
CYBEX the cybersecurity information exchange framework

The Cybersecurity Information Exchange Framework (CYBEX) is being standardized to facilitate global cybersecurity information sharing among organizations, aiming to reduce the isolation of countermeasure implementations. It consists of five functional blocks that structure and automate the exchange of cybersecurity information, enhancing efficiency and minimizing human error. The framework's development is crucial for creating a unified approach to cybersecurity, particularly benefiting countries with fewer resources.


CYBEX – The Cybersecurity Information Exchange Framework (X.1500)

Anthony Rutkowski∗ (Yaana Technologies, USA)
Youki Kadobayashi† (NAIST, Japan)
Inette Furey (DHS, USA)
Damir Rajnovic (FIRST, USA)
Robert Martin (MITRE, USA)
Takeshi Takahashi (NICT, Japan)

∗This author is the Rapporteur of ITU-T Q.4/17.
†This author is the Associate Rapporteur of ITU-T Q.4/17.
‡This author is the main editor of this article.

This article is an editorial note submitted to CCR. It has NOT been peer reviewed.
The authors take full responsibility for this article’s technical content. Comments can be posted through CCR Online.

ABSTRACT
The cybersecurity information exchange framework, known as CYBEX, is currently undergoing its first iteration of standardization efforts within ITU-T. The framework describes how cybersecurity information is exchanged between cybersecurity entities on a global scale and how the exchange is assured. The worldwide implementation of the framework will eventually minimize the disparate availability of cybersecurity information. This paper provides a specification overview, use cases, and the current status of CYBEX.

Categories and Subject Descriptors
C.2.0 [Computer-Communication Networks]: General—Security and Protection; K.6.5 [Management of Computing and Information Systems]: Security and Protection

General Terms
Standardization, Security, Design

Keywords
CYBEX, cybersecurity, security, information exchange

1. INTRODUCTION
Wide proliferation of the Internet is bolstering the immense development of cyber society, where diverse communications including sharing of private information and business transactions are taking place. In cyber society, malware such as viruses may attack any computer beyond the borders of the country of its origin or target, and an attacker can attack computers all over the world by running other hackers’ pre-packaged attack software. Sources of threats cross borders of countries and even continents. It is also possible for an attacker to attack computers in country A by controlling computers in country B while physically residing in country C. Moreover, a system’s vulnerability may be exposed to any attackers across the globe. The number of attacks is increasing drastically each year. From the viewpoint of new malicious code signatures, Symantec created 2,895,802 such signatures in 2009, a 71 percent increase over 2008; the 2009 figure represents 51 percent of all such signatures ever created by Symantec [7].

Countermeasures against these cybersecurity threats, however, are most frequently implemented by individual organizations in isolation. Consequently, an organization in one country may be attacked by malware whose countermeasures are already known and implemented within another organization in another country. Such incidents occur due to the lack of sharing of information among organizations. One of the biggest factors preventing organizations from sharing information with each other is the absence of a globally common format and framework for cybersecurity information exchange. Albeit some countries such as the United States possess domestic standards for approaching this problem, most other countries have no such standards. Another such factor is the absence of an assured information exchange framework, without which no organization will exchange information.

To cope with this problem, ITU-T is now building an emerging standard – The Cybersecurity Information Exchange Framework (CYBEX). CYBEX provides a globally common format and framework for assured cybersecurity information exchange, which will eventually minimize the disparity of cybersecurity information availability on a global scale. Since cybersecurity information can be shared worldwide, no country or organization implementing CYBEX will be left behind in terms of its availability. Consequently, developing countries, which currently have fewer resources to put towards cybersecurity, can become equal partners with developed countries with appropriate investments. Therefore countermeasures will be implemented through global collaboration. The framework will also advance the development of automating cybersecurity information exchange. Most cybersecurity information exchange within organizations is not currently automated and depends largely on human intervention. Email, telephone calls and even face-to-face meetings are still the primary method for information exchange. The need for and reliance on human interaction

ACM SIGCOMM Computer Communication Review 59 Volume 40, Number 5, October 2010
consumes a great deal of time. By advancing automation of cybersecurity information exchange, the costs (e.g., personnel costs) within each organization will be significantly reduced and the operation will be more efficient. At the same time, human-operation-based mistakes such as miscommunication can be avoided; thus the quality of operations can be improved.

The rest of this paper is organized as follows: Section 2 explains the scope of CYBEX, Section 3 describes the overview of CYBEX specification, Section 4 describes the use cases of CYBEX, Section 5 describes the current status of CYBEX, and Section 6 concludes the paper.

2. SCOPE OF CYBEX
CYBEX focuses on cybersecurity information exchange between cybersecurity organizations as shown in Figure 1. Cybersecurity information is information required for cybersecurity operations such as on a vulnerability, and a cybersecurity organization is an organization running cybersecurity operations such as CERTs of countries and private companies. How to acquire/use cybersecurity information is outside the scope of CYBEX.

Figure 1: Scope of CYBEX

The cybersecurity information exchange provides an effective cybersecurity ecosystem where knowledge derived from reports, testing, experience, and experience are used to create and evolve the weakness and vulnerability information that in turn can be used together with system state information to measure and enhance security. These building blocks can also be used for creating extension capabilities that include detection of malware or automating known secure states of software, services, and systems. This cybersecurity ecosystem enabled by CYBEX is shown in Figure 2. Evidence is produced when required by authorities for wrongdoing.

Figure 2: Cybersecurity ecosystem enabled by CYBEX

3. OVERVIEW OF CYBEX SPECIFICATIONS
Considering the cybersecurity information life cycle, we concluded that five functional blocks are needed for CYBEX: Information Description, Information Discovery, Information Query, Information Assurance and Information Transport, as shown in Figure 3. The Information Description block structures cybersecurity information for exchange purposes, the Information Discovery block identifies and discovers cybersecurity information and entities, the Information Query block requests and responds with cybersecurity information, the Information Assurance block ensures the validity of the information, and Information Transport block exchanges cybersecurity information over networks.

Table 1: CYBEX family specifications

| Functional blocks | Imported specifications | Newly built specifications |
| Information Description block | CPE, CCE, CVE, CWE, CAPEC, MAEC, CVSS, CWSS, OVAL, XCCDF, ARF, IODEF, CEE, TS102232, TS102667, TS23.271, RFC3924, EDRM | X.dexf, X.pfoc |
| Information Discovery block | | X.cybex.1, X.cybex-disc |
| Information Query block | | X.chirp |
| Information Assurance block | EVCERT, TS102042 V2.0 | X.eaa |
| Information Transport block | TS102232-1 | X.cybex-tp, X.cybex-beep |

1 The term “specification” in this paper includes draft Recommendations that are not completed yet or that are still in its initial phase of development though it usually refers to a detailed description of the design and materials that is ready for use.

Each functional block consists of assorted specifications1 as shown in Table 1. As can be seen, one important characteristic of CYBEX is that this de jure standard is based on current de facto standards, and that by creating CYBEX in cooperation with the creators of each de facto standard we can increase the utility and compatibility of CYBEX with these standards, so users will be able to use CYBEX

seamlessly with available products, making CYBEX more practical and deployable.

Figure 3: Five functional blocks of CYBEX (Information Description block, Information Discovery block, Information Query block, Information Assurance block, Information Transport block)

Each of the functional blocks is elaborated on in the following subsections.

3.1 Information Description Block
This functional block structures cybersecurity information for exchange purposes and provides the formats and languages to describe it. These formats and languages are depicted through the introduction of 18 existing specifications and three newly created ones.

From the viewpoint of the cybersecurity operational information ontology that is modified from the one in [11] to accommodate forensic aspects, these specifications are classified as shown in Figure 4. The following subsections provide the details of the introduced specifications following the operation domains defined by the ontology.

3.1.1 Knowledge Accumulation Domain
Knowledge Accumulation domain is an operation domain that accumulates knowledge on cybersecurity, which will be then shared and reused by other organizations. The National Vulnerability Database [10], for instance, is providing practical facilitation for such operations. The information required for this operation is stored in either of the three knowledge bases: Product & Service, Cyber Risk or Countermeasure.

The Cyber Risk Knowledge Base accumulates information on cyber risks including that on vulnerabilities and threats. To describe information in the knowledge base, CYBEX introduces Common Vulnerabilities and Exposures (CVE) [9, 13], Common Weakness Enumeration (CWE) [9, 13], Common Attack Pattern Enumeration and Classification (CAPEC) [9, 13], and Malware Attribute Enumeration and Characterization (MAEC) [9, 13]. CVE provides unique identifiers for publicly known vulnerabilities in commercial and open source software to facilitate rapid and accurate correlation of vulnerability data across multiple information sources and tools. CWE is an XML/XSD-based specification that provides unique identifiers for the weaknesses in software code, design, architecture, or implementation as well as a rich body of knowledge about the cause, impact, and mitigations of these weaknesses to include code examples. CAPEC is an XML/XSD-based specification that provides unique identifiers for the patterns of attack against software as well as a rich body of knowledge about the attack steps, impact, and mitigations of these attack patterns to include observable attributes. MAEC provides a language and format for characterizing the behaviors and actions of malware with two core components consisting of enumerated elements (vocabulary) and schema (grammar).

The Countermeasure Knowledge Base accumulates information on countermeasures that correspond to cyber risks. To describe information in the knowledge base, CYBEX introduces the Common Vulnerability Scoring System (CVSS) [9, 13], Common Weakness Scoring System (CWSS) [12], Open Vulnerability and Assessment Language (OVAL) [9, 13], and eXtensible Configuration Checklist Description Format (XCCDF) [9, 13]. CVSS provides for an open framework for communicating the characteristics and impacts of IT vulnerabilities, while CWSS provides that for software weaknesses. OVAL provides a language used to encode system details and an assortment of content repositories held throughout the community, and XCCDF provides a language for writing security checklists, benchmarks, and related kinds of documents.

The Product & Service Knowledge Base accumulates information on products and services. To describe information in this knowledge base, CYBEX introduces Common Platform Enumeration (CPE) [9, 13] and Common Configuration Enumeration (CCE) [9, 13]. CPE provides a structured naming scheme for information technology systems, platforms, and packages, while CCE provides unique identifiers to system configuration issues to facilitate fast and accurate correlation of configuration data across multiple information sources and tools. Note that knowledge on cyber risks and countermeasures is often linked to specific products and services. For instance, a CVE is linked to CPE identifiers and CVSS scores in NVD. Hence the Product & Service Knowledge Base is linked to Cyber Risk Knowledge Base and Countermeasure Knowledge Base as shown in Figure 4.

3.1.2 IT Asset Management Domain
IT Asset Management domain is an operation domain that administrates and protects IT assets of user organizations. The necessary information for this operation is stored in the User Resource Database and Provider Resource Database. To describe information in the User Resource Database, CYBEX introduces the Assessment Result Format (ARF) [13], which provides a standardized IT asset assessment result format that facilitates the exchange of such results among systems.

3.1.3 Incident Handling Domain
Incident Handling domain is an operation domain that monitors and responds to cyber-incidents. The necessary information for this operation is stored in the Incident Database and Warning Database. To describe information in the Incident Database, CYBEX introduces the Incident Object Description Exchange Format (IODEF) [6], X.pfoc, and Common Event Expression (CEE) [9, 13]. IODEF defines a data representation that provides a framework for exchange of information about computer security incidents. X.pfoc (Phishing, Fraud, and Other Crimeware Exchange Format) extends IODEF to support the reporting of phishing, fraud, and other types of electronic crime. The extensions also support exchange of information about widespread spam incidents. CEE defines a common language and syntax for expressing how events are described, logged, and exchanged.
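The following is an added example, not code from the paper or from any CYBEX specification: it builds the IODEF report that one CERT sends another, builds the IODEF reply that reports the countermeasure, and checks on receipt that a message carries the elements RFC 5070 [6] requires and that the reply refers to the same incident. Element and attribute names follow RFC 5070; the function names, organization names, e-mail addresses, incident number and IP address are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = "urn:ietf:params:xml:ns:iodef-1.0"   # IODEF 1.0 namespace (RFC 5070)
ET.register_namespace("", NS)
REQUIRED = ("IncidentID", "ReportTime", "Assessment", "Contact")


def q(tag):
    """Namespace-qualify an IODEF element name for ElementTree."""
    return "{%s}%s" % (NS, tag)


def _incident(issuer, incident_id, when, text, org, email):
    """Build the elements RFC 5070 requires in every Incident, in schema order."""
    doc = ET.Element(q("IODEF-Document"), {"version": "1.00", "lang": "en"})
    inc = ET.SubElement(doc, q("Incident"), {"purpose": "reporting"})
    ET.SubElement(inc, q("IncidentID"), {"name": issuer}).text = incident_id
    ET.SubElement(inc, q("ReportTime")).text = when
    ET.SubElement(inc, q("Description")).text = text
    assessment = ET.SubElement(inc, q("Assessment"))
    ET.SubElement(assessment, q("Impact"), {"type": "unknown"})
    contact = ET.SubElement(inc, q("Contact"), {"role": "creator", "type": "organization"})
    ET.SubElement(contact, q("ContactName")).text = org
    ET.SubElement(contact, q("Email")).text = email
    return doc, inc


def build_report(issuer, incident_id, when, text, org, email, source_ip):
    """Reporting side: incident report naming the offending source address."""
    doc, inc = _incident(issuer, incident_id, when, text, org, email)
    flow = ET.SubElement(ET.SubElement(inc, q("EventData")), q("Flow"))
    system = ET.SubElement(flow, q("System"), {"category": "source"})
    node = ET.SubElement(system, q("Node"))
    ET.SubElement(node, q("Address"), {"category": "ipv4-addr"}).text = source_ip
    return ET.tostring(doc, encoding="utf-8")


def parse_incident(raw):
    """Receiving side: reject DTDs, check required elements, extract key fields."""
    if b"<!DOCTYPE" in raw or b"<!ENTITY" in raw:
        raise ValueError("DTD and entity declarations are not accepted")
    root = ET.fromstring(raw)
    if root.tag != q("IODEF-Document"):
        raise ValueError("not an IODEF 1.0 document")
    inc = root.find(q("Incident"))
    if inc is None:
        raise ValueError("no Incident element")
    missing = [t for t in REQUIRED if inc.find(q(t)) is None]
    if missing:
        raise ValueError("missing required elements: " + ", ".join(missing))
    iid = inc.find(q("IncidentID"))
    return {
        "issuer": iid.get("name"),
        "id": (iid.text or "").strip(),
        "purpose": inc.get("purpose"),
        "sources": [a.text for s in inc.iter(q("System"))
                    if s.get("category") == "source" for a in s.iter(q("Address"))],
        "actions": [h.get("action") for h in inc.iter(q("HistoryItem"))],
    }


def build_reply(report, when, org, email, action, note):
    """Notified side: echo the IncidentID and record the countermeasure in History."""
    seen = parse_incident(report)
    doc, inc = _incident(seen["issuer"], seen["id"], when, note, org, email)
    history = ET.SubElement(inc, q("History"))
    item = ET.SubElement(history, q("HistoryItem"), {"action": action})
    ET.SubElement(item, q("DateTime")).text = when
    ET.SubElement(item, q("Description")).text = note
    return ET.tostring(doc, encoding="utf-8")


def reply_matches(report, reply):
    """Accept a reply only if it names the same incident and records an action."""
    sent, got = parse_incident(report), parse_incident(reply)
    return (sent["issuer"], sent["id"]) == (got["issuer"], got["id"]) and bool(got["actions"])


if __name__ == "__main__":
    # Constructed sample values: documentation address range and example domains.
    report = build_report("cert-a.example", "2010-0042", "2010-10-01T09:00:00+00:00",
                          "Host probing external networks", "CERT A",
                          "irt@cert-a.example", "192.0.2.10")
    reply = build_reply(report, "2010-10-02T12:00:00+00:00", "CERT B",
                        "irt@cert-b.example", "remediate-other", "Host cleaned and patched")
    print(report.decode("utf-8"))
    print(reply.decode("utf-8"))
    print("reply accepted:", reply_matches(report, reply))
```

The receiving side refuses any input that declares a DTD or entities before handing it to the XML parser, since incident reports arrive from outside the organization.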

Figure 4: Cybersecurity information specifications in CYBEX (DB: Database, KB: Knowledge Base)

3.1.4 Forensics Domain
Forensics domain is an operation domain that supports law enforcement operations by collecting evidence. The necessary information for this operation is stored in the Evidence Database. To describe information in the database, CYBEX introduces six forensics specifications: ETSI TS102232 [2], ETSI TS102657 [3], ETSI TS23.271 [1], RFC3924 [5], Electronic Discovery Reference Model (EDRM) [4] and X.dexf. ETSI TS102232 defines a data representation that provides a framework for exchange of information between a network mediation point and a law enforcement facility to provide an array of different real-time network forensics associated with a designated incident or event. ETSI TS102657 defines the same but with stored network forensics. ETSI TS23.271 defines a data representation that provides a framework for exchange of information between a network mediation point and an external facility to provide a real-time or stored location forensics associated with a network device. RFC 3924 defines a data representation that provides a framework for exchange of information between a network access point and a provider mediation facility to provide an array of different real-time network forensics associated with a designated incident or event. EDRM defines a data representation that provides a framework for exchange of information between a network mediation point and a juridical designated party to request and provide an array of different stored network forensics associated with a designated incident or event. X.dexf (Digital Evidence Exchange Format) defines structures and data elements for structured digital evidence exchange.

3.2 Information Discovery Block
This functional block identifies and discovers cybersecurity information and entities. X.cybex-disc provides such methods and mechanisms, and provides two paradigms for service and information discovery in common use: centralized discovery and de-centralized discovery.

Centralized discovery can best be explained by pointing to the OID [8] as an example of how one or more hierarchical registries are used by information providers as a means of making their services known, and by those seeking sources for the information they require. Figure 5 depicts the concept of identifying cybersecurity information in OID-based discovery. Cybersecurity information is hierarchically indexed in a tree, so that any information can be traceable by following the tree. Note that the OID space and namespace are defined by X.cybex.1, which also provides a guideline for administrating the OID arc for cybersecurity information exchange. Central registries have many advantages in that users can easily know where to go and quickly find what they are looking for. Their main disadvantage is that users need to know of the existence of a given registry in the first place before using it, either as an information provider or the one seeking information. In addition, the different resources and costs involved in maintaining a central repository can also make it prohibitive for those with limited resources.

Figure 5: OID-based discovery (top arcs 0, 1, 2: ITU-T|ITU-R, ISO, Joint ITU-T & ISO; under arc 2, 48 = cybersecurity; every country has a numeric identifier automatically reserved in the OID 2.48 cybersecurity namespace: 1 USA, 33 France, 44 UK, 81 Japan; architecture below that TBD)

A common example of decentralized discovery is the RDF [14] of the World Wide Web Consortium (W3C). RDF is a syntactic and semantic language for representing information describing available resources. Figure 6 depicts the concept of identifying cybersecurity information in RDF-based discovery. A user wishing to access such information uses

an RDF search engine, which has its own list of indices to the assorted cybersecurity information in the network. Note that the search ranges of each RDF search engine are different. Then the search engine replies to the cybersecurity entity with the list of identities and capability information of candidate cybersecurity information sources. RDF’s main advantage is that resources and costs associated with making RDF information available are minimal, and those providing information and those seeking information need not know of each other’s existence beforehand. RDF’s main disadvantage is that in order for users to find the information they seek, starting from zero-knowledge, they literally need to crawl the entire Internet. However, aggregations of RDF-formatted information can provide a useful compromise between centralized and decentralized discovery mechanisms in some applications.

Figure 6: RDF-based discovery

3.3 Information Query Block
This functional block requests and responds with cybersecurity information. CYBEX introduces X.chirp, which provides secure access, including management and maintenance of cybersecurity information through a common set of interfaces. X.chirp is a query language that is an extension of SQL.

3.4 Information Assurance Block
This functional block ensures the validity of the information. CYBEX introduces three standards: X.evcert, X.eaa and ETSI TS 102042 V2.0. X.evcert is a draft recommendation for digital certificates. It provides a framework for EV Certificates, which describes the minimum requirements that must be met in order to issue and maintain EV Certificates concerning a subject organization. X.eaa is a draft recommendation for identity assurance. It provides an authentication life cycle framework for managing the assurance of an entity’s identity and associated identity information in a given context. ETSI TS102042 V.2.0 is a draft recommendation for policy requirement for certification authorities (CA). It describes these requirements for certification authorities issuing public key certificates.

3.5 Information Transport Block
This functional block exchanges cybersecurity information over networks. The overview of such a function is described in X.cybex-tp. This describes the overview of transport protocols for cybersecurity information exchange. Based on the general overview, protocol specific features are described in the X.cybex-beep draft recommendation, which describes a transport protocol based on BEEP. Albeit other protocols can be used for this transport, currently only the BEEP protocols are being investigated. Other candidate protocols, such as SOAP, exist but no draft recommendation for such protocols has been presented yet. From the viewpoint of forensics, ETSI TS102232-1 is also introduced here. This provides assurance of forensics information delivery to law enforcement and security authorities.

4. USE CASES
CYBEX provides the framework for exchanging cybersecurity information between cybersecurity entities. The usage of the standard is up to users. Nevertheless, to demonstrate the usability of CYBEX, this section describes two use cases of CYBEX.

Figure 7: Cybersecurity information acquisition

A user may wish to know the vulnerabilities on a particular computer and to keep updated about them and their related information. In this case, CYBEX is one of the most feasible options for the user, which may use CYBEX as shown in Figure 7. First, the user identifies a cybersecurity issue on a specific computer that they are interested in, and they want to find out more about the issue from an appropriate repository that knows about this cybersecurity issue by using either OID-based discovery or RDF-based discovery (the Information Discovery block). The user sends queries to the repository to obtain and retrieve the desired information about the cybersecurity issue that is stored within the repository using X.chirp (the Information Query block). The information can then be transferred to the user using BEEP with a CYBEX profile (the Information Transport block) or some other transfer mechanism. The user now has the desired information about the cybersecurity issue on the specific computer using the various components of CYBEX. Since the connection state is preserved in the case of BEEP, if there is a change in the repository information about the cybersecurity issue, the user can be notified. This allows the user to acquire updated and current information about the cybersecurity issues on the computer systems they care about.

Another use case is when CERT A finds an incident in CERT B, then wishes to convey the incident information to CERT B. In this case, CERT A searches CERT B using RDF-based discovery (the Information Discovery block) and receives the candidate list of CERT B with the description of capabilities. Based on the capability information, CERT A chooses the entity that seems most likely to be CERT B according to its capability description, and connects with

the entity via SSL. CERT A then receives EVSSL from the entity, with which it can ensure that the entity is CERT B (the Information Assurance block). CERT A thus sends the incident information following the IODEF format to CERT B, which sends back another IODEF message to report the completion of implementing countermeasures later (Information Description block). The procedure is depicted in Figure 8.

Figure 8: IODEF information notification (message sequence between CERT A, RDF Search Engine and CERT B: Discovery, Candidate list, SSL connection, EVCERT, IODEF, Countermeasure implementation, IODEF reply)

5. CURRENT STATUS OF CYBEX
CYBEX is expected to be standardized in December 2010. By this time, the structure of CYBEX ensembles will be determined. Nevertheless, each of the specifications that form CYBEX needs to be discussed and advanced further for their determination. This December, only CVE and CVSS are expected to be standardized as imported specifications in ITU-T. The other specifications are expected to be finalized by the end of 2013.

CYBEX is, nevertheless, still evolving and developing. For instance, it has yet to be adapted to cloud computing. As discussed in [11], the existing cybersecurity information standards are designed for current, non-cloud computing and need to be modified to accommodate cloud computing. CVSS, for instance, assumes a single computer as its evaluation target and cannot cope with virtual machines. Moreover, in the case of cloud computing, data separated from an IT asset needs to be protected. This could be done, for instance, by implementing data provenance technologies.

As mentioned, CYBEX is designed to be highly practical and deployable. Many of the imported standards are de facto standards for specific purposes in specific regions. Moreover, partial implementation of CYBEX is performed by several organizations. Toward the dissemination of CYBEX, even more implementation will be provided.

6. CONCLUSION
This paper introduced CYBEX, a new cybersecurity standard that will be finalized in December 2010. CYBEX provides a framework for assured cybersecurity information exchange between cybersecurity entities and minimizes the disparity of cybersecurity information availability among cybersecurity entities. The challenge is finding a means of permitting wide usage of CYBEX. Without global and widespread usage, CYBEX will not be able to provide its true value or contribute to cybersecurity. In order to advance cybersecurity, the effectiveness of CYBEX needs to be globally and widely recognized.

7. ADDITIONAL AUTHORS
Additional authors: Craig Schultz (Multimedia Architectures, email: [email protected]) and Gavin Reid (Cisco, email: [email protected]) and Gregg Schudel (Cisco, email: [email protected]) and Mike Hird (BIS, email: mike. [email protected]) and Stephen Adegbite (FIRST, email: [email protected]).

8. REFERENCES
[1] TS23.271 : Handover for Location Services. European Telecommunications Standards Institute, March 2001.
[2] TS102232 : Handover Interface and Service-Specific Details (SSD) for IP delivery. European Telecommunications Standards Institute, December 2006.
[3] TS102657 : Handover interface for the request and delivery of retained data. European Telecommunications Standards Institute, December 2009.
[4] The Electronic Discovery Reference Model. URL http://edrm.net, August 2010.
[5] F. Baker, B. Foster, and C. Sharp. Cisco Architecture for Lawful Intercept in IP Networks. IETF RFC 3924, October 2004.
[6] R. Danyliw, J. Meijer, and Y. Demchenko. The Incident Object Description Exchange Format. IETF Request For Comments 5070, December 2007.
[7] M. Fossi, D. Turner, E. Johnson, T. Mack, T. Adams, J. Blackbird, S. Entwisle, B. Graveland, D. McKinney, J. Mulcahy, and C. Wueest. Symantec Global Internet Security Threat Report. XV, April 2010.
[8] International Telecommunication Union. Information technology - Open Systems Interconnection - Procedures for the operation of OSI Registration Authorities: General procedures and top arcs of the International Object Identifier tree. X.660, August 2008.
[9] R. A. Martin. Making Security Measurable and Manageable. CrossTalk, the Journal of Defense Software Engineering, September/October 2009.
[10] National Institute of Standards and Technology. National Vulnerability Database (NVD). http://nvd.nist.gov/, August 2010.
[11] T. Takahashi, Y. Kadobayashi, and H. Fujiwara. Ontological approach toward cybersecurity in cloud computing. International Conference on Security of Information and Networks, 2010.
[12] The MITRE Corporation. Common Weakness Scoring System (CWSS). URL http://cwe.mitre.org/cwss/, August 2010.
[13] The MITRE Corporation. Making Security Measurable. URL http://msm.mitre.org/, August 2010.
[14] The World Wide Web Consortium (W3C). Resource Description Framework (RDF). URL http://www.w3.org/RDF/, August 2010.
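As an added example for the OID-based discovery of Section 3.2 (not code from the paper or from X.cybex.1), the sketch below resolves an identifier under the 2.48 cybersecurity arc to the nearest registered ancestor by walking up the tree, comparing whole arcs rather than characters. The arc 2.48 and the country identifiers come from Figure 5; the registry class, the sub-arcs below a country and the host names are hypothetical, since the paper leaves that architecture open.

```python
CYBEX_ARC = (2, 48)   # "48 = cybersecurity" under the joint ITU-T & ISO arc (Figure 5)
COUNTRIES = {1: "USA", 33: "France", 44: "UK", 81: "Japan"}   # identifiers in Figure 5


def parse_oid(text):
    """Return a dotted OID as a tuple of ints, rejecting malformed input."""
    parts = text.strip().split(".")
    for p in parts:
        if not (p.isascii() and p.isdigit()) or (len(p) > 1 and p[0] == "0"):
            raise ValueError("malformed arc %r in %r" % (p, text))
    arcs = tuple(int(p) for p in parts)
    # X.660 top arcs: first arc is 0, 1 or 2; under 0 and 1 the second arc is 0..39.
    if len(arcs) < 2 or arcs[0] > 2 or (arcs[0] < 2 and arcs[1] > 39):
        raise ValueError("not a valid OID: %r" % text)
    return arcs


def is_under(ancestor, oid):
    """Arc-wise ancestry test: compares integer arcs, never characters."""
    return len(oid) >= len(ancestor) and oid[:len(ancestor)] == ancestor


def naive_prefix_match(prefix_text, oid_text):
    """String comparison shown for contrast: it confuses arc 8 with arc 81."""
    return oid_text.startswith(prefix_text)


def country_of(text):
    """Map an OID under 2.48 to the country named in Figure 5, if listed there."""
    oid = parse_oid(text)
    if not is_under(CYBEX_ARC, oid) or len(oid) < 3:
        raise ValueError("no country arc under 2.48 in %r" % text)
    return COUNTRIES.get(oid[2])


class Registry:
    """Hypothetical central registry: maps OIDs under 2.48 to information sources."""

    def __init__(self):
        self._sources = {}

    def register(self, text, source):
        oid = parse_oid(text)
        if not is_under(CYBEX_ARC, oid):
            raise ValueError("outside the cybersecurity arc: %r" % text)
        self._sources[oid] = source

    def discover(self, text):
        """Follow the tree upward until a registered node is found."""
        oid = parse_oid(text)
        while len(oid) >= len(CYBEX_ARC):
            if oid in self._sources:
                return ".".join(str(a) for a in oid), self._sources[oid]
            oid = oid[:-1]
        return None


if __name__ == "__main__":
    registry = Registry()
    # Constructed entries: the sub-arc 81.1 and both host names are illustrative.
    registry.register("2.48.81", "registry.jp.example")
    registry.register("2.48.81.1", "vulndb.jp.example")
    for wanted in ("2.48.81.1.5", "2.48.81.2", "2.48.8.1"):
        print(wanted, "->", registry.discover(wanted))
    print("naive:", naive_prefix_match("2.48.8", "2.48.81.1"),
          "arc-wise:", is_under(parse_oid("2.48.8"), parse_oid("2.48.81.1")))
```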
