RU2754967C1 - Method of transferring anonymous data to an untrusted party - Google Patents

Abstract

FIELD: information technology.SUBSTANCE: invention relates to a method for providing anonymity when routing data in a client-server architecture. According to the method, the data structure is divided on the client side. The data structure is intended to be sent to the server. The data structure is divided into a substructure containing critical data (hereinafter referred to as CD); a substructure not containing CD. The primary transformation of the data substructure containing the CD is carried out on the client side without the possibility of reverse transformation of the data by an anonymization device. After that the data including a substructure that does not contain CD and the transformed substructure of data containing CD are sent to the node with the device of anonymization. The node with the device of anonymization is not on the same Intranet with the server or the client. Secondary transformation of each received substructure of data containing CD is carried out by the anonymization device without the possibility of reverse transformation on the server or the client side. The data substructures are transferred from the anonymization device to the server.EFFECT: invention ensures the anonymity of sending critical data to the server.10 cl, 1 tbl, 19 dwg

Description

Technology area

The invention relates to methods for providing anonymity when routing data in a client-server architecture.

State of the art

Changes in legislation in the world (for example, in the Russian Federation a law has been signed according to which the personal data of Russians used by online services must be stored on the territory of Russia, in Switzerland it is required for banks that user data also does not leave the territory of the jurisdiction of the federal government; data must not be stored in the clear) force information security professionals to look for new ways to manage data leaving personal electronic devices. At the same time, the developed solutions should not complicate the work of users of computer systems and work for users as transparently as possible.

With the introduction of the General Data Protection Regulation (GDPR), the amount of personal data stored in the network infrastructure on the side of various services and received from users becomes minimal. At the same time, it is necessary to provide distributed storage and processing of data received from the user without losing their uniqueness.

These reasons cause difficulties in the implementation of cloud infrastructure in the corporate and private sector, as a result, technical solutions appear on the market that allow taking into account the requirements of the legislation. For example, publications:

• US 20122866 describes a method of storing data in cloud storage, in which any file from the user's device goes to a proxy server, where it is encrypted and transferred to the cloud storage;

• US 8739265 describes a method for obfuscating and extracting data, where data containing confidential data sent from a device is intercepted, modified and transferred further to the cloud storage. At the same time, not all data is changed, but determined in accordance with the rules set in the network, and this data may not be transferred to the cloud, but extracted and stored locally, and pop sensitive data and a token will be transferred instead of the extracted data;

• US 8601598 describes a technology for secure storage of data in cloud storage, in which data entering the cloud storage from devices with an agent installed is encrypted with a public key, while the storage itself can be divided depending on the types of data and users using the storage.

Based on the analysis of the state of the art, it becomes clear that the described means require the installation of an additional agent on the user's device, which makes it difficult for the user to work with the remote server and makes the interaction opaque. In another case, where the agent is not installed, total encryption of outgoing data is performed without taking into account the content, which is also inconvenient and creates an additional load. The location of the client and server is also overlooked. A solution is required that will be able to solve the indicated disadvantages.

Disclosure of invention

The present invention is intended for sending data in a client-server architecture with ensuring the anonymity of the transmitted data and without losing the completeness and representativeness of the information required by the server for analyzing and building statistics.

The technical result of the present invention is to provide sending critical data to the server.

The object of the present invention is a method for sending critical data to a server, in which a data structure is divided on a client to be sent to a server on a substructure containing critical data (hereinafter DC) and a substructure that does not contain DC. The substructure containing the CD is additionally divided on the client into at least two substructures and the resulting substructures are sent sequentially to the server through the node with the transformation means, the substructure not containing the CD is sent directly to the server, bypassing the node with the transformation means. After receiving the substructures, they are combined on the server into a single data structure. Critical data is data in respect of which the law of the state in the jurisdiction of which the client is located or an authorized entity imposes restrictions on the collection, storage, access, distribution and processing. Critical data can be confidential data ~ any data protected by the law of the state in whose jurisdiction the client is located, in a particular case, such data are personal data or special categories in the terminology of the GDPR or the Federal Law of the Russian Federation No. 152 dated 27.07.2006.

The host with the transformer can be located in a regional network different from the regional network in which the server is located, and not be on the same Intranet with the server or client, and the regional network of the host with the transformer and the regional network of the server can be located in different jurisdictions. A regional network can simultaneously be a national network.

Each substructure of data passing through it is transformed by means of a node transformation, where the transformation can be carried out sequentially as the substructures are traversed; also, in a particular case, the original and transformed substructure are not saved on the node after transformation. In a particular case, the conversion tool is an anonymization tool; the conversion itself can be carried out by means of encryption.

In a particular case, the data of the substructure, which does not contain the CD, is transformed by a conversion means using asymmetric encryption methods, where the public key is transmitted to the client, and the private key is stored on the server.

In another particular case, the primary transformation of the data substructures is carried out on the client without the possibility of reverse transformation of the data by the transformation means, and the transformation means performs the secondary transformation of the passing data substructure without the possibility of the inverse transformation on the server or client.

Brief Description of Drawings

The accompanying drawings are included to provide a further understanding of the invention and form part of the description, show embodiments of the invention, and together with the description are necessary to explain the features of the invention.

FIG. 1 - depicts a data routing system in a client-server architecture.

FIG. 2 shows a variant of a method for routing data in a client-server architecture with dividing the data structure into substructures by the client.

