JP2009230524A - Dishonesty detection device and dishonesty detection method - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To detect the presence/absence of dishonest user operation in a web page with high accuracy. <P>SOLUTION: A click detecting part 303 detects that a user has clicked a banner for advertisement in an advertisement carrying web page. An IP address extracting part 304 extracts an IP (Internet Protocol) address of a distribution destination of the advertisement carrying web page from distribution information. An area estimating part 305 estimates an area corresponding to the IP address of the distribution destination of the advertisement carrying web page with reference to area information stored in an area information storing part 302. A CTR (Click Through Rate) storing part 306 uses an area estimation result in the area estimating part 305 to calculate and store a CTR in each area. A deviation calculating part 307 calculates respective deviations about CTRs of each area. A threshold determining part 308 compares the CTR deviation with a prescribed threshold, and determines that a banner of the advertisement carrying web page is dishonestly clicked in an area where deviation is equal to or more than the prescribed threshold. <P>COPYRIGHT: (C)2010,JPO&INPIT

Description

  The present invention relates to a fraud detection device and a fraud detection method, and more particularly to a fraud detection device and a fraud detection method that can accurately detect the presence or absence of an unauthorized user operation on a web page.

  In recent years, with the rapid spread of the Internet, advertisement distribution via the Internet has been actively performed. In such advertisement distribution, for example, an advertisement technique called an affiliate may be employed. Affiliates place a banner on their site that includes a link to the advertiser ’s site, and when the banner is clicked and the advertiser ’s site is viewed or a product is purchased after browsing, Rewards are paid to publishers.

  In such affiliates, the reward for each publisher may be determined according to the number of clicks on the banner, so if a malicious user or the publisher himself / herself repeatedly clicks the same banner, Advertisers may have to pay high rewards regardless of advertising effectiveness. Therefore, for example, in Patent Document 1, a user ID is given to a user who clicks an advertisement, and the number of clicks is counted for each user ID, for each distribution screen for distributing the advertisement, and for each advertisement, and an illegal click is detected. It is being considered.

JP 2007-286803 A

  However, the conventional method has a problem that there is a certain limit to the detection accuracy of illegal clicks. That is, for example, in the technique of the above-mentioned Patent Document 1, when a user requests a click of an advertisement from a related person such as a friend or a colleague, user IDs of users who click the advertisement are distributed to a plurality of user IDs, It may not be detected. In addition, since the user ID is assigned to the user terminal, fraud can be accurately detected even when the same user repeatedly clicks on advertisements from different user terminals at different locations such as home and work. Not.

  As described above, in the conventional method, when the number of clicks from the same user terminal is abnormally large, or when the number of clicks for the same advertisement is excessively large within a certain period of time, an illegal click is performed. Since it is common to make a determination, it is not possible to sufficiently cope with the diversified method of illegally charging advertising rewards.

  Further, the same problem is considered to occur in a web page where a predetermined reward is given to the user for various user operations such as answering a questionnaire, browsing, and purchasing a product. That is, for example, when a reward is given to a user who answers a questionnaire conducted on a web page, if the same user repeatedly answers the questionnaire from different user terminals, the same user is repeatedly paid It will be. Even in such a case, since the burden on the site operator who conducts the questionnaire is increased by an unauthorized user operation, it is strongly desired to detect fraud accurately.

  The present invention has been made in view of this point, and an object thereof is to provide a fraud detection apparatus and a fraud detection method that can accurately detect the presence or absence of an unauthorized user operation on a web page.

  In order to solve the above-described problem, the fraud detection device according to the present invention provides a distribution destination to which a web page including a reward generation area in which a reward is generated for the user or the web page creator in response to an operation by the user. An acquisition means for acquiring network address information, an estimation means for estimating an area corresponding to the network address information acquired by the acquisition means, and a frequency of user operations on the reward generation area for each area estimated by the estimation means And a generating unit that generates user operation information for the reward generation area based on the index value for each region calculated by the calculating unit.

  According to this configuration, an index value for each region is calculated for user operations on a reward generation area such as an advertising banner, and user operation information related to user operations for each region is generated from the index values, so it can be grasped from the user operation information It is possible to detect an unauthorized user operation by using an unnatural bias of the user operation between different regions as a determination material, and to accurately detect the presence or absence of an unauthorized user operation on a web page.

  In the fraud detection apparatus according to the present invention, in the configuration described above, the generation unit includes a comparison unit that compares an index value for each region calculated by the calculation unit with a predetermined threshold value. As a result, a configuration is adopted in which the user operation information is generated that distinguishes between regions having an index value equal to or greater than a predetermined threshold and regions having an index value less than the predetermined threshold.

