Data transfer for network interaction fraudulence detection

US9729563B2 · US · B2

Patent metadata
Publication number: US-9729563-B2
Application number: US-201614987169-A
Country: US
Kind code: B2
Filing date: Jan 4, 2016
Priority date: Mar 22, 2007
Publication date: Aug 8, 2017
Grant date: Aug 8, 2017

Abstract

Transferring metadata is disclosed. Information about a network interaction is processed to generate metadata describing the network interaction. Based on the metadata it is determined whether the metadata is to be transferred to an aggregator. In the event that the metadata is to be transferred, one or more aggregators are determined to which the metadata is to be transferred. The metadata is transferred to the one or more aggregators.

First claim

What is claimed is:

1. A system, comprising: a processor; and a memory coupled with the processor, wherein the memory is configured to provide the processor with instructions which when executed cause the processor to perform operations comprising:
    processing information about a network interaction to generate metadata describing the network interaction;
    detecting a fraudulent interaction corresponding to the network interaction based on determining the metadata indicates at least one of:
        a source internet protocol (IP) address has been involved with spam;
        a source IP address is not available for tracing;
        a session user visited a predetermined number of sites without a conversion;
        a spacing between clicks has the same timing;
        a source IP address has recently sent a predetermined number of spam or phishing emails;
        a source IP address cannot be located with a probe within a predetermined amount of time; or
        a predetermined number of network interactions within a predetermined amount of time have the same source IP address;
    determining to transfer the metadata to an aggregator based on detecting the fraudulent interaction; and
    transferring the metadata to the aggregator.

2. The system of claim 1, wherein the aggregator is a first aggregator in a first layer of a tiered set of aggregators.

3. The system of claim 2, wherein the aggregator is one or more of a local aggregator, a regional aggregator, a country aggregator, an organizational aggregator, or a segment aggregator.

4. The system of claim 2, wherein the aggregator aggregates metadata received from a plurality of user computer devices.

5. The system of claim 4, wherein the aggregator transmits aggregated metadata to an aggregator in a second layer of the tiered set of aggregators.

6. The system of claim 5, wherein the aggregator in the second layer is a centralized aggregator.

7. The system of claim 4, wherein the aggregator transmits aggregated metadata to a peer aggregator in the first layer of the tiered set of aggregators.

8. The system of claim 1, wherein the aggregator calculates a red alert based at least on the metadata that is transferred.

9. A method, comprising:
    processing information about a network interaction to generate metadata describing the network interaction;
    detecting a fraudulent interaction corresponding to the network interaction based on determining the metadata indicates at least one of:
        a source internet protocol (IP) address has been involved with spam;
        a source IP address is not available for tracing;
        a session user visited a predetermined number of sites without a conversion;
        a spacing between clicks has the same timing;
        a source IP address has recently sent a predetermined number of spam or phishing emails;
        a source IP address cannot be located with a probe within a predetermined amount of time; or
        a predetermined number of network interactions within a predetermined amount of time have the same source IP address;
    determining to transfer the metadata to an aggregator based on detecting the fraudulent interaction; and
    transferring the metadata to the aggregator.

10. The method of claim 9, wherein the aggregator is a first aggregator in a first layer of a tiered set of aggregators.

11. The method of claim 10, wherein the aggregator is one or more of a local aggregator, a regional aggregator, a country aggregator, an organizational aggregator, or a segment aggregator.

12. The method of claim 10, wherein the aggregator aggregates metadata received from a plurality of user computer devices.

13. The method of claim 12, wherein the aggregator transmits aggregated metadata to an aggregator in a second layer of the tiered set of aggregators.

14. The method of claim 13, wherein the aggregator in the second layer is a centralized aggregator.

15. The method of claim 12, wherein the aggregator transmits aggregated metadata to a peer aggregator in the first layer of the tiered set of aggregators.

16. The method of claim 9, wherein the aggregator calculates a red alert based at least on the metadata that is transferred.

17. A non-transitory computer-readable medium storing instructions that, when executed by at least one processor of a computing system, cause the computing system to perform a method, comprising:
    processing information about a network interaction to generate metadata describing the network interaction;
    detecting a fraudulent interaction corresponding to the network interaction based on determining the metadata indicates at least one of:
        a source internet protocol (IP) address has been involved with spam;
        a source IP address is not available for tracing;
        a session user visited a predetermined number of sites without a conversion;
        a spacing between clicks has the same timing;
        a source IP address has recently sent a predetermined number of spam or phishing emails;
        a source IP address cannot be located with a probe within a predetermined amount of time; or
        a predetermined number of network interactions within a predetermined amount of time have the same source IP address;
    determining to transfer the metadata to an aggregator based on detecting the fraudulent interaction; and
    transferring the metadata to the aggregator.

18. The non-transitory computer-readable medium of claim 17, wherein the aggregator is a first aggregator in a first layer of a tiered set of aggregators.

19. The non-transitory computer-readable medium of claim 18, wherein the aggregator transmits aggregated metadata to a centralized aggregator in a second layer of the tiered set of aggregators.

20. The non-transitory computer-readable medium of claim 17, wherein the aggregator calculates a red alert based at least on the metadata that is transferred.

Classifications

  • Rule management

  • for detecting or protecting against malicious traffic

  • by monitoring network traffic (monitoring network traffic per se H04L43/00)

  • Event detection, e.g. attack signature detection

  • for managing network security; network security policies in general (filtering policies H04L63/0227)

Frequently asked questions

Answers are generated from the same data shown on this page.

Who is the assignee on this patent?
Comscore Inc
What technology area does this patent fall under?
Primary CPC classification H04L63/1416. Mapped technology areas include Electricity.
When was this patent published?
Publication date Aug 8, 2017 (B2). Legal status and post-grant events are not shown on this page.