TWI810339B - Keyword Ad Malicious Click Analysis System - Google Patents

Abstract

A keyword advertisement malicious click analysis system, comprising a central server connected to at least one advertising website; a malicious click analysis agency resides in the central server; visitors enter the advertisement by clicking on the advertisement window of the advertisement website The website browses webpages, and the visitor enters the advertising website through various electronic devices or generates different IPs; the malicious click analysis mechanism includes a feature storage for storing the characteristics of the electronic devices of the visitors of each advertising website; and It also includes at least one of an unreasonable behavior determiner, a summary page analyzer, and a feature classifier; the unreasonable behavior determiner can determine whether the visitor's behavior is unreasonable; the summary page analyzer can store the characteristics The feature in the feature store generates a summary page and compares it to determine whether it is the same electronic device; the feature classifier can classify the features in the feature store and then compare them step by step; therefore, one or more electronic devices can be obtained The device may have the behavior of making malicious clicks, which may be from the same or multiple visitors.

Description

Keyword Ad Malicious Click Analysis System

The invention relates to a website analysis system, in particular to a keyword advertisement malicious click analysis system.

Nowadays, due to the popularity of the Internet, online advertising also rises. As more and more people receive information from the Internet, the amount of online advertising has surpassed any traditional media. Generally, online advertisements mainly use clicks to determine the charges. That is, each click charges an additional fee. So the more clicks you get, the more advertising fees you get charged. Generally, normal clicks contribute to the marketing of website products. However, due to commercial competition, often the opponent will click maliciously to consume the advertisement cost of the other party. Its purpose is to make the other party withdraw from the advertising market due to the huge advertising costs. So malicious clicks are actually a big killer of online advertisements. Therefore, it is hoped that there is a technology that can learn malicious clickers and prevent them.

Generally, people who make malicious clicks do not use fixed IPs to access websites, but use many existing network technologies, such as virtual private networks (Virtual Private Network, VPN), floating IPs, multiple mobile phone clicks, zombie computers, etc. etc. means. Therefore, if you want to judge malicious clickers from the website side, you must extract them according to the characteristics of these network technologies, and then analyze these characteristics to know which user has maliciously clicked on the website, so as to implement preventive actions, so that Advertisements on the website can play a real role.

Therefore, this case hopes to propose a brand-new malicious click analysis system for keyword advertisements to solve the above-mentioned defects in the prior art.

Therefore, the purpose of the present invention is to solve the above-mentioned problems in the prior art. In the present invention, a malicious click analysis system for keyword advertisements is proposed, which is to analyze the behavior of visitors who enter a website by using the characteristics of the software, hardware and network in the computer. And those who decide to click maliciously will provide necessary preventive actions for the website. Apply fully automatic analysis to analyze the characteristics of visitors to effectively capture visitors who click maliciously. Therefore, the utility of the advertisement can be increased, and the cost of the advertisement provider can also be saved.

In order to achieve the above object, the present invention proposes a malicious click analysis system for keyword advertisements, which includes a central server; a malicious click analysis mechanism resides in the central server; wherein the central server is connected to at least one advertising website, the Advertisement websites are entered by clicking on an advertisement window, so that visitors can click on the advertisement window through electronic devices to enter the advertisement website and browse the web pages of the advertisement website, wherein the visitor enters the advertisement website through various electronic devices or generates different IP to enter the advertising website; wherein the central server includes a processor and a memory; the processor is used to perform the operations required by the malicious click analysis agency; the memory is used to store the computer in the malicious click analysis agency Data or calculation programs stored in the form of programs, related operation results and related data; where all the operation results and related data are stored in the memory of the central server; where the malicious click analysis mechanism includes a feature storage A device for storing the characteristics of the electronic devices used by the visitors of each advertising website; and the malicious click analysis mechanism also includes at least one of an unreasonable behavior determiner, a summary page analyzer, and a feature classifier; wherein The unreasonable behavior determiner is connected to the feature storage and is used to decide to access the advertisement Whether the visiting and browsing behavior of website visitors is unreasonable; the unreasonable behavior determiner defines unreasonable visiting and browsing behavior to determine whether there is a visitor who maliciously clicks on the advertising website; the summary page analyzer connects the feature Storage, used to retrieve the features stored in the feature storage, and make these features into a summary page; where each summary page is assigned a version number; when the content of the summary page changes, its version number will also change ; The summary page analyzer also includes a summary page comparator for comparing the similarity of each summary page; wherein the comparison logic and weighting of each feature are set in the summary page comparator; The degree of similarity between different summary pages; if the degree of similarity is higher than a certain threshold value, it is considered that the same electronic device enters the advertising website; if the same electronic device enters the advertising website more than once within a set period of time set value, it is considered that the user of the electronic device maliciously clicks on the advertising website; the feature classifier is connected to the feature storage for comparing the features stored in the feature storage, wherein the features to be compared are Grading, the higher the level is compared first, when the high-level features are determined to be malicious clicks after comparison, then compare the features of the next level; when the features with more levels show higher similarity, malicious The higher the rate of clicks; applying the methods listed above, it is possible to obtain malicious clicks on one or more different electronic devices. These behaviors may be malicious clicks from the same visitor or from multiple different visitors. .

