Abstract
Recent research [12] has suggested that traditional top-down security policy models are too rigid to cope with changes in dynamic operational environments. There is a need for greater flexibility in security policies to protect information appropriately and yet still satisfy operational needs. Previous work has shown that security policies can be learnt from examples using machine learning techniques. Given a set of criteria of concern, one can apply these techniques to learn the policy that best fits the criteria. These criteria can be expressed in terms of high-level objectives, or characterised by the set of previously seen decision examples. We argue here that even if an optimal policy could be learnt automatically, it will eventually become sub-optimal as the operational requirements change. The policy needs to be updated continually to maintain its optimality. This paper proposes two dynamic security policy learning frameworks. Copyright 2009 ACM.