In most modern organizations, almost all important information is stored in electronic form, across a variety of computer networks, servers, and other information systems. Trusted users inside an organization often have access to confidential and protected information. Consequently, organizations often employ a variety of security mechanisms to prevent unauthorized access to and/or use of such information.
One such mechanism is the monitoring of computing resources within the organization. Merely by way of example, U.S. patent application Ser. Nos. 11/556,942, 11/556,968, 11/557,025 and 11/557,047, already incorporated by reference, described several exemplary systems and methods for monitoring and/or replaying events occurring on a monitored computer. Other systems and methods are available as well.
Pattern matching algorithms, including keyword matching algorithms, are well known in the field of computers. Such algorithms (which can include, without limitation, regular expressions, hashes and similar tools) are often used to locate desired text from among a large block of undifferentiated text.
Accordingly, pattern and/or keyword matching routines can be useful in the field of computer monitoring, because such routines can assist in determining whether an event should be monitored and/or collected, based for example on a set of text associated with the event. Merely by way of example, if a user of a monitored computer sends an email message, that fact alone may be of little interest, because users commonly send email messages as part of their legitimate work activities. If that message, however, contains sensitive and/or confidential information, the sending of the message is of much more interest from a security standpoint.
Hence, it is useful to be able to perform keyword and/or pattern matching within the context of computer monitoring, as well as in a variety of other contexts. Most keyword or pattern matching applications, however, store the keywords/patterns of interest in a form that is relatively accessible. Merely by way of example, a keyword matching application might store a set of keywords of interest in a file, and compare monitored text with the keywords in that file in order to determine whether an event associated with the monitored text should be monitored, analyzed and/or collected.
In such an environment, a savvy user often will be able to ascertain the keywords of interest and take appropriate steps to disguise any illegitimate activity (e.g., by avoiding the use of the keywords). What is needed, therefore, are systems and methods that allow for pattern and/or keyword matching without providing any readily-identifiable indication of the keywords and/or patterns of interest.
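One way to keep a watchlist out of readable form, shown here as an added example that is not taken from this text or from the referenced applications: store only HMAC-SHA256 digests of normalized keywords and compare them with digests of word windows from the monitored text. The key, the function names and the sample keywords are constructed assumptions, and provisioning the key separately from the digest file is assumed rather than shown.

```python
import hashlib
import hmac
import re

# Constructed demo key; a real deployment would provision it separately
# from the digest file (assumption, not described in the original text).
DEMO_KEY = b"constructed-demo-key-not-for-production"
MAX_WORDS = 3  # longest phrase (in words) the matcher will look for


def normalize(text):
    """Lower-case and split into word tokens so matching ignores case/punctuation."""
    return re.findall(r"[a-z0-9]+", text.lower())


def digest(key, words):
    """Keyed digest of a normalized phrase; the phrase itself is never stored."""
    return hmac.new(key, " ".join(words).encode("utf-8"), hashlib.sha256).hexdigest()


def build_watchlist(key, phrases):
    """Run once by the administrator; only the returned digests are deployed."""
    return {digest(key, normalize(p)) for p in phrases}


def weak_match(plain_keywords, text):
    """Baseline from the passage: keywords kept readable beside the matcher."""
    lowered = text.lower()
    return any(k.lower() in lowered for k in plain_keywords)


def blind_match(key, watchlist, text):
    """Return True if any 1..MAX_WORDS-word window of text hashes into the watchlist."""
    words = normalize(text)
    for n in range(1, MAX_WORDS + 1):
        for i in range(len(words) - n + 1):
            if digest(key, words[i:i + n]) in watchlist:
                return True
    return False


if __name__ == "__main__":
    # Constructed sample data.
    watchlist = build_watchlist(DEMO_KEY, ["Project Falcon", "merger"])
    print(sorted(watchlist)[0][:16], "...")  # digests reveal no keyword text
    print(blind_match(DEMO_KEY, watchlist, "Notes on PROJECT FALCON, draft 2"))
    print(blind_match(DEMO_KEY, watchlist, "Lunch at noon?"))
```

The matcher still needs the key at run time, so a user who recovers both the key and the digests can test guessed keywords against them; the digests remove the readable list, not the need to protect the key.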