The features and advantages of the present invention can be further understood from the following description, please refer to the accompanying drawings when reading.

1‧‧‧Malicious click analysis agency

3‧‧‧Advertising website

5‧‧‧Ad window

7‧‧‧visitor

10‧‧‧central server

11‧‧‧Processor

12‧‧‧memory

20‧‧‧Electronic Devices

30‧‧‧Flow Analyzer

40‧‧‧Characteristic storage

50‧‧‧Unreasonable Behavior Judger

60‧‧‧Summary Page Analyzer

65‧‧‧Summary Page

70‧‧‧Summary Page Comparator

80‧‧‧Feature classifier

90‧‧‧Sequencer

Figure 1 shows the hardware architecture of this case and the connection architecture diagram between the malicious click analysis agency and the electronic device.

Figure 2 shows the schematic diagram of the operation of the central server and malicious click analysis organization in this case.

Figure 3 shows a block diagram of the component architecture of the malicious click analysis mechanism in this case.

Figure 4 shows a schematic diagram of the summary page of this case.

Figure 5 shows the schematic diagram of the application of the comparator on the summary page of this case.

Figure 6 shows a schematic diagram of the application of the sequencer in this case.

Figure 7 shows a block diagram of another component architecture of the malicious click analysis mechanism in this case, which includes a traffic analyzer.

Hereby, with regard to the structural composition of this case, and the effects and advantages that can be produced, in conjunction with the drawings, one of the preferred embodiments of this case is described in detail as follows.

Please refer to FIGS. 1 to 7 , which show the keyword advertisement malicious click analysis system of the present invention, which includes the following components: As shown in FIG. 1 , the hardware architecture of the present invention includes a central server 10 .

A malicious click analysis mechanism 1 resides in the central server 10 and uses the central server 10 to perform its functions. Wherein the central server 10 is connected to at least one advertisement website 3, and the advertisement website 3 is entered through an advertisement window 5, so that the visitor 7 can click the advertisement window 5 to enter the advertisement website 3 through the electronic device 20, and browse The webpage of the advertisement website 3, wherein the visitor 7 enters the advertisement website 3 via various electronic devices 20 or generates different IPs. The electronic device 20 can be various electronic information devices, such as computers, laptops, tablet computers, mobile phones, PDAs, etc., which can be connected to the advertising website 3 via the network.

As shown in FIG. 2 , the central server 10 includes a processor 11 and a memory 12 . The processor 11 is used to perform operations required by the malicious click analysis mechanism 1 . The memory 12 is used to store Data or calculation programs stored in the form of computer programs in the malicious click analysis organization 1, related operation results and related data. All operation results and related data are stored in the memory 12 of the central server 10 .

The relevant software and data of the malicious click analysis mechanism 1 are stored in the memory 12 , and the processor 11 executes the relevant operations of the malicious click analysis mechanism 1 . Wherein the central server 10 can be realized by different electronic information systems, wherein the electronic information systems include various computers, mobile phones, tablet computers, laptops, PDAs, etc. And the central server 10 needs to be constructed in these electronic information systems.

As shown in Figure 3, the malicious click analysis organization 1 includes: A traffic analyzer 30 is used to analyze the traffic of the visitors 7 of the advertising website, as shown in FIG. 7 . When there are abnormally many visitors 7 in a certain or certain period of time, malicious click analysis is performed to obtain information about visitors 7 who may perform malicious clicks. These messages mainly include the IP of the visitor 7, so that the owner of the IP can be known through the telecommunications company and the implementer of the malicious click can be determined.

A characteristic storage 40 is used to store the characteristics of the electronic device 20 used by the visitor 7 of each advertising website 3, these characteristics include the header of the user's browser (with MD5 encoding to make a message abstract for easy query), visitor language, Color depth, access source, IP segment, operating system, recognition rate, resolution, user agent (UserAgent), first visit URL, start visit time, visitor source, permanent identity cookie, IP affiliation, previous page visits, The number of pages visited this time, browser version, etc.

An unreasonable behavior determiner 50 is connected to the feature storage 40 and is used to determine whether the browsing behavior of the visitor 7 visiting the advertising website 3 is unreasonable. Should it be unreasonable The behavior determiner 50 defines unreasonable access browsing behaviors to determine whether there is a visitor 7 who maliciously clicks on the advertising website 3 . These unreasonable access and browsing behaviors include short entry time, no or few page flips, no or few page transfers, etc., unreasonable access behaviors.