FIG. 3 depicts a variant of the method for routing data in a client-server architecture when executing a request with the allocation of substructures in the data structure by means of anonymization.

FIG. 4 depicts a variant of the method for routing data in a client-server architecture with the allocation of substructures in the data structure by the client.

FIG. 5 shows a variant of a method for routing data in a client-server architecture when executing a request with dividing the data structure into substructures by the client.

FIG. 6a shows an example of an implementation of a method for routing data in a client-server architecture when sending data (for building statistics) with dividing the data structure into substructures by the client.

FIG. 6b shows an example of a method for routing data in a client-server architecture upon detection of a targeted attack on a client based on the collected information by the method of FIG. 6a.

FIG. 7 shows an example of an implementation of a method for routing data in a client-server architecture when executing a request with the allocation of substructures in the data structure by means of anonymization.

FIG. 8 depicts an example of an implementation of a method for routing data in a client-server architecture with the allocation of substructures in the data structure by the client.

FIG. 9 shows an example of an implementation of a method for routing data in a client-server architecture when executing a request with dividing a data structure into substructures by a client.

FIG. 10 depicts an anonymous data exchange system in a client-server architecture.

FIG. 11 depicts a variant of a data exchange method in a client-server architecture, which is used to receive data from clients for building statistics on the server side.

FIG. 12 depicts a variant of the data exchange method used when making a client request to a server.

FIG. 13 depicts an example of the implementation of the method of data exchange when performing a client request to the server.

FIG. 13a depicts an example of the implementation of the method of data exchange when executing a client request to the server in asynchronous mode.

FIG. 14 depicts an embodiment of a method for transmitting critical data in a client-server architecture.

14a shows an example of a method for transmitting critical data in a client-server architecture.

FIG. 15 depicts an example of a general purpose computer system.

Implementation of the invention

FIG. 1 depicts a data routing system between a client and a server. The system includes a client, a server, a network node with an anonymization tool. The server is part of the cloud infrastructure (not shown) and the client is the user's device. The node with the anonymization means located in the regional network ^{1 (1} geographically dispersed network, communication means integrates computers in different locations, a plurality of regional networks forming a global network.) Other than the regional network, wherein the server machine ^{2 (2} This allows the positioning elements systems in independent jurisdictions) and is not in the same Intranet ³ ( ³ GOST Ρ ISO 9241-151-2014) with a server or client. Moreover, within the framework of this invention, different regional networks are not only geographically dispersed, but also located in different jurisdictions, therefore, obviously, within the framework of this invention, different regional networks can be, among other things, networks that unite nodes of countries (national networks). For example, from FIG. 1:

• regional network 1 - US network;

• regional network 2 - Germany / EU network;

• regional network 3 - the network of the Russian Federation.

The global network of FIG. 1 is a collection of all regional networks - the world network - the Internet. In GDPR terminology, for example, the regional network of the Russian Federation in which the server is located will be considered the regional network of a third country.

In a particular case, the regional network of the node with the means of anonymization is also different from the regional network of the client. The arrows in FIG. 1 depart from the network, and not from the client, since in the general case the external IP address is visible due to the functioning of technologies for hiding internal addresses, in particular: Proxy, NAT.

The client contains a modification tool designed to divide the data structures (which are formed to be sent from the client to the server) into substructures and select a route for the received substructures. The criteria for dividing the data structure into substructures can be different, one of these criteria is the presence of personal data (Personal Identification Information) or their special categories (in GDPR terminology), in which the data structure is divided in such a way that one substructure contains personal data ( hereinafter PD, English PII) or their special categories, another substructure includes data that is not personal. The relationship of data to personal is determined, for example, by the legislation of the country in the jurisdiction of which the user is using the device, which is the client in the described system. In other words, by the location of the data source. Another more general criterion is the availability of critical data. Critical data refers to data in respect of which the law or an authorized entity imposes restrictions on the collection, storage, access, distribution and processing. These data, as a rule, are sensitive to disclosure, distribution, leakage, since the occurrence of these events leads to a violation of the rights and legally protected interests of subjects and provides for liability for subjects who have violated the rules for collecting, storing, accessing, processing such data. A special case of critical data is confidential data ⁴ ( ⁴ or confidential information, within the framework of this application, confidential data and confidential information are synonyms) (English sensitive data). Confidential data means data that is protected in accordance with the legislation of the country in the jurisdiction of which the user is using the device, which is the client in the described system. In a particular case, confidential data includes personal data (PD) and data containing:

• commercial secrets;

• tax secrets;

• bank secrecy;

• medical confidentiality;

• notarial secret;

• attorney-client privilege;

• audit secrecy;

• communication secrecy;

• secrecy of insurance;

• secret of the will;

• secret of adoption;

• the secret of confession;

• secrecy of the investigation;

• secrecy of legal proceedings;

• information about protected persons

• state secrets.

The anonymizer is designed to transform and reverse transform substructures that route through the node with the anonymizer. In a special case, transformation of substructures is understood as the transformation of data that contains a substructure. In a particular case, the methods for transforming these substructures are:

• quantization;

• sorting;

• merging (gluing);

• grouping;

• setting up a dataset;

• table substitution of values;

• calculated values;

• data coding;

• encryption;

• normalization (scaling).

