What is obfuscation? Part 1
09.02.2026

Ruslan Rakhmetov, Security Vision


Information security specialists are often tasked with concealing transmitted information, protecting intellectual property, and preventing unauthorized interference with information systems. Although cryptographic information protection methods are used in most cases, in some situations, specialists are forced to employ obfuscation techniques, which are also used by attackers. In the first part of this article, we will discuss obfuscation, the different obfuscation methods, and the applications of this technique. The next part will cover the application of obfuscation in software and hardware.

 

In general, obfuscation is confusion, the deliberate introduction of ambiguity (from the English obfuscate – to confuse, from the Latin obfuscare – to obscure, to conceal). Below, we will describe the types of obfuscation techniques used in various fields.

 

1. Communicative obfuscation: the deliberate introduction of distortions into the language of communication in order to conceal the meaning is a technique of communicative (linguistic) obfuscation. Examples include various "secret languages" or "argot": essentially slang used to conceal the meaning of what is said from outsiders or to complicate linguistic analysis of what is said (including analysis using ASR, Automatic Speech Recognition, technology). Furthermore, foreign vocabulary or lesser-known dialects can be used for language obfuscation: for example, in pre-revolutionary Russia, members of the upper classes communicated among themselves in French, in part to prevent servants from understanding what they said, and during the Great Patriotic War, communications specialists from minority ethnic groups in the USSR could use their native languages among themselves to conceal the meaning of their words from eavesdropping adversaries. Certain social groups also use communication obfuscation methods, primarily representatives of certain professions (IT/ISP specialists, PR and sales specialists, politicians).

 

2. Obfuscation of ML models and neural networks: hiding the internal structure and training data helps to resist model theft (model stealing) and data extraction. Obfuscation is achieved through parameter encapsulation, obfuscation of the neural network structure, and the addition of a protective layer to the neural network.

 

3. Data obfuscation: Data masking (obfuscation) is used for non-cryptographic protection of confidential information, including personal data. Data obfuscation can be implemented using the following methods:


  ·  Randomization: sensitive data is replaced with random data;          


  ·  Replacement: sensitive data is replaced with meaningless or intentionally distorted data created using a specific algorithm. For example, base64, UUE, and MIME encoding methods may be used, as well as spoofing methods, including the use of various special characters and homoglyphs;


  ·  Shuffling: For example, customers' postal codes are swapped with each other according to a certain algorithm;


  ·  Noise injection/random perturbation method: for example, adding a few random characters to user IDs;


  ·  Masking: some sensitive data is hidden using a specific algorithm, for example, part of a bank card number is hidden with * symbols. When using this type of masking, it's important to remember that the bank card number (PAN, Primary Account Number), in accordance with the ISO/IEC 7812–1:2017 standard, can be from 10 to 19 digits long (the most common PAN is 16 digits long, for example, in MIR, Visa and Mastercard cards) and consists of a bank identifier (BIN, Bank Identification Number: the first 6-8 digits of the card number), a unique digital identifier of the bank's client (up to 12 digits) and a final check digit calculated using the Luhn algorithm (which protects against accidental errors when entering the card number). Therefore, it makes no sense to conceal the first 6-8 digits of the BIN identifier, since their list is finite, and the mapping of BINs to banks is well known. The method of replacing bank card data is called PAN truncation and is defined in the PCI DSS standard: the full bank card number is concealed; in practice, only the last 4 digits are left visible. This means, for example, that when printing receipts or displaying transaction history, third parties will not be able to see the full card number;


  ·  Tokenization: replacing sensitive data with a token, an identifier consisting of a sequence of characters obtained through a one-way transformation (similar to a hash function). The original data is matched to the token in a tokenization system, which verifies the validity of the presented token. Examples of tokenization include mobile payment services such as Apple Pay, Google Pay and Mir Pay (MIR Pay), in which the real PAN numbers of bank cards (also called FPAN, Funding Primary Account Number) are replaced with tokenized DPAN identifiers (Device Primary Account Number) stored in the corresponding payment app on the smartphone. When paying, the smartphone's NFC chip transmits this virtual DPAN number to the POS terminal, and the merchant's recipient bank requests verification of the DPAN number's validity in the tokenization system, i.e., from the token service provider (TSP, Token Service Provider), which performs the matching between the received DPAN token and the actual FPAN number of the bank card. In the case of the MIR Pay system, this provider is JSC NSPK (National Payment Card System).
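The masking and tokenization items above can be illustrated with a short Python sketch. This is an added example, not code from the article or from any payment system: the names luhn_valid, normalize_pan, mask_pan and TokenVault are hypothetical, the use of HMAC-SHA256 as the one-way transformation is an assumption, and the card number is a constructed test value.

```python
import hashlib
import hmac
import secrets


def luhn_valid(digits: str) -> bool:
    """Verify the final check digit with the Luhn algorithm."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def normalize_pan(pan: str) -> str:
    """Strip separators; enforce the 10-19 digit length and the check digit."""
    digits = pan.replace(" ", "").replace("-", "")
    if not (digits.isascii() and digits.isdigit() and 10 <= len(digits) <= 19):
        raise ValueError("PAN must be 10-19 digits")
    if not luhn_valid(digits):
        raise ValueError("Luhn check failed")
    return digits


def mask_pan(pan: str, show_bin: bool = False) -> str:
    """Leave the last 4 digits visible; optionally also a 6-digit BIN."""
    digits = normalize_pan(pan)
    # Short PANs keep the BIN hidden so that several digits stay masked.
    head = digits[:6] if show_bin and len(digits) > 12 else ""
    return head + "*" * (len(digits) - len(head) - 4) + digits[-4:]


class TokenVault:
    """Toy tokenization system: only the vault can map a token back to a PAN."""

    def __init__(self) -> None:
        self._key = secrets.token_bytes(32)  # secret that never leaves the vault
        self._pans: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        digits = normalize_pan(pan)
        # Keyed one-way transformation: the token reveals nothing without the key.
        token = hmac.new(self._key, digits.encode(), hashlib.sha256).hexdigest()[:24]
        self._pans[token] = digits
        return token

    def detokenize(self, token: str) -> str:
        if token not in self._pans:
            raise KeyError("unknown or forged token")
        return self._pans[token]


TEST_PAN = "4111 1111 1111 1111"   # constructed test number that passes Luhn
```
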

 

Data obfuscation can be static or dynamic: static data masking (SDM, Static Data Masking) means applying a selected masking method and algorithm before storing or transmitting data that requires obfuscation, while dynamic data masking (DDM, Dynamic Data Masking) obfuscates sensitive data at the moment users access it (taking into account the access rules and the access control model). A variation of dynamic masking is on-the-fly data masking, which is used when transferring protected data from one system to another, for example, when confidential data is masked directly at the moment of its transfer from the production segment to the test environment, where work is carried out with masked data.

 

4. Obfuscation of personal data: use of methods of depersonalization, anonymization, pseudonymization, differential privacy.


4.1. Depersonalization of personal data (abbreviated PDn) is defined in the Federal Law of 27.07.2006 No. 152-FZ "On Personal Data" (Article 3, paragraph 9) as an action as a result of which it becomes impossible to determine the ownership of PDn to a specific PD subject without the use of additional information. In accordance with Russian legislation, personal data depersonalization is performed in accordance with the requirements of the Russian Government Resolution of August 1, 2025, No. 1154 "On Approval of Requirements for the Depersonalization of Personal Data, Methods of Depersonalization of Personal Data, and the Rules for the Depersonalization of Personal Data" and the Order of Roskomnadzor of June 19, 2025, No. 140 "On Approval of Requirements for the Depersonalization of Personal Data and Methods of Depersonalization of Personal Data..." (this Order replaced the previous Order of Roskomnadzor of September 5, 2013, No. 996). These documents list the following methods of depersonalization of personal data:

  ·  Introduction of identifiers: replacement of part of the information (personal data values) with identifiers with the creation of a table (reference book) of the correspondence of identifiers to the original personal data;

  ·  Change in composition or semantics: change in composition or semantics of personal data, including by replacing it with the results of statistical processing or by deleting, distorting, or changing the attributes of personal data;

  ·  Decomposition: dividing the array of personal data into several parts with subsequent separate storage;

  ·  Shuffling: rearranging individual records, as well as groups of records in the PDn array;

  ·  Transformation: aggregation and transformation of an array of anonymized personal data by generalizing (aggregating) the attributes of the personal data, including preserving the original distribution of each value of the attributes of the personal data.

 

4.2. Pseudonymization of PDn is defined in the international standard ISO/IEC 20889:2018 (“Terminology and classification of privacy-enhancing data de-identification techniques”) as a de-identification method in which the identifier of a PD subject is replaced with a pseudonym in order to conceal the identity of this PD subject. According to Article 4, paragraph 5 of the European General Data Protection Regulation (GDPR), pseudonymization means processing personal data in such a way that it can no longer be attributed to a specific personal data subject without the use of additional information, provided that such additional information is stored separately and is subject to technical and organizational measures that ensure that the personal data cannot be associated with the personal data subject. In essence, pseudonymization is similar to anonymization: pseudonymized and anonymized personal data can be converted into the original personal data using additional information (key table, directory).

 

4.3. Personal data anonymization is defined in the international standard ISO/IEC 29100:2024 ("Privacy Framework") as a process that irreversibly modifies personal data such that the personal data subject can no longer be identified directly or indirectly by any personal data operator, even when using enriched data from third parties. Anonymized data is not attributed to any personal data subject; it is impossible to reconstruct real personal data from it or link it to subjects. It can be used without restrictions; however, full anonymization should not be confused with depersonalization and pseudonymization.

 

4.4. Differential privacy is defined in the international standard ISO/IEC 20889:2018 ("Terminology and classification of privacy-enhancing de-identification techniques") as a formal privacy model that ensures the immutability of personal data processing results when any individual record is added or deleted. Thus, differential privacy ensures that accurate aggregated statistical information can be obtained from a dataset about a group of individuals without disclosing the identity of any individual. This is achieved by introducing noise (random data) into statistical calculations, taking into account the so-called "privacy budget"—the maximum permissible amount of information that can be disclosed about a group of individuals from a dataset without compromising the anonymity of individuals.
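The noise and "privacy budget" mechanics described above can be shown with a counting query protected by the Laplace mechanism. This is an added example, not code from the article or from ISO/IEC 20889: the names laplace_noise, PrivateCounter and BudgetExhausted are hypothetical, the choice of the Laplace mechanism is an assumption, and the records are constructed.

```python
import random


class BudgetExhausted(Exception):
    """Raised when a query would exceed the total privacy budget."""


def laplace_noise(scale: float, rng: random.Random) -> float:
    """Laplace(0, scale) sample: the difference of two exponential samples."""
    return rng.expovariate(1 / scale) - rng.expovariate(1 / scale)


class PrivateCounter:
    """Answers counting queries while tracking a total privacy budget (epsilon)."""

    def __init__(self, records, total_epsilon: float, seed=None) -> None:
        self._records = list(records)
        self.remaining = total_epsilon
        # A seed is accepted only to make the demo reproducible; a real
        # deployment would draw noise from a cryptographically secure source.
        self._rng = random.Random(seed)

    def count(self, predicate, epsilon: float) -> float:
        if epsilon <= 0:
            raise ValueError("epsilon must be positive")
        if epsilon > self.remaining:
            raise BudgetExhausted("privacy budget exhausted")
        self.remaining -= epsilon            # every answer spends budget
        true_count = sum(1 for r in self._records if predicate(r))
        # Adding or removing one record changes a count by at most 1
        # (sensitivity 1), so the noise scale is 1 / epsilon.
        return true_count + laplace_noise(1 / epsilon, self._rng)


# Constructed records: (age, has_condition)
RECORDS = [(34, True), (51, False), (29, True), (62, True), (45, False), (38, True)]


def demo():
    counter = PrivateCounter(RECORDS, total_epsilon=1.0, seed=7)
    first = counter.count(lambda r: r[1], epsilon=0.5)
    second = counter.count(lambda r: r[0] > 40, epsilon=0.5)
    return first, second, counter.remaining
```

A smaller epsilon per query means more noise and stronger protection; once the budget is spent the counter refuses further queries instead of leaking more about any individual.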

 

5. Data obfuscation for copyright protection.


To protect copyright, identify licensing violations, and control the use of intellectual property, digital watermarks can be applied to various objects (files, images, videos). Digital watermarking based on obfuscation makes the watermarks invisible to users and attackers and resistant to various methods of tampering or removal, and also clearly indicates the authorship or ownership of a particular object by a specific person or organization. In addition, tampering with or removing a digital watermark should break the functionality and/or integrity of the protected object (for example, the media file cannot be played) and notify the user and/or author (owner of the object) of unauthorized interference. Often, digital watermarking methods based on obfuscation are used in conjunction with steganography methods and are applied in technical means of copyright protection (DRM systems, Digital Rights Management). In addition, obfuscation can also be used in printing, using the technology of applying so-called "yellow dots" to printer printouts (Printer Tracking Dots, or Machine Identification Code, MIC), which contain information about the printer's serial number, time, and date of printing, making it possible to identify the source of the printout, especially in the event of a data leak on paper media. Some DLP systems also apply similar digital watermarks: the image displayed on the monitor contains invisible micro-distortions that can be used to identify the device in the event of a data leak using computer screen photography, a trick often used by untrustworthy employees to leak confidential information.