When an electronic device 20 frequently enters an advertising website 3 and its unreasonable behavior exceeds the boundary defined by the unreasonable behavior determiner 50 , it is considered that the visitor 7 who uses the electronic device 20 maliciously clicks on the advertising website 3 .

A summary page analyzer 60 is connected to the feature storage 40 for extracting the features stored in the feature storage 40 and making these features into a summary page 65 , as shown in FIG. 4 . Each of the summary pages 65 is assigned a version number. When the content of the summary page 65 changes, its version number also changes. The summary page analyzer 60 includes a summary page comparator 70 for comparing the similarity of each summary page 65 , as shown in FIG. 4 and FIG. 5 . The comparison logic and weighting of each feature are set in the summary page comparator 70 . The similarity between different summary pages 65 is obtained through weighted calculation after comparison of each feature. If the degree of similarity is higher than a certain threshold value, it is determined that the same electronic device 20 enters the advertising website 3 . If the number of times the same electronic device 20 enters the advertising website 3 within a set period of time exceeds a set value, it is considered that the user of the electronic device 20 maliciously clicks on the advertising website 3 . This method is relatively easy to determine that the same visitor 7 uses the same electronic device to generate multiple IP malicious clicks. If a visitor 7 enters through multiple different electronic devices 20, he will not agree to notice.

A feature grader 80 is connected to the feature storage 40 for comparing the features stored in the feature storage 40, wherein the features to be compared are classified, Those with higher levels are compared first, and when the features with higher levels are determined to be malicious clicks after comparison, then the features of the next level are compared. For example, taking the screen resolution as the first-level feature, if 10,000 clicks occur within a set period of time on the same screen resolution of the webpage visiting the advertising website 3 , it is considered that malicious clicks may come from the same electronic device 20 . Then set the comparison of the second level as the telecommunication company, if it is the same telecommunication company, it is considered that the clicks performed by the same electronic device 20 are very likely. If necessary, the next level of feature comparison can be performed. The higher the similarity of features with more levels, the higher the rate of malicious clicks.

A sorter 90 is connected to the unreasonable behavior determiner 50, the feature classifier 80 and the summary page comparator 70, and the sorter 90 is used to determine the unreasonable behavior determiner 50, the feature classifier 80 and the summary page Whether the comparator 70 is used or not is determined sequentially. Therefore, managers can use different combinations of judgment methods according to their needs.

Wherein the sorter 90 can give priority to the three different judgment methods of summary page comparison, unreasonable behavior judgment and feature classification. As shown in Figure 6, for example, the unreasonable behavior determiner 50 is firstly used to judge unreasonable behavior, and when it is determined that the electronic devices using certain IPs have unreasonable behaviors, then the feature classification is applied from these IPs with unreasonable behaviors The device 80 performs feature classification, and brushes and selects according to different classifications in order to determine which IPs have the possibility of malicious clicks. If above-mentioned mode all can not obtain the IP of effective malicious click, then apply this summary page comparator 70 of this summary page analyzer 60 to carry out summary page comparison, each summary page 65 is compared, if some summary pages 65 other When the similarity is higher than the preset value, it is considered to be from the same visitor7.

When the user can decide which judgment method to use according to his needs, or according to which arrangement to decide the crawling operation of the visitor 7 who performs malicious clicks.

Applying the methods listed above, it is possible to obtain one or more different electronic devices that have malicious clicking behavior, and the relevant units can be handed over to track down the visitors 7 behind these electronic devices 20, which may be from the same visitor 7, or Malicious clicks by multiple different visitors7.

This case mainly uses the software, hardware and network characteristics of the computer to analyze the behavior of visitors who enter a website and decides to make malicious clicks, so as to provide necessary preventive actions for the website. Apply fully automatic analysis to analyze the characteristics of visitors to effectively capture visitors who click maliciously. Therefore, the utility of the advertisement can be increased, and the cost of the advertisement provider can also be saved.

To sum up, the humanized and thoughtful design of this case is quite in line with actual needs. Its specific improvement has existing deficiencies, and compared with the prior art, it has the advantage of breakthrough progress, and indeed has the enhancement of efficacy, and it is not easy to achieve. This case has not been published or disclosed in domestic and foreign literature and market, which is in compliance with the provisions of the patent law.

The above detailed description is a specific description of a feasible embodiment of the present invention, but this embodiment is not used to limit the patent scope of the present invention, and any equivalent implementation or change that does not depart from the technical spirit of the present invention shall be included in In the patent scope of this case.