Some types of transformations can be applied not only to individual data in the substructure, but also to the substructure as a whole, for example, tokenization and / or encryption. In this case, the transformation in a particular case is carried out without the possibility of the inverse transformation ⁵ ( ⁵ under the inverse transformation is understood the transformation that allows you to restore the original form of the transformation object (data, substructure) before transformation) by any means other than the means of anonymizing the node. In the general case, a transformation means a mapping (function) of a set into itself, or in other words, transformations are called mappings that transfer a set to another set ⁶ ( ⁶ Mathematical Encyclopedic Dictionary. - M., 1988. - P.487).

A substructure from the same client can be transformed by the anonymization tool in the same way or in different ways. If the transformation is carried out in the same way, then the transformed substructure or substructure data from the same client will look identical, otherwise they will be different and it will be impossible to build statistics for one client (profiling).

The server contains a federator for combining a client-partitioned data structure. The union can be carried out, for example, on the basis of unique identifiers that are assigned to each substructure during division and are identical for substructures of one structure. The combiner receives substructures coming to the server via different network routes and combines them into a structure. The structure, obviously, will be different from the original, split on the client, because the substructures passing through the node with the anonymizer will be transformed by the said tool. The resulting structure can be stored in a database (not shown in the figures).

In a particular case, the anonymization tool receives from the client a structure that is not divided into substructures by the client modification tool (for example, the structure of a request to the server), in this case, for transmission to the server, the anonymization tool selects substructures containing PD in the received structure and converts the substructures data, examples are listed below.

The described system is used to anonymize requests sent to the server and responses to these requests sent to the client, as well as to receive data from clients that are used to build statistics. FIG. 2 shows a method for routing data in a client-server architecture, which in a particular case is used to receive data from clients to build statistics. At step 200, the modifier separates the structure to be sent to the server in accordance with the criteria, one of such criteria may be the presence of PD in the structure, as a result of the separation, a substructure is obtained containing PD (in Fig. 2, for example, this is a substructure 1) and not containing PD (in Fig. 2, this is, respectively, substructure 2). Hereinafter, for example, the presence of PD will be used as a criterion, and not the presence of critical or confidential data, although what is true for PD is also true for critical or confidential data in general in the examples of the invention, within the framework of this application. In a particular case, there can be more than one substructures of the first and second types, as well as the criteria by which the separation is carried out. At step 210, the modifier sends the received substructures to the server, while sending is carried out along different routes (route A and route B), where one of the routes includes a network node with an anonymization means (route A) located in a regional network different from the network that is located a server that is not on the same Intranet as a server or client. When one of the substructures intended to be sent to the server contains PD, it is sent to the server through a node with an anonymization tool (route A). Next, at step 220, the substructures passing through the node with the anonymization means are transformed by the specified means and transmitted further to the server (step 221) in the transformed form. In general, substructures from the same client at different times are transformed differently (for example, Client ID -> AnonymizedID1 ≠ AnonymizedID2 ≠ AnonymizedID3, etc.), this applies to all examples, but in a particular case, when for some security systems it is necessary to accumulate information (build statistics) on a specific client for a substructure from the same client, the conversion will be identical (for example, Client ID -> AnonymizedID1 = AnonymizedID2 = AnonymizedID3, etc.). Finally, at step 230, the sub-structures received from the client are combined into a structure (Structure '). Obviously, the final structure (Structure ') is different from the original one, since at least one substructure has been transformed by the anonymization tool. The resulting structure is in the database and will be used by infrastructure ⁷ ( ⁷ Tools and database are not shown in this figure. Individual infrastructure elements such as request processing and attack detection are shown in other figures) on the server side. Transformation of substructures and / or data of substructures by means of anonymization is performed in a way that excludes the possibility of reverse transformation of substructures and / or data of substructures by any means other than means of a host with an anonymization means.

FIG. 3 shows the routing method, which is used in a particular case when making a request from a client to a server. At step 300, the request generated on the client is sent by the modifier from the client to the server, and the route includes a network node with an anonymization tool located in a regional network different from the network that the server is located on and not on the same Intranet with the server or client. In a particular case, a part of the request data (not containing confidential data) can be transformed by a modification means on the client, and the transformation can be performed in such a way that the anonymizing means cannot perform the inverse transformation (step 311 in Fig. 4) and the inverse transformation can be performed only by means of the server (step 325 in Fig. 4) ⁸ ( ⁸ such a possibility can be provided in particular by asymmetric encryption, when the client has a public key, and the server has a private key). Next, at step 310, the anonymization means in the request data structure intended to be sent to the server, the substructures, in accordance with the criteria, one of such criteria may be the presence of PD, as a result of the selection, a substructure containing PD is obtained (in Fig. 3, by analogy with the previous example, this is a substructure 1) and does not contain PD (in Fig. 3 it is a substructure 2). At step 320, the anonymization means transform ⁹ ( ⁹ unless otherwise indicated when using the concept of transformation, it is the direct transformation that is understood) (direct transformation from the original to the transformed) data substructure (and / or data in the substructure) containing PD, the anonymization means and the resulting structure request data with the transformed substructure containing the PD is sent to the server (step 321). To the received request by the server at step 330, a response is generated by the request processing means. In this case, with respect to those request data that in a particular case could be transformed by the client, the server performs a preliminary reverse transformation (step 325 in Fig. 4). The data structure of the response to the request, in our example with PD, contains substructures:

• containing PD converted by means of anonymization (substructure 1 ', extracted from the request structure);

• not containing PD (substructure 3, containing the body of the response to the request or the payload of the response ¹⁰ ( ¹⁰ from the English Payload).

