A Multi-Agent System for Enforcing “Need-To-Know” Security Policies

Abstract

We propose a multi-agent system architecture for the adaptive authorization of access to confidential information. The proposed multi-agent system provides "need-to-know" content-based authorization of requests to access confidential information. "Need-to-know" authorization is that which grants access to confidential information only if that information is necessary for the requester's task or project. In our system, we treat the authorization task as a text classification problem in which the classifier must learn a human supervisor's decision criteria with small amounts of labeled information, e.g. 20 to 30 "documents", and to be capable of generalizing to other documents with a zero, or near-zero, false alarm rate. Since "need-to-know" authorizations must be determined for multiple tasks, multiple users, and multiple collections of confidential information, with quick turn-around from definition to use, the authorization agent must be adaptive and capable of learning new profiles quickly and with little impact on the productivity of the human supervisor and the human end-user. To this end, we examined five different text classification methods for solving this problem, "agentified" the best performer, and inserted it in a secure document management system context.