crowd fraud detection in internet...
TRANSCRIPT
Crowd Fraud Detection in Internet Advertising
Tian Tian†, Jun Zhu†, Fen Xia‡, Xin Zhuang‡, Tong Zhang‡†State Key Lab of Intelligent Technology & Systems; Tsinghua National TNLIST Lab
Department of Computer Science & Technology, Tsinghua University, Beijing 100084, China‡Baidu Inc., No.10 Shangdi Street, Haidian, Beijing 100084, China
{tiant13@mails,dcszj@mail}.tsinghua.edu.cn, {xiafen,zhuangxin,tongzhang}@baidu.com
ABSTRACTThe rise of crowdsourcing brings new types of malpracticesin Internet advertising. One can easily hire web workersthrough malicious crowdsourcing platforms to attack otheradvertisers. Such human generated crowd frauds are hardto detect by conventional fraud detection methods. In thispaper, we carefully examine the characteristics of the groupbehaviors of crowd fraud and identify three persistent pat-terns, which are moderateness, synchronicity and dispersiv-ity. Then we propose an effective crowd fraud detectionmethod for search engine advertising based on these pat-terns, which consists of a constructing stage, a clusteringstage and a filtering stage. At the constructing stage, weremove irrelevant data and reorganize the click logs into asurfer-advertiser inverted list; At the clustering stage, wedefine the sync-similarity between surfers’ click historiesand transform the coalition detection to a clustering prob-lem, solved by a nonparametric algorithm; and finally webuild a dispersity filter to remove false alarm clusters. Thenonparametric nature of our method ensures that we canfind an unbounded number of coalitions with nearly no hu-man interaction. We also provide a parallel solution to makethe method scalable to Web data and conduct extensiveexperiments. The empirical results demonstrate that ourmethod is accurate and scalable.
Categories and Subject DescriptorsI.5.3 [Computing Methodologies]: Pattern Recogni-tion—Clustering ; K.4.4 [Computers and Society]: Elec-tronic Commerce—Payment schemes, Security
KeywordsFraud detection; Internet advertising; crowdsourcing
1. INTRODUCTIONAs a way to use the Internet to deliver promotional mar-
keting message to consumers, Internet advertising differs
Copyright is held by the International World Wide Web Conference Com-mittee (IW3C2). IW3C2 reserves the right to provide a hyperlink to theauthor’s site if the Material is used in electronic media.WWW 2015, May 18–22, 2015, Florence, Italy.ACM 978-1-4503-3469-3/15/05.http://dx.doi.org/10.1145/2736277.2741136.
from broadcast and television advertising by its ability tocarry out precision marketing. While at the same time itis exposed to greater risks of being influenced by preciselytargeted attacks. For search engine advertising, advertiserscan present their message to specific individual surfers se-lected according to their search queries or browsing histo-ries. These advertisements are usually charged by the vol-ume of clicks. However, this pay-per-click billing mechanismincreases the risk of fraud since malicious ones can easilyraise traffics on specific targets by technological means.
Conventional advertising frauds, such as malwares, autoclickers, etc, usually show specific characteristics on theirindividual behavior patterns, such as empty cookies, repeti-tive clicks or hit bursts. These phenomena can be effectivelydetected by well-studied anomaly detection methods [4, 16,17]. Unfortunately, when new detection rules are proposed,fraudulent means evolves. Recently, crowdsourcing plat-forms that can distribute enormous tasks to a large groupof web workers provide a more efficient way to handle vari-ous tasks including data collection and analysis [8, 10, 21].Meanwhile, a new type of fraud clicks in Internet adver-tising has appeared on malicious crowdsourcing platforms1,where attackers publish micro-tasks of searching and click-ing advertisements on a certain search engine, and thenweb workers accomplish these tasks and are paid per taskthrough the platform.
According to the statistics, expensive adwords onGoogle, such as insurance, loans, mortgage, etc, could costan advertiser more than 50 US Dollars per click [11], whilemalicious platforms only need to pay about 0.1 US Dollarsper click to the web workers. This big price gap has leadto a murky business of Internet advertising that attackerspublish crowdsourced attacking tasks against competitors toraise their advertising expenses. We refer to these maliciousbehaviors as crowd fraud.
Since simple fraudulent means is well-studied and canusually be filtered out by search engine’s anti-fraud mech-anisms, crowd fraud has became one of the main sourcesof customer complaints to search engines and has causedtremendous damage to the marketing environment. Thereare many differences between the human-generated crowdfraud and the fraudulent behaviors automatically generatedby machines, which pose new challenges to crowd fraud de-tection. For example, crowd fraud often arises from a vastnumber of attacking sources, but with low fraudulent trafficfrom each source. The fraudulent behaviors of web workers
1For example: http://www.adclickingjobs.com/;http://www.5iads.cn/ (in Chinese).
SourceIP AdvertiserId Query Hit time
121.*.*.215 758 lose weight 90541
121.*.*.215 749 red tea 90855
112.*.*.76 740 flight ticket 91783
111.*.*.46 720 green tea 92401
222.*.*.201 749 green tea 92401
117.*.*.135 720 web design 91123
121.*.*.215
112.*.*.76
117.*.*.135
111.*.*.46
222.*.*.201
<758,90541>,<749,90855>,...
<740,91783>,...
<720,91123>,...
<720,93346>,...
<740.92401>,...
758
749
740
720
"lose weight" 90541
121.*.*.215
112.*.*.76
117.*.*.135
111.*.*.46
222.*.*.201
Surfer-advertiser bipartite graphIP
Advertiser Id
Raw Data Surfer-advertiser inverted list
Figure 1: Example of the raw data, the constructed bipartite graph and the surfer-advertiser inverted list.
are noisy and have no distinct regularity, and the fraudulenttraffic induced by each worker is often buried in his nor-mal traffic. These differences mean that the short-term orindividual behaviors of crowd fraud are almost normal. Soconventional anti-fraud systems usually fail to detect crowdfraud. Current commercial crowd fraud detection strategiesrely heavily on human interventions, such as the prior knowl-edge of suspicious queries and complicated artificial filteringrules. Such methods are labor intensive and become invalidrapidly since web workers can easily change their behaviorpatterns to avoid being detected.
