Security and Communication Networks

Security and Communication Networks / 2020 / Article
Special Issue

Malware Analysis and Vulnerability Detection Using Machine Learning

View this Special Issue

Research Article | Open Access

Volume 2020 |Article ID 8810817 | https://doi.org/10.1155/2020/8810817

Jinlong Hu, Tenghui Li, Yi Zhuang, Song Huang, Shoubin Dong, "GFD: A Weighted Heterogeneous Graph Embedding Based Approach for Fraud Detection in Mobile Advertising", Security and Communication Networks, vol. 2020, Article ID 8810817, 12 pages, 2020. https://doi.org/10.1155/2020/8810817

GFD: A Weighted Heterogeneous Graph Embedding Based Approach for Fraud Detection in Mobile Advertising

Academic Editor: Hammad Afzal
Received09 Apr 2020
Revised28 Jul 2020
Accepted25 Aug 2020
Published04 Sep 2020

Abstract

Online mobile advertising plays a vital role in the mobile app ecosystem. The mobile advertising frauds caused by fraudulent clicks or other actions on advertisements are considered one of the most critical issues in mobile advertising systems. To combat the evolving mobile advertising frauds, machine learning methods have been successfully applied to identify advertising frauds in tabular data, distinguishing suspicious advertising fraud operation from normal one. However, such approaches may suffer from labor-intensive feature engineering and robustness of the detection algorithms, since the online advertising big data and complex fraudulent advertising actions generated by malicious codes, botnets, and click-firms are constantly changing. In this paper, we propose a novel weighted heterogeneous graph embedding and deep learning-based fraud detection approach, namely, GFD, to identify fraudulent apps for mobile advertising. In the proposed GFD approach, (i) we construct a weighted heterogeneous graph to represent behavior patterns between users, mobile apps, and mobile ads and design a weighted metapath to vector algorithm to learn node representations (graph-based features) from the graph; (ii) we use a time window based statistical analysis method to extract intrinsic features (attribute-based features) from the tabular sample data; (iii) we propose a hybrid neural network to fuse graph-based features and attribute-based features for classifying the fraudulent apps from normal apps. The GFD approach was applied on a large real-world mobile advertising dataset, and experiment results demonstrate that the approach significantly outperforms well-known learning methods.

1. Introduction

Online mobile advertising plays a vital role in the mobile app ecosystem. One of the popular models in mobile app advertising is known as cost per action (CAP), where payment is based on user action, such as downloading and installing an app on the user’s mobile device. This CAP model may incentivize malicious mobile content publishers (typically app owners) to generate fraudulent actions on advertisements to get more financial returns [13]. Some traditional methods and techniques have been used for detecting and stopping click fraud, such as threshold-based method [4], CAPTCHA [5], splay tree [6], TrustZone [7], power spectral density analysis [8], and social network analysis [9].

To automatically detect mobile advertising fraud behaviors, machine learning methods have been successfully applied to find fraud patterns in data, distinguishing suspicious advertising fraud operation from normal one [1014]. As for learning model with attribute features, researchers usually use several attributes from each sample to train a learning model to identify the fraud behaviors. Unfortunately, such approaches may suffer from labor-intensive feature engineering and robustness of the detection algorithms, since the online advertising big data and complex fraudulent advertising actions generated by malicious codes, botnets, and click-firms are constantly changing. What is more, fraudsters could easily adjust their fraud patterns based on existing fraud detection attributes and rules to avoid being detected. Recently, some researchers try to use the relationship between information entities to construct a graph model and then use the graph mining or learning methods to identify the changing fraud behaviors [1517]. All these methods obtain useful insights into the learning mechanism to classify fraud behaviors from normal activities. Intuitively, if we could combine the complementary information from attributes of sample data and relationship between entities (e.g., users, apps, and ads), we will be able to improve the accuracy and robustness of fraud detection.

However, to unleash the power of attribute-based information and graph-based information, we have to address a series of challenges. First, to take advantage of the characteristic of graph, we should construct a suitable graph, which could potentially represent the interaction behaviors between information entities such as users, apps, and ads. Second, an efficient graph learning method should be developed to learn the useful structural and semantic representation information from constructed graph [18, 19], particularly learning from heterogeneous graph [20]. Third, fusing different kinds of information from sample attributes and node representation is difficult for their inherent heterogeneity and high-order characteristics.

To address the above challenges, in this paper, we propose a weighted heterogeneous graph embedding and deep learning-based fraud detection approach, namely, GFD, to identify fraudulent apps for mobile advertising. In the proposed GFD approach, (i) considering behavior patterns between users, mobile apps, and mobile ads, we construct a weighted heterogeneous graph to represent mobile app advertising behavior and propose a new weighted metapath to vector algorithm, namely, WMP2vec, to learn low-dimensional latent representation (graph-based features) for apps’ nodes in the weighted heterogeneous graph; (ii) we use a time window based statistical analysis method to extract intrinsic features (attribute-based features) from the tabular sample data; (iii) we present a hybrid convolutional neural network model to fuse graph-based features and attribute-based features for classifying the fraudulent apps from normal apps.

