RU2449361C2 - Method of protecting computer network having dedicated server - Google Patents

Abstract

FIELD: information technology.

SUBSTANCE: method is realised by taking action to restore communication in case of desynchronisation of address selection when receiving and transmitting message packets. In case non-delivery from the server of a request for the server to monitor the state of the connection for a time T_C and selection of the type of the message packet to restore communication, a message packet is generated at the client with a request to restore communication and includes therein the address of the restoration server A_BC and the client A_K. The message packet is then sent to the server. After decoding the selected data, the type of the obtained message packet is identified and the message is processed in case of an information type. At the end of communication, the message packet for restoring communication is ignored, and if communication continues, the masking function sampling rate is set to the initial state and the client is notified on restoration of communication.

EFFECT: more secure communication by masking the structure of the distributed computer network and easier accessing of elements of computer networks built based on a public network under random and deliberate interference conditions in communication channels and computer network nodes.

8 dwg

Description

The invention relates to the field of information security of digital communication systems and can be used in distributed computing networks (BC), built on the basis of a public communication network (for example, the Internet).

The claimed technical solution expands the arsenal of funds for this purpose.

A known method of protection against unauthorized exchange between the first computer network and the second computer network, implemented in the "Protection System for Connected Computer Networks" according to the patent of the Russian Federation No. 2152691, IPC G06F 12/14, publ. 07/10/2000

The method consists in performing the following actions: receive a communication message in the first network protocol format on the first network interface from the first computer network. The communication message is converted to a second network protocol format, as a result of which the source and destination address information is deleted from the communication message. A communication message is transmitted to the second network interface. Carry out the inverse transformation in the second network interface of the communication message in the first format of the network protocol. A communication message is transmitted after the reverse conversion to a second computer network.

The disadvantage of this method is the high probability of violating the confidentiality of information when using a distributed network, namely listening to and reconstructing the traffic of a distributed network at some point on the Internet.

There is also a method of protecting a virtual channel, implemented in the "Virtual channel protection system of a corporate network with the mandatory principle of access control to resources built on communication channels and switching means of a public communication network" according to RF patent No. 2163727, IPC G06F 13/00, F12 / 14, publ. 02/27/2001

The method consists in performing the following actions: the client negotiates its access rights with the firewall, for which checks are performed on the firewall. If all the checks are passed, then a packet is sent that allows the connection between the client and the firewall. Next, the packet that allows the connection, comes to the client, passing the block of the receiver / transmitter and the block of encryption / decryption and electronic signature. Then it is transferred to the closed protocol generation unit. Then they send a packet that establishes a connection using a standard connection, but in each packet they replace the IP addresses of the destination server with the IP address of the corporate firewall.

The disadvantage of this method is the relatively low security of the distributed network due to the existence of a high probability of disruption of its normal functioning.

A known method of protecting information circulating in a distributed telecommunication system when transmitting it over public communication channels, implemented in the "Distributed telecommunication system for transmitting shared data intended for their separate transmission and reception" according to US patent No. 6912252, IPC H04L 12/56; H04L 12/28, publ. 11/08/2001 g.

The method consists in the following actions: the source data from the sender is divided into N parts. Further, from their combinations, intermediate data groups are formed. Then, intermediate data is transmitted independently over N communication channels. The recipient receives groups of intermediate data arriving via N communication channels and restores the original data.

The disadvantage of this method is the relatively low security of the transmitted information when using a distributed network due to its open transmission and the relatively low level of security of the distributed network due to the increased likelihood of recognizing the structure of the distributed network due to an increase in the probability of detection of identifiers of its elements during information exchange as a result of an increase in the number of communication channels .

