How Moat catches CTV advertising misbehavior

Invalid Traffic (IVT) and ad fraud are pervasive in online advertising. It’s estimated that $44B of yearly digital ad spend will be lost to ad fraud by 2022. Connected TV (CTV) advertising is no exception, and as ad-supported CTV apps become an ever greater part of people's lives, the CTV advertising ecosystem becomes a more attractive target for increasingly sophisticated fraudsters.

Moat by Oracle's engineers and data scientists devote substantial effort to researching and developing methods of detecting IVT that address or even specifically target the unique nature of CTV IVT. Here’s an overview of some of the underlying principles we rely on most.

Leaning into what we don’t know

Automated "bot" activity doesn't account for all invalid traffic out there, but it’s one of the easier ways to generate IVT. Malicious parties who want to boost their revenue from CTV advertising in their apps—or collect CTV ad spending despite not even having any real CTV apps—will have to automate the generation of ad impressions somehow. This automation reliably creates uniformity. Exactly what characteristics of these automated impressions are uniform differs from operation to operation, but with enough data and enough signals, we can overcome that variability in a principled way.

The concept we need here is entropy. Entropy measures exactly how little you know about an unpredictable process. An example of this is the distribution of "User-Agent" request headers (or "user agents") that Moat observes on ad impressions we measure coming from a given “server-side ad insertion” (or “SSAI”) server IP.

Most real SSAI servers stream content to users with many different device models, which means the entropy of that SSAI server’s distribution of user agents will be high, i.e. the user agents are unpredictable. If 99% of a server’s impressions have the same CTV device model with the exact same user agent, the entropy of that SSAI server’s user agent distribution will be near zero. This is the same as saying we can almost always correctly guess the user agent we'll see impressions from on that server.

Hypothetical, simplified user agent distributions for “normal” and “suspicious” SSAI servers

User agent headers are easy to check in this way but also easy to spoof. We can apply this same logic to dozens of other harder-to-spoof features of ad impressions as well. Moat runs an automated process that flags traffic clusters with unusual entropy across many features in the impressions we measure for further review, which we then blocklist if our researchers determine that those impressions are invalid.

Identifying implausible CTV consumption

There are many cases where an app has some amount of invalid traffic, but that app itself shouldn’t be blocklisted.

For example, imagine there's a CTV app that periodically checks that the TV is powered on and stops streaming content and ads when it sees that the TV is off. However, this behavior is inadvertently disabled for some users by an update––the app “hijacks” some devices and generates thousands of impressions for days on end that should be considered invalid.

Supposing Moat doesn’t have direct access to the “TV is off” signal (unfortunately, a common limitation in the current state of CTV measurement), how can we label those impressions as invalid without incriminating the entire app?

Hypothetical hourly impression counts over time for a “normal” CTV device with a user that takes breaks, and a “suspicious” CTV device constantly running for days on end

Moat doesn't collect true user or device identifiers, but we can still tell when consecutive impressions were likely to have come from a given app on the same device. This allows us to automatically and transiently label particular installs of a given app as generating IVT when we observe conditions that clearly indicate as such over time. That’s even when most of the traffic coming from that app is valid—and where we wouldn't have enough evidence to call any of those impressions invalid in isolation.

Applying these IVT monitoring methods across mediums

Many of Moat's IVT detection methods and supporting technologies developed for web and mobile in-app measurement are also just as relevant in CTV environments. For example:

• There’s a relatively low limit to the number of ads that can reasonably be served to one user over time on a connected TV device. For instance, it doesn’t make any sense to claim that 100 30-second video ads were delivered to one device in a span of 10 minutes. Our excessive activity detection identifies situations like this in CTV environments and flags them as invalid.

• Spoofed CTV impressions are known to originate from mobile apps with mobile device user agents. Our proprietary user agent parsing identifies those impressions as non-CTV devices and excludes them from our reporting in CTV datasets.

• Low-effort CTV ad fraud attempts might generate impressions from known invalid proxies, or even from data center IP addresses, which we’ll then label as IVT.

A tested and trusted team of detectives

We’re always developing new ways to stay one step ahead of fraudsters and continuously validate our existing IVT detection methods.

Check out this list to learn more about IVT detection and Moat’s leadership in ad fraud discovery:

• Everything you need to know about StreamScam: The largest CTV ad fraud operation ever discovered

• Playing to lose: How Moat uncovered an in-game advertising fraud scheme

• How one botnet evolved its fraud to elude detection and steal revenue

• Invalid traffic and ad fraud in advertising: Interview with an expert