RYOTARO NAKATA - Academia.edu

Papers by RYOTARO NAKATA

Evaluation of vulnerability reproducibility in container-based Cyber Range

arXiv (Cornell University), Oct 29, 2020

The cyber range is a practical and highly educational information security exercise system, but it has not been widely used due to its high introduction and maintenance costs. Therefore, there is a need for a cyber range that can be adopted and maintained at a low cost. Recently, container-type virtualization has been gaining attention as it can create a high-speed and high-density exercise environment. However, existing research has not clearly shown the advantages of container virtualization for building exercise environments. Moreover, it is not clear whether sufficient vulnerabilities, required to conduct incident scenarios in the cyber range, are reproducible. In this paper, we compare container virtualization with existing virtualization types and confirm that the amount of memory, CPU, and storage consumption can be reduced to less than 1/10 of the conventional virtualization methods. We also compare and verify the reproducibility of the vulnerabilities used in common exercise scenarios and confirm that 99.3% of the vulnerabilities are reproducible. The container-based cyber range can be used as a new standard to replace existing methods.

Development of cyber security attack and defense exercise system CyExec using Docker container-type virtualization technology

Motivation in Teaching Expert Development Project by KOSEN Security Educational Community

2023 IEEE Global Engineering Education Conference (EDUCON)

Application of ISO/IEC 29100:2011 to the evaluation criteria of privacy impact assessment

Development of Privacy Impact Assessment procedure manual conforming to ISO / IEC 29134:2017

SECURITY MANAGEMENT

CyExec*: A High-Performance Container-Based Cyber Range With Scenario Randomization

IEEE Access, 2021

With increasing threats to information security, information security education through practical exercises, specifically the cyber range, has attracted attention. However, the use of a cyber range is not widespread because of the high initial and maintenance cost and the difficulty of developing new scenarios. Because many virtual instances are executed in the cyber range, the advantage of container-type virtualization, which can provide a lightweight execution environment, is expected to increase efficient hardware utilization and decrease the total cost. On the other hand, containers pose challenges in scalability and scenario development when it comes to their use in cyber ranges because their performance advantages and vulnerability reproducibility have not been reported. In this paper, we conducted an exhaustive experiment to compare the performance and reproducibility of container-type virtualization with other virtualization types. The results show that containers can provide a more efficient execution environment than the other types, with almost perfect vulnerability reproducibility of more than 99% while reducing memory consumption by half and storage consumption to 1/60. The container's high performance and reproducibility enabled us to develop CyExec*, a cyber range system with DAG-based scenario randomization technology. CyExec* can increase educational effectiveness by automatically generating multiple scenarios with the same learning objective. Compared with a random scenario generator for CTF using another virtualization type, CyExec* shows more than three times higher performance. CyExec* can solve existing cyber range issues.

Evaluation of vulnerability reproducibility in container-based Cyber Range

ArXiv, 2021

A cyber range, a practical and highly educational information security exercise system, is difficult to implement in educational institutions because of the high cost of implementing and maintaining it. Therefore, there is a need for a cyber range that can be adopted and maintained at a low cost. Recently, container-type virtualization has been gaining attention as it can create a high-speed and high-density exercise environment. However, existing research has not clearly shown the advantages of container virtualization for building exercise environments. It is also not clear whether sufficient vulnerabilities, which are required to conduct incident scenarios in a cyber range, are reproducible. In this paper, we compare container virtualization with existing virtualization types and confirm that the amount of memory, CPU, and storage consumption can be reduced to less than 1/10 of the conventional virtualization methods. We also compare and verify the reproducibility of the vulnerabiliti...

Proposal for a Privacy Impact Assessment Manual Conforming to ISO/IEC 29134: 2017

In this paper, we compared the requirements of a previously developed manual and ISO/IEC 29134:2017 and analyzed the changes. As a result, there were no major differences in requirements. It is useful to conduct a privacy impact assessment (PIA) before actually operating the system to appropriately construct and operate a system that handles personal information. A manual (procedure manual) is necessary to implement PIA efficiently. In June 2017, ISO issued ISO/IEC 29134:2017 as an international standard on PIA. Because the past PIA manual was developed based on ISO 22307:2008, development of a PIA manual conforming to ISO/IEC 29134:2017 was required. By our analysis, as newly stated matters, ISO/IEC 29134:2017 explicitly indicated Due Diligence, stakeholder engagement, and risk countermeasures. Based on the analysis results, we propose a new PIA manual reflecting the requirements of ISO/IEC 29134:2017.

CyExec*: Automatic Generation of Randomized Cyber Range Scenarios

With the development of information technology, the need for information security education is increasing, and the effectiveness of cyber range exercises is attracting attention. The cyber range is a system to learn knowledge and skills by experiencing an incident scenario reproduced in a virtual environment. Many scenarios are required to train a security expert through various incident experiences. However, scenario development requires highly specialized expertise. Thus, in practice, only a limited number of scenarios are worn out around. Identical scenarios may decrease the educational effect since the other teams’ actions or write-ups on the internet will give hints to the students. We propose CyExec*, a cyber range system that automatically generates multiple scenarios based on DAG (Directed Acyclic Graph)-based scenario randomization. Multiple scenarios with the same learning objectives can enhance teaching effectiveness and prevent cheating. We developed the DAG-based scenario randomiz...

An Effective Cybersecurity Exercises Platform CyExec and its Training Contents

International Journal of Information and Education Technology, 2020

Recently, the threats of cyberattacks, especially of targeted attacks, are increasing rapidly and a large number of cybersecurity incidents are occurring frequently. On the other hand, capable personnel are greatly lacking, and strengthening the systematic human resource development cultivating capabilities for cybersecurity activities is becoming an urgent issue. However, only a few parts of academia and the private sector in Japan can carry out cybersecurity exercises because of the high cost and inflexibility of commercial or existing training software. On this account, in order to enforce cybersecurity practical exercises cost-effectively and flexibly, we developed a virtual environment Cybersecurity Exercises (CyExec) system utilizing VirtualBox and Docker. We also implemented an open source vulnerability scanner tool WebGoat and our original cyberattack and defense training contents on CyExec.