The closest in its technical essence to the claimed is the "Method of protecting the computer network" according to the patent of the Russian Federation No. 23235694, IPC 7 G06 F15 / 40, publ. November 2, 2006

и клиента

. После чего передают ПС серверу. При наличии у клиента данных для передачи формируют управляющий сигнал формирования ПС. Кодируют сформированный ПС. Включают текущие адреса клиента и сервера в соответствии с функциями выбора. После чего передают пакет серверу. Увеличивают у клиента счетчик шага выбора адресов на 1 (i_K=i_K+1). Принимают пакет на сервере. Декодируют полученный ПС. Выделяют адреса сервера и клиента. Сравнивают выделенные адреса со сформированными по функции выбора адресами. Игнорируют принятый ПС в случае несовпадения адресов. При совпадении адресов декодируют выделенные данные и обрабатывают их. Увеличивают у сервера счетчик шага выбора адресов (i_c=i_c+1). Далее продолжают обмен ПС до окончания сессии.The method consists in the following actions: pre-set the table of N client addresses and S server addresses, determine the function of selecting server addresses F ^N (i) and client F ^S (i), as well as the function of selecting the sending address of the false packet G ^N (i) ≠ F ^N (i). Assign the current addresses of client A _TK and server A _TC . Set the value of the address selection counter at the client and server to 1. Generate a control signal to generate a false message packet (PS) in the absence of data to transmit to the client. Form a false PS. Then, the generated false PS is encoded. Convert coded false MS to TCP / IP format. Include in the PS the current server address

and customer

. Then transmit the PS to the server. If the client has data for transmission, a control signal is generated for generating the MS. Encode the generated PS. Include the current client and server addresses according to the selection functions. Then they transmit the packet to the server. The client’s counter increments the address selection step by 1 (i _K = i _K +1). Accept the packet on the server. Decode the resulting PS. Allocate server and client addresses. Compare the selected addresses with the addresses formed by the selection function. Ignore the received PS in case of address mismatch. When the addresses match, the selected data is decoded and processed. The server counter increments the address selection step (i _c = i _c +1). Then continue the exchange of PS until the end of the session.

Compared to analogs, the prototype method allows misleading attackers regarding the structure of a distributed aircraft by masking it using changes in the identification structure and the information part of message packets transmitted to the network to significantly increase aircraft safety in terms of maintaining confidentiality (Interpretation of the terms used is given at the end of the description) information about the structure of the aircraft.

The disadvantage of the prototype is the relatively high complexity of ensuring the availability of ² elements of aircraft built on the basis of a public communication network (for example, the Internet), under the influence of random and deliberate interference on communication channels and nodes of the aircraft, and the availability of elements of the aircraft will be the lower, the more complicated the function the choice of address when sending message packets, which determines the complexity of the procedures for reconstructing the aircraft structure in the prototype by the intruder. This is due to the fact that the prototype does not provide a procedure for reconnecting in case of violation of synchronization of address selection when receiving and transmitting message packets. In addition, the prototype has a narrow scope, since the encoding procedures of the transmitted information are applicable to a limited number of elements of the aircraft, and the procedure for distributing encryption keys is strictly regulated, which tightens the trust requirements for subscribers.

The purpose of the claimed technical solution is to develop a method of protecting aircraft with a dedicated server, which reduces the complexity of ensuring the availability of elements of aircraft built on the basis of a public communication network (for example, the Internet) under the influence of random and deliberate interference on communication channels and aircraft nodes by introducing actions to restore communication in case of violation of synchronization of address selection when receiving and transmitting message packets.

Hereinafter, the term server is understood to mean a servicing device that performs calculations, i.e. servicing inquiries of users (subscribers) of the aircraft.