We evaluate GFD approach and WMP2vec algorithm on a real-world dataset from one of the mobile advertising platforms in China. Results show that WMP2vec reaches higher performance than three well-known graph embedding algorithms in the constructed weighted heterogeneous graph, and GFD approach achieves highest classification performance compared with Support Vector Machine (SVM), Random Forest (RF), and Fully Connected Neural Networks (FCNN).

The rest of the paper is organized as follows. We introduce GFD approach to detect fraudulent apps with deep neural networks and heterogeneous graph embedding algorithm WMP2vec in Section 2. We present the experimental results and discussion in Section 3. In Section 4, we introduce the related work. We conclude this paper in Section 5.

2. Proposed Approach

The flow chart of the proposed GFD approach is shown in Figure 1. First, we propose a weighted heterogeneous graph embedding method to learn the node representation, including constructing the weighted heterogeneous graph and the WMP2vec algorithm. Second, we use statistical analysis method to extract attribute-based features from the tabular sample data. Third, we introduce the deep neural networks to fuse the attribute-based features and graph-based features for identifying fraudulent apps from normal ones.

2.1. Data Description

We collect advertising log data of mobile apps from a mobile advertising platform. Our mobile advertisement dataset contains the following attributes: user ID, a code to identify a unique mobile user; app ID, a code to identify a unique mobile app; ad ID, a code to identify a unique mobile advertisement; geographical attributes, a series of user geographical attributes used to detect anomalies, including encrypted IP and city; action type, user behavior related to the ads, such as viewing, clicking, app downloading start, app downloading completion, and app installation completion; action time, the time-stamp when the action happened; and device attribute, user device related attributes, such as device ID, device system models, and screen size.

A seven-day mobile advertising log dataset in June 2015 was studied in this paper, and some examples of our raw data are shown in Table 1.


User IDApp IDAd IDAction

B360369103Viewing
B360369103Clicking
Xjnh370125Viewing
Xjnh370125Downloading
Lmsv412130Downloaded
Lmsv412130Installing
Lmsv412133Installed

2.2. Weighted Heterogeneous Graph Embedding

In this section, we firstly propose the problem definition and construct the weighted heterogeneous graph, and then we present WMP2vec algorithm to learn latent representation of nodes in weighted heterogeneous graph.

2.2.1. Problem Definition

(1). Given. An undirected weight heterogeneous graph is given, where V is a set of app nodes, ad nodes, and user nodes; E is a set of undirected weight edges between any two types of nodes: app nodes and user nodes, user nodes and ad nodes, and ad nodes and app nodes; W is the set of weight of edges.

(2). Task. The task is to learn the -dimensional latent representations (where ) for nodes, which could capture the structural and semantic relations among nodes in the graph G, and the representations could be used for classifying fraudulent apps.

2.2.2. Weighted Heterogeneous Graph Construction

Let be the set of user nodes, let be the set of app nodes, and let be the set of advertisement nodes. If there exists an action from user to advertisement through app , we form edges from to , from to , and from to , respectively, such that , , and are the edges set of heterogeneous graph G. The set of weight is , where the weights , , and are defined proportional to the behavioral centrality of to , to , and to , respectively. The calculation formula of is shown in equation (1) and so on for and .where is the times of user u operating on advertisement p and is the set of operations of user u on all the advertisements.

2.2.3. Graph Embedding Algorithm

In this section, based on the sequence generation method from metapath based random walk in heterogeneous graph [20], we propose WMP2vec algorithm to generate random walk sequence in weighted heterogeneous graph and embed sequence to representation vector with Skip-Gram [21] for nodes.

(1). Weighted Metapath Based Random Walk. We predefined number of walks per node , the number of walk sequences , and a metapath M The metapath is defined as a path in the heterogeneous graph G with its metatemplate , where and . Each node and each edge are associated with mapping functions and , respectively.

Supposing that current node is , the relationship between and next node is Ri; that is, .

For walk sequences generation, we go through the metapath scheme times, and each time generates one corresponding walk sequence. In the first time, we use two different selecting methods (first phase and second phase), because there are no limits to edge weight in the beginning. After first time, we use the method in the second phase to select next node.

For the first phase, when the length of walk sequence is less than 2, the next node in the sequence is randomly selected from the neighbors set of current nodes, which meet the requirements of metapath M [20]. The transition probability from to is defined as follows:

For the second phase, when the length of walk sequence is between 2 and , the transition probability is restricted by a weight bias . Supposing that the latest weight of edge of relationship Ri is , the weight should be in the range of . The transition probability from to is defined as follows:where is the set of neighbors meeting the requirement.

(2). Embedding Sequence to Vector with Skip-Gram. Based on the weighted metapath random walk sequences, we use Skip-Gram model [21] and negative sampling [22] to learn low-dimensional representation of nodes.

A description of our proposed WMP2vec algorithm method is shown in Algorithm 1.

