ClickGuard analyzes many aspects of an IP address in order to assess if an IP address is a known threat. This includes fetching IP information from various anti-fraud, geo-location, and blacklist services. That means ClickGuard is able to learn if an IP address is:

• an anonymous proxy (exit address for anonymizing services such as HTTP/Socks proxies, VPNs, or Tor)
• a fake crawler (Suspicious web scraper impersonating popular and legitimate crawlers)
  
• a port scanner (port scanning as in a common way to search for exploitable security vulnerabilities in running network services)
  
• an attack source (a known source of various cyber attacks), including the type of the attack (web, mail, SSH, FTP, SIP, etc.)
  
• hosting a bot (part of a malicious botnet), including botnet type (bad, brute force, scan, spam, referrer spam, etc.)
  
• blacklisted for any other fraud or abuse-related reason
  
  

By cross-referencing the information about an IP address across multiple services ClickGuard is able to determine the threat level and classify it as:

• low - the default for IP addresses not associated with bad behavior
  
• medium - high probability for unwanted ad clicks
  
• high - high probability for abusive, disruptive, and fraudulent ad clicks