  According to this configuration, since the user operation information for distinguishing the magnitude of the index value of the frequency of user operations for each region is generated, it is possible to easily specify a region where there are unnaturally many user operations for the reward generation region.

  In the fraud detection apparatus according to the present invention, in the above configuration, the generation unit is calculated by a determination unit that determines a threshold value for each region in accordance with a relationship between the reward generation region and the region, and the calculation unit. Comparing means for comparing the index value for each area with the threshold value for each area determined by the determining means, and as a result of the comparison by the comparing means, the area where the index value is greater than or equal to the threshold value and the area where the index value is less than the threshold value The user operation information that distinguishes the user operation information is generated.

  According to this configuration, in order to determine the magnitude of the index value of the frequency of user operations for each region by comparison with a threshold value according to the characteristics for each region, user operations in some regions are determined based on the relevance to the reward generation region. It is possible to more accurately detect the presence or absence of an unauthorized user operation while considering the possibility of increase / decrease.

  Further, the fraud detection device according to the present invention may be configured such that, in the above configuration, the determining means makes a threshold value of a region related to a web page creator who created a web page including a reward generation region smaller than a threshold value of another region. Take.

  According to this configuration, in order to reduce the threshold value of the area related to the web page creator, for example, in the area where the web page creator's home address or work address is located, the user may operate relatively less frequently. Since the index value of the operation frequency is equal to or greater than the threshold value, it is determined that the frequency of the user operation is high, and thus it is possible to detect an unauthorized user operation more strictly.

  In addition, the fraud detection apparatus according to the present invention employs a configuration in which, in the above-described configuration, the determination unit makes a threshold value of a region related to contents displayed in the reward generation region larger than a threshold value of another region.

  According to this configuration, in order to increase the threshold value of the area related to the content displayed in the reward generation area, for example, the area where the frequency of user operations is considered to increase naturally, such as the area where there is a store advertised by the reward generation area This means that even if the frequency of user operations is relatively large, the index value of the user operations is less than the threshold value, and it is determined that the frequency of user operations is small, and thus erroneous detection of unauthorized user operations can be prevented. it can.

  Further, the fraud detection device according to the present invention is the above configuration, wherein the calculation means includes detection means for detecting the number of times of user operations on the reward generation area from the distribution information indicating the distribution status of the web page. The ratio of the number of user operations detected by the detection means to the number of times the web page is included is calculated for each region, and a deviation value for each calculated ratio for each region is calculated.

  According to this configuration, the number of user operations is detected from the distribution information, and the deviation value of the ratio of the number of user operations to the number of web page displays is calculated for each region. And can be expressed accurately.

  In the fraud detection device according to the present invention, in the configuration described above, the generation unit is fraudulent in an area where the number of user operations on the reward generation area is greater than other areas based on the deviation value calculated by the calculation means. A configuration is employed in which user operation information indicating that there is a user operation is generated.

  According to this configuration, the presence or absence of an unauthorized user operation is determined based on the deviation value for each region, and user operation information indicating the determination result is generated. Therefore, the unauthorized user operation that can be determined from the unevenness of the number of user operations between regions The presence or absence of this can be directly grasped from the user operation information.

  In the fraud detection apparatus according to the present invention, in the above configuration, the estimation means includes storage means for storing area information in which network address information is associated with an area corresponding to the network address information, and the storage means The region corresponding to the network address information is estimated by referring to the region information accumulated by the above.

  According to this configuration, since the region corresponding to the network address information is estimated by referring to the accumulated region information, the web page distribution destination can be determined from the correspondence between the network address information and the region that are always kept up-to-date. The region can be estimated, and the index value of the frequency of user operations for each region can be accurately calculated. As a result, the presence or absence of an unauthorized user operation can be detected more accurately.

  In addition, the fraud detection method according to the present invention obtains network address information of a distribution destination to which a web page including a reward generation area in which a reward for the user or the web page creator is generated in response to an operation by the user. An acquisition step, an estimation step for estimating a region corresponding to the network address information acquired in the acquisition step, and an index value of the frequency of user operations on the reward generation region for each region estimated in the estimation step A calculation step for calculating, and a generation step for generating user operation information for the reward generation region based on the index value for each region calculated in the calculation step.

  According to this method, an index value for each region is calculated for user operations on a reward generation area such as an advertising banner, and user operation information related to the user operation for each region is generated from the index value. It is possible to detect an unauthorized user operation by using an unnatural bias of the user operation between different regions as a determination material, and to accurately detect the presence or absence of an unauthorized user operation on a web page.

  According to the present invention, it is possible to accurately detect the presence or absence of an unauthorized user operation on a web page.

