyzing, at the fraud detection platform (116), the plurality of graphs with trained data, wherein the analysis is done based on the user behavior, the application data and the device data, wherein the analysis is done to identify fraud based on the deviation, wherein the analysis is done in real time.
2. The computer system as recited in claim 1, wherein the device data comprises network type, service provider, location, time-stamp, operating system, model number, number of application installed, number of application uninstalled, screen size, network speed and device type.
3. The computer system as recited in claim 1, wherein the application data comprises application size, time to download, time to run, redirection time, click to install, click to run, user click time, device load time, time to run, time to install, network download time, application usage time, application idle time and application opening time.
4. The computer system as recited in claim 1, wherein the plurality of sources comprises historical database, network type database, anonymous database, click database, a plurality of third party database, a plurality of sensors and actuator.
5. The computer system as recited in claim 1, wherein the plurality of parameters comprises minimum redirection time, minimum click to install, minimum click to run, minimum user click time, minimum time to download, minimum device load time, minimum time to run, minimum time to install, minimum network download time and country bandwidth.
6. The computer system as recited in claim 1, wherein the plurality of graphs comprises interaction graph, network graph and anonyms IP graph.
7. The computer system as recited in claim 1, further comprising,
identifying, at the fraud detection platform (116), the user behavior from the application data, the past data and the third party database, wherein the user behavior comprises user routine, time stamp, user interactions and application usage data; and
examining, at the fraud detection platform (116), the user behaviour based on the real-time and past data, wherein the examination is done to identify abnormal user behaviour, wherein examination is done in real time.
8. The computer system as recited in claim 1, further comprising
training, at the fraud detection platform (116), the trained data using machine learning, wherein the data is trained by using the past data and real-time data, wherein the training is done based on time taken between two events on the one or more media devices (104).
9. The computer system as recited in claim 1, further comprising
scoring, at the fraud detection platform (116), the publisher (106) based on the deviation, wherein the scoring is done based on the analysis of the plurality of graphs.
10. The computer system as recited in claim 1, further comprising
blocking, at the fraud detection platform (116), the publisher (106) if the score is above a predefined level, wherein the blocking is done in real time.