To address the above challenges, we explore the groupbehaviors of crowd fraud. They are more persistent thanthe individual behaviors of each worker which may containsubstantial randomness. By carefully analyzing the fraudu-lent behaviors confirmed to be crowd fraud by a commer-cial detection system, we find some general characteristicsabout the feature distributions and the network structures ofcrowd fraud: (1) Moderateness: Crowd fraud often aimsat advertisers or queries that have moderate hit frequen-cies; (2) Synchronicity: Surfers involving in crowd fraudcan usually be grouped into coalitions; in each coalition theyusually attack a common set of advertisers; and most oftheir clicks toward a certain advertiser happen within acommon short time period; and (3) Dispersivity: Crowdfraud surfers may simultaneously search a series of unrelatedqueries and click advertisements from different professions.
Based on the above characteristics, we investigate a novelcrowd fraud detection method for search engine adver-tising. From the synchronicity characteristic we can seethat crowd fraud has similar properties with coalition at-tacks. The success of graph based anomaly detection meth-ods on detecting coalitions in many scenarios [13, 15] in-spired us to develop our detection method based on thefeature-enhanced graph structure of the click-through net-work. Our method consists of three major stages: (1) Con-structing: we first remove the logs whose queries have ex-tremely small or large hit frequencies based on the mod-erateness condition, and then construct a surfer-advertiserbipartite graph as in Fig. 1. Each edge of this graph rep-resents one unique click log, and it contains features suchas the hit time and searching query. We also generate thesurfer to advertiser inverted list of this bipartite graph forthe use of next stage. Each entry of this inverted list repre-sents the click history of one unique surfer. (2) Clustering:to find surfer coalitions which exhibit synchronicity, we de-fine a synchronization similarity between click histories andtransform the coalition detection problem to a clusteringproblem. The number of clusters is determined using a non-
parametric clustering algorithm, which is inspired by DP-means [12], a small-variance asymptotic version of Dirichletprocess (DP) mixtures. (3) Filtering: We will find threetypes of coalitions after clustering, namely, small irrelevantcoalitions, fraudulent coalitions, as well as some normal butlarge coalitions attracted by frequently-presented advertise-ments. The frequently-presented advertisements in one coali-tion come from similar business domains such as flight tick-ets or hospitals. So we examine all large coalitions and re-move those with domain centralized advertisers.
Each step of our detection method is scalable with ap-propriate approximation, and the total number of detectedfraudulent clusters is unbounded due to the nonparametricnature of our algorithm. We further implement a parallelversion of this method and conduct extensive experimentsto show its efficiency and accuracy.
To the best of our knowledge, this paper is the first toformulate the problem of crowd fraud detection in Internetadvertising and provides a solution. Our main contributionscan be summarized as follows:
1. We formally analyze the crowd fraud problem for Inter-net advertising, and identify three key characteristics,i.e., moderateness, synchronicity and dispersivity;
2. We present a solution to detect crowd fraud, in whichwe define a synchronization similarity between clickhistories and transform the coalition detection prob-lem into a clustering problem, solved by a nonpara-metric clustering algorithm that automatically decidesthe number of clusters;
3. We make the method scalable for large-scale searchengine advertising by parallelizing the nonparametricclustering algorithm. Extensive experiments are pro-vided to show its effectiveness.
The rest of the paper is organized as: Sec. 2 analyzes thecharacteristics of crowd fraud; Sec. 3 and Sec. 4 present thedetection system for search engine advertising and its par-allel implementation; Sec. 5 presents empirical results; Sec.6 discusses related work; and Sec. 7 provides concludingremarks.
2. CROWD FRAUD CHARACTERISTICSWe define crowd fraud as the phenomenon that a group of
people driven by economic benefits work together to increasefraudulent traffic on certain targets. Crowd fraud differsfrom automatically generated fraudulent behaviors in sev-eral aspects: (1) The number of web workers involved in anattacking event from crowdsourcing platforms can be verylarge, while most conventional ways start from much fewer
0 1 10 100 1000 100001000000%
10%
20%
30%
40%
50%
Hit frequency
NormalCrowd Fraud
(a) Traffic moderateness (b) Target synchronicity
50 100 1500
5
10
15
20
Hour
#Fra
ud C
licks
(c) Temporal synchronicity
Figure 2: Characteristics of crowd fraud: (a) The histogram of the hit frequencies of various queries forboth normal traffics and crowd fraud traffics; (b) A corner of the surfer-advertiser bipartite graph built fromcrowd fraud click relations, where different colors show different hit times and the white color means no clickoccurred; and (c) A snapshot of the fraudulent click number on one advertiser changes through time.
number of sources; (2) The total fraudulent traffic generatedby each web worker in crowd fraud is limited, while othermalpractices usually induce hit bursts; (3) Since crowd fraudclicks are generated by real humans, their behaviors have nodistinct regularity, while the auto generated traffic usuallyhas detectable repeatability; and (4) Besides the fraudulenttraffic, each web worker may also have normal click behav-iors, which is also different from automatic clicks. All thesedifferences make the set of conventional features used to de-tect automatic fraudulent behaviors invalid for crowd frauddetection, which calls for a careful investigation to identifymore distinctive and stable characteristics.
This paper focuses on the crowd fraud detection problemin search engine advertising. A main purpose of attackersis to raise fraudulent traffic on competitors to increase theirpromotional expenses. Thus the attacks usually aim at cer-tain advertisers rather than advertisements.
To compare the differences between normal traffic andcrowd fraud traffic, we collect a click dataset from a ma-jor Chinese search engine company. The raw click logs onthe search engine maintain a history of all click actions thathappened within a time period. We investigated the follow-ing attributes in the click logs. Log Id: We use log Id toidentify a unique click log. IP: though both cookie Id and IPaddress can identify different surfers, cookie changes morefrequently than IP. So we use the latter in our method, de-spite the network address translation. Advertiser Id: sincemalpractices mostly aim at certain advertisers, we use ad-vertiser Id to identify their targets. Hit time: the timewhen the click happened. Query: the phrase that a surfersearched before his or her click action. We studied a subsetof the click logs. After carefully examining the datasets wecollected, we find similarities among the crowd fraud trafficon the moderateness, synchronicity and dispersivity charac-teristics, which provide strong hints to detect crowd fraudeffectively. Below, we describe these characteristics in detail.
2.1 ModeratenessIn a common search engine session, a surfer searches a
query and the engine returns the most relevant results as wellas advertisements in search engine results pages (SERPs).Then the surfer may click some links or advertisementswhich satisfy their requirements or preference. Advertiserscan buy keywords from the search engine so that the sys-tem will display their message once a surfer’s search querymatches their keywords. As a result, the advertisers’ inten-
tions as well as their advertisement contents are expressedby the corresponding searching queries. We separately countthe hit frequencies on each unique query appeared in thecrowd fraud dataset and the full dataset, then plot the his-togram of hit frequencies in Fig. 2(a).