(1)Input: The weighted heterogeneous information graph , a meta-path scheme M, walks per node , longest walk length per walk , embedding dimension , neighborhood size
(2)Output: The latent node embedding
(3)Initialize , random walk sequence
(4)fordo
(5)fordo
(6) = WeightedMetaPathRandomWalk
(7)
(8)end
(9)end
(10) = HeterogeneousSkipGram
(11)return
(12)WeightedMetaPathRandomWalk
(13)initialize random walk array , weight array ,
(14)relationship array
(15)fordo
(16)fordo
(17)ifthen
(18) draw and according to equation (2) with relationship
(19)
(20)else
(21) draw and according to equation (3) with relationship
(22)if does not exist then return
(23)else
(24)end
(25)fordo
(26)  draw and according to equation (3) with relationship
(27)if does not exist then return
(28)else,
(29)end
(30)end
(31)return
2.3. Attribute-Based Feature Extracting

From the raw log data (tabular data) of mobile advertising, we defined a time window ( hours) and divide original data into data block for one day (24 hours). Then, a plain statistical analysis is performed on each field in each data block. The ratio of the unique value of the field to the total number of records in the specified time window is computed. The attribute-based feature corresponding to one mobile app could be represented as a feature matrix with rows.

2.4. Hybrid Neural Network for Classification

To take advantage of the graph-based features and attribute-based features, we propose a hybrid convolutional neural networks (HNN) model to fuse and learn both information in GFD approach. The overview of the hybrid neural networks is shown in Figure 2.

In HNN model, the first layer (input layer) contains attribute-based feature matrix and graph-based feature, where is the number of samples, is the number of time windows by one day (24 hours), is the dimension of attribute-based feature in a time window, and is the dimension of node embedding.

A convolutional part includes two convolutional layers, and the output of the first convolutional layer iswhere and are the convolution kernel and bias, respectively, is the size of the kernel, indicates the convolution operation, and the function is .

The second convolutional layer is constructed as follows:where and are the convolution kernel and bias, respectively. is the size of the kernel.

is flattened to , where is the number of elements in .

We concatenate and into a single metric to be the input of the first fully connected layer . is constructed as follows:where and are weight and bias, respectively, and is the number of neurons in the first fully connected layer.

The second fully connected layer is constructed as follows:where and are weight and bias, respectively, and is the number of neurons in the second fully connected layer.

In the output of HNN, is the probability of an application to be a fraudulent application.where and are weight and bias, respectively, and is the sigmoid function.

The cross-entropy function with l2-regularization is used to calculate the loss of the hybrid convolutional neural network model.

3. Experiments

3.1. Data Description and Preprocessing

A real-world dataset was collected from a mobile advertising platform in China. The dataset consists of seven days with around 2 M users, 3.5 K apps, and 1 K advertisements per day. We partition our log data into seven subsets with one-day period and conduct experiments on each subset to evaluate our model. The proportion of fraudulent apps is about 2–4 percent in the total 3,500 apps each day. More details of the dataset are described in Section 2.1.

3.2. Evaluation Metric

In this paper, we define the fraudulent apps by positive samples and the other apps by negative samples. The Average Precision (AP) and the Area Under ROC Curve (AUC) are used to evaluate proposed algorithm and approach.

The AP criterion summarizes the Precision-Recall performances at different threshold levels and corresponds to area under the Precision-Recall curve. The ROC curve is created by plotting the true positive rate against the false positive rate at various threshold settings. The AUC is the total area under the ROC curve.

3.3. Evaluation of WMP2vec Algorithm

In this section, we use WMP2vec algorithm to learn the embedding vector of the nodes (apps) from the constructed weighted heterogeneous graph and then take their embedding vectors as the input of Random Forest (RF) model to classify fraudulent apps.

Based on Section 2.2.2, we construct a weighted heterogeneous graph and define a metapath: app-user-ad-user-app (PUAUP); that is, , which represents the heterogeneous semantic of fraud publishers (apps) that mimic legitimate users to act on the ads from the apps.

3.3.1. Comparison Models and Parameters

We compare the AP and AUC of the WMP2vec model with three well-known graph embedding models: DeepWalk [23], Node2vec [24], and Metapath2vec [20]. The compared algorithms and their parameters are as follows:(1)DeepWalk: DeepWalk [23] is the first graph embedding model based on Word2vec. We use Skip-Gram model [21] and hierarchical softmax [25] with gradient descent to learn the node representation. Negative sampling technique [22] is used to accelerate the Skip-Gram model. The count of random walk is 30, and the walk length is 40.(2)Node2vec: Node2vec [24] extends DeepWalk algorithm through introducing backward probability and forward probability q. The same random walk parameters (count = 30 and length = 40) are used with DeepWalk, and the negative sampling technique is also used. In addition, we use and q = 0.2 for backward probability and forward probability, respectively.(3)Metapath2vec: Metapath2vec [20] uses the metapath based random walk to construct node sequences and then leverages Skip-Gram to perform node embedding. The metapath in this study is PUAUP. The count of random walk is 30, and the walk length is 10.(4)WMP2vec: We use the same parameters (count = 30, length = 10, and metapath = PUAUP) with Metapath2vec, and the weighted bias β is 0.1 additionally.

