1. Technological Field
The present disclosure relates generally to the field of data (for example, Internet data or other content) delivery over a network. More particularly, the present disclosure is related in one exemplary aspect to apparatus and methods for modifying services provided to a user or subscriber of a managed network based on online activity associated therewith.
2. Description of Related Technology
Recent advances in digital information processing and technology have made a range of services and functions available for delivery to consumers at their premises for very reasonable prices or subscription fees. These services and functions include high-speed Internet access, provision of digital content or programming (movies, etc.), digital video-on-demand (VOD), Internet Protocol television (IPTV), and IP-based telephony (e.g., VoIP). Other services available to network users include access to, and recording of, digital music (e.g., MP3 files), as well as local area networking (including wire-line and wireless local area networks) for distributing these services throughout the user's premises, and beyond. Network-delivered or network-based gaming and applications (“apps”) have also each recently come to the forefront as popular content areas for users.
Currently, many of these services are provided and delivered to the users via a wide variety of different equipment environments including, inter alia, cable modems, Wi-Fi® hubs, Ethernet hubs, gateways, switches and routers, computers, servers, cable or satellite networks and associated set-top boxes.
In providing access to content over digital information sources, a breach in security of a single device may threaten to or may cause actual harm to other devices in the system. One particularly acute problem relates to surreptitious use of so-called “bots” (robots) on client systems throughout a network. Different types of bots exist in data networks such as the Internet, and are often characterized by (unknowing) implantation on a user's device (e.g., PC, laptop, etc.), and subsequent activity under the direction of a remote “command and control” bot. Once implanted on the user's computer or other device (such as via the user opening a Trojan or similar virus file or clicking on a link which causes the download of malicious code), the bot can be subsequently activated by the command and control bot (or even autonomously), and used for surreptitious activity such as advertising fraud, distributed denial of service (DDoS) attacks, etc., all without the user's knowledge. In effect, a “network of bots” distributed across numerous user platforms is created, and when implemented can cause any number of undesirable effects on the network, third party users of the network (e.g., advertisers), and even the users (subscribers) themselves. Such bots are often undetectable via standard anti-virus software, and hence remediation (rather than prevention) is often employed for mitigating the effects of such activity.
One type of bot often seen is the so-called ad bot (advertising bot) that fraudulently activates or clicks on advertising without host (e.g., user computer) knowledge. This activity can, inter alia, corrupt advertising revenue schemes put in place by the advertiser. For instance, if paying on a “per-click” basis for traffic from users of a given managed network or placement site, one or more bots repetitively clicking on an advertisement will not only skew the data regarding user interest or use in the advertisement, but also potentially cause the advertiser to pay more than they would otherwise due to the malicious activity. Such factors often give advertisers a negative opinion or rating of a given delivery platform (e.g., network), and hence they may avoid further use of that platform in the future. Advertisers need a level of assurance that customers of a given managed network (e.g., cable MSO network) and sites served by that network are free of fraud, since they are ostensibly spending significant sums to have their ads placed in various instances within content or sites operated by that network and accessed by the network's users. In that managed network operators generate significant revenue from third-party advertisers, losing such advertisers due to malicious bot or other infections can be devastating to revenue and profitability.
Likewise, users having computers or other devices connected to the network may experience degradation of performance (in that the bot, when running in the background, is consuming resources of the computer and communications bandwidth), as well as other undesirable effects such as frequent (false) pop-up windows, Internet browser “spoofing” or redirect attacks, and the like, all leading to greatly reduced customer satisfaction.
In that the level of sophistication of such malicious activity has increased over time, it is often not even the user's fault that their machine has become infected with a bot or other malicious code. The differences between legitimate and fraudulent websites, pop-ups, links, etc. are often (intentionally) quite subtle, and tend to spur the user into immediate action so as to ostensibly correct some “glaring” deficiency (e.g., “virus detected—click here to quarantine the virus!”).
Hence, it is a critical goal of service providers to defend themselves as well as their clients (both users and other third parties such as advertisers) against such harmful behavior.
As noted above, remediation of a given user's activity is often times required (e.g., electronically sequestration of their machine, removal of the malicious code, etc.), in that the infection or malicious activity is not detected until well after initial infection and implementation. Signature detection (e.g., classifying a PC or other device as having a bot infection based on evaluation of its activity) and remediation (e.g., communicating to customer that they have infection, and correction/prevention of security breach to enhance network security) are commonly used in such cases, and are known in the prior art. However, such mechanisms are largely reactive, and do little if anything to prevent or mitigate future infections.
Further, such remediation often consumes significant time and resources of the service provider, including potentially (human) technical support and even a “truck roll” (i.e., service call). Such consumption of resources necessarily reduces the service provider's profitability, especially when considered across the millions of users of a typical large managed (e.g., cable or satellite) content delivery network.
Moreover, any attempts at anticipatory or proactive remediation or corrective action under prior art “manual” processing would be so laborious as to make provision of the aforementioned functions practically impossible. Even if such analysis could be performed manually or semi-manually, speed of identification of fraudulent activity and processing (including remediation or implementation of other defensive or anticipatory corrective measures) is often critical, and hence any effective solution is necessarily incompatible with the long delays associated with the primarily manual processing used in the prior art.
Hence, what is needed is a complementary “proactive” approach to mitigating or preventing illicit online activity. Ideally, such methods would provide a dynamic mechanism that could be at least partly employed using computer and networking technologies, so as to enable substantially automated and real-time detection and pre-emptive/corrective action, as well as identification of repeat-offending users or computers (and treatment of such users in a manner commensurate with their potential for infection by malicious code).