We can see that most crowd fraud queries are clicked from50 to 20,000 times during one week, while 50% queries of thefull dataset lay outside this range. Thus, crowd fraud trafficdiffers from normal traffic in that the hit frequencies of itstarget queries will neither be too small nor too large. It isnot too small may be because fraud practices always intendto raise click traffic, so they must click advertisements withconsiderable frequencies. It is not too large may be becausenormal traffics on frequently hit queries are very large, whilecrowd fraud traffics are usually relatively less since the hu-man click efficiency is limited. So the effects of fraudulenttraffics will be buried under the normal traffics.
2.2 SynchronicityWe characterize two types of crowd fraud’s synchronic-
ity. The first is the target synchronicity. Since crowd fraudstarts from malicious crowdsourcing platforms, their behav-iors can usually be grouped into sets. Workers on the sameplatform tend to accomplish similar tasks published on thatplatform, so their target advertisers are also likely to be sim-ilar. The click records can be viewed as a bipartite graph,with surfer vertices and advertiser vertices at two sides, as inFig. 1, where each edge represents one unique click log, andit contains features such as the hit time and searchingquery. Then from the view of graph structure, although theclick relation between surfers and advertisers forms a verysparse bipartite graph, the links between these crowd fraudworkers from the same coalitions to the tasks on the sameplatform will be dense. To show this phenomenon, we selecta dense corner of the bipartite graph built from the crowdfraud dataset, and plot the adjacency matrix of this sub-graph in Fig. 2(b), where each cell represents one click fromthe surfer of the column to the advertiser of the row, and dif-ferent colors represent different hit times. Our experimentalresults on real data also verify that these dense structuresare common among fraudulent traffics.
The second is the temporal synchronicity. The differentcolors of cells in Fig. 2(b) show different hit times of thecorresponding clicks. We can see that cells in the same rowusually have similar colors, which means that the hit times ofcrowd fraud clicks on a same advertiser usually concentrate
Table 1: Example queries, where each row repre-sents the queries from one surfer.
Queries from normal surfers # Domains
eye cream, cleansing milk, skin care 1
electronic game, card game, game platform 1
headache, dizzy, light-headed 1
Queries from crowd fraud surfers # Domains
franchised outlet, excavator, royal jelly 3
beach BBQ, hospital, calligraphy training 3
toy bear, stainless steel, gym 3
on a short period. We show this phenomenon more clearlyby snapshotting the hit times of fraudulent clicks on oneadvertiser in Fig. 2(c). We can see that most clicks occurredwithin short time periods of several hours. This phenomenonalso appears on other advertisers, We think this time periodmay be related to the task’s publishing time on maliciouscrowdsourcing platforms, while their normal traffics usuallyshow periodicity.
2.3 DispersivityAs a more in-depth examination, we expand the click logs
of some frequently appeared individual surfers of both thecrowd fraud dataset and the full dataset. After compari-son, we find differences between their target business do-mains. For normal surfers, their click targets during a shortperiod usually focus on one certain business field or a fewhighly related fields, such as eye cream, cleansing milk, andskin care. However, crowd fraud surfers may click advertise-ments from many unrelated domains in a short period, suchas franchised outlet, excavator and royal jelly. We think thisis because web workers do not have real information de-mand, so if they do many tasks from different advertisers oncrowdsourcing platforms, their searching queries as well astheir target business domains show dispersivity. Some exam-ple searching queries and the number of domains are shownin Table 1.
In summary, the group behaviors of crowd fraud showstrong regularities, including moderateness, synchronicityand dispersivity. These regularities differ crowd fraud trafficfrom normal traffic. Based on these observations, we developan effective crowd fraud detection system in next section.
3. CROWD FRAUD DETECTIONOur method consists of three major stages: construct-
ing, clustering and filtering, as outlined in Fig. 3.
3.1 Constructing StageThis stage removes irrelevant data and reorganizes the
logs into a surfer-advertiser inverted list.We first filter out irrelevant logs based on their
queries. According to the moderateness condition, click logswith queries whose hit frequency is extremely small or largeare barely crowd fraud. So we choose a lower threshold SLand an upper threshold SU , and remove the logs with querieswhose hit frequency falling outside the range [SL, SU ]. Theappropriate threshold values can be found from statistics offraudulent traffic. Smaller Interval means less data left. Thispre-filtering can significantly reduce the data volume. In ourexperiments, it removes more than 70% click logs.
Constructing
Clustering
Filtering
Input raw click logs
Remove logs with extreme queries
Build surfer-advertiser bipartite graph
Seeking for coalitions by clustering
Query dispersity filter
Recall relevant clicks
Output
Figure 3: Workflow for crowd fraud detection.
Then, we reorganize the remaining data as a surfer-advertiser inverted list. As shown in Fig. 1, the click logsrepresent a surfer-advertiser bipartite graph. The structureof this bipartite graph can be stored as a surfer-advertiserinverted list, which can express the surfers’ behaviors moreexplicitly. In the sequel, we use G to denote an invertedlist; xi ∈ G is the ith entry of G, representing the clickhistory of the ith surfer; each click history xi consists of anundetermined number of click events; an event xij ∈ xi con-sists of a target advertiser Id xIij and a hit time xTij , meaning
that surfer i clicked an advertisement at time xTij , and this
advertisement belongs to an advertiser with Id xIij . If surferclicked advertisements belong to the same advertiser morethan one time, we only record one click with the earliest hittime, which is sufficient to represent the intention of all thiskind of clicks. A click history is of the form:
{{Id : 74, time : 456}, {Id : 64, time : 93}, ...}.
Suppose we have N unique IPs, M unique advertisers Idsand D click logs after pre-filtering, there will be N lines inG, and each line will contains D/N events on average.
3.2 Clustering StageAfter pre-filtering the logs using the moderateness con-
dition, we proceed to consider the synchronicity condition,which states that surfers involving in crowd fraud usuallygroup into coalitions; in each coalition they usually attack acommon set of advertisers; and most of their clicks toward acertain advertiser happen within a common short time pe-riod. We formulate the coalition detection as a clusteringproblem, and solve it by a nonparametric method that canautomatically learn the unknown number of coalitions.
3.2.1 Problem FormulationBy the synchronicity property, we need to detect malicious
surfer coalitions in which all surfers have similar behaviorpatterns. We define the synchronization similarity (sync-similarity for short) between each pair of click histories andthe coalition center for every surfers coalition in order toformulize these coalitions.