In all the compared models, we train Skip-Gram model with window size of 5, and the negative samples is 5 in negative-sampling. The graph-based feature of each node is a 32-dimensional vector. The parameters of the RF model are as follows: the number of weak learners is 150, max. deep is 5, and min. sample leaf is 5.

3.3.2. Experimental Results

Tables 2 and 3 show the experimental results by comparing the AP and AUC over 10-fold cross-validation for seven days. The WMP2vec model reached highest AP value in six days and highest AUC value in three days over all seven days. The Metapath2vec model reached highest AP value in one day and highest AUC value in two days over seven days. Thus, WMP2vec outperforms all other models, such that WMP2vec > Metapath2vec > Node2vec > DeepWalk.


DateDeepWalkNode2vecMetapath2vecWMP2vec

1st June0.168 ± 0.0820.343 ± 0.0570.344 ± 0.0650.384 ± 0.055
2nd June0.318 ± 0.1370.384 ± 0.0790.342 ± 0.0670.421 ± 0.084
3rd June0.281 ± 0.0750.439 ± 0.1220.401 ± 0.1100.459 ± 0.114
4th June0.313 ± 0.0730.335 ± 0.0850.360 ± 0.0960.409 ± 0.099
5th June0.308 ± 0.1210.379 ± 0.1020.387 ± 0.0740.411 ± 0.091
6th June0.199 ± 0.1130.230 ± 0.0890.369 ± 0.0970.404 ± 0.102
7th June0.244 ± 0.0540.297 ± 0.0750.371 ± 0.0940.353 ± 0.075


DateDeepWalkNode2vecMetapath2vecWMP2vec

1st June0.788 ± 0.0270.801 ± 0.0380.837 ± 0.0380.877 ± 0.030
2nd June0.828 ± 0.0320.848 ± 0.0250.864 ± 0.0280.893 ± 0.027
3rd June0.935 ± 0.0230.950 ± 0.0240.912 ± 0.0280.921 ± 0.024
4th June0.824 ± 0.0320.824 ± 0.0400.849 ± 0.0450.879 ± 0.045
5th June0.799 ± 0.0600.835 ± 0.0550.853 ± 0.0520.849 ± 0.038
6th June0.757 ± 0.0760.891 ± 0.0420.844 ± 0.0460.856 ± 0.041
7th June0.804 ± 0.0310.820 ± 0.0270.844 ± 0.0380.825 ± 0.049

3.3.3. Impacts of Parameters

In this subsection, we evaluate the impacts of parameters over the classification task: (i) count of random walk, walk length, and window size of Skip-Gram in WMP2vec and Metapath2vec model; (ii) weighted bias β of WMP2vec. We compare the AP and AUC values in the dataset from one day.

(1). Count of Random Walk. Figure 3 shows the experimental results by comparing the AP and AUC with different count of random walk, with fixed walk length of 5. When the count of random walk is larger than 30, WMP2vec and Metapath2vec models have better performance than count = 10, respectively. In addition, the values of AP and AUC have slight changes when the count of random walk is 30, 50, or 70.

(2). Walk Length. Figure 4 shows the experimental results by comparing the AP and AUC with different walk length (length = 5, 10, 20, 50, and 80), with fixed count of random walk of 10. WMP2vec and Metapath2vec models reach better performance when the walk length ≥10. In addition, when the length changes from 10, 20, and 50 to 80, the AP values change very little and the AUC values have some fluctuations.

(3). Window Size of Skip-Gram. Figure 5 shows the experimental results by comparing the AP and AUC with different window size (size = 3, 4, 5, 6, and 7) over the classification task. The best performance of models is reached when the window size is 5.

(4). Weighted Bias of WMP2vec. Figure 6 shows the experimental results by comparing the AP and AUC with different weighted bias β of WMP2vec (β = 0.1, 0.3, 0.5, 0.7, and 1.0) over the classification task. As the weighted bias β increases, the performance of WMP2vec gets closer to the performance when β = 1.0. The values of AP and AUC change very little when β ≥ 0.5.

3.4. Evaluation of Hybrid Neural Network

In this section, we evaluate the classification performance of HNN model for fusing graph-based features and attribute-based features in GFD approach. As the flow of GFD approach in Figure 1, we extract the attribute-based features and the graph-based features and then use HNN model to fuse two kinds of features to identify fraudulent apps.

3.4.1. Features Extraction

Based on Section 2.3, we divide the log data for each app into 24 parts per day; that is, the time window is one hour. We calculate the ratio of records whose attributes take a certain value to all records in each time window, and we calculate them for each of 22 attributes in total, such as anonymized user id, advertisement id, country id, and device operating system. In addition, we calculate the ratio for browsing behavior and other actions on ads of users, respectively. Finally, we get 24 features for a time window (one hour), and the dimension of attribute-based features of each app is 24 × 24 for one day.