In this case, data that does not contain PD (substructure 3) can be transformed (direct transformation) without the possibility of reverse transformation by means of anonymization (substructure 3 '), this is done at step 340. The reverse transformation of this data can be performed only by means of modification of the client ¹¹ ( ¹¹ such a possibility can be provided, in particular, by asymmetric encryption, where the server has a public key, and the client has a private key), at step 350, the received data structure of the response to a request from the server is sent to a network node with an anonymization means. By means of anonymization, at step 360, the inverse transformation of the substructures of the response data containing PDs (substructure 1 ') is performed. The inverse transformation is performed on the data that was transformed in step 320 (inverse transformation from the transformed data to the original data contained in the request from the client initially). The resulting data structure is redirected to the client (step 370), and the client modification means, in step 380, inversely transforms the substructures of the request response data that do not contain PDs converted by the server in step 340.

FIG. 4 depicts a variant of the method shown in FIG. 3, but in this embodiment, the step 310 for extracting the substructures is performed not by the anonymization means, but by the client modification means, followed by the transformation of the substructure in step 311. Where, by analogy with the embodiment in FIG. 3, a substructure that does not contain PD is subjected to transformation (substructure 2). Therefore, step 300 'in FIG. 4 differs from the analogous step 300 of the method in FIG. 3 in that they transfer not the original request data structure to the node with the anonymization means, but the transformed one, after executing steps 310 and 311. Accordingly, in this embodiment, step 325 is added, where a preliminary inverse transformation of the substructure is performed (in our example, this is a substructure 2 'that does not contain PD) converted in step 311 before performing step 330.

FIG. 5 depicts an embodiment of a method for routing data in a client-server architecture in which steps 200 through 230 are similar to the steps of the method shown in FIG. 2, and steps 300 through 380 are similar to the steps of the method shown in FIG. 3. In a particular case, the substructure 2 can be pre-transformed before being sent directly to the server, by analogy with step 311 in FIG. 4, then step 325 is added in the method image in addition to step 311.

In a particular case, in all implementations of the method shown in FIG. 3 to FIG. 5, the data structure sent to the client by the node with the anonymization tool at block 370 does not contain a substructure of data with PD (in our examples, this is substructure 1). This substructure must be saved up to this stage in order to determine the addressee of the response, then, in a particular case, it is not necessary.

FIG. 6a shows an example of the operation of the method shown in FIG. 2. The device with the client is connected to a remote detection system for targeted attacks located on the server side, so the client must: receive information about files with malicious code (malicious files) detected at different times and build statistics based on the information received (often in accordance with national legislation about personal data, this still needs to be done anonymously). Upon detection of several specific malicious files ¹² ( ¹² information about which was received from the client), the server concludes that a targeted attack on the client has been detected.

To send information about the detected malicious file to the server (in this example, the information about the file is the MD5 file), a data structure is formed that includes the client ID and MD5 of the detected malicious file. At step 200, the modifier divides the generated structure to be sent to the server into substructures, as a result of the division, a substructure containing the client ID and a substructure containing the MD5 of the file is obtained in order to understand which structure the substructures are part of, they are assigned an identifier (in the figure, the identifier is marked as StructureID ). At step 210, the client modifier sends the received substructures to the server, while sending is carried out along different routes (route A and route B), where one of the routes (route A) includes a network node with an anonymization means located in a regional network different from the network, which the server is located and is not on the same Intranet with the server or client. The substructure containing the client ID is routed to the server via the anonymizer node (route A). At step 220, the anonymization means transforms the client ID, where the client ID is stored on the node, and the AnonymizedID token replaces it in the substructure (in the particular case, the Client ID can be encrypted). The resulting substructure is sent to the server (step 221). Finally, at step 230, the sub-structures received from the client are merged into a structure. Obviously, the resulting structure is different from the original, since at least one substructure has been transformed by the anonymization tool. The resulting structure is stored on the server (or in any database of the infrastructure to which the server belongs) and will be used by the server to accumulate information (in the figure it is designated as STATISTICS) about the client from which the structure was received. At step 240, the accumulated information will be used by the attack detection tool, and if the tool detects an attack, then at step 250, the tool will form a structure containing a substructure with AnonymizedID and a substructure containing information about the attack (denoted as AttackID in the figure), the resulting structure will be sent to the client for notification about the attack.

An example of a sending method is shown in FIG. 6b, steps 340 through 380 are similar to steps from the example shown in FIG. 8. In a special case, the information about the attack may not be transformed, but sent in the clear, then in the example steps 340 and 380 will be absent.

FIG. 7 depicts another example of the operation of the described invention. A new file has been found on the device with the client, which must be scanned for malicious code by means of the server. To do this, it is necessary to send the server information about the file, in this example it is the MD5 file, for this the client forms the request structure. In order for the server to know who to send the response to, the client ID is inserted into the request data structure, so the request data structure includes the client ID and the MD5 file. At step 300, the request generated on the client is sent by the modifier to the server, and the route includes a network node with an anonymization tool located in a regional network different from the network on which the server is located and not on the same Intranet with the server or client. Next, at step 310, the anonymizing means extracts substructures in the structure to be sent to the server, and as a result of the selection, a substructure containing the client ID and a substructure containing the MD5 of the file are obtained. At step 320, the anonymization means transforms the client ID, where the client ID is stored on the node, and the AnonymizedID token replaces it in the substructure (in the particular case, the client ID can be encrypted). The resulting query data structure with the transformed substructure is sent to the server (step 321). To the received request, at step 330, a response is generated by the server request processing means. The request processing tool extracts the MD5 file from the structure and issues a verdict, for example, BAD (file malicious). The request response data structure contains substructures:

• containing the AnonymizedID token (or the client's ID encrypted by means of anonymization);

• containing the verdict for the file (MD5-BAD).