A 4
A
1
2
3
A
1
2
3
4
5
A
1
2
3
A
1
2
3
4
I. II.
III. IV.
5/B
NewCluster!Too far..
Figure 4: The nonparametric clustering procedure.
Definition 1. [Sync-Similarity] Given two click histo-ries xi,xj and a time window radius τ , the sync-similaritybetween them is given by
Sτ (xi,xj) =∑
xis∈xixjt∈xj
1(xIis = xIjt, |xTis − xTjt| < τ), (1)
where 1(·) is the indicator function.
Numerically, the sync-similarity equals to the number of tar-gets shared by two click histories. Here a common target notonly requires a same advertiser Id appearing in both clickhistories, but also requires the hit times on this advertiserId in the two click histories fall into a same time period.
Definition 2. [Coalition Center] The center µk of coali-tion k has the same form as the click history. It consists ofmany click events, and each event µks consists of two at-tributes, i.e., µks = {µIks, µTks}, where the advertiser Id µIksdenotes a common attacking target of the coalition and theintrinsic hit time µTks denotes the average hit time of clickson this advertiser induced by surfers in this coalition.
For all surfers in coalition k, if the sync-similarities betweentheir click histories and the center µk are larger than a sim-ilarity threshold T , their behaviors will be regarded as syn-chronized. Suppose there are K malicious coalitions, zi de-notes the coalition to which the ith surfer belongs, thesecoalitions should satisfy the following condition:
Condition 1. [Synchronicity Condition]
Sτ (xi,µk) > T, ∀k, i, s.t. zi = k, (2)
where T is a similarity threshold.
Now our problem is to find coalitions that satisfyEq. (2), as well as to find their centers. If we consider surferswho reside outside all coalitions as coalitions with only onesurfer in it, the original detection problem will became aclustering problem. Each point for clustering represents theclick history of one surfer; each cluster represents one coali-tion; and the cluster center represents the coalition cen-ter. For convenient calculation, we assume that all coalitionstarget on exact w advertisers. This assumption may lead toomit some coalitions which target on less than w advertis-ers, the reduction of flexibility brought by this assumptioncan be compensated by a propagation step in the final stage.
3.2.2 Clustering AlgorithmThere are two main differences between our problem and
an ordinary clustering problem. Firstly, the number of clus-ters is very hard to decide in advance, and it increases aboutlinearly as the number of surfers increases. This is becausemost surfers behave normally, and then each of them belongsto one new cluster. Secondly, for each surfer in a cluster, thesync-similarity between it and the cluster center should belarger than a radius threshold. So we can not use classicclustering algorithms (e.g., K-means) directly. Inspired byDP-means [9, 12, 23], which is a small variance asymptoticsof Dirichlet process mixtures [2], we present a nonparametricmethod, which solves the following problem:
maxC,{lc}kc=1
k∑c=1
∑i∈lc
Sτ (xi,µc)− λwk, (3)
where C = {µc} denotes all cluster centers, lc = {i|zi = c}denotes all indexes of the surfers in cluster c, λw = (1− ρ)wis a similarity threshold, and ρ ∈ [0, 1] is a relaxing factor.
Problem (3) admits two properties: (1) The final clusternumber is potentially unbounded and automatically deter-mined by the data, and (2) The sync-similarity between eachpoint to its most similar cluster center must be larger thanρw. To see the first property, since the cluster number k isalso a variable in this objective, we need to learn the clusternumber in real time. So the cluster number will increaseswhen data grows, which is potentially unbounded. To seethe second property, once the similarity between a point xito its most similar center µc is smaller than ρw, we cancreate a new cluster whose center is composed by w eventsin xi, then the similarity between xi and this new clustercenter will be w, and the total change on the objective isw − Sτ (xi,µc)− λw = ρw − Sτ (xi,µc) > 0.
These two properties provide us an iterative way to finda local optimum of problem (3). The final algorithm is simi-lar as K-means’ two-step update. For each iteration, we firstassign each point into its nearest cluster, then update thecluster centers based on the assignments. The main differ-ence between our algorithm and K-means is the assignmentstep. When a new point xi comes, we find its most similarcluster center. If the similarity between xi and this center issmaller than ρw, we generate a new cluster whose center iscomposed by w events in xi. Then we assign xi to this newcluster. Fig. 4 illustrates this procedure. When converge, wemaintain the remaining clusters whose size larger than athreshold n for the use of the next stage.
The algorithm is outlined in Alg. 1, which consists of aUpdateCenter subroutine that solves the subproblem
maxµc
∑i∈lc
Sτ (xi,µc). (4)
Though the problem can be solved by enumerating all thepossible combinations of w events, the time complexity isO(mw), where m is the average number of unique eventsin points of this cluster, which is very large. Here we in-troduce an greedy algorithm, which is approximate but effi-cient. We sort all advertisers by their occurrence frequenciesin all surfers’ click histories in this coalition, then use the topw advertisers as the cluster center. The intrinsic hit timesare the averages of click times on these advertisers.
As we shall see in experiments, the algorithm with greedyapproximation still converges well and finds good solu-
Algorithm 1: Serial solution for coalition detection
Input: ρ, w, τInput: surfer-advertiser inverted list Gk = 0, C = ∅while not converged do
for xi ∈ G doc = arg maxc∈{1,··· ,k} Sτ (xi, µc)
if Sτ (xi, µc) < ρw thenµ′ = {Select w events in xi}C = C ∪ {µ′}, k = k + 1zi = k
else zi = c;
for c ∈ {1, · · · , k} do µc =UpdateCenter(c);
Output: Accepted cluster centers C
Procedure UpdateCenter(c)
n = t = ∅for xi ∈ G and zi = c do
for j ∈ {1, · · · , |xi|} dor = xIijif nr /∈ n then
Update n and rnr = nr + 1tr = tr + xTij
for nr ∈ n do tr = tr/nr;y = {the indexes of largest w elements in n}Output: {events formed by y and times in t}
tions. By this approximation, the time complexity of Up-dateCenter is reduced to O(m log(m)), and it can be furtherreduced to O(m log(w)). If m ≈ D/k, the overall time com-plexity for one iteration of Alg. 1 is O((k + log(w))D). Asanalyzed above, most items belong to a cluster with size 1, sok ≈ N . This causes the algorithm still very time consum-ing. We will describe an approximate and parallel algorithmthat we use in practice in the next section.