  The gist of the present invention is that region information in which an IP (Internet Protocol) address and a region to which the IP address belongs is used, and the frequency of user operations on the same web page from a specific region is different from other regions. It is determined that an unauthorized user operation is being performed when the frequency is extremely higher than the frequency of user operations from Hereinafter, embodiments of the present invention will be described in detail with reference to the drawings. In the following, the frequency of user operations will be described by taking the number of clicks in a banner area such as an affiliate as an example.

(Embodiment 1)
FIG. 1 is a block diagram showing a schematic configuration of a network according to Embodiment 1 of the present invention. As shown in the figure, in the network according to the present embodiment, a plurality of user terminals 100-1 to 100-m (m is an integer of 1 or more) are connected to the web server device 200 via the Internet N. In addition, the web server device 200 and the unauthorized click detection device 300 are connected.

  The user terminals 100-1 to 100-m are terminal devices such as personal computers operated by the user, and display web pages distributed from the web server device 200 according to user operations. Each of the user terminals 100-1 to 100-m includes a pointing device such as a mouse. When the user clicks on an advertisement banner arranged in a web page using the pointing device, the user's site Display the web page. In the following, the web page on which the banner for advertising is placed is called the “advertisement web page”, and the web page of the advertiser's site to which the banner is linked is called the “advertising web page”. To do.

  When an advertisement banner is clicked on the user terminals 100-1 to 100-m, the number of clicks is counted, for example, by the web server device 200 or the like, and the number of clicks is given to the publisher of the advertising web page. The corresponding reward will be paid by the advertiser. When these user terminals 100-1 to 100-m are connected to the Internet N, unique IP addresses are assigned to them.

  The web server device 200 distributes the advertisement posting web page and the advertisement web page according to the operation from the user terminals 100-1 to 100-m. Further, the web server device 200 counts, for example, the number of clicks on a banner on an advertising web page or member information including the name and address of a user input on a web page for joining a specific membership system site. The process according to the operation of the user who browsed the web page delivered to the user terminals 100-1 to 100-m, such as accepting, is executed. Although not shown in FIG. 1, the web server device 200 is connected to a database that stores the content of each web page. The web server device 200 collects necessary content from the database to generate a web page, and each user terminal 100 You may make it deliver to -1-100-m.

  The unauthorized click detection device 300 accumulates regional information indicating the correspondence between the IP addresses assigned to the user terminals 100-1 to 100-m and the regions to which the respective IP addresses belong, and uses the regional information for advertisement. The number of clicks on the banner is totaled for each region, and when there are regions where the number of clicks is prominent, it is detected that an illegal click is being executed.

  FIG. 2 is a block diagram showing a main configuration of the unauthorized click detection device 300 according to the present embodiment. An unauthorized click detection device 300 shown in FIG. 2 includes a region information receiving unit 301, a region information storage unit 302, a click detection unit 303, an IP address extraction unit 304, a region estimation unit 305, and a CTR (Click Through Rate) storage. A unit 306, a deviation value calculation unit 307, a threshold determination unit 308, and an unauthorized information output unit 309.

  The area information receiving unit 301 receives area information indicating the correspondence between the IP address and the area to which the IP address belongs from an external device such as the web server apparatus 200. Specifically, the area information receiving unit 301 obtains area information that can be used to link an IP address and an area to which the IP address is assigned, such as information on an assigned IP address for each area determined by an Internet service provider. Receive. The regional information received by the regional information receiving unit 301 includes, for example, member information input by the user when joining the membership system site as shown in FIG. 3 in addition to the information at the service provider. In addition, for example, when a user enters an area code or zip code on a web page that can check whether a communication line can be laid from the area code or zip code of a telephone number, It may be information. In this case, it is possible to associate the area estimated from the area code or zip code with the IP address of the user terminal used by the user.

  The region information storage unit 302 stores the region information received by the region information receiving unit 301. That is, the area information storage unit 302 stores an area information table in which an IP address is associated with an area to which the IP address is assigned, for example, as illustrated in FIG. In the example of the area information table shown in FIG. 4, for example, the IP address “PPP” is assigned to the user terminal in “Tokyo KKK Ward”. Therefore, when there is a request for distribution of an advertising web page or a click on an advertising banner from the user terminal with the IP address “PPP”, these operations are performed in the user terminal in “Tokyo KKK Ward”. It will be. The regional information storage unit 302 updates the correspondence relationship between the IP address and the region each time new regional information is received by the regional information reception unit 301, and always keeps this correspondence relationship in the latest state.