In this case, the verdict at step 340 is transformed by the server's means without the possibility of reverse transformation by means of anonymization, for example, by encrypting it with the public key (in the figure, the transformed verdict is marked as EncryptedVer), the private key is stored on the client and the reverse transformation can only be performed by the client modification means. At step 350, the received data structure of the response to the request from the server is sent to the network node with the anonymization tool. By means of anonymization, at step 360, the substructure of the response to the request containing the AnonymizedID token is reversely transformed by the means of anonymization, where, in the case of a token, the token is replaced with the previously stored client ID; if the client ID was encrypted, it is decrypted. Thus, the transformation is performed with respect to the data that was transformed at step 320. The resulting data structure is redirected to the client (step 370) and the client modification means at step 380 reverse-transform the verdict converted by the server at step 340, in our case, decrypt using a private key. In a particular case, AnonymizedID for the same Client ID, but in different shipments will be different.

FIG. 8 depicts a variant of the example shown in FIG. 7, in this embodiment, the step 310 for extracting substructures is performed not by means of anonymization, but by means of modification of the client, followed by transformation of the substructure storing information about the file (MD5 of the file) by encryption with the public key (in the figure, the transformed information about the file is marked as EncryptedMD5), the private key is stored on the server and the reverse conversion can only be done on the server. Thus, step 300 'of the example in FIG. 8 differs from the analogous step of the example in FIG. 7 in that not the original structure of the request is transmitted to the node with the anonymization means, but the transformed one after the execution of steps 310 and 311. Accordingly, therefore, step 325 is added, where the reverse is performed before converting encrypted file information by decrypting it using a private key.

FIG. 9 depicts an example of routing data in a client-server architecture in which steps 200 through 230 are similar to those of the example depicted in FIG. 6a, and steps 330 through 380 are similar to those of the example shown in FIG. 7. In a particular case, the information about the file can be pre-transformed before being sent directly to the server, by analogy with step 311 in the example of FIG. 8, then in the example block 325 is added in addition to block 311.

The client modification tool intercepts the structures intended to be sent to the server, separates these structures in accordance with the established rules, and selects routes for these substructures also in accordance with the rules. The rules according to which the modification tool works are established in a particular case by the current legislation of the state in whose jurisdiction the device with the client operates (source). Therefore, to apply the rules, the client modification tool determines the location of the device (source), the type of data in the generated structure, the purpose of the structure (transmission type: request or statistics ¹³ ) ( ¹³ sending data to the server for building statistics on the server side), the location of the data receiver and based on This, in accordance with the rules, selects the route for the data, the splitting option and the conversion method on the client. A variant of formalized rules is presented in Table 1, where the method:

• 1 - division of the structure on the client (see Fig. 2);

• 2 - selection of a structure on a node with an anonymization tool (see Fig. 3);

• 3 - selection of the structure on the client (see Fig. 4).

The rules, as mentioned above, can be set by legal requirements (for example, GDPR) and, like any legal norm, includes a hypothesis and disposition, which in algorithmic language corresponds to the if-then construction. Thus, the above table formalizes a rule of the form

IF [type, source, destination, personal data (yes / no)] THEN [method, location of the anonymization node, conversion method for data].

For example, the type of transmission is request, source (client) Germany, receiver (server) RF, the structure contains personal data. In accordance with the rules, the modifier needs to select the substructure with PD on the client (as in step 310 of Fig. 4 - method 2) and send via the USA, encrypt the substructure without PD with a public key (as in step 311 in Fig. 4), transform the personal data by means of anonymization through encryption

In another implementation, the system depicted in FIG. 1, a network node with storage means is added, the system with this node is shown in FIG. 10. The host with the storage medium is located in a regional network different from the regional network in which the server is located and is not on the same Intranet with the server or client. In a particular case, a network node with a storage means can be located in the same regional network with a network node with an anonymization tool, such a network in FIG. 10 is indicated as a regional network N. The purpose of the network node with the storage facility is to hide the client's external IP address from the server and take the load off the node where the anonymization facility is located, since the volume of traffic going through the node with the anonymization facility is reduced. A network node with a storage facility is an intermediate storage for data exchanged between a client and a server; the household analogue of this node is a post office box.

The system depicted in FIG. 10 is used for anonymous data exchange between a client and a server, including for sending data from clients, which are used to build statistics and for client-server interaction of the "request-response" type. FIG. 11 depicts a method of anonymous data exchange between a client and a server, which in a particular case is used to receive data from clients for building statistics on the server side. Steps 200, 221, 220, 230 are similar to those shown in FIG. 2. Step 210 'differs from analogous and step 222 is added. In FIG. 2 route B lay directly from the client to the server, in the described implementation this route is broken, and the client sends substructure 2 not to the server, but to the node with the storage means. Next, at step 222, this substructure will be received by the server. The initiator of sending this substructure to the server at step 222 can be either the node with the storage medium itself, or the server, which will load the substructure 2 on demand when it receives the substructure 1 'along the route A with the identifier of the substructure 2 stored by the network node with the storage medium.