3.3 Filtering StageUsually we can find many large coalitions after cluster-
ing, which may contain false alarms. For example, for hotbusinesses such as games or healthcare, normal surfers withsimilar information demands may also click a lot of commonadvertisers that provide similar services. Since the numberof these kinds of surfers can be large, it is possible to appeargroups of normal surfers which exhibit both the target syn-chronicity and the temporal synchronicity. This will causefalse alarm detections. In order to distinguish these falsealarms from real fraud coalitions, we build a query disper-sity filter for clusters based on the dispersivity condition.
From our observations, although normal coalitions mayexhibit synchronicity, their targets usually focus on one busi-ness domain or a few highly related domains, which invalidthe dispersivity condition. To evaluate how dispersive a clus-ter is, we define the domain coherence coefficient (DCC) ofa set of advertisers.
Definition 3. [Domain Coherence Coefficient] Givena set of advertisers A. Let A′ be its largest subset in which
Algorithm 2: Query dispersity filter
Input: Q, λ, wInput: candidate cluster centers CF = ∅;for µi ∈ C do
di = maxqj∈Q |µIi ∩ qj |;if di ≤ λw thenF = F ∪ {µi};
Output: fraudulent cluster centers F
all advertisers belong to a same business domain. The do-main coherence coefficient of this set is
Rdcc(A) =|A′||A| . (5)
Collecting domain information for all advertisers to cal-culate each cluster’s DCC relies on a lot of external inter-ventions. In our method, we choose a more straight-forwardway. We first build a query-advertiser inverted list Q fromraw click logs. Each entry qi ∈ Q corresponds to a uniquequery, and the elements qij ∈ qi represent advertisers thathave displayed together with query qi. Since these advertis-ers are related to a common query, their business domainsshould be related. For cluster i, we use µIi = {µIis|µis ∈ µi}to represent all advertisers targeted by surfers in this clus-ter, then if we find an entry qj that satisfies |µIi ∩ qj | =pij , we can say at least pij advertisers in µi are related. Soby the definition of DCC, we can find a relation that
Rdcc(µIi ) ≥ max
qj∈Q
|µIi ∩ qj ||µIi |
, (6)
where |µIi | always equal to w in our setting. Since largerRdcc means less dispersity, we can choose a threshold λ forRdcc and remove clusters that invalid the dispersivity con-dition. Alg. 2 outlines the query dispersity filter.
After filtering, the remaining clusters represent the de-tected fraudulent coalitions. As a final step, we recall clicklogs that relate to them. For each coalition, the clicks hap-pened between its surfers and the advertisers within its coali-tion center are recalled as crowd fraud clicks. Here we canalso use our fraudulent centers as seeds of a bipartite graphpropagation algorithm [14], then iteratively expand the setof suspicious surfers and the set of suspicious advertisers, aswell as their intrinsic hit times. The propagation can com-pensate the reduction of flexibility brought by the assump-tion that every coalition center consists of w events, and ithelps to increase the recall rate of the method.
4. PARALLELIZATIONThe real world click logs can be very large, easily render-
ing a serial algorithm as above inapplicable. So we develop aparallel implementation to make it practical in real scenar-ios. The constructing stage and filtering stage are easy toparallelize under a distributed computing framework, suchas MapReduce [6]. Our discussion will focus on the difficultnonparametric clustering step. We also provide some imple-mentation details of our system.
4.1 Parallel Nonparametric Clustering
...
Disco
vere
d C
lusters
Data
Assign
me
nts
Newlygeneratedclusters
3
Assign Assign Assign
2
Assign Assign
Validate
4
1 2
Newlygeneratedclusters
7
Assign Assign Assign
6
Assign Assign
Validate
8
5 6
Figure 5: Parallel diagram for the assignment step.
The nonparametric nature of our clustering algorithmcauses difficulties in its parallelization. The main difficultylies in the assignment step, in which newly generated clus-ters are immediately used by other data points. So we can-not simply divide the assignment tasks to different com-puting nodes. Here, we use the optimistic concurrency con-trol (OCC) technique [18] to make parallelization possible.
Fig. 4 shows a diagram of parallel assignment step. Usingthe OOC technique, we divide the assignment step into Tepoches and equally partition the whole inverted list G intoT parts denoted by B(t), t ∈ {1, · · · , T}.
Each epoch only processes one data portion. The newlygenerated clusters in an epoch are recorded for furtheruse, but not used immediately. That is, each data point pro-cessed in this epoch only needs to be compared with clustersgenerated by the end of the last epoch. Since these clusters’information is known before the start of this epoch, the as-signment tasks in one epoch can be distributed without com-munication. After each epoch, the new clusters generated bydifferent nodes may overlap as they are not compared witheach other. So a serial validation step is needed betweeneach two epoches. During validation, running on a masternode, every pair of the newly generated clusters are com-pared; and if their similarity is larger than the similaritythreshold, we merge them as well as their associated datapoints. Pan, et al. [18] has proved this OOC algorithm forDP-means is equivalent to the serial algorithm. Their proofis also suitable for our algorithm.
For our problem, the total number of clusters approxi-mately equals to the number of surfers. So both comparinga point with all cluster centers and delivering cluster cen-ter files from slave nodes to master nodes are very expen-sive. However, since most clusters are induced by normalsurfers, they only contain one surfer per cluster and will beremoved after clustering. So if the data points are randomlyarranged, we can remove smaller clusters and maintain nomore than K clusters after each epoch to speed up clus-tering. This reduction approximation may lead to removesome small fraudulent coalitions, but the algorithm can bespeed up significantly. With OCC parallelization and reduc-
Algorithm 3: Parallel solution for coalition detection
Input: T, ρ, w,K, τInput: B(t), t ∈ {1 · · ·T}C = ∅while not converged do
k = |C|,Z = ∅;for epoch t = 1 to T doC′ = ∅for xi ∈ B(t) do in parallel
c = arg maxc∈{1,··· ,k} Sτ (xi, µc)
if Sτ (xi, µc) < ρw thenµ′ = {Select w events in xi}C′ = C′ ∪ {µ′}zi =Ref(xi) //Ref() is the referencefunction to the coalition center;
else zi = c;
Validate(C′, ρw)C ={K largest clusters in C ∪ C′}
for c ∈ {1, · · · , |C|} do in parallelµc =UpdateCenter(c)
Output: Accepted cluster centers C
Procedure Validate(C, λ)
for µi ∈ C doc = arg maxc∈{1,··· ,|C||c6=i} Sτ (µi,µc)
if Sτ (µi,µc) > λ thenRef(µi)=cµi = ∅
tion approximation, our final parallel solution for coalitiondetection is described in Alg. 3.
