Always Be Clicking

NS8 uses many different detection methods to determine whether the user is valid or not.

Some of these methods are algorithmic, and others are learned over time by detecting patterns in the data. Not all methods are listed, both to protect our intellectual property and to prevent reverse-engineering, but we look at several different indicators to determine user validity, including IP address, geo-location, device usage and so on.


Much like a credit score, we employ an EQ8 scoring system from 0-1000 to determine if a user is valid. A low score below 100 denotes a known bot or other suspicious user, such as somebody proxying through a data center’s IP or appearing on a known blacklist. An EQ8 score above 800 denotes a user determined to be real, and the few rare cases in the middle are those with possible warning flags that an application or service can subject to verification or manual review.


A large and growing percentage of web traffic is generated by bots, spiders, extensions, headless browsers, toolbars and other means (collectively called “bots”). These bots have become increasingly sophisticated in how they disguise themselves, which means that fraud detection systems must continuously evolve their detection methods to be able to block malicious traffic.

Here are some of the indicators that we check to assess a potential bot:

Block List: We check every I.P. address against our database of known infected machines. This tool detects machines that have been hijacked as spambots, as well as machines that are infected with viruses and generate large amounts of automated traffic or clicks. This database is maintained in real-time to detect emerging sources and keep up to date on the latest trends.

Data Center Origin: We maintain a database of data center I.P. address ranges, since many bot networks use data centers to create or proxy traffic. For example, a session from within Amazon’s AWS data center address block is unlikely to be valid.

Public Web Proxies: Public web proxies are also used to hide a user’s location by making their IP appear to come from somewhere other than their real location, much like proxying through a data center above. We maintain a real-time database of public web proxies so we can detect sessions from them and score users accordingly.

TOR: TOR is free-to-use software that enables anonymous online communication. TOR has legitimate uses, but as it hides the origin of the user, it is inherently suspicious and can be used to generate random sessions.

Spoofed User Agents: Bots often rotate their user agents to appear to be multiple devices and generate realistic-looking traffic. We have developed technology to match the user agent to the browser’s capabilities and detect sessions that have altered their user agent.

Invalid Searches: Bots often create fake referrer headers to appear to be from a search engine. In many cases, these headers differ from real search engine referrer structures.

Collusion: This method detects the coincidence of a set of I.P. addresses and a set of publisher sites.

Other Proprietary Methods: We have developed several other methods for detecting fraudulent sessions, and this continues to be a primary focus of our research efforts.

Hidden Users

Hidden users are from sessions where no page is ever visible on the screen. Whether they are a bot or just a human user that never looks at their display, a hidden session will receive an EQ8 score of 0 because no page content was ever looked at by a real person.

Here are some of the primary reasons that a user may be categorized as a hidden session:

Preloading: Search engines will preload pages in the background while a user types in a search query. The search engine attempts to predict which link or links the user will click on and then loads the pages from those links. This is a way to improve the performance of web browsing; however, many of the preloaded pages are never made visible and should not be counted as evidence of real site activity.

Browser Window Hidden: This occurs when a browser window is behind another window, so web content can’t be seen by the human user.

Background Browser Tabs: A browser tab can be launched in the background and load pages. These pages are never visible unless the user opens the tab.

Bots: The session is detected as a bot and not a real person. This is usually the default reason unless the user falls under one of the categories above.

Our technology tracks whether a session is ever viewed and updates the visibility based on that. For example, if a page is hidden during a pre-load, it is initially recorded as hidden and given a score of zero. If the user clicks on the link to view the preloaded page, that is detected and the session is updated with a new score. All data is available in real-time through NS8 Data Services and historically through NS8 TrueStats and NS8 Protect.
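
The hidden-then-viewed flow described above can be observed in the browser with the standard Page Visibility API (`document.visibilityState` and the `visibilitychange` event). The following is an added example, not NS8's code: the class name, the `report` callback, the stub document and the timings are assumptions made for illustration.

```javascript
class SessionVisibilityTracker {
  // Added example, not NS8 code. doc: a Document or a stub with visibilityState
  // and addEventListener. report: hypothetical callback to a collector.
  constructor(doc, report, now = () => Date.now()) {
    Object.assign(this, { doc, report, now });
    this.everVisible = false;   // stays false for preloads never clicked
    this.visibleMs = 0;         // total time actually on screen
    this.visibleSince = null;   // start of the current visible interval
    doc.addEventListener("visibilitychange", () => this.update());
    this.update();              // capture the state at load time
  }
  update() {
    const visible = this.doc.visibilityState === "visible";
    const t = this.now();
    if (visible && this.visibleSince === null) {
      this.visibleSince = t;
      if (!this.everVisible) {
        this.everVisible = true;
        // First time on screen: the collector can now rescore the session.
        this.report({ type: "first-visible", at: t });
      }
    } else if (!visible && this.visibleSince !== null) {
      this.visibleMs += t - this.visibleSince;
      this.visibleSince = null;
    }
  }
  snapshot() {
    const live = this.visibleSince === null ? 0 : this.now() - this.visibleSince;
    return { hidden: !this.everVisible, visibleMs: this.visibleMs + live };
  }
}

// Constructed stand-in for `document` so the example runs outside a browser.
function makeStubDocument(state) {
  const listeners = [];
  return {
    visibilityState: state,
    addEventListener(type, fn) { if (type === "visibilitychange") listeners.push(fn); },
    setState(s) { this.visibilityState = s; listeners.forEach((fn) => fn()); },
  };
}

// Constructed scenario: preloaded hidden, clicked through at 5 s, backgrounded at 8 s.
function runPreloadScenario() {
  let clock = 0;
  const reports = [];
  const doc = makeStubDocument("hidden");
  const tracker = new SessionVisibilityTracker(doc, (e) => reports.push(e), () => clock);
  const atPreload = tracker.snapshot();
  clock = 5000; doc.setState("visible");
  clock = 8000; doc.setState("hidden");
  return { atPreload, atEnd: tracker.snapshot(), reports };
}
```

In a page, the tracker would be constructed with the real `document`. Because this signal is reported by the client, a collector should weigh it alongside server-side indicators rather than trust it alone.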

Get Started

NS8 Data Services is currently only available through NS8 sales representatives.