This goal is achieved by the fact that in the known method of protecting the aircraft, which consists in pre-setting N> 1 server addresses, functions for selecting server addresses F ^N (i) and selecting addresses for sending a false message packet G ^N (i), where i = 1, 2, 3, ... is the address selection step. Assign the current server address A _TC , the address of the client A _K. The numbers of the steps for selecting the addresses of the server i _C and client i _{K are} assigned the values i _C = 1 and i _K = 1. If the client does not have data for transmission, a false information packet of messages is generated, encoded and converted to TCP / IP format, the current server address selected in accordance with the specified function G ^N (i) is included in the false packet of messages, and transmitted. If the client has data for transmission, a message packet is generated, encoded and converted to TCP / IP format, then the current address of the server A _TC selected in accordance with the function F ^N (i) is included in it and transmitted to the server. On the server allocate addresses A _TC and A _K and A _TC is compared with the address location selected by a predetermined function F ^N (i). If they do not match, the received message packet is ignored. If it matches, the encoded data is extracted from the received message packet and decoded, assigned i _C = i _C +1 and i _K = i _K +1 and the exchange of message packets continues until the client has completed the data for transmission. In a predefined source data, K≥0 addresses of clients requiring encoding information when transmitting it, the address A _{BC of the} server for reconnecting, the time interval T _{with the} server monitoring the connection status and the maximum permissible message packet length D are additionally set. In addition, the types of message packages are set: false, informational, and recovery. After converting the false message packet to TCP / IP format, if its length exceeds the maximum permissible length D, the message packet is fragmented and the client address is additionally included in it. If the client has data, they pre-select the type of message package and, if the information type is selected, form the information message package. The transformed information packet of messages in case of its length exceeding the maximum permissible length D is fragmented, and after inclusion in the information packet of messages the addresses of server A _{TC are} additionally included in the packet of messages client address A _K. If the server does not receive the request for control by the server of the connection status during T _s and the type of the packet for reconnecting messages is selected from the client, a packet of messages with the request for reconnecting is generated, encoded and converted to TCP / IP format, and if its length exceeds the limit value D it is fragmented and includes the addresses of the recovery server A _BC and client A _K. After that, a message packet is transmitted to the server. After decoding the extracted data, the type of the received message packet is identified and, in the case of the information type of the message packet, it is processed. When the exchange of information is completed, the communication restoration message packet is ignored, and when the information exchange is continued, i _C = 1 is set and a communication restoration notification is sent to the client. The client is notified of the restoration of communication, after which they establish i _K = 1 from the client.

The values of N server addresses are selected within N = 2-50. As in the prototype, a sequence of Fibonacci numbers is used as a function of selecting a server address F ^N (i), and a sequence of Luc numbers is used as a function of selecting an address to send a false message packet G ^N (i).

Due to the new set of essential features in the claimed method, communication between the client and the server of the computer network is restored in the event of a violation of the synchronization of address selection when receiving and transmitting message packets caused by the impact on the communication channels and nodes of the computer network of random and intentional interference, which ensures the achievement of the formulated technical result - reducing the complexity of ensuring the accessibility of elements of computer networks built on the basis of a general communications network knowledge.

The claimed objects of the invention are illustrated by drawings, which show:

figure 1 is an example of a typical structure of the aircraft with a dedicated server;

figure 2 - structure of the message package;

figure 3 - structure of the IP header of the message packet;

figure 4 - block diagram of a sequence of actions that implement the method of protection of aircraft with a dedicated server;

5 is a diagram of an experiment;

6 is a drawing representing the structure of the aircraft with a dedicated server, determined during the experiment.

The implementation of the claimed method is explained as follows. A computing network (BC) with a dedicated server is a combination of client PCs, peripheral and communication equipment, combined by physical communication lines, when information processing in the interests of subscribers is carried out through one computer called a server. All elements of the aircraft are identified by identifiers, which are used in the most common TCP / IP protocol family by network addresses (IP addresses). To transfer information between client PCs (as well as their combination - local aircraft) and the server using the interaction protocols, a connection is established (Fig. 1, a), which, in this case, is understood as the information flow from the sender to the recipient (Fig. 1, b ) The information flow, as a rule, is transmitted through public communication networks (for example, the Internet), which complicates the solution of the problem of ensuring aircraft safety. This is due to the appearance of aircraft security threats aimed at unauthorized access to aircraft resources, to interception of information in the process of its transmission through communication channels, as well as to reducing the availability of aircraft elements through the implementation of deliberate destructive influences.