Based on Section 2.2.2 and Section 3.3, for the graph-based feature extraction, we construct the weighted heterogeneous graph of user-app-ad and then extract the graph-based feature through training by using WMP2vec. The dimension of graph-based features for each app is 32.

3.4.2. Comparison Models and Experiment Setup

We compare the proposed HNN with Support Vector Machine (SVM), Random Forests (RF), and Fully Connected Neural Networks (FCNN).(i)SVM : SVM is an effective widely used two-class classification model. The RBF kernel is used and penalty parameter C is 0.9.RF : RF is a well-known ensemble learning method that operates by constructing a multitude of decision trees at training time. The number of decision trees is 200 with depth of 5. Minimum samples split and minimum samples leaf are set to 5, respectively.FCNN : FCNN is a fully connected neural network. The number of hidden layers is 4, with 100 neurons in each layer. The learning rate is 0.001 and the keep probability of dropout is 0.9.HNN : HNN is the fusing model proposed in this study. The number of convolutional layers is 2, and the kernel size is 3 × 3. The number of fully connected layers is 2 with 100 neurons, using activation function “ReLU,” and the keep probability of dropout is 0.9. The learning rate is 0.0001, the weight decay factor of learning rate is 0.98, and the batch size is 100.

In order to make sure that all models could learn the same knowledge from the dataset, when training the comparison models, we flatten the attribute-based features into a 576-dimensional vector. Furthermore, the vector is concatenated with graph-based features, and the dimension of total input vector is 576 + 32 = 608.

We randomly divide the negative samples and positive samples of the dataset into three subsets 8 : 1 : 1, respectively, and combine the corresponding positive and negative example subsets into training (80%), validation (10%), and test (10%) sets. In order to handle the imbalanced category problem between fraudulent and nonfraudulent apps, we adopt upsampling technique during training.

3.4.3. Experimental Results

The experimental results are shown in Tables 4 and 5. The HNN model proposed in this study reaches the highest AP value in six days and the highest AUC value in four days over all seven days. The FCNN, RF, and SVM models have similar performance to AUC measure, and Table 4 shows that HNN > FCNN > RF > SVM with AP measure. Thus, HNN outperforms all other models in terms of AP and AUC measures.


Model1st June2nd June3rd June4th June5th June6th June7th June

SVM0.4430.5520.5660.3210.3940.2610.353
RF0.5470.3290.6450.5050.4280.6360.489
FCNN0.5840.6780.6380.5410.5740.5380.541
HNN0.6320.6890.7520.5670.5860.5920.592


Model1st June2nd June3rd June4th June5th June6th June7th June

SVM0.9410.9600.9700.9420.9610.9160.937
RF0.9190.9420.9490.9370.9440.9380.945
FCNN0.8760.9560.9360.9650.9570.9400.958
HNN0.9190.9520.9810.9620.9650.9540.963

3.4.4. Comparative Experiments without Graph-Based Features

To show the contribution of graph-based feature extraction in proposed GFD approach, we remove the graph-based features in our dataset. When the proposed HNN model has only attribute-based features as input and no graph-based features as input, the HNN model leaves only the fully connected part to work, since the convolution part of HNN model has no input. This also means that the working HNN model would change to a fully connected neural network, that is, FCNN model, in this setting. So we use the SVM, RF, and FCNN models in this comparative experiment. The results are shown in Tables 6 and 7. Comparing the performances of models with/without graph-based features in Tables 4 and 5 and Tables 6 and 7, we could find that the FCNN model with graph-based features reaches better performance than the model without the graph-based features in both AP and AUC measures, while the performance improvement of SVM and RF models is not obvious with graph-based features.


Model1st June2nd June3rd June4th June5th June6th June7th June

SVM0.3890.5470.4490.3930.3040.3570.366
RF0.5260.4900.6390.5120.5070.6280.536
FCNN0.4330.6050.6360.5280.5470.5260.517


Model1st June2nd June3rd June4th June5th June6th June7th June

SVM0.8890.9440.9470.9500.9510.9300.938
RF0.9080.9400.9450.9320.9500.9320.948
FCNN0.9070.9500.9310.9400.9330.9130.951

3.4.5. Impacts of Parameters

(1). Time Windows. Time window in attribute-based feature extraction of GFD approach decides the dimension of attribute-based features. We designed experiments to show the impact of time window, and the result is shown in Table 8. The size of time window is set to be 1, 3, and 6 hours. The continuous increase in size of time window makes HNN perform worse AP values. The other models seem to be not sensitive to the size of time window.


ModelAUCAP
1 hour3 hours6 hours1 hour3 hours6 hours

HNN0.950.910.910.630.560.44
FCNN0.880.890.870.580.560.54
RF0.920.920.920.550.480.55
SVM0.940.950.950.440.450.45

(2). Number of Convolutional Layers in HNN Model. We compare the effect of the number of convolutional layers of 1, 2, and 3 in HNN model and show the results in Table 9. The AUC and AP values achieve a high level when the number of convolutional layers is 2.