Remark 1. Intuitively, the majority of people behave nor-mally, so almost all clusters in our problem are small clus-ters with only one data point in it, and the mistake inducedby the reduction approximation will not be very high. Infact, under a relatively ideal setting that each point comesfrom an i.i.d. distribution, the false negative rate can be es-
timated as niT
(1− TKN
)(e− 1)−niT , where ni is the size of a
suspicious large cluster i with more than one point in it. Wedefer the derivation details to Appendix. This result showsthat a larger N leads to a larger false negative rate. Sincethe function xa−x is monotonically decreasing when x > 0, alarge cluster is less likely to be removed. Moreover, the largerK will lead to a smaller false negative rate, and if K = N/T(i.e., no reduction), the false negative rate is 0.
4.2 Implementation DetailsBoth the clustering and filtering stages involve a lot of
calculations on sync-similarity. To make this computationefficient, we sort every click history when constructing thesurfer-advertiser inverted list. The events in a click historyare ordered by their target advertiser Ids. When clusters arenewly generated or updated, we maintain their orders. Sowhen comparing two click histories, we can array in orderall events belonging to them within linear time, and computetheir sync-similarity by counting the number of adjacent andsimilar event pairs. The time complexity for this calculation
0 100 250 500 750 10000
200
400
600
800
1000
# Malicious coalitions
# co
aliti
ons
reca
lled
OptimalWithValidationWithout Validation
(a) Recall
100 250 500 750 10000
10
20
30
40
50
# Malicious coalitions
Tim
es p
er it
erat
ion
(min
)
With ValidationWithout Validation
(b) Running speed
Figure 6: Performance on synthetic data: (a) the relation between the number of generated coalitions andthe number of discovered coalitions; (b) the per iteration running time for the two clustering settings.
is O(d1 + d2), where d1 and d2 are the sizes of two clickhistories.
The validation procedure of OCC compares every pair ofthe newly generated clusters. This is a very time consum-ing bottleneck of the clustering algorithm. Meanwhile, weempirically found that only very few clusters can be mergedduring validation. So we can skip the validating procedure tofurther speed up the algorithm. Through evaluation in thenext section, we can see this trick brings significant speedup and still holds an acceptable accuracy.
5. EXPERIMENTSTo verify the effectiveness of our crowd fraud detection
system, we conduct a series of experiments on both syntheticand real click data and carefully evaluate its sensitivity, con-vergence, scalability and accuracy. Most of our algorithmsare written in C++ ran under the streaming mode of a mod-ified Hadoop [1] system. All the experiments are conductedon a Hadoop cluster with more than 4,000 nodes, and we use1,000 mappers and 400 reducers. Raw click logs are storedon the HDFS.
5.1 Synthetic DataMalpractices for Internet advertising is often hard to dis-
tinguish. To judge whether a single click log is malicious ornot, an evaluator often needs to expand a lot of logs thatcorrespond to the source IP or target advertiser Id of thislog. Even an experienced researcher can only label about50 logs per hour, so it is too labor intensive to label all thelogs in a real large dataset. Thus, it is hard to evaluate theperformance of our system, especially its recall rate.
In concern about this issue, we first provide results onsynthetic data, where the truth is known, to check the san-ity of our algorithms as well as evaluate the recall. Here,we generate several datasets, each of which consists of twoparts: normal part and fraudulent part. For the normalpart, we simulate 1 million surfers and 100 thousand ad-vertisers. Each normal surfer randomly clicks 10 advertis-ers, and the hit times for these events are uniformly sam-pled from [1, 240], which represents a time period of 240hours. Since advertiser Ids and hit times are randomly sam-pled, it is unlikely to appear coalitions within this part ofclick logs. As for the fraudulent part, we generate L coali-tions, each of which consists of 200 surfers and 5 adver-
tisers and assigns each advertiser a random intrinsic hittime. Each surfer in a coalition clicks all the advertisersin that coalition, and the clicks target on each advertiserhappen within a 6 hours time period centered at the ad-vertiser’s intrinsic hit time. In the experiment, we set L at100, 250, 500, 750 and 1,000, leading to 5 different datasets.
The synthetic experiments only use the clustering stageof the system to evaluate recall rate, and due to the datagenerating mechanism, the coalition detection precision onthis synthetic dataset should be near 100%. So we do nottest the result precision on this dataset, and the evalua-tion on the system’s precision is left to the real data ex-periments. As stated in Sec. 4.2, the validation procedureis the computational bottleneck, and only very few clusterscan be merged in this procedure. So we test two types ofclustering methods, one with the validation procedure andone without it. The parameters are set as: T = 4, n =50, w = 5, τ = 8, K = 10, 000, that is, each iteration isdivided into 4 epoch, the minimum number of surfers in onemalicious coalition is 50, the minimum number of advertis-ers is 5, the time window radius is 8 hours, and the upperbound for the number of clusters maintained during learningis 10,000. Other small clusters are discarded on the fly. Thediscovered cluster numbers and the per-iteration runningtimes for the 5 synthetic datasets with different numbers offraudulent coalitions are shown in Fig. 6(a) and Fig. 6(b).
Sensitivity Fig. 6(a) shows the relation between the truenumber of coalitions and the number of coalitions discoveredby the algorithm, where the diagonal line shows the optimalperformance (i.e., the number of discovered coalitions equalsto the true number of coalitions). We can see the numberof discovered coalitions for both settings with/without thevalidation procedure increase about linearly when the num-ber of true coalitions increase. The algorithm with validationachieves a recall rate of nearly 100% on average. This resultshows the ability of our algorithm on detecting unknowncrowd frauds. The recall rates of the algorithm without val-idation are relatively lower, e.g., it is about 82% on thedataset with 100 coalitions and 65% on the dataset with1,000 coalitions. Since the occurrences of coalitions in realclick logs are much rarer than the occurrences we definedin the synthetic datasets, the performance of the algorithmwithout validation is also acceptable.
0 10 20 30 40 500
2000
4000
6000
8000
# Iterations
# M
alici
ous
IPs
(a) Convergence
0 17 33 50 67 83 1000
15
30
45
60
70
Percentage of data processed (%)
Tim
e (
min
)
(b) Scalability
Figure 7: Performance on real click data: (a) shows the number of malicious IPs we found during iterat-ing. (b) shows the the overall running time after each epoch.
Efficiency Fig. 6(b) shows the per iteration running timefor the two types of clustering algorithms. We can see theaverage running time for the algorithm with validation isabout 3 times larger than that of the algorithm withoutvalidation. Considering the overhead time cost induced bythe MapReduce implementation, the efficiency gap broughtby the different algorithm strategies could be much larger. Sowhen testing on the real click dataset, we use the clusteringalgorithm without validation for the clustering stage.