The tasks of protecting the resources of the aircraft and the information part of message packets during transmission over communication channels from unauthorized access are quite effectively solved by cryptographic methods. However, even if there is no possibility of decoding the intercepted information, an attacker, by analyzing the identification structure of message packets, can open the structure of the aircraft and take destructive actions on the elements of the aircraft and reduce their availability to authorized subscribers. This is due to the fact that the addresses of senders and recipients of message packets are transmitted in clear text.

Thus, a contradiction arises between the need to openly transmit the addresses of senders and recipients of message packets over communication channels and the requirement to ensure aircraft safety, because identifying the true addresses of the corresponding entities by an attacker at some point on the Internet creates the prerequisites for the implementation of destructive effects on aircraft. The claimed technical solution is aimed at eliminating this contradiction.

To preserve the confidentiality of information about the structure of the aircraft in the claimed method, it is masked by changing the identification structure and the information part of the message packets transmitted to the network. All components of the message packets (figure 2, 3) are electromagnetic signals in digital (binary) form. The actions considered above on them consist in the corresponding signal transformations, in which their parameters are changed (the total number of bits and the sequence of their zero and unit values).

In the process of changing network addresses, the server and client need to coordinate them. For this, N> 1 server addresses are pre-set, server address A _{BC is} for communication restoration, server address selection functions F ^N (i) and address selection for sending a false message packet G ^N (i), where i = 1, 2, 3, ... is the address selection step. IP addresses with a length of 4 bytes (32 bits) are set and displayed in the base of addresses in the most used form of representation of IP addresses - in decimal form (the format for representing IP addresses in decimal form is known and described, for example, in the book of Olifer B .G. And Olifer N.A. “Computer networks. Principles, technologies, protocols.”, Studies for Universities, 2nd ed.; - St. Petersburg: Peter, 2003. p. 497). The values of the number N of server addresses are selected, for example, based on the address space resource. In particular, the values of N can be set within N = 2-50.

As in the prototype, as a function of selecting the server address F ^N (i), a sequence of Fibonacci numbers is used, a description of which can be found, for example, in (Mathematical Encyclopedia. - M.: Sovetskaya Encyclopedia, 1985, Vol. 5. - p. 911), and as a function of address selection for sending a false message packet G ^N (i), a sequence of Luc numbers is used, the description of which is, for example, in (Graham R., Knut D., Ptashnik O. Specific mathematics. The basis of computer science. Trans. From English. - M .: Mir, 1988. - p. 344).

In addition, the types of message packages are set: false, informational, and recovery.

If the transmission of message packets between the client and server occurs only when data transmission is necessary, then the intensity of the traffic created by the aircraft element characterizes (unmasks) its importance. This can allow an attacker to identify the server and implement threats to the security of the aircraft based on the results of traffic analysis. As a result of this, at times when the client does not have data to transmit, the claimed method generates false (masking) message packets and transmits them in accordance with a predefined address selection function G ^N (i) for false message packets. Thus, false message packets reaching the recipient are not processed (ignored).

Figure 4 presents a block diagram of a sequence of actions that implement the claimed method of protecting aircraft with a dedicated server.

In a predefined source data, K≥0 addresses of clients requiring encoding information during its transmission, a time interval T _C of the server monitoring the connection status and the maximum allowable length D of the message packet are additionally set.

At the initial stage, from the base of addresses, the current address of the server A _TC , the address of the client A _K , and also the address A _{BC are} assigned (block 1 in FIG. 4). The numbers of the steps for selecting the addresses of the server i _C and client i _{K are} assigned the values i _C = 1 and i _K = 1. When implementing the claimed method of protection, system administrators can assign current addresses either strictly according to the instructions or, after coordinating their actions, by phone.