ModelAUCAP
12312T3

HNN0.9220.9420.9500.6050.6300.405

(3). Number of Fully Connected Layers in HNN Model. We set the number of fully connected layers to be from 1 to 4, and the experiment result is shown in Table 10. When the number of fully connected layers is 2, the HNN model reaches the highest performance.


ModelAUCAP
12341234

HNN0.9260.9350.9030.8630.5750.6600.6490.632

(4). Activation Functions in HNN Model. We compare three well-known activation functions, ReLU, tanh, and Sigmoid, in HNN model, and the experiment results are shown in Table 11. The AUC values of the models with different activation functions are similar, and ReLU is slightly better than others. In terms of AP, ReLU is obviously better than the other two activation functions.


ModelAUCAP
ReLUtanhSigmoidReLUtanhSigmoid

HNN0.9260.9230.9210.6340.6250.623

Our work is related to existing studies on attribute-based fraud detection and graph-based fraud detection with machine learning. The challenges of fraud detection problem in mobile advertising system are summarized as accuracy requirement, throughput requirement, and the ability to combat the latest fraud methods [1].

Attribute-based fraud detection approaches have been used in fraud detection domain. Crussell et al. [26] built decision trees based on the features extracted from their dataset for classification. Liu et al. [27] proposed a binary SVM classifier to determine whether two UIs are likely to lead to equivalent states. This classification is used to simulate user interaction in the context of ad clicking. In order to classify malicious publishers, Mouawi et al. [11] evaluated KNN, SVM, and ANN based on features extracted from dataset, and the experimental results show that all three classifiers give very promising result. Haider et al. [2] proposed an ensemble-based method to classify each individual ad display as fraudulent or nonfraudulent. Gabriel et al. [28] evaluated the performance of logistic regression, gradient trees, and deep learning method in credit card fraud detection and proved that deep learning method outperforms the other compared methods.

Graph-based fraud detection approaches have been studied recently. Hu et al. [15] proposed a weighted graph propagation algorithm to identify the fraudulent apps in the user-app bipartite graphs. Vasumati et al. [29] applied decision trees to classify spam publishers based on constructed feature vector and computed spam score for each of the spam publishers by constructing a bipartite graph between users and publishers to find fraud publishers. What is more, the natural language processing (NLP) models known as Word2vec [23] have been applied to graph embedding, such as DeepWalk [10], Node2vec [21], and Metapath2vec [22]. Zheng et al. [30] proposed an unsupervised method to detect abnormal users and items through deep joint network embedding. Yu et al. [16] proposed a deep embedding approach for anomaly detection in dynamic networks by learning network representations which can be updated dynamically as the network evolves.

Mobile advertising fraud detection is still challenging; however, ensemble learning methods were usually the winner algorithms in fraud detection competition [10], and deep learning and graph learning are recently the most promising methods in this area.

There are two key differences between our proposed approach and existing works. First, we used app id, ad id, and user id from the real-world dataset to construct a weighted heterogeneous graph with these three types of nodes and proposed the graph embedding algorithm for mobile advertising fraud detection. The popular existing datasets, such as TalkingData dataset [31], usually have one or two types of entities (e.g., app id), so there are not enough entities to construct a heterogeneous graph as we did in this paper. Second, we proposed a fusing model to combine attribute-based and graph-based information for mobile advertising fraud detection by graph embedding and deep learning methods.

5. Conclusion

In this paper, we focus on the fraud detection problem in mobile advertising to detect fraudulent publishers. We propose a novel weighted heterogeneous graph and deep learning-based fraud detection approach, namely, GFD, to identify fraudulent apps for mobile advertising. Based on the relationship of users, publishers, and advertisement in mobile ad system, we construct a weighted heterogeneous graph and proposed a weighted metapath based graph embedding approach, named WMP2vec, to learn structural features of publishers in the graph. Furthermore, we construct a hybrid convolutional neural network to learn high-order features from attribute-based features and graph-based features. The experimental results in a real-world dataset show that our method is effective in classifying fraudulent apps for mobile advertising system.

There are two limitations in the work presented here. First, the dataset is limited to one mobile advertising dataset. In order to be more generalizable, it would be important to see whether the proposed GFD approach excels in more fraud detection datasets. Second, the dataset is limited to seven days. In the complex and dynamic online advertising environment, more time is still needed to evaluate the proposed approach.

Despite being focused on mobile advertising fraud detection in this presentation, the proposed GFD approach could be generalized to benefit many other online applications (e.g., e-commerce) that involve relationship between several types of entities. Future work should focus on the robustness and accuracy of our proposed model for other large-scale online datasets.

Data Availability

The data used to support the findings of this study are available from the corresponding author upon request.

Conflicts of Interest

The authors declare that there are no conflicts of interest.

Acknowledgments

This work was supported in part by the Natural Science Foundation of Guangdong Province of China (Grant no. 2018A030313309), the Innovation Fund of Introduced High-End Scientific Research Institutions of Zhongshan (Grant no. 2019AG031), and the Fundamental Research Funds for the Central Universities, SCUT (Grant no. 2019KZ20).