  The click detection unit 303 acquires distribution information including information on a web page distributed to each of the user terminals 100-1 to 100-m from the web server device 200, and the user uses an advertisement banner in the advertisement posting web page. Detects clicking. That is, when the advertisement detection web page is distributed to the user terminals 100-1 to 100-m after the advertisement insertion web page is distributed, the click detection unit 303 distributes the advertisement web page linked to the banner arranged in the advertisement insertion web page. Detects clicks on banners in advertising web pages. Then, the click detection unit 303 outputs the distribution information to the IP address extraction unit 304 and notifies the IP address extraction unit 304 of whether or not the advertisement banner is clicked.

  The IP address extraction unit 304 extracts the IP address assigned to the user terminals 100-1 to 100-m that are the distribution destinations of the advertisement posting web pages from the distribution information. Then, the IP address extraction unit 304 notifies the region estimation unit 305 of the IP address to which the advertisement posting web page is distributed and whether or not a banner is clicked from the user terminal to which this IP address is assigned.

  The region estimation unit 305 refers to the region information stored in the region information storage unit 302 and estimates a region corresponding to the IP address of the delivery destination of the advertising web page. In other words, the region estimation unit 305 estimates in which region the user terminal in which the advertisement posting web page distributed from the web server device 200 is viewed. In addition, when a banner in the advertisement posting web page is clicked, the region estimation unit 305 estimates in which region the user terminal is clicked on the banner.

  The CTR storage unit 306 calculates a click-through rate (hereinafter referred to as “CTR”) for each advertising web page and each region, using the result of the region estimation in the region estimation unit 305, and calculates the calculated CTR for each region. Remember. That is, the CTR storage unit 306 divides the number of times the banner in the advertising web page is clicked on the user terminal in the same region by the number of times the advertising web page is browsed on the user terminal in this region. The CTR is calculated and stored in a format as shown in FIG. 5, for example. In the example shown in FIG. 5, the CTR at 20 o'clock in the banner for advertisement placed on the advertisement posting web page “http: // XXX” is “36.88%” in “Tokyo KKK Ward”. Yes, it is “0.03%” in “Tokyo LLL Ward” and “0.06%” in “Tokyo MMM Ward”.

  The deviation value calculation unit 307 calculates a deviation value for each region's CTR stored in the CTR storage unit 306. That is, the deviation value calculation unit 307 calculates a deviation value as an index indicating whether or not the CTR of each region is extremely large compared to the average value.

  The threshold value determination unit 308 compares the deviation value calculated by the deviation value calculation unit 307 with a predetermined threshold value, and in regions where the deviation value is equal to or greater than the predetermined threshold value, the CTR is extremely large. Is determined to have been clicked illegally. In other words, if the CTR in a specific area is extremely large, there is a possibility that one or a few users, such as malicious users and website publishers, repeatedly click on the banner from the same area. The threshold determination unit 308 determines an area where the CTR deviation value is extremely large as an area where an illegal click has occurred.

  The unauthorized information output unit 309 outputs the determination result by the threshold determination unit 308 as unauthorized information. Specifically, the unauthorized information output unit 309 displays a map that is colored so as to be able to identify, for example, an area where it is determined that an unauthorized click has occurred. In this embodiment, the unauthorized information output unit 309 outputs the determination result by the threshold determination unit 308 as unauthorized information. However, the unauthorized information output unit 309 outputs the CTR deviation value itself for each region as unauthorized information. It can also be provided as a material for determining whether or not a click has occurred.

  Next, an unauthorized click detection method by the unauthorized click detection apparatus 300 configured as described above will be described with reference to the flowchart shown in FIG. Here, it is assumed that when the regional information is received by the regional information receiving unit 301, the regional information stored in the regional information storage unit 302 is updated at any time and is kept in the latest state.

  When browsing a web page, the user operates the user terminals 100-1 to 100-m to request delivery of a desired web page. That is, for example, when a user operates the user terminal 100-1 to request delivery of a web page, this request is processed by the web server device 200, and an advertisement posting web page or an advertisement web page is delivered to the user terminal 100-1. Is done. At this time, when the advertisement posting web page is distributed from the web server device 200, distribution information including information on the advertisement posting web page is acquired by the click detection unit 303 (step S101). This distribution information includes information related to the link destination (that is, the advertisement web page) of the banner for advertisement placed on the advertisement insertion page, the IP address assigned to the user terminal 100-1 as the distribution destination, and the like. .

  Then, the click detection unit 303 detects a click on a banner placed on the advertisement posting web page (step S102). That is, when the distribution information indicates that the advertisement web page is distributed to the same user terminal 100-1 immediately after the advertisement insertion web page is distributed, the banner of the advertisement insertion web page is clicked by the click detection unit 303. Is detected. Further, when a web page unrelated to the banner is delivered to the user terminal 100-1 immediately after the delivery of the advertisement posting web page, the banner of the advertisement posting web page has not been clicked.

  The result of detecting the presence or absence of a click by the click detection unit 303 is output to the IP address extraction unit 304 together with the distribution information of the advertisement posting web page. Then, the IP address extraction unit 304 extracts the IP address of the user terminal 100-1 that is the distribution destination of the advertisement posting web page (step S103). The IP address assigned to the user terminal 100-1 is associated with a specific area by the area information stored in the area information storage unit 302.

  Therefore, the region estimation unit 305 refers to the region information stored in the region information storage unit 302 and estimates the region corresponding to the IP address of the user terminal 100-1 (step S104). As described above, since the area information accumulated in the area information accumulation unit 302 is always kept up-to-date, the position of the user terminal 100-1 is accurately estimated as a result of estimation by the area estimation unit 305. It will be. Further, the detection of the presence or absence of a click by the click detection unit 303 reveals whether or not the advertisement banner arranged on the advertisement posting web page has been clicked on the user terminal 100-1 that is the distribution destination of the advertisement insertion web page. ing.

  Therefore, the CTR of the advertising web page in the area to which the user terminal 100-1 belongs can be calculated, and the CTR of the area to which the user terminal 100-1 belongs is calculated by the CTR storage unit 306 (step S105). Specifically, the CTR storage unit 306 calculates the ratio of the number of times the banner is clicked with respect to the number of times the advertisement insertion page is viewed within a predetermined time with respect to the area to which the user terminal 100-1 belongs. The calculated CTR for each region is stored in the CTR storage unit 306.

  The CTR stored by the CTR storage unit 306 often falls within the range of about 0.05 to 0.1% under the condition that no illegal click occurs. However, if the banner of the advertisement web page is repeatedly clicked by a malicious user or the like, it is considered that the CTR of the region to which the user terminal used for this illegal click belongs becomes extremely large. Therefore, in order to determine whether or not the CTR of each region is extremely large, the deviation value calculation unit 307 calculates the CTR deviation value for each region (step S106). In regions where the CTR deviation value is large, the CTR is extremely large compared to other regions, and it can be said that there is a possibility that an illegal click has occurred.

  The deviation value for each area calculated by the deviation value calculation unit 307 is output to the threshold value determination unit 308 and compared with a predetermined threshold value (step S107). As a result of this comparison, for areas where the deviation value is equal to or greater than the predetermined threshold (Yes in step S107), the threshold determination unit 308 determines that an illegal click has occurred (step S108). On the other hand, for an area where the deviation value is less than the predetermined threshold value (No in step S107), the threshold value determination unit 308 determines that an illegal click has not occurred (step S109).

  Thereby, it is possible to detect an area where there is a high possibility that the banner of the advertisement posting web page is illegally clicked. At this time, since the number of users who perform unauthorized clicks is considered to be one or a small number, the range of action is also considered to be limited, so the user terminal used by the user was changed to change the IP address. Even if an illegal click is made above, the region where the illegal click occurs is considered to be biased to a specific region. Similarly, even if one or a small number of users repeat illegal clicks while using a large number of user IDs, the CTR only in a specific region is considered to increase. Therefore, by estimating the area from the IP address of the user terminal 100-1 and paying attention to the size of the CTR for each area, it is possible to accurately determine the presence or absence of unauthorized clicks.

  The presence / absence of unauthorized clicks for each region determined in this way is notified from the threshold determination unit 308 to the unauthorized information output unit 309, and the unauthorized information output unit 309 can visually grasp the presence / absence of unauthorized clicks for each region. (Step S110). Specifically, for example, as schematically illustrated in FIG. 7, the unauthorized information output unit 309 displays the unauthorized information in which the area where the unauthorized click is detected and the area where the unauthorized click is not detected are colored. The Also, instead of the illegal information colored so that the presence or absence of unauthorized click detection can be identified, the unauthorized information output unit 309 displays unauthorized information in which each region is color-coded by the CTR value or the CTR deviation value for each region. You may do it. In this case, the displayed illegal information is used as a determination material, and it is determined whether or not an illegal click has occurred in each region.

  In FIG. 7, the entire region is composed of 36 regions from the upper left A1 region to the lower right F6 region on the page, and among these, the C1 region, B2 region, and B3 region indicated by hatching in the figure , E4 area, and D5 area, it is shown that unauthorized clicks were detected. Then, when viewing the CTR for each of these 36 regions, for example, as shown in FIG. 8, the CTR of the region where the illegal click is detected (for example, the C1 region) becomes extremely larger than the CTR of the other regions. There is a high possibility that a malicious user or the like repeatedly clicks on the banner of the same advertising web page using the user terminal in the C1 region.

  As described above, according to the present embodiment, the area information indicating the correspondence relationship between the IP address and the area to which the IP address is assigned is accumulated, and the area to which the user terminal belongs is determined from the IP address by referring to the area information. The CTR deviation value for each area related to the click of the advertisement banner using the user terminal is calculated, and the area having the large deviation value is determined as the area where the illegal click has occurred. For this reason, even if one or a few users click the same banner many times while changing the user terminal or using multiple user IDs, the specific actions that reflect the limited action range of these users An increase in the number of clicks only in the region can be detected, and the presence or absence of an illegal click on the advertisement can be detected with high accuracy.

(Embodiment 2)
A feature of the second embodiment of the present invention is that, for an area where the CTR tends to be large, such as an area targeted by the advertisement web page, the threshold value compared with the deviation value of the CTR is increased. For areas where there is a tendency for unauthorized clicks to occur, such as the user's living area, the unauthorized click is detected more strictly by reducing the threshold value compared with the CTR deviation value.

  Since the schematic configuration of the network according to the present embodiment is the same as that of the first embodiment (FIG. 1), description thereof is omitted. However, in the present embodiment, the main configuration of the unauthorized click detection device 300 is different from that of the first embodiment (FIG. 2).

  FIG. 9 is a block diagram showing a main configuration of the unauthorized click detection device 300 according to the present embodiment. In this figure, the same parts as those in FIG. The unauthorized click detection device 300 illustrated in FIG. 9 has a configuration in which a page information acquisition unit 401 and a threshold determination unit 402 are added to the unauthorized click detection device 300 illustrated in FIG. 2 and the threshold determination unit 308 is replaced with a threshold determination unit 403. is doing.

  The page information acquisition unit 401 acquires information on various regions related to the advertisement posting web page from the distribution information as page information. Specifically, the page information acquisition unit 401 is arranged on information on an area (hereinafter referred to as “advertiser related area”) such as a home address and a work address of the user who created the advertisement posting web page and on the advertisement posting web page. Information on the advertisement target area of the banner (hereinafter referred to as “advertisement related area”) is acquired as page information.

  The advertisement publisher related area is an area related to a user whose reward increases due to an increase in the number of clicks of a banner placed on the advertisement posting web page. In other words, the advertiser-related area is an area where unauthorized clicks are likely to occur, and it is possible to obtain page information including the advertiser-related area from the member information of the user who created the advertising web page. is there. Advertiser-related areas include areas where there are home addresses and work addresses of the user who created the advertising web page, as well as areas where there are Internet cafes near home addresses, home addresses and work addresses Commute routes in between, areas where users 'friends and colleagues' home and work addresses are located.

  On the other hand, the advertising target related area is an area where the banner placed on the advertising web page exhibits high appeal as an advertisement, such as an area where an advertiser's store is newly opened. In other words, the advertising target related area is an area where many users are likely to click on the banner, and it is possible to obtain page information including the advertising target related area from the contents of the advertising web page and keywords associated with the banner. is there.

  Based on the advertisement publisher related area and the advertisement target related area included in the page information, the threshold determination unit 402 increases or decreases a constant value for each area, and determines a threshold for each area to be compared with the CTR deviation value. Specifically, the threshold value determination unit 402 sets a threshold value as a threshold value for an advertisement publisher-related region in order to more accurately detect the occurrence of unauthorized clicks. In addition, the threshold determination unit 402 naturally increases the constant value as the threshold because the CTR is relatively large for the advertising target related area.

  The threshold value determination unit 403 compares the CTR deviation value for each region with the threshold value determined by the threshold value determination unit 402, and in an area where the deviation value is equal to or greater than the threshold value, the banner of the advertising web page is illegally clicked. Is determined. At this time, in the present embodiment, since the threshold value for each region is determined by the threshold value determination unit 402, the threshold value determination unit 403 has an illegal click on two regions having the same CTR deviation value. It may be determined that there is no unauthorized click on the other side.

  Next, a threshold value determination method for each region in the unauthorized click detection device 300 according to the present embodiment will be described with reference to the flowchart shown in FIG.

  First, when an advertisement posting web page is distributed from the web server device 200, distribution information including information on the advertisement posting web page is acquired by the click detection unit 303 (step S201). The acquired distribution information is also used for extracting an IP address for region estimation, and the page information acquisition unit 401 acquires page information including the advertisement publisher related area and the advertisement target related area from the distribution information. (Step S202).

  The acquired page information is output to the threshold value determination unit 402. The threshold value determination unit 402 refers to the advertisement publisher related area and the advertisement target related area included in the page information, and compares each area with the CTR deviation value. Is determined. That is, the threshold value determination unit 402 determines the threshold value for the advertisement publisher-related area by reducing a certain value (step S203). As described above, by setting the threshold value relatively small for the publisher-related area, it is determined that there is an unauthorized click even if the deviation value of the CTR is small for an area that is likely to generate an unauthorized click. , It is possible to determine the presence or absence of unauthorized clicks more strictly.

  On the other hand, the threshold value determination unit 402 determines a threshold value for the advertising target related area by increasing a certain value (step S204). As described above, by setting a relatively large threshold for the advertising target related area, it is determined that there is no fraudulent click even if the CTR deviation value is increased for an area where the CTR is naturally increased. Thus, it is possible to prevent a determination that there is an unauthorized click even though no unauthorized click has occurred.

  When the threshold value for each region is determined in this way, the threshold value determination unit 403 uses this threshold value to determine the CTR deviation value for each region. Except for the threshold used by the threshold determination unit 403, the unauthorized click detection method according to the present embodiment is the same as the unauthorized click detection method according to the first embodiment (FIG. 6), and thus the description thereof is omitted. .

  In the present embodiment, since the threshold value for each region is determined based on the page information, for example, as shown in FIG. 11, the threshold value to be compared with the CTR deviation value varies depending on the region. In FIG. 11, the threshold value in the advertisement publisher related area indicated by the thick frame in the figure is relatively small, and the threshold value in the advertisement target related area indicated by the double line frame in the figure is relatively large. Therefore, for example, even if the CTR deviation value in the D1 area is equal to the CTR deviation value in the B6 area, it is determined that there is an unauthorized click in the D1 area, and it is determined that there is no unauthorized click in the B6 area. is there.

  As described above, according to the present embodiment, when determining the threshold value to be compared with the CTR deviation value for each region, the threshold value is relatively small for the advertising publisher related region, and the advertising target related region is Make the threshold relatively large. For this reason, if there is a fraudulent click in an area where fraudulent clicks are likely to occur, the fraudulent click is determined more strictly in areas where it is natural that the CTR should increase. It is possible to prevent the determination. As a result, the presence or absence of an illegal click on the advertisement can be detected with higher accuracy.

  In the second embodiment, the page information including the advertisement publisher related area and the advertising target related area is used for determining the threshold value for each area. Can be used. That is, for example, as in the first embodiment, an area where an illegal click has occurred is detected, and it is determined that there is an actual fraud when an area determined to have an illegal click matches an advertiser related area. I think that. Since malicious users are considered to perform unauthorized clicks within a limited range of actions, if an area with an extremely high CTR matches an advertiser-related area, Since there is a high possibility that an increase in CTR due to the above will occur, the accuracy of unauthorized click detection can be further improved by making the above determination.

  Similarly, in the same manner as in the first embodiment, an area where an illegal click has occurred is detected, and when the area determined to have an illegal click matches the advertisement target related area, it is determined that there is no actual fraud. Is also possible. This is because in the advertisement target related area, it is natural that the CTR becomes extremely large, and it cannot always be said that the CTR has increased due to unauthorized clicks.

  Further, in each of the above embodiments, the unauthorized click detection device 300 receives and accumulates the area information. However, when the area information is accumulated outside the unauthorized click detection device 300, the unauthorized click detection is performed. The apparatus 300 may estimate the area from the IP address using the area information accumulated outside.

  Further, in each of the above embodiments, the deviation value is used as an index indicating whether or not the CTR for each region is extremely large compared to the CTR of other regions, but the present invention is not limited to this. It is also possible to identify an extremely large CTR by performing statistical processing on the CTR for each region, and determine that an illegal click has occurred in the region corresponding to the identified CTR.

  In each of the above embodiments, it is assumed that the advertising banner in the advertisement posting web page is clicked by the pointing device. However, the present invention is not limited to this, and the advertisement is performed by an operation from a keyboard, for example. The present invention can also be applied to detecting fraud related to an operation equivalent to a click by a pointing device, such as when a linked banner web page is specified and a linked advertisement web page is distributed.

  Further, in each of the above embodiments, the unauthorized click on the advertising banner in the advertising web page is detected, but the reward generation area other than the advertising banner that generates the reward according to the number of clicks is the web page. Even in the case of being placed inside, it is possible to detect unauthorized user operations by applying the present invention in the same manner.

  Further, in addition to advertisements, for example, on a web page that conducts a questionnaire or a web page that sells products, a reward generation area in which a reward is generated when the user answers a questionnaire or purchases a product. In the case where the URL is arranged in the web page, the present invention can be similarly applied to detect an unauthorized user operation. That is, according to the present invention, the frequency of user operations is aggregated for each region, and by detecting that the aggregation results are biased, generally unauthorized user operations can be detected.

  The present invention can be applied to accurately detecting the presence or absence of an unauthorized user operation on a web page.

1 is a block diagram showing a network configuration according to Embodiment 1. FIG. It is a block diagram which shows the principal part structure of the unauthorized click detection apparatus which concerns on Embodiment 1. FIG. 6 is a diagram showing an example of regional information according to Embodiment 1. FIG. It is a figure which shows an example of the area information table which concerns on Embodiment 1. FIG. 3 is a diagram illustrating a configuration example of a CTR storage unit according to Embodiment 1. FIG. FIG. 3 is a flowchart showing an unauthorized click detection method according to the first embodiment. 6 is a diagram showing an example of unauthorized information according to Embodiment 1. FIG. It is a figure which shows the example of the difference of CTR for every area which concerns on Embodiment 1. FIG. It is a block diagram which shows the principal part structure of the unauthorized click detection apparatus which concerns on Embodiment 2. FIG. FIG. 10 is a flowchart showing a threshold value determining method according to the second embodiment. It is a figure which shows the example of the difference of the threshold value for every area which concerns on Embodiment 2. FIG.

Explanation of symbols

100-1 to 100-m User terminal 200 Web server device 300 Unauthorized click detection device 301 Regional information receiving unit 302 Regional information storage unit 303 Click detecting unit 304 IP address extracting unit 305 Regional estimation unit 306 CTR storage unit 307 Deviation value calculating unit 308, 403 Threshold determination unit 309 Unauthorized information output unit 401 Page information acquisition unit 402 Threshold determination unit

Claims (9)

An acquisition means for acquiring network address information of a distribution destination to which a web page including a reward generation area in which a reward to the user or the web page creator is generated according to an operation by the user;
Estimating means for estimating a region corresponding to the network address information acquired by the acquiring means;
Calculating means for calculating an index value of the frequency of user operations on the reward generation area for each area estimated by the estimating means;
Generating means for generating user operation information for the reward generation area based on an index value for each area calculated by the calculating means;
A fraud detection device characterized by comprising: The generating means includes
Comparing means for comparing the index value for each area calculated by the calculating means with a predetermined threshold value,
The fraud detection according to claim 1, wherein as a result of the comparison by the comparison means, the user operation information for distinguishing between an area having an index value greater than or equal to a predetermined threshold and an area having an index value less than the predetermined threshold is generated. apparatus. The generating means includes
A determination means for determining a threshold for each region according to the relationship between the reward generation region and the region;
Comparing means for comparing the index value for each area calculated by the calculating means with a threshold value for each area determined by the determining means,
The fraud detection apparatus according to claim 1, wherein as a result of the comparison by the comparison means, the user operation information for distinguishing between an area having an index value greater than or equal to a threshold and an area having an index value less than the threshold is generated. The determining means includes
The fraud detection apparatus according to claim 3, wherein a threshold value of an area related to a web page creator who created a web page including a reward generation area is made smaller than a threshold value of another area. The determining means includes
4. The fraud detection apparatus according to claim 3, wherein a threshold value of an area related to contents displayed in the reward generation area is set larger than a threshold value of another area. The calculating means includes
Including detection means for detecting the number of user operations for the reward generation area from the distribution information indicating the distribution status of the web page,
A ratio of the number of times of user operation detected by the detection means to the number of times a web page including a reward generation area is distributed is obtained for each area, and a deviation value of each ratio for each obtained area is calculated. The fraud detection apparatus according to claim 1. The generating means includes
The user operation information indicating that there is an unauthorized user operation in an area where the number of user operations for the reward generation area is greater than other areas based on the deviation value calculated by the calculation means. Item 6. The fraud detection device according to item 6. The estimation means includes
Storing means for storing area information in which network address information and an area corresponding to the network address information are associated with each other;
2. The fraud detection apparatus according to claim 1, wherein a region corresponding to the network address information is estimated by referring to the region information stored by the storage unit. An acquisition step of acquiring network address information of a distribution destination to which a web page including a reward generation area in which a reward to the user or the web page creator is generated according to an operation by the user;
An estimation step for estimating a region corresponding to the network address information acquired in the acquisition step;
A calculation step of calculating an index value of the frequency of user operations for the reward generation region for each region estimated in the estimation step;
A generating step for generating user operation information for the reward generation area based on the index value for each area calculated in the calculating step;
A fraud detection method characterized by comprising:

Images