To generate and transmit false message packets, it is initially determined by the client whether there is data to be transmitted to the server at the input of the client's transmitting device (Bl.2 in FIG. 4). In the absence of such data, a control signal is generated from the client to generate a false initial data packet, which is fed to a special software or hardware-software module for generating false initial data packets. Then, in the indicated module, using one of the possible methods, for example, using a pseudo-random sequence generator, a false source data packet of the required length is generated (blocks 3, 4 in FIG. 4). The method of operation of the pseudo-random sequence generator is known and described, for example, in RF patent No. 2081450. After converting the false message packet to TCP / IP format (bl.5 in FIG. 4), if its length exceeds the maximum permissible length D (bl.6 in FIG. 4), the message packet is fragmented (bl.7 in FIG. .four). Fragmentation is used when it is necessary to transmit the IP datagram ³ through the BC segment, in which the maximum transmission unit (MTU ⁴ ) is smaller than the size of this datagram. If the size of the datagram exceeds this value, then fragmentation must be performed on the router that transmits this datagram. Include in the false message packet the server address selected in accordance with the specified function G ^N (i) (bl.8 in Fig.4) and the client address A ^K , and transmit it (bl.9 in Fig.4).

If the client has data, the type of message packet (informational or recovery) is pre-selected (bl.10 in Fig.4) and in the case of the choice of the information type an informational message packet is formed (bl.11 in Fig.4). After that, any of the known methods are encoded (see, for example, the book by Moldovyan N.A. et al. “Cryptography: from primitive to synthesis”, St. Petersburg: BVH - Petersburg, 2004, p. 301-337) the generated source package ( bl.12 in FIG. 4) and convert it to the TCP / IP format (bl.13 in FIG. 4). The conversion is to add an IP header to the encoded data packet. The resulting packet is an information packet of messages, the overall structure of which is shown in figure 2. The converted information message packet in case of its length exceeding the maximum allowable length D is fragmented (Bl.15 in FIG. 4).

и адрес клиента A_K (бл.16 на фиг.4) и передают серверу сформированный информационный пакет сообщений (бл.17 на фиг.4).In the fields, the sender address and the recipient address of the IP header (Fig. 3) include the pre-selected server address

and the client address A _K (bl.16 in FIG. 4) and transmit to the server the generated information packet of messages (bl.17 in FIG. 4).

After receiving the information packet of messages on the server (bl.19 in Fig. 4), the addresses of client A _K and server A _TC (bl.20 in Fig. 4) are extracted from its header, and the address A _TC (bl. 21 in FIG. 4) with an address selected by a given function F ^N (i). After decoding the extracted data, the type of the received message packet is identified and, in the case of the information type of the message packet, it is processed.

If the addresses do not match, the received packet is not analyzed, because its sender is not an authorized participant in the information exchange. If the addresses match, the encoded data is extracted from the received message packet (block 23 in FIG. 4) by decoupling the IP header, decoded (block 24 in FIG. 4) and the received data is processed. Assign i _C = i _C +1 and i _K = i _K +1 and continue to transmit message packets until the client has completed the data for transmission.

Information transfer in the opposite direction, i.e. from the server to the client, it is carried out similarly.

In the process of conducting information exchange, both random and deliberate interference is affected by communication channels and aircraft nodes, which can cause distortion of the identification structure and information part of message packets transmitted in the network, which leads to violation of coordination (synchronization) of addresses on the server and client sides receiving and transmitting message packets.

To control the synchronization of addresses on the server side in the process of information exchange, the connection status is monitored, which consists in sending a connection control packet to the client.

If the connection status monitoring request is not received from the server for T _s , the recovery type of message packet is selected on the client side. They form a message packet with the client to restore communication, encode and convert it to TCP / IP format, and if it exceeds the length of the limit value, D fragment it. It includes the addresses of the recovery server A _BC and client A _K. After that, a message packet is transmitted to the server.

