On the Usability of Clustering for Topic-Oriented Multi-level Security Models

Security levels used in organizations today are typically course-grained, broad and distinct, using security levels such as "Confidential" and Secret". However, current research is advocating a move towards more fine-grained security models, e.g. Such as Attribute-Based Access Control, where information objects and end-users are characterized in terms of complex meta-data. One idea promoted is a topic-oriented approach where information objects are characterized in terms of fine-grained descriptions of the topics of its content. It will lead to higher flexibility, but will also rely on a policy-database to assign a specific security policy to topics and subtopics. Due to increased complexity, it will also require automatic or semi-automatic tools for determining the topics and sub-topics of information objects, and the tools should extract topics that are easily understood by humans, since humans need to control the policy. This paper studies the feasibility of using clustering techniques to help humans in extracting the topics from information objects. A number of clustering methods are discussed, including k-means, Ward's hierarchical agglomerative clustering, Correlated Topic Models (CTM) and Latent Dirichlet Allocation (LDA). To the best of our knowledge, an in-depth analysis on the feasibility of using clustering for this problem has not been presented in previous work. Our analysis points out challenges with clustering in particular, which must be addressed before realizing the general vision of topic-oriented policy-driven security models.