FIG. 12 shows a method of data exchange, which is used in a particular case when making a request from a client to a server. Steps 200, 221, 220, 230 are similar to those shown in FIG. 2, steps 210% 222 are similar to those shown in FIG. 11, step 330 is similar to the same step in FIG. 3. Thus, sending a request to the server is similar to sending data to the server to build statistics shown in FIG. 11, the difference from everything previously described is how the response prepared in step 330 is sent. The structure of the response to the request generated in step 330 is split into at least two sub-structures in step 331:

• containing PD converted by means of anonymization (substructure Г, extracted from the request structure);

• not containing PD (substructure 3, containing the body of the response to the request or the payload of the response).

At step 350a, the substructure containing PD is sent from the server to the node with the anonymization means, where at step 360, the inverse transformation will be performed to the transformation performed at step 220. And the substructure that does not contain PD (substructure 3 in Fig. 12) is sent to the network node at step 350b with storage facility. Further, the substructure that does not contain PD will be transferred to the client at block 371. The options for which the client receives the substructure at block 371 may be different. If step 350a is carried out, then after transformation at step 360, the node with the anonymization means will send a notification (notification) to the client at step 370a that the response is ready, the client will then contact the node with the storage means and receive a substructure that does not contain PD from the node with storage facility. The notification at step 370a may contain, for example, a unique identifier assigned to the substructure 3 in the process of dividing the structure of the response to the request at step 331, the substructure with such an identifier will be requested by the client from the network node with the storage means. In a particular case, steps 350a, 360, 370a may not be performed. In this case, the identifier assigned to the substructures during the partitioning process at step 200 will be similar to the identifier assigned at step 331, and the client at step 371 will receive the substructure 3, periodically polling the node with the storage means for substructures with the corresponding identifier. If steps 350a, 360, 370a are not performed, the structure of the response to the request is identical to the substructure not containing PD (substructure 3), which is assigned a unique identifier. In another special case, the node with the storage means independently sends in step 371 the substructure 3 to the client, in this case the identifier of the session (session) that was established between the client and the node with the storage means to perform step 210 is used, in this case a unique identifier assigned to the substructures in steps 200 and 331 are equal and equal to they are the session ID. In this case, when the node receives the substructure 3 at step 350b, it will read the identifier of the substructure 3 and forward it to the client, the session with which has the same identifier, the main condition for implementing this option is to keep the session between the client and the node with the storage medium until the end of the exchange. data between client and server when making a request and sending a response.

In a particular case, the circuit described in FIG. 12 can operate in asynchronous mode, in which case step 330 is performed without step 230, the data of substructure 2 is used and the resulting substructure 3, bypassing step 331, is sent to the node with the storage means (step 350b). Step 230 will be performed independently of step 330. This mode improves the server responsiveness and is used when only the data contained in the substructure containing no CD is needed to process the request. Combining the substructures (block 230) in such cases is only necessary to construct statistics, as in the example shown in FIG. 12a.

FIG. 13 shows an example of using the method shown in FIG. 12 to receive a verdict (dangerous / malicious or safe) for a file found on the client from the server. To send information about the detected file to the server (in this example, the information about the file is the MD5 of the file), a data structure is formed that includes the client ID and MD5 of the detected file. At step 200, the modifier divides the generated structure to be sent to the server into substructures, as a result of the division, a substructure containing the client ID and a substructure containing the MD5 of the file is obtained, in order to understand which structure the substructures are part of, they are assigned an identifier (in the figure, the identifier is marked as StructureID ). At block 210, the client modifier sends the received substructures. Sending is carried out on different routes (route A and route B) and different receivers. Along route A, the substructure is sent to the server, while route A includes a network node with an anonymization tool located in a regional network different from the network where the server is located and not on the same Intranet with the server or client. The substructure containing the client ID is routed to the server via the anonymizer node (route A). Along the route B, the substructure is sent to a network node with a storage facility located in a regional network different from the network on which the server is located and not on the same Intranet with the server or client. The substructure containing the MD5 file is directed to the host with the storage medium (route B). At step 220, the anonymization means transforms the client ID, where the client ID is stored on the node, and the AnonymizedID token replaces it in the substructure (in the particular case, the Client ID can be encrypted). The resulting substructure is sent to the server (step 221). At block 222, the substructure with the MD5 file will be received by the server. If the method is performed synchronously, then at step 230, the substructures received by the server at step 221 and step 222 will be merged and at step 330 the request will be processed. In our example, MD5 will be scanned against the database of malicious and safe files and, based on the results of the scan, they will receive a verdict and form a response to the request (in the given example, the file turned out to be malicious - MD5-BAD). The generated response to the request is divided at step 331 into two substructures, as a result of the division, a substructure containing the client ID and a substructure containing the verdict (MD5) is obtained in order to understand which structure the substructures are part of, they are assigned an identifier (in the figure, the identifier is marked as StructureID), in a particular case, the identifier may be identical to the identifier assigned to the substructures in step 200. In step 350b, the substructure with the verdict is sent to the host with the storage medium, which either sends the substructure to the client in step 371 (if the StructureID matches the session ID between the node and the client set in step 210), or keeps it on demand. The specified substructure may be in demand by the client in case he receives a notification from a node with a means of anonymization received by clients as a result of performing steps 350a, 360, 370a. Alternatively, the client continually polls the host with the storage facility to see if the host has a response substructure (in this case, the StructureID assigned to the substructures in steps 200 and 331 should be identical). At block 372, the client processes the response. If the method is performed in an asynchronous mode (Fig. 13a), then step 230 and step 330 are performed independently, the StructureID in step 330 does not change and is identical to the StructureID in step 200, and in the particular case is equal to the session ID between the client and the node with the storage means of step 210 , within which the substructure transfer will also be carried out at block 371.