5.2 Real World DataWe applied our method to advertisement click logs of a
major Chinese commercial search engine. We use the datasetin Sec. 2, which consists of around 400 million logs, and eachlog is composed by log Id, source IP, target advertiser Id, hittime and searching query.
At the constructing stage, we set SL = 50 and SU =10, 000 to remove queries whose hit frequencies are ex-tremely small or large, these parameters are decided bythe statistics of traffic moderateness on the collected crowdfraud dataset, such as in Fig. 2(a). Then we generate asurfer-advertiser inverted list for further use. At the clus-tering stage, we set parameters as n = 3, w = 8, ρ =0.8, τ = 9, that is, each malicious coalition needs to containat least 3 surfers and 8 advertisers, and each surfer needs toclick at least 80% of these advertisers during a time periodof radius 9 hours. These parameters are selected to maxi-mize the recall rate of coalitions on the given crowd frauddataset. In the experiment, we run 50 iterations at the clus-tering stage. Each iteration is divided into 6 epoches andall validation procedures are skipped. As for the reductionapproximation, we maintain 10,000 largest clusters at mostduring clustering, other small clusters are discarded in realtime. So T = 6, K = 10, 000. These parameters are de-cided by our computing resources, which make sure that theprogram stops running within a reasonable time period. Forthe filtering stage, we choose domain coherence coefficientthreshold λ = 3
8. For the ease of evaluating, the results are
not expanded by propagation.The experimental results are shown as following.Convergence Fig. 7(a) shows the number of malicious
IPs we found after each iteration. Since the numbers of tar-get advertisers in each coalition are the same, this curve ac-tually reflects the objective value of the problem. We can see
λ=3/8
Amount = 29.3K
New discovered
Crowd Fraud
Simple Fraudλ=1/8
Amount = 18.2K
12.4 K
4.8 K1.0K
61%18.0 K
6.7 K
4.6 K
Figure 8: Diagram for the results on real data.
this curve converges after about 30 iterations, which showsthe convergence of our clustering algorithm.
Scalability To show the running time of our system scalesup linearly when data size scales up, we record the overallrunning time after each epoch among 50 iterations. Fig. 7(b)shows the average running times. We can see that the run-ning time increases about linearly when the percentage ofprocessed data increases. This result shows our detectionsystem is scalable when data grows.
Accuracy To evaluate the accuracy of detected frauds, wecompare our results with a rule-based system, which can dis-tinguish simple automatically generated fraud and the crowdfraud in the full traffics. After the clustering stage, we found231 malicious coalitions; after filtering stage, 210 coalitionsare removed by query dispersity filter. The remaining 21coalitions contain 29.3 thousand click logs in total. Throughour observation, 20 of them satisfy the dispersivity condi-tion, which correspond to 98.7% of click logs. The test resultsof these click logs are shown in Fig. 8.
24700 logs meet the results of the baseline system, whichaccount for 83% of our results. 18000 of them are confirmedto be simple fraudulent clicks, they are caused automati-cally by malwares or spywares; 6700 of them are confirmedto be more hidden fraudulent clicks, they are very likely tobe caused by crowd fraud behaviors. The rest 4600 logs arenot found by the baseline methods. Since manual evaluatingis very expensive, we randomly sampled 200 clicks amongthem to judge whether they are fraudulent clicks. The fi-nal manual evaluating result, provided by several domain
experts, confirms that the accuracy on this subset is about90%.
During manual evaluating, we find that all bad cases ofprevious trial are induced by one false alarm coalition. Sowe use a tighter query dispersity filter with λ = 1
8, then
all result coalitions satisfy the dispersivity condition. Theevaluation of this result is also shown in Fig. 8. It showsthat the overall accuracy of this trial is even higher thanthat of the last one.
6. RELATED WORKCrowdsourcing is rising field that includes a series of prob-
lem solving strategies, business models or activities [7, 8,20]. Online working platforms, such as Amazon MechanicalTurk (MTurk) 2, provide a new way to distribute enormoustasks to a crowd of workers, and each worker only needsto finish a small part of the entire task, resulting in fasterand cheaper solutions. This mode is particularly suitablefor large but repetitive tasks like labeling, evaluating, etc.However, the popularisation of crowdsourcing also gives riseto new types of security problems on the web. Crowdturf-ing [22] is the way to hire web workers through maliciouscrowdsourcing platforms to initiate fake campaigns. Thisphenomenon has brought serious problems to social net-works and electronic commerce. In this paper, we focus onthe fraudulent click problem for Internet advertising whichalso starts from malicious crowdsourcing platforms.
Anomaly Detection [4] is a well studied topic in variousapplication domains. It aims to find patterns in data whichdo not conform to the expected behavior. Many methodshave been developed for different applications such as frauddetection for credit cards, insurance, health care, intrusiondetection for cyber-security, etc. Fraud detection for In-ternet advertising is an important application of anomalydetection. Rule-based methods such as detecting emptycookie and hit inflations [17] are useful to find simple at-tacks. Graph-based detection methods are also tried, e.g.,people use co-clustering or prorogation methods [13] to findsuspicious dense connections between surfers and targets.As for other related areas, CopyCatch [3] is a successful ap-proach which focuses on detecting fake likes on Facebook.They provided a way to find coalitions who demonstratesteplock behavior. In our work, we build a detection sys-tem aimed at crowd fraud detection for Internet advertisingwhich is unbounded and scalable.
Clustering is one fundamental problem in data mining. Itgroups a set of objects so that objects in the same group aremore similar to each other than to those in other groups. K-means is one of the most popular clustering methods, butit needs to pre-specify the number of clusters. Many non-parametric methods has been studied to overcome this limi-tation, such as Dirichlet process mixtures (DPM) [2], whichis the nonparametric version of the Gaussian mixture modeland can learn the cluster number. Mean-shift clustering is anapproach which merges clusters on the fly [5], with wide usein computer vision. DP means [12] is another nonparametricclustering method derived by a small variance asymptoticsof DPM. It reserves the nonparametric essence and dramat-ically increases running speed compared to DPM. Similarsmall variance techniques have been extended to many othernonparametric Bayesian models [19, 23]. Inspired by DP-
2http://www.mturk.com/.
means, our work converts crowd fraud detection to cluster-ing by defining the sync-similarity, and proposes a fast andparallel algorithm for real Internet advertising.