References

  1. A. Zarras, A. Kapravelos, G. Stringhini, T. Holz, C. Kruegel, and G. Vigna, “The dark alleys of madison avenue: understanding malicious advertisements,” in Proceedings of the 2014 Conference on Internet Measurement Conference, pp. 373–380, Vancouver, BC, Canada, November 2014. View at: Publisher Site | Google Scholar
  2. C. M. R. Haider, A. Iqbal, A. H. Rahman, and M. S. Rahman, “An ensemble learning based approach for impression fraud detection in mobile advertising,” Journal of Network and Computer Applications, vol. 112, pp. 126–141, 2018. View at: Publisher Site | Google Scholar
  3. V. Dave, S. Guha, and Y. Zhang, “Measuring and fingerprinting click-spam in ad networks,” in Proceedings of the ACM SIGCOMM 2012 Conference on Applications, Technologies, Architectures, and Protocols for Computer Communication, pp. 175–186, ACM, New York, NY, USA, August 2012. View at: Publisher Site | Google Scholar
  4. H. Haddadi, “Fighting online click-fraud using bluff ads,” ACM SIGCOMM Computer Communication Review, vol. 40, no. 2, pp. 21–25, 2010. View at: Publisher Site | Google Scholar
  5. A. RodrigoR. JGB de Queiroz and E. R. Cavalcanti, “A proposal to prevent click-fraud using clickable captchas,” in Proceedings of the 2012 IEEE Sixth International Conference on Software Security and Reliability Companion, pp. 62–67, IEEE, Gaithersburg, MD, USA, June 2012. View at: Publisher Site | Google Scholar
  6. D. Antoniou, M. Paschou, E. Sakkopoulos et al., “Exposing click-fraud using a burst detection algorithm,” in Proceedings of the 2011 IEEE Symposium on Computers and Communications (ISCC), pp. 1111–1116, IEEE, Kerkyra, Greece, June 2011. View at: Publisher Site | Google Scholar
  7. W. Li, H. Li, H. Chen, and Y. Xia, “Adattester: secure online mobile advertisement attestation using trustzone,” in Proceedings of the 13th Annual International Conference on Mobile Systems, Applications, and Services, pp. 75–88, Florence Italy, May 2015. View at: Publisher Site | Google Scholar
  8. J. Kwon, J. Kim, J. Lee, H. Lee, and P. Adrian, “PsyBoG: power spectral density analysis for detecting botnet groups,” in Proceedings of the 2014 9th International Conference on Malicious and Unwanted Software: The Americas (MALWARE), pp. 85–92, IEEE, Fajardo, PR, USA, October 2014. View at: Publisher Site | Google Scholar
  9. M. Faou, L. Antoine, D. Décary-Hétu et al., “Follow the traffic: stopping click fraud by disrupting the value chain,” in Proceedings of 2016 14th Annual Conference on Privacy, Security and Trust (PST), pp. 464–476, IEEE, Auckland, New Zealand, December 2016. View at: Publisher Site | Google Scholar
  10. R. Oentaryo, Ee-P. Lim, M. Finegold et al., “Detecting click fraud in online advertising: a data mining approach,” The Journal of Machine Learning Research, vol. 15, no. 1, pp. 99–140, 2014. View at: Google Scholar
  11. R. Mouawi, M. Awad, C. Ali, H. Imad, H. El, and A. Kayssi, “Towards a machine learning approach for detecting click fraud in mobile advertizing,” in Proceedings of 2018 International Conference on Innovations in Information Technology (IIT), pp. 88–92, IEEE, Al Ain, United Arab Emirates, November 2018. View at: Publisher Site | Google Scholar
  12. G. S. Thejas, K. G. Boroojeni, K. Chandna, I. Bhatia, S. S. Iyengar, and N. R. Sunitha, “Deep learning-based model to fight against ad click fraud,” in Proceedings of the 2019 ACM Southeast Conference, pp. 176–181, ACM, Kennesaw, GA, USA, April 2019. View at: Publisher Site | Google Scholar
  13. R. Wang, B. Fu, G. Fu, and M. Wang, “Deep & cross network for ad click predictions,” in Proceedings of the ADKDD’17, pp. 1–7, ACM, Halifax, NS, Canada, August 2017. View at: Google Scholar
  14. G. S. Thejas, J. Soni, K. G. Boroojeni et al., “A multi-time-scale time series analysis for click fraud forecasting using binary labeled imbalanced dataset,” in Proceedings of 2019 4th International Conference on Computational Systems and Information Technology for Sustainable Solution (CSITSS), vol. 4, pp. 1–8, IEEE, Bengaluru, India, December 2019. View at: Publisher Site | Google Scholar
  15. J. Hu, J. Liang, and S. Dong, “iBGP: a bipartite graph propagation approach for mobile advertising fraud detection,” Mobile Information Systems, vol. 2017, Article ID 6412521, 2017. View at: Publisher Site | Google Scholar
  16. W. Yu, W. Cheng, C. C. Aggarwal, K. Zhang, H. Chen, and W. Wang, “Netwalk: a flexible deep embedding approach for anomaly detection in dynamic networks,” in Proceedings of the 24th ACM SIGKDD International Conference on Knowledge Discovery & Data Mining, pp. 2672–2681, London, UK, July 2018. View at: Google Scholar