The claimed invention allows to decentralize the data coming from the client, which provides anonymity for the user, whose device is a client, the data exchanged between the client and the server cannot be associated with the client when accessing the server. Part of the data is known only to the server, part only to a network node with an anonymization tool and without simultaneous access to these system components it is impossible to deanonymize the data, and the impossibility of simultaneous access to components, including government agencies, is ensured by the distribution of system components across various regional networks, different as on a geographical basis, and on the basis of territorial jurisdiction. Also, the claimed invention, when using a node with a storage facility, makes it possible to hide the client's external IP address from the server (the server picks up the substructure not directly from the client, but through the node with the storage facility), and also to reduce the load on the node with the anonymization facility.

In some cases, after the data structure is divided into two data substructures, one of which contains confidential data, it becomes necessary to further separate this substructure. This is done in a particular case when the data is critical, only being together, for example, the IP address and the timestamp together are personal data, dividing the substructure that contains this link into a substructure with an IP address and a substructure with a timestamp, the data loses its property personal and can be processed by a node that does not have the ability to combine these structures, without the restrictions imposed by legislation on the processing of critical (in this case, personal) data. But in this case, the mechanism for transferring data to the server becomes more complicated. FIG. 14 depicts a method for transmitting critical data in a client-server architecture, which in a particular case is used to receive data from clients for building statistics. At step 200, the modifier separates the structure to be sent to the server in accordance with the criteria, one of such criteria may be the presence of critical (for example, confidential, including personal) data in the structure, as a result of the division, a substructure containing critical data (on Fig. 14, for example, is a substructure 1) and does not contain such data (in Fig. 14 it is, respectively, a substructure 2). In step 201, the modifier further divides the substructure containing the critical data into at least two substructures (in Fig. 14, for example, these are substructure 3 and substructure 4). In step 210, the modifier sends the substructure 2 to the server along route B. In step 211, the substructures obtained by dividing the substructure containing critical data are sequentially sent along a different route than route B, where the alternative route includes a network node with a transformation means (in the example in Fig. 14 this is a route A), and located in a particular case in a regional network, different from the network that hosts the server and is not on the same Intranet with the server or client. Further, at step 220, the substructures passing through the node with the transforming means are transformed by the said means and transmitted further to the server (step 223) in the transformed form. In general, substructures from the same client at different times are transformed differently (for example, Client ID -> AnonymizedID1 ≠ AnonymizedID2 ≠ AnonymizedID3, etc.), this applies to all examples, but in a particular case, when for some security systems it is necessary to accumulate information (build statistics) on a specific client for a substructure from the same client, the conversion will be identical (for example, Client ID -> AnonymizedID1 = AnonymizedID2 = AnonymizedID3, etc.). Finally, at step 230, the sub-structures received from the client are combined into a structure (Structure '). Obviously, the final structure (Structure ') is different from the original one, since at least two substructures have been transformed by the anonymization tool. The resulting structure in the database will be used by infrastructure tools ¹⁴ ( ¹⁴ Tools and database are not shown in this figure. Individual infrastructure elements, such as request processing tool and attack detection tool are shown in other figures) on the server side, for example, when building a profile. The transformation of substructures and / or data of substructures by means of transformation is performed in a way that excludes the possibility of reverse transformation of substructures and / or data of substructures by any means other than means of a host with a means of transformation.

FIG. 14a shows an exemplary embodiment of a method for transmitting critical data. On the client, a structure is formed to send to the server, the structure contains the client's IP address, timestamp (English TimeStamp) and MD5 of a file. In step 200, the modifier separates the structure to be sent to the server, and as a result of the division, a substructure containing the IP address and timestamp and a substructure containing the MD5 of the file are obtained. In step 201, the modifier further divides the substructure containing the IP address and the timestamp into two substructures (in Fig. 14a, these are the substructure with the IP address and the substructure with the timestamp). To understand which substructure containing MD5 the IP substructure is associated with and the TimeStamp substructure they are assigned identifiers (in the figure, identifiers are marked as StructureID1, StructureID2) and the same identifiers are placed in the MD5 substructure. At step 210, the modifier sends the substructure with MD5 to the server along route B, and at step 211, the substructure with the IP address and the substructure with the timestamp are sequentially sent along a route other than route B, where the alternative route includes a host with a transform tool (in the example in Fig. 14a, this is route A), where the node with the transforming means is located in a particular case in a regional network different from the network in which the server is located and not on the same Intranet with the server or client. Next, in step 220, the substructure with the IP address and the substructure with the timestamp are transformed and transmitted further to the server (step 223) in the transformed form. The transformation is carried out as substructures are received. Finally, at step 230, the subframes received from the client are combined into a structure that contains the translated IP address, the translated timestamp, and MD5.

Modification tool, anonymization tool, combiner, request processing tool, attack detection tool, storage tool in the present invention means real devices, systems, components, a group of components implemented using hardware such as application-specific integrated circuit, ASIC) or field-programmable gate array (FPGA) or, for example, in the form of a combination of software and hardware, such as a microprocessor system and a set of software instructions, as well as neuromorphic chips {eng. neurosynaptic chips) The functionality of these tools can be implemented exclusively by hardware, as well as in the form of a combination, where part of the functionality is implemented by software, and part by hardware. In some implementations, the tools may be executed on a processor of a general purpose computer (eg, as depicted in FIG. 15). Databases can be implemented in all possible ways and contained both on one physical medium, and on different ones, located both locally and remotely.

