AmbireTech / adex-protocol

AdEx Protocol: docs
45 stars 21 forks source link

PoC for resource-bound bot prevention (fraud resistance) #52

Closed Ivshti closed 4 years ago

Ivshti commented 4 years ago

Prize title

PoC for resource-bound bot prevention (fraud resistance)

Prize Bounty

777 DAI

Challenge Description

Problem

Online advertising is plagued by all types of fraud. One of the most prominent types is bot traffic and/or click fraud.

Simple methods of estimating user uniquiness such as using an IP do work, but are ultimately unsound because (1) users can share a single IP and (2) multiple IPs can be bought/rented through proxy networks.

The main problem we want to address here is that: despite the validator limits, if you have a sufficiently large pool of IPs, you can keep POST-ing IMPRESSION/CLICK events, and they will be recorded.

For background on AdEx, see AdEx protocol. Please read this before starting work, it will give you essential context on how to build the solution.

Solution

It's fundamentally impossible to distinct bot traffic from human traffic (without methods that compromise privacy, such as KYC), but it is possible to make bot attacks more expensive without impacting UX for end users.

Initially, a property in campaignSpec will be added to enable the mechanism. When enabled, the validators would check for a PoW solution upon each postEvents (implemented in Sentry's access lib). It should work alongside the limiting mechanisms already present in the access lib (IP rate limiting).

What will be submitted is a salt and a hash. The hash must be a solution to some configurable difficulty, and the preimage must be (salt, publisherAddr, eventType, timeFrame, IP). This way, you can't reuse solutions for different IPs/timeframes./publishers.

The solution would be computed in the AdView using WebGL, leveraging GPU parallelism as much as possible, to prevent CPU-only servers being efficient.

Furthermore, there could be a minimum size for the salt parameter because most residential IP proxy services are priced by data (e.g. 15$ per GB that's 50k impressions, so 20KB per impression.

The ultimate goal is to make bot-based fake traffic much more expensive, therefore rendering them economically unviable.

PoW algorithm

It has to be decided what PoW algorithm will be used.

Essentially it boils down to: identify a hash/PoW algo that would be efficient on a GPU but inefficient on CPUs and can be implemented in WebGL, and then implement it.

ProgPOW or RandomX may be a good fit for this.

Submission Requirements

Develop a proof-of-work library that is more efficient to run on the GPU through WebGL than on a single DigitalOcean CPU core (General Purpose droplet).

Apply it in the AdEx stack by submitting relevant PRs to the AdView and the Validator. Make in an optional feature triggered by a flag in campaignSpec and verified in the validator's access library.

A PR must be made to the following repositories:

Submission Deadline

30/03/2020

Judging Criteria

Because of the complexity of the task, each submitted solution will be looked at individually to judge it's potential to prevent bot-based ad fraud.

The solution must be more efficient on a GPU through WebGL than on a CPU natively, and must be able to be computed in the browser without blocking the page.

Winner Announcement Date

15/04/2020

gitcoinbot commented 4 years ago

Issue Status: 1. Open 2. Started 3. Submitted 4. Done


This issue now has a funding of 777.0 DAI (777.0 USD @ $1.0/DAI) attached to it as part of the AdExNetwork fund.

cankisagun commented 4 years ago

Would something like this be interesting to do KYC in a privacy preserving manner? https://blog.enigma.co/bot-or-not-f7108200738d

We can create a system where the user downloads it's FB data to associate an address with a "human identity" - say based on the growth of number of friends over time. Based on this we can mint NFTs.

We had considered this usecase with DataWallet for ad fraud, but I don't think anyone is currently working on this

Ivshti commented 4 years ago

Not really applicable cause asking users to KYC just to see ads is unrealistic.

If the publisher website KYCs them anyway and reports that the user is real, it's still problematic because the publisher has the biggest incentive to claim this user is real cause that's how they get their numbers up.

gitcoinbot commented 4 years ago

Issue Status: 1. Open 2. Started 3. Submitted 4. Done


Work has been started.

These users each claimed they can complete the work by 2 weeks, 2 days ago. Please review their action plans below:

1) julesdesmit has started work.

First step will be to identify a proper hash function which satisfies the requirements. I am heavily looking into ProgPOW but still searching if others might be a better fit (and possibly, less complex implementation-wise). Question: Will the hash function need to be ASIC-resistant specifically?

Afterwards, it will be a question of implementing said algorithm in the correct places, on the AdEx codebase. 2) rahmanunjan has started work.

I will outline a plan, look at how to monetize it, validate it with a small customer base, build an application, test and reiterate.

Learn more on the Gitcoin Issue Details page.

vs77bb commented 4 years ago

Hey @julesdesmit how is this one going? Curious how progress has been -- it definitely has to be ASIC resistant, per @Ivshti.

jules commented 4 years ago

@vs77bb going alright! I've got the general idea of it lined up (starting with the algorithms needed for Ethash, and then adjusting for ProgPoW). I'm a little busy with my current work but I'm going to pick it right back up by the end of the week, and I hope to finish the PoW implementation at least by the end of the weekend.

Do you guys have a strong preference for WebGL 1? If not, I will probably implement it in WebGL 2, as it might prove a bit easier (though may be less compatible).

Ivshti commented 4 years ago

Looking at the browser support, I'd say webgl 2 is acceptable if it can be justified (higher perf, easier development)

jules commented 4 years ago

Small update on my progress here, haven't been able to work as much as I wanted to this weekend, but I will be able to finish the PoW library in the next couple days, as I have a bit more room this week to work on side projects. Afterwards, some simple testing and then I'll be looking to opening the needed PRs.

gitcoinbot commented 4 years ago

Issue Status: 1. Open 2. Started 3. Submitted 4. Done


Work for 777.0 DAI (777.0 USD @ $1.0/DAI) has been submitted by:

  1. @zoek1

@Ivshti please take a look at the submitted work:


gitcoinbot commented 4 years ago

Issue Status: 1. Open 2. Started 3. Submitted 4. Done


This Bounty has been completed.