1‧‧‧Malicious click analysis agency

3‧‧‧Advertising website

5‧‧‧Ad window

7‧‧‧visitor

10‧‧‧central server

11‧‧‧Processor

12‧‧‧memory

20‧‧‧Electronic Devices

Claims (9)

A malicious click analysis system for keyword advertisements, comprising: a central server; a malicious click analysis agency residing in the central server; wherein the central server is connected to at least one advertising website through an advertising window Click on the entrant, so that the visitor can click the advertisement window to enter the advertisement website through an electronic device, and browse the webpage of the advertisement website, wherein the visitor enters the advertisement website through various electronic devices or generates different IPs; Wherein the central server includes a processor and a memory; the processor is used to perform operations required by the malicious click analysis institution; the memory is used to store data or calculations stored in the form of computer programs in the malicious click analysis institution Programs, related operation results and related data; where all the operation results and related data are stored in the memory of the central server; where the malicious click analysis mechanism includes a feature storage for storing each advertisement The characteristics of the electronic devices used by the visitors of the website; and the malicious click analysis mechanism also includes at least one of an unreasonable behavior determiner, a summary page analyzer, and a feature classifier; wherein the unreasonable behavior determiner is connected to The characteristic storage is used to determine whether the visiting and browsing behavior of the visitor who visits the advertising website is unreasonable; performing malicious clicks; the summary page analyzer is connected to the feature storage for retrieving the features stored in the feature storage, and making these features into a summary page; wherein each summary page is given a version number; when the summary page When the content of the content changes, its version number also changes accordingly change; the summary page analyzer also includes a summary page comparator for comparing the similarity of each summary page; where the comparison logic and weighting of each feature are set in the summary page comparator; Get the degree of similarity between different summary pages; if the degree of similarity is higher than a certain threshold value, it is determined that the same electronic device enters the advertising website; if the number of times the same electronic device enters the advertising website within a set period exceeds a set value, it is considered that the user of the electronic device maliciously clicks on the advertising website; It is graded, and the higher the level is compared first, when the high-level features are determined to be malicious clicks after comparison, then compare the features of the next level; when the features with more levels show higher similarity, then The higher the rate of malicious clicks; applying the methods listed above, it is possible to obtain malicious click behaviors of one or more different electronic devices. click. The keyword advertisement malicious click analysis system described in item 1 of the patent application, wherein the features stored in the feature storage are selected from the user's browser header, visitor language, color depth, access source, IP segment, operation System, recognition rate, resolution, user agent (UserAgent), initial visit URL, start time of visit, visitor source, permanent identity cookie, IP affiliation, number of pages visited before, number of pages visited this time, browser version at least one item. The keyword advertisement malicious click analysis system described in item 1 of the scope of the patent application, wherein the unreasonable access browsing behavior is selected from a short entry time, no or few page flips, no Or rarely transfer at least one item in the page. As for the keyword advertisement malicious click analysis system described in item 1 of the scope of the patent application, when an electronic device frequently enters an advertising website, and its unreasonable behavior exceeds the limit defined by the unreasonable behavior determiner, it is considered A visitor using the electronic device maliciously clicks on the advertising website. The keyword advertisement malicious click analysis system as described in item 1 of the patent application, wherein the malicious click analysis mechanism also includes a sorter connected to the unreasonable behavior determiner, the feature classifier and the summary page comparator, the sorter The device is used to determine the use of the unreasonable behavior determiner, the feature classifier and the summary page comparator, or the order of judgment; therefore, the manager can use different combinations of judgment methods according to needs. As for the keyword advertisement malicious click analysis system described in item 1 of the scope of the patent application, the malicious click analysis agency also includes a traffic analyzer for traffic analysis of the visitors of the advertisement website; When there are an abnormal number of visitors in certain periods of time, malicious click analysis is performed to obtain information about visitors who may perform malicious clicks; these information mainly include the IP of the visitor, so that the IP address can be obtained through the telecommunications company owner to determine the perpetrator of malicious clicks. The keyword advertisement malicious click analysis system described in item 1 of the patent application, wherein the malicious click analysis agency first applies the unreasonable behavior determiner to judge unreasonable behavior, when it is determined that the electronic device using certain IP has unreasonable behavior Reasonable behavior, and then apply the feature classifier to perform feature classification from these IPs with unreasonable behaviors, and brush and select according to different classifications in order to determine which IPs have the possibility of malicious clicks; , then apply the summary page comparator of the summary page analyzer to compare the summary pages, and compare each summary page if Certain summary pages are considered from the same visitor when their similarity is higher than a preset value. The keyword advertisement malicious click analysis system described in item 1 of the scope of the patent application, wherein the electronic device is selected from a computer, a laptop, a tablet computer, a mobile phone, and a PDA. The keyword advertisement malicious click analysis system described in Item 1 of the scope of the patent application, wherein the central server is selected from computers, laptops, tablet computers, mobile phones, and PDAs.

Images