FIG. 15 represents an example of a general-purpose computer system, a personal computer or server 20, comprising a central processing unit 21, a system memory 22, and a system bus 23 that contains various system components, including memory associated with the central processing unit 21. The system bus 23 is implemented as any bus structure known from the prior art, which in turn contains a bus memory or a bus memory controller, a peripheral bus and a local bus that is capable of interfacing with any other bus architecture. System memory contains read-only memory (ROM) 24, random access memory (RAM) 25. The main input / output system (BIOS) 26 contains basic procedures that transfer information between the elements of the personal computer 20, for example, at the time of loading the operating room. systems using ROM 24.

The personal computer 20, in turn, contains a hard disk 27 for reading and writing data, a magnetic disk drive 28 for reading and writing to removable magnetic disks 29 and an optical drive 30 for reading and writing to removable optical disks 31, such as CD-ROM, DVD -ROM and other optical media. The hard disk 27, the magnetic disk drive 28, and the optical drive 30 are connected to the system bus 23 through the hard disk interface 32, the magnetic disk interface 33, and the optical drive interface 34, respectively. Drives and corresponding computer storage media are non-volatile storage media for computer instructions, data structures, program modules and other data of a personal computer 20.

The present description discloses an implementation of a system that uses a hard disk 27, a removable magnetic disk 29 and a removable optical disk 31, but it should be understood that other types of computer storage media 56 are possible that are capable of storing data in a computer readable form (solid state drives, flash memory cards, digital disks, random access memory (RAM), etc.), which are connected to the system bus 23 through the controller 55.

Computer 20 has a file system 36, where the recorded operating system 35 is stored, as well as additional software applications 37, other program modules 38 and program data 39. The user has the ability to enter commands and information into the personal computer 20 through input devices (keyboard 40, manipulator " mouse "42). Other input devices may be used (not shown): microphone, joystick, game console, scanner, etc. Such input devices are conventionally connected to the computer system 20 through a serial port 46, which in turn is connected to the system bus, but can be connected in another way, for example, using a parallel port, a game port, or a universal serial bus (USB). A monitor 47 or other type of display device is also connected to the system bus 23 via an interface such as a video adapter 48. In addition to the monitor 47, the personal computer may be equipped with other peripheral output devices (not displayed), such as speakers, a printer, etc. ...

The personal computer 20 is capable of operating in a networked environment using a network connection with other or more remote computers 49. The remote computer (or computers) 49 are the same personal computers or servers that have most or all of the elements mentioned earlier in the description of the entity. the personal computer 20 shown in FIG. 14. In a computer network, there may also be other devices, such as routers, network stations, peer-to-peer devices, or other network nodes.

Network connections can form a local area network (LAN) 50 and a wide area network (WAN). Such networks are used in corporate computer networks, internal networks of companies and, as a rule, have access to the Internet. In LAN or WAN networks, personal computer 20 is connected to local network 50 via a network adapter or network interface 51. When using networks, personal computer 20 may use a modem 54 or other means of providing communication with a wide area network, such as the Internet. Modem 54, which is an internal or external device, is connected to the system bus 23 via a serial port 46. It should be noted that the network connections are only exemplary and are not required to reflect the exact configuration of the network, i. E. in fact, there are other ways of establishing a connection by technical means of communication of one computer with another.

In conclusion, it should be noted that the information given in the description are examples, which do not limit the scope of the present invention defined by the claims. One skilled in the art will appreciate that there may be other embodiments of the present invention consistent with the spirit and scope of the present invention.

Claims (17)

1. A method of transferring a data structure containing critical data to a server, in which: a) share on the client a data structure intended to be sent to the server to: - a substructure containing critical data (hereinafter CA); - a substructure that does not contain CD; b) carry out the primary transformation of the data substructure containing the CD on the client without the possibility of reverse transformation of the data by means of anonymization; c) sending data to the node with the means of anonymization, which includes a substructure that does not contain a CA and a transformed substructure of data containing a CA, where the node with the means of anonymization is not on the same Intranet with the server or client; d) by means of anonymization, the secondary transformation of each received data substructure containing CD is carried out without the possibility of reverse transformation on the server or client; e) transfer data substructures from the anonymization tool to the server. 2. A method according to claim 1, in which critical data is data in respect of which the law of the state in whose jurisdiction the client is located, or an authorized entity imposes restrictions on the collection, storage, access, distribution and processing. 3. The method according to claim 1, in which the original and transformed data substructures after transformation are not saved at the node. 4. The method of claim 1, wherein the conversion is performed by encryption. 5. The method according to claim 1, in which critical data is personal data or their special categories in the terminology of the GDPR. 6. The method according to claim 1, in which the CD is confidential data ~ any data protected by the law of the state in the jurisdiction of which the client is located. 7. The method according to claim 6, in which personal data is also confidential data. 8. The method according to claim 1, wherein the network node with the anonymization means is located in a regional network different from the regional network in which the server is located. 9. The method according to claim 8, wherein the regional network of the network node with the anonymization means and the regional network of the server are located in different jurisdictions. 10. The method of claim 8, wherein the regional network is simultaneously a national network.

Images