  17. L. Bertrand, F. Braun, C. Olivier, and M. Saerens, A Graph-based, Semi-supervised, Credit Card Fraud Detection System: International Workshop on Complex Networks and Their Applications, Springer, Cham, Switzerland, 2016.
  18. P. Goyal and E. Ferrara, “Graph embedding techniques, applications, and performance: a survey,” Knowledge-Based Systems, vol. 151, pp. 78–94, 2018. View at: Publisher Site | Google Scholar
  19. D. Zhang, J. Yin, X. Zhu, and C. Zhang, “Network representation learning: a survey,” IEEE transactions on Big Data, vol. 6, no. 1, pp. 3–8, 2018. View at: Publisher Site | Google Scholar
  20. Y. Dong, N. V. Chawla, and A. Swami, “Metapath2vec: scalable representation learning for heterogeneous networks,” in Proceedings of the 23rd ACM SIGKDD International Conference on Knowledge Discovery and Data Mining, pp. 135–144, ACM, Halifax, NS, Canada, August 2017. View at: Publisher Site | Google Scholar
  21. T. Mikolov, K. Chen, G. Corrado, and J. Dean, “Efficient estimation of word representations in vector space,” 2013, https://arxiv.org/abs/1301.3781. View at: Google Scholar
  22. A. Mnih and K. Kavukcuoglu, “Learning word embeddings efficiently with noise-contrastive estimation,” in Proceedings of Advances in Neural Information Processing Systems, pp. 2265–2273, NIPS, Lake Tahoe, Nevada, January 2013. View at: Google Scholar
  23. P. Bryan, R. Al-Rfou, and S. Skiena, “Deepwalk: online learning of social representations,” in Proceedings of the 20th ACM SIGKDD International Conference on Knowledge Discovery and Data Mining, pp. 701–710, ACM, New York, NY, USA, August 2014. View at: Google Scholar
  24. A. Grover and J. Leskovec, “node2vec: scalable feature learning for networks,” in Proceedings of the 22nd ACM SIGKDD International Conference on Knowledge Discovery and Data Mining, pp. 855–864, ACM, New York, NY, USA, August 2016. View at: Google Scholar
  25. F. Morin and Y. Bengio, “Hierarchical probabilistic neural network language model,” Aistats, vol. 5, pp. 246–252, 2005. View at: Google Scholar
  26. J. Crussell, R. Stevens, and H. Chen, “Madfraud: investigating ad fraud in android applications,” in Proceedings of the 12th Annual International Conference on Mobile Systems, Applications, and Services, pp. 123–134, Bretton Woods, NH, USA, June 2014. View at: Google Scholar
  27. B. Liu, S. Nath, R. Govindan, and J. Liu, “DECAF: detecting and characterizing ad fraud in mobile apps,” in Proceedings of 11th USENIX Symposium on Networked Systems Design and Implementation (NSDI 14), pp. 57–70, Renton, WA, USA, April 2014. View at: Google Scholar
  28. R. Gabriel, C. Stancil, M. Sun, S. Adams, and B. Peter, “Horse race analysis in credit card fraud—deep learning, logistic regression, and gradient boosted tree,” in Proceedings of 2017 Systems and Information Engineering Design Symposium (SIEDS), pp. 117–121, IEEE, Charlottesville, VA, USA, April 2017. View at: Publisher Site | Google Scholar
  29. D. Vasumati, M. Sree Vani, R. Bhramaramba, and O. Yaswanth Babu, “Data mining approach to filter click-spam in mobile ad networks,” in Proceedings of Int’l Conference on Computer Science, Data Mining & Mechanical Engg.(ICCDMME’2015), Bangkok, Thailand, April 2015. View at: Google Scholar
  30. M. Zheng, C. Zhou, J. Wu, S. Pan, J. Shi, and Li Guo, “Fraudne: a joint embedding approach for fraud detection,” in Proceedings of 2018 International Joint Conference on Neural Networks (IJCNN), pp. 1–8, IEEE, Rio de Janeiro, Brazil, July 2018. View at: Publisher Site | Google Scholar
  31. Kaggle Inc, “Talking data adtracking fraud detection challenge can you detect fraudulent click traffic for mobile app ads?” 2018, https://www.kaggle.com/c/talkingdata-adtracking-fraud-detection/data. View at: Google Scholar

Copyright © 2020 Jinlong Hu et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.


More related articles

 PDF Download Citation Citation
 Download other formatsMore
 Order printed copiesOrder
Views141
Downloads48
Citations

Related articles

We are committed to sharing findings related to COVID-19 as quickly as possible. We will be providing unlimited waivers of publication charges for accepted research articles as well as case reports and case series related to COVID-19. Review articles are excluded from this waiver policy. Sign up here as a reviewer to help fast-track new submissions.