A Road Map of Knowledge Management for Network Security and Roles of Soft Computing

Atsushi Inoue
Department of Computer Science, Eastern Washington University, Cheney, WA 99004-2412
E-mail: atsushi.inoue@ewu.edu

Anca L. Ralescu
ECECS Department, University of Cincinnati, Cincinnati, OH 45221-0030
E-mail: anca.ralescu@uc.edu

Abstract— This paper presents a road map of knowledge management for network security. To handle the real-time nature and unpredictable distribution of network traffic, a sophisticated artificial intelligence needs to underlie a multi-agent system architecture that serves as a middleware for knowledge management operations. To realize this, Soft Computing intrinsically plays the key role in most of the primary knowledge management tasks.

I. INTRODUCTION

The last decade has witnessed an increase in efforts to build upon the advancement of information technologies (especially that of artificial intelligence techniques for knowledge representation and reasoning, broadly called knowledge management) to ensure that experience and knowledge are accessed and used by the right people at the right times in the right format [34], [11], [29]. The premise of such efforts is that knowledge-empowered enterprises will achieve substantial improvements in effectiveness, productivity, and service quality by leveraging the collaborative knowledge of their people within a framework of knowledge management in real time. To realize this, the following technologies are necessary: (1) Knowledge Representation - for knowledge integration; (2) Just-In-Time Knowledge Delivery - for real-time knowledge sharing; and (3) One-stop Search - for a single interface to the search of knowledge.

In the context of network security administration, knowledge management is indeed a powerful infrastructure for many of its tasks including, but not limited to: (1) profiling of computational activities, (2) sharing and/or updating of configurations for tools (e.g. snort and tcpdump) within selective criteria on a real-time basis, (3) incident response (e.g. notifying certain people, changing or holding routing, and disabling services and/or hosts in order to protect them), (4) tracking and recording computational activities at the time of an incident for forensic activities, and (5) tracking and recording configurations inconsistent with security policies for penetration testing. Such tasks can be performed efficiently and effectively by placing appropriate queries for the one-stop search of knowledge, which is accessible by just-in-time knowledge delivery and represented in a canonical knowledge representation.

This paper presents a road map toward a framework for artificial intelligence underlying security knowledge management, in a way that assists security administrators in providing trustworthy services to their respective organizations. In particular, this is realized by the development of a multi-agent system for (1) data collection, (2) mining data relevant to network security, (3) query processing, and (4) embedding the query processing into security-relevant tasks, such as tracking of suspicious activities, and assessment and auditing of security tool configurations.

II. NETWORK SECURITY ADMINISTRATION

A. Current

Recently, the issue of network security has drawn significant attention from the public and the research community [8], [26]. Practical tools [35], [38], [39], [13], [25], books [2], [33], [27], [28], [20] and training programs (e.g., short courses and their materials [32], [27], [28]) for network security have come out, and they are indeed making significant contributions to advancing the technology. Some efforts on using artificial intelligence (mainly for intrusion detection tasks) have also been made, although such efforts have not yet received much attention, mainly due to the lack of integrated knowledge of artificial intelligence and network security [3], [22].

Reflecting such trends, further sophistication of network administration tasks is needed in order to ensure maximum network security. At a minimum, network administrators are constantly required to gain additional knowledge on top of their administrative tasks.

B. Future

This road map puts forward the idea that AI and data management techniques can be called upon to create an environment for network security management without increasing the burden on the network administrator. For a concrete illustration of network security tasks, the following scenarios are considered:

Scenario 1 - Detection of, and response to, a suspicious activity: Jim, a network administrator, is notified by an alert on his computer that an unusual increase in network traffic has taken place in the last five minutes. He then places the following query to an agent at his workstation and receives the corresponding responses from remotely distributed agents: