
fraud0 Detection Methodology – How We Identify Invalid Traffic (IVT)

This article explains the methodology behind fraud0’s detection system.

It describes how every website visit is analyzed in real time and how multiple layers of checks work together to identify invalid traffic (IVT).

It is part of the fraud0 Academy and forms the technical foundation for On-Site vs. In-Ad Measurement.


Why detecting IVT matters

Invalid traffic (IVT) includes visits that do not originate from real human users — from simple bots to advanced automation that imitates human behavior.

Separating these sessions is essential because IVT:

  • Distorts metrics like conversion rate and engagement.

  • Inflates campaign performance and wastes budget.

  • Pollutes audience and remarketing segments.

fraud0’s detection methodology is designed to uncover both General Invalid Traffic (GIVT) and Sophisticated Invalid Traffic (SIVT) as defined by the Media Rating Council (MRC).


Real-time detection

fraud0 analyzes each visit as it happens.

No sampling. No delay.

The tag running on your website (and, where active, in-ad environments) sends behavioral and technical signals to our analysis engine.

All checks execute in parallel to ensure decisions are made within the active session.


Multi-layer detection process

fraud0 combines several independent detection layers.

Each layer produces its own score.

The system then aggregates these scores in real time to classify the session.

1. Browser and Device Validation

Checks whether the reported hardware and software environment is technically possible.

Examples:

  • Impossible hardware profiles – e.g. Android device reporting 119 CPU cores.

  • Tampered browser objects – missing or falsified APIs like window.chrome.

  • Software-based rendering – SwiftShader instead of GPU → typical for virtual machines.

  • System font anomalies – missing baseline fonts (e.g. Calibri, Helvetica Neue) on desktop → automation; Android font differences (HarmonyOS Sans, MiSans, vivo Sans) accepted as normal.

  • Data-centre traffic – IPs linked to known hosting providers are flagged as invalid.

fraud0 uses hundreds of hidden honey-pot elements and over 2 000 cybersecurity challenges to verify browser integrity (fraud0.com/technology).


2. Behavioral and Interaction Analysis

Observes how a visitor interacts with the site.

Human behavior shows variation; bots are too consistent or too precise.

Signals include:

  • Mouse movement speed and irregularity.

  • Scroll rhythm and timing.

  • Touch gestures on mobile devices.

  • Interaction entropy — for example, identical timing intervals or missing visual feedback.

These signals feed into an entropy-based anomaly score, which raises the probability of bot classification when movements look synthetic.
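The "identical timing intervals" signal can be measured as the Shannon entropy of the gaps between interaction events. The following is an added example, not fraud0's code or scoring formula; the function names, the 10 ms bin width, the minimum event count and the sample timestamps are all assumptions made for illustration.

```javascript
// Added illustration, not fraud0's code. Bin width, minimum event count and
// the sample timestamps are assumptions made for this example.

// Gaps between consecutive event timestamps, in milliseconds.
// Assumes timestamps are in ascending order (e.g. event.timeStamp values).
function intervals(timestamps) {
  const out = [];
  for (let i = 1; i < timestamps.length; i++) {
    out.push(timestamps[i] - timestamps[i - 1]);
  }
  return out;
}

// Shannon entropy (bits) of the gaps after grouping them into binMs-wide bins.
// Returns null when there are no gaps to measure.
function intervalEntropy(timestamps, binMs = 10) {
  const deltas = intervals(timestamps);
  if (deltas.length === 0) return null;
  const counts = new Map();
  for (const d of deltas) {
    const bin = Math.floor(d / binMs);
    counts.set(bin, (counts.get(bin) || 0) + 1);
  }
  let h = 0;
  for (const c of counts.values()) {
    const p = c / deltas.length;
    h -= p * Math.log2(p);
  }
  return h;
}

// Score in 0..1: 1 means perfectly regular timing (zero entropy),
// 0 means every gap fell into its own bin (maximum entropy for this sample).
// Returns null when the sample is too small to judge.
function timingAnomalyScore(timestamps, binMs = 10, minEvents = 8) {
  if (timestamps.length < Math.max(minEvents, 3)) return null;
  const maxH = Math.log2(timestamps.length - 1);
  return 1 - intervalEntropy(timestamps, binMs) / maxH;
}

// Constructed samples: a fixed 50 ms cadence and an irregular, human-like one.
const scripted = [0, 50, 100, 150, 200, 250, 300, 350, 400];
const humanLike = [0, 43, 131, 158, 262, 277, 391, 468, 602];
console.log(timingAnomalyScore(scripted), timingAnomalyScore(humanLike));
```

A `null` result marks a session with too few events to score, which is different from a session that scored as regular or irregular.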


3. Network and TLS Fingerprinting

Every secure connection leaves a TLS fingerprint — the digital handshake pattern between browser and server.

Real browsers create a limited, predictable set of fingerprints.

A high number of unique or inconsistent fingerprints (high cardinality) indicates emulation or automation.


Scoring and classification logic

Each detection layer contributes a numeric score.

fraud0’s algorithm combines these scores to produce a session-level confidence result.

The outcome is one of three states:

Classification – Description

  • Human – All signals align with normal user behavior.

  • Bot – Clear automation or impossible device configuration.

  • Suspicious – Insufficient or inconsistent data to decide confidently.

Bot Rate = (Bot Sessions ÷ Total Sessions) × 100

This scoring ensures that decisions are never based on a single signal but on the total picture across all layers.


Rule stability and adaptation

fraud0 does not manually adjust thresholds or maintain static blacklists.

Changes in bot rates reflect real shifts in observed traffic patterns.

Detection logic adapts automatically through continuous learning — without changing the underlying methodology.


Relation to measurement layers

This methodology powers both on-site and in-ad measurement.

The detection principles remain the same; only the data source differs.

To understand where detection happens and what each layer uncovers, see:

[On-Site vs. In-Ad Measurement]

Key takeaway

fraud0’s detection methodology uses a multi-layer, real-time approach to verify every visit.

It evaluates the browser, device, behavior, and network environment to classify traffic accurately while minimizing false positives.

This ensures a balanced system that protects your analytics integrity and advertising efficiency.
