With the Server Intelligence (server-to-server, or s2s) integration, Opticks can analyse traffic without executing client-side JavaScript or redirecting traffic. Instead, you send Opticks basic information such as the IP address and HTTP headers, and Opticks returns an analysis. This integration allows you to analyse bid requests before bidding when working with RTB.
NOTE: any Server Intelligence analysis is much more basic than the Opticks Firewall or OpticksJS integrations and provides only a limited level of protection. It is best to combine Server Intelligence with Opticks Firewall or OpticksJS for complete pre-bid and post-bid protection.
Quick start
If you already have an Opticks API key, follow the steps below. If you don’t yet have an API token, see the Get an API token section.
Create one server-to-server endpoint and extract the trackingLink
Create a server-to-server link using the HTTP method described below:
Endpoint: | https://api.optickssecurity.com/campaigns |
Method: | POST |
Headers: | Content-Type: application/json |
 | Authorization: {{api_key}} |

Body:

```json
{
  "name": "My server to server link",
  "type": "s2s"
}
```

Example request:

```bash
curl --request POST \
  --url https://api.optickssecurity.com/campaigns \
  --header 'Authorization: {{api_key}}' \
  --header 'Content-Type: application/json' \
  --data '{"name": "My server to server link","type": "s2s"}'
```
🔴 From the response, extract the trackingLink value. It can take up to 5 minutes for the new URL to become active.
Send traffic data to the server-to-server link
Once you have retrieved the server-to-server link from the trackingLink property above and waited 5 minutes, you are ready to start analyzing traffic. Use the HTTP method described below. Pay special attention to the $.analysis.level field in the response JSON. Reject any high-risk traffic and, depending on business requirements, medium-risk traffic as well.
Endpoint: | {{trackingLink}} (from step above) |
Method: | POST |
Headers: | Content-Type: application/json |
Body:

```
{
  "ip": {{visitors_ip_address}},
  "headers": {
    {{header-key}}: {{header-value}},
    ...
  },
  "pubId": {{publisherId}},
  "subId": {{sourceId}},
  "requestId": {{clickId}},
  "var2": {{other-data}},
  "var3": {{more-data}}
}
```

Example request:

```bash
curl --request POST \
  --url 'https://track.domain.com/s/247b8?auth=92d4ca7f' \
  --header 'Content-Type: application/json' \
  --data '{"ip":"172.28.0.1", "headers":{"X-Requested-With":"com.test.app", "Accept-Language":"en-US,en", "Accept-Encoding":"none", "User-Agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5)"}}'
```
Notes: | pubId, subId, var2, and var3 will be visible on the Opticks dashboard. |
Example response:

```json
{
  "analysis": {
    "level": "high",
    "detections": [
      {
        "group": {
          "id": 5,
          "name": "Proxy/VPN/Datacenter Traffic",
          "triggers": [
            { "id": 27, "trigger": "Hosting/CDN proxy" }
          ]
        }
      },
      {
        "group": {
          "id": 2,
          "name": "Header Injections",
          "triggers": [
            { "id": 11, "trigger": "MSISDN Injection" }
          ]
        }
      }
    ]
  },
  "invalidClickReasons": [],
  "inTarget": true,
  "id": "track_20190823065828_e3e76092_2057_4ed1_be59_397f3d898f23"
}
```
s2s Response
Field | Description |
---|---|
$.analysis.level | Whether the visit is low, medium or high risk. We recommend rejecting any high risk visits. |
$.analysis.detections | Array containing anything detected about the visit. |
$.invalidClickReasons | Array of optional detections the campaign may have been configured to refuse. |
$.inTarget | Boolean indicating whether the visit is within optional targeting constraints (country, OS, etc.). |
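
The two steps above, put together as a pre-bid gate. This is an added example, not Opticks' own code: it builds the request body in the documented shape and turns the response into an allow/reject decision driven by $.analysis.level. The function names, the 0.2-second timeout and the fail-closed default are assumptions; the sample response is constructed from the example on this page.

```python
import ipaddress
import json
import urllib.request

def build_payload(ip, headers, pub_id=None, sub_id=None, request_id=None):
    """Build the request body in the shape the page documents."""
    ipaddress.ip_address(ip)  # ValueError on a malformed visitor address
    body = {"ip": ip, "headers": {str(k): str(v) for k, v in headers.items()}}
    optional = {"pubId": pub_id, "subId": sub_id, "requestId": request_id}
    body.update({k: v for k, v in optional.items() if v is not None})
    return body

def analyse(tracking_link, payload, timeout=0.2):
    """POST the payload to the trackingLink; the timeout is an assumed pre-bid budget."""
    req = urllib.request.Request(
        tracking_link, data=json.dumps(payload).encode("utf-8"),
        headers={"Content-Type": "application/json"}, method="POST")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)

def decide(response, reject_medium=False, fail_closed=True):
    """Return (allow, reasons). Only $.analysis.level drives the decision."""
    analysis = response.get("analysis") if isinstance(response, dict) else None
    level = analysis.get("level") if isinstance(analysis, dict) else None
    if level not in ("low", "medium", "high"):
        # Missing or unknown level: apply the caller's failure policy.
        return (not fail_closed, ["no usable analysis.level"])
    reasons = []
    for det in analysis.get("detections") or []:
        group = det.get("group") or {}
        for trig in group.get("triggers") or []:
            reasons.append(f"{group.get('name')}: {trig.get('trigger')}")
    allow = not (level == "high" or (level == "medium" and reject_medium))
    return (allow, reasons)

# Constructed sample: the example response shown on the page, abridged.
SAMPLE = {"analysis": {"level": "high", "detections": [
    {"group": {"id": 5, "name": "Proxy/VPN/Datacenter Traffic",
               "triggers": [{"id": 27, "trigger": "Hosting/CDN proxy"}]}},
    {"group": {"id": 2, "name": "Header Injections",
               "triggers": [{"id": 11, "trigger": "MSISDN Injection"}]}}]},
    "invalidClickReasons": [], "inTarget": True}

if __name__ == "__main__":
    print(decide(SAMPLE))
```

Pass the visitor's address and headers as received at the edge, not those of your own proxy or load balancer, and decide in advance whether a timeout or malformed response should reject (`fail_closed=True`) or allow the request.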
Detections
The details below are purely informational.
Groups
Opticks uses the concept of Detection Groups to categorise different suspicious or fraudulent behaviours found in the traffic.
Id | Name | Description |
---|---|---|
2 | Header Injections | Header alteration detected |
3 | Harmful applications | Detected as Malware |
4 | Non-reputable IP addresses | IP is in a Non-reputable list |
5 | Proxy Traffic | IP is in a Proxy list |
7 | Suspicious acquisition | App is not from a trusted source |
8 | Adult acquisition | Detected Adult content |
9 | Suspicious conversion patterns* | Conversion has unusual pattern |
*Only available when sending Opticks conversion information.
Triggers
Triggers are the detailed detections.
Id | Name | Description | Group |
---|---|---|---|
11 | MSISDN Injection | Header contains fake MSISDN | Header Injections |
13 | WASPA List | Comes from an App known for being malware | Harmful applications |
16 | IP flagged as Unrouteable | IP is known for being Unrouteable | Non-reputable IP addresses |
17 | IP flagged as Organization | IP is known for being from an Organization | Non-reputable IP addresses |
18 | IP flagged for low reputation | IP is known for having a low reputation | Non-reputable IP addresses |
19 | IP flagged for Spam | IP is known for being a source of spam | Non-reputable IP addresses |
20 | IP flagged for Abuse | IP is known for abuse | Non-reputable IP addresses |
21 | IP flagged for Attacks | IP is known for carrying out attacks | Non-reputable IP addresses |
22 | IP flagged as Anonymizer | IP is known for being an anonymizer | Non-reputable IP addresses |
23 | IP flagged as Malware | IP is known for being malware | Non-reputable IP addresses |
25 | VPN proxy | IP is known for being a VPN or Tor proxy | Proxy Traffic |
26 | Web proxy | IP is known for being a web or public proxy | Proxy Traffic |
27 | Hosting/CDN proxy | IP is known for being a hosting proxy | Proxy Traffic |
31 | Non-PlayStore APK | Comes from an App that is not in the Play Store | Suspicious acquisition |
32 | Adult keywords in headers | Referer URL contains adult keywords | Adult acquisition |
34 | CR above low threshold | Conversion rate of subpublisher for that offer and traffic source is bigger than the low threshold (default 5%) in the last 2 hours | Suspicious conversion patterns |
35 | CR above high threshold | Conversion rate of subpublisher for that offer and traffic source is bigger than the high threshold (default 15%) in the last 2 hours | Suspicious conversion patterns |
36 | Subpublisher CR Anomaly | Conversion rate of subpublisher for that offer and traffic source differs too much from the subpublisher general distribution in the last 2 hours | Suspicious conversion patterns |
69 | Google Proxy | IP is known for being a Google proxy | Proxy Traffic |
70 | Opera Mini Proxy | IP is known for being an Opera Mini proxy | Proxy Traffic |
87 | Invalid App Name | The App name has been manually modified | Header Injections |