Upon receipt of a message packet with a request to restore communication on the server side in order to protect against client spoofing, check (Bl.28 in Figure 4) the state of information exchange between the client and server (completed or not completed). When the exchange of information is completed, the message-retrieval message packet is ignored, and if necessary, the exchange of information is set i _C = 1 and a notification of restoration of communication is sent to the client. The client receives a confirmation packet for reconnecting, and then sets i _K = 1 on the client, thereby coordinating (synchronizing) addresses with the server, and resume information exchange.

The possibility of achieving the formulated technical result was tested experimentally. A generalized scheme of the experiment is presented in figure 5.

The aircraft model with a dedicated server was two remote PCs (PC 1 and PC 2), as well as a server connected via the Internet, represented in the model by router M ₄ . To connect to the Internet, the PC 1, PC 2 and server used routers M ₁ , M ₂ and M ₃ .

During the experiment, information exchange was implemented between the PC 1, the PC 2 and the server through the routers. Message packets from PC 1 and PC 2 to the server were transmitted in encoded form, and only the IP header containing the sender and receiver addresses (IP addresses of routers M ₁ , M ₂ and M ₃ ) was transmitted in clear form.

A packet analyzer was connected to the M ₄ router, which allows intercepting and analyzing message packets to extract the addresses of the sender and recipient from them, as well as view their contents.

In the first version of the experiment, the address of router M ₃ was fixed. Using a packet analyzer, it was revealed that through the M ₄ router during the information exchange of PC 1, PC 2 and the server, message packets with open IP headers containing the addresses of the routers M ₁ , M ₂ and M ₃ , as well as with the encoded information component, pass through . That is, packet interception and analysis made it possible to detect the transmission of encoded information between the server and two nodes on the Internet.

This observation made it possible to unambiguously determine the secure communication channels established between the routers, as well as unambiguously highlight a server that implements information exchange with PC 1 and PC 2. Therefore, it can be assumed that an attacker with high probability could, using a packet analyzer on router M ₄ , determine the structure of the aircraft with a dedicated server (IP address 213.196.76.10), as shown in Fig.6, a, and to carry out destructive actions in order to disrupt information exchange, which contradicts the requirement for bespechenii Sun Safety.

In the second version of the experiment, a base of three IP addresses was set for router M ₃ , and in accordance with the sequence of actions described in the claimed method in the process of information exchange, they were changed. The addresses of the routers M ₁ and M ₂ remained fixed. Between the transmission of true message packets, the formation and transmission of false message packets were carried out. The address of the M ₃ router was changed after each message packet was transmitted.

Using a packet analyzer, it was revealed that message packets with open IP headers and with the encoded information component of message packets pass through the M ₄ router in the process of information exchange, as in the first version of the experiment. However, the analysis of the message packet headers did not reveal a single communication channel between the routers M ₁ and M ₃ , M ₂ and M ₃ . On the contrary, it was revealed several communication channels between different pairs of addresses (Fig.6, b) with approximately equal intensity of information exchange.

After selective distortion of the structure of the transmitted message packets and, as a result, violation of the synchronization of address selection during the reception and transmission of message packets during the experiment, communication between the client and the server of the computer network was restored. This result was achieved by allocating the address A _{BC of the} server for reconnecting (IP-address 213.196.76.12), access to which clients was carried out in the process of information exchange in accordance with the sequence of actions described in the claimed method.

Thus, a continuous change in the transmitted message packets of server addresses is achieved, as well as the transmission of false message packets when the sender does not have the source data for transmission. Moreover, the change of addresses occurs in each transmitted message packet, and the new addresses for the change are selected according to a pre-selected algorithm and transmit them in encoded form. Only the current addresses are transmitted in clear text. This makes it virtually impossible to identify them with respect to a particular network user and, therefore, reveal the structure of a distributed aircraft.