7. CONCLUSIONSWe formalize the crowd fraud detection problem in Inter-
net advertising, and carefully analyze the behaviors of crowdfraud to identify three important characteristics, includingmoderateness, synchronicity and dispersivity. Based on thefindings, we further develop an effective detection system,which consists of three major steps, data constructing, clus-tering and filtering. One key step is convert the originalcoalition detection problem to a clustering problem. Ournonparametric clustering method ensures to learn the un-known number of coalitions, which is important for real-world applications. Finally, we build a parallel detectionsystem for search engine advertising, and conduct extensiveexperiments to evaluate its performance on both syntheticand real click data. Results show that our system can findfraudulent clicks with a high accuracy, and it can be scaledup to large datasets.
In the future, we would like to do more analytical workon crowd fraud, and test the performance of our system ondatasets of shorter time period. We’d also like to extendcurrent algorithms to other fraud detection problems suchas click fraud or social network spams.
AcknowledgmentsThe work was supported by the National Basic ResearchProgram (973 Program) of China (No. 2013CB329403), Na-tional Natural Science Foundation of China (Nos. 61322308,61332007), and the Tsinghua National Laboratory for Infor-mation Science and Technology Big Data Initiative.
APPENDIXA. FALSE-NEGATIVE RATE ANALYSIS
Let s be the number of large clusters with size largerthan 1, d be the number of small clusters with only onepoint in each cluster, and ni be the size of the ith clus-ter. Assume that the N data points are i.i.d. sampledfrom a multinomial distribution with s + d parametersε1, ε2, · · · , εs, ε0, · · · , ε0, where εi = ni
Ndenotes the proba-
bility that a point is sampled from cluster i, and∑si=1 εi +
dε0=1. Since the number of clusters is large, each εi is small.After the tth epoch, we maintain only K largest clusters
and remove about NT−K small clusters, so the probability
that a small cluster will be removed is 1 − TKN
. For the ithcluster, the probability that its current size equals to one isNTεi(1−εi)t
NT−1 ≈ N
Tεi exp (−tN
Tεi) = ni
Texp (−tni
T), where
we use the fact that the binomial distribution converges to-wards the Poisson distribution as the number of trials goesto infinity while the product Nεi remains fixed. Thus theprobability that this cluster will be removed after this epochis (1 − TK
N)niT
exp (−tniT
). Considering all T epoches, theprobability that the ith cluster will be removed is (1 −TKN
)niT
∑Tt=1 exp (−tni
T) ≤ (1 − TK
N)niT
(e− 1)(−niT
). There-fore, the false negative rate is the one as sated in Remark1.
B. REFERENCES[1] Apache hadoop. http://hadoop.apache.org/.
[2] C. E. Antoniak. Mixtures of Dirichlet processes withapplications to Bayesian nonparametric problems. TheAnnals of Statistics, pages 1152–1174, 1974.
[3] A. Beutel, W. Xu, V. Guruswami, C. Palow, andC. Faloutsos. CopyCatch: stopping group attacks byspotting lockstep behavior in social networks. InWWW, 2013.
[4] V. Chandola, A. Banerjee, and V. Kumar. Anomalydetection: A survey. ACM Computing Surveys(CSUR), 41(3):15, 2009.
[5] Y. Cheng. Mean shift, mode seeking, and clustering.IEEE Trans. on PAMI, 17(8):790–799, 1995.
[6] J. Dean and S. Ghemawat. MapReduce: simplifieddata processing on large clusters. Communications ofthe ACM, 51(1):107–113, 2008.
[7] A. Doan, R. Ramakrishnan, and A. Y. Halevy.Crowdsourcing systems on the world-wide web.Communications of the ACM, 54(4):86–96, 2011.
[8] J. Howe. The rise of crowdsourcing. Wired magazine,14(6):1–4, 2006.
[9] K. Jiang, B. Kulis, and M. I. Jordan. Small-varianceasymptotics for exponential family Dirichlet processmixture models. In NIPS, 2012.
[10] E. Kamar, S. Hacker, and E. Horvitz. Combininghuman and machine intelligence in large-scalecrowdsourcing. In AAMAS, 2012.
[11] L. Kim. The most expensive keywords in Googleadwords.http://www.wordstream.com/blog/ws/2011/07/18/
most-expensive-google-adwords-keywords, 2011.
[12] B. Kulis and M. I. Jordan. Revisiting k-means: Newalgorithms via Bayesian nonparametrics. In ICML,2012.
[13] X. Li, Y. Liu, M. Zhang, and S. Ma. Fraudulentsupport telephone number identification based onco-occurrence information on the web. In AAAI, 2014.
[14] X. Li, M. Zhang, Y. Liu, S. Ma, Y. Jin, and L. Ru.Search engine click spam detection based on bipartitegraph propagation. In WSDM, 2014.
[15] A. Metwally, D. Agrawal, and A. El Abbadi.Detectives: detecting coalition hit inflation attacks inadvertising networks streams. In WWW, 2007.
[16] A. Metwally, D. A. A. El Abbadi, and Q. Zheng. Hideand seek: Detecting hit inflation fraud in streams ofweb advertising networks. Technical Report,University of California at Santa Barbara, 2006.
[17] R. Oentaryo, E.-P. Lim, M. Finegold, D. Lo, F. Zhu,C. Phua, E.-Y. Cheu, G.-E. Yap, K. Sim, M. N.Nguyen, et al. Detecting click fraud in onlineadvertising: a data mining approach. JMLR,15(1):99–140, 2014.
[18] X. Pan, J. E. Gonzalez, S. Jegelka, T. Broderick, andM. Jordan. Optimistic concurrency control fordistributed unsupervised learning. In NIPS, 2013.
[19] A. Roychowdhury, K. Jiang, and B. Kulis.Small-variance asymptotics for hidden Markov models.In NIPS, 2013.
[20] R. Snow, B. O’Connor, D. Jurafsky, and A. Y. Ng.Cheap and fast—but is it good?: evaluatingnon-expert annotations for natural language tasks. InEMNLP, 2008.
[21] Y. Tian and J. Zhu. Learning from crowds in thepresence of schools of thought. In SIGKDD, 2012.
[22] G. Wang, C. Wilson, X. Zhao, Y. Zhu, M. Mohanlal,H. Zheng, and B. Y. Zhao. Serf and turf: crowdturfingfor fun and profit. In WWW, 2012.
[23] Y. Wang and J. Zhu. Small-variance asymptotics forDirichlet process mixtures of SVMs. In AAAI, 2014.