In addition, the claimed method achieves the restoration of communication between the client and the server of the computer network in case of violation of the synchronization of address selection when receiving and transmitting message packets caused by the impact on the communication channels and nodes of the computer network of random and deliberate interference, which ensures the achievement of the formulated technical result - reduction the difficulty of ensuring the accessibility of elements of computer networks built on the basis of a public communication network.

List of Terms Used

1. Confidentiality - a property that allows not to give the right to access information or not to disclose it to incomplete persons, logical objects or processes [GOST R. ISO 7498-2-99. Information technology. Interconnection of open systems. The basic reference model. Part 1. Information Security Architecture]. Along with the “confidentiality” property, the security of information and an object is also determined by the integrity and accessibility of its elements [V. Domarev. Information technology security. Systematic approach: - К: LLC TID DS, 2004. - 992 p. on page 107].

2. Accessibility - the property of being accessible and used upon request by an authorized logical entity [GOST R. ISO 7498-2-99. Information technology. Interconnection of open systems. The basic reference model. Part 1. Information Security Architecture].

3. IP-datagram - a message packet formed at the network level (IP protocol) [Nortkan S, Novak D. Detection of security breaches in networks, 3rd edition: Per. from English - M.: Williams Publishing House, 2003. - 448 p.: Ill. on page 32].

4. MTU is the maximum possible length of a datagram that a technology can place in the data field of its transmission unit [Olifer V. G., Olifer N. A. Computer networks. Principles, technologies, protocols: textbook for universities. - SPb .: Peter, 2003. - 864 s: ill.].

Claims (1)

A method of protecting computer networks with a dedicated server, which consists in pre-setting N> 1 server addresses, functions for selecting server addresses F ^N (i) and selecting addresses for sending a false message packet G ^N (i), where i = 1, 2 , 3, ... - step select address, and is assigned the current address of the server a _TS client address a _K, and the numbers of steps of selecting the server addresses i _C and customer i _K is assigned the value i _C = 1 and i _K = 1, in the absence of the data client for transmission generates a false information packet of messages, encodes and converts it into TCP / IP format, including into the false message packet, the current server address selected in accordance with the specified function F ^N (i), and transmit it, if the client has data to transmit, form a message packet, encode and convert it to TCP / IP format, then include it current address of the server a _TC, selected according to the function F ^N (i), and transmitting it to the server where the recovered address a _TC and a _K and compares address a _TC with the location selected for the given function F ^N (i), with they do not match, the received message packet is ignored, and if it matches the received message packet, it is highlighted dissolved encoded data and decoding them, assigning values i _C = i _C +1 and i _K = i _K +1 and continue to exchange messages before closure packets at the client data for transmission, characterized in that it further define K≥0 client address requiring encoding information during its transmission, the address of the A _BC server for reconnecting, the time interval of the T _C monitoring of the connection status by the server and the maximum permissible length D of the message packet, and also specify the types of message packets: false, informational and recovery, after converting false a message packet in TCP / IP format if its length exceeds the maximum permissible length D, the message packet is fragmented and additionally includes the client address, if the client has data, the message packet type is pre-selected, and if the information type is selected, an information packet is generated messages, moreover, the converted information message package, in case of its length exceeding the maximum permissible length D, is fragmented, and after the server address A _{TC is} included in the information message package, add They carefully include the client address A _K in the message packet, and if the server does not receive the control request from the server for connection status during T _C and the type of the connection recovery message package is selected, the client generates a message package with the connection restoration request, encodes it and converts it to TCP / IP, and if its length exceeds the limit value D, it is fragmented and includes the addresses of the recovery server A _BC and client A _K , after which they send a message packet to the server, after decoding the extracted identifier data they determine the type of the received message packet, and in the case of the information type of the message packet, it is processed, and at the end of the information exchange, the communication restoration message packet is ignored, and when the information exchange is continued, the value i _C = 1 is set and the notification of the restoration of communication is sent to the client, received from the client notification of the restoration of communication, after which the client sets the value i _K = 1.

Images