Building Radio frequency IDentification for the Global Environment

Anti-Counterfeiting Prototypes Evaluation Report

Authors: Jasser Al-Kassab (SAP), Mikko Lehtonen (ETH Zurich), Nina Oertel (SAP), Ivan Delchev (SAP)

June 2009

This work has been partly funded by the European Commission contract No: IST-2005-033546


About the BRIDGE Project:

BRIDGE (Building Radio frequency IDentification for the Global Environment) is a 13 million Euro RFID project running over 3 years and partly funded (€7,5 million) by the European Union. The objective of the BRIDGE project is to research, develop and implement tools to enable the deployment of EPCglobal applications in Europe. Thirty interdisciplinary partners from 12 countries (Europe and Asia) are working together on: Hardware development, Serial Look-up Service, Serial-Level Supply Chain Control, Security, Anti-counterfeiting, Drug Pedigree, Supply Chain Management, Manufacturing Process, Reusable Asset Management, Products in Service, Item Level Tagging for non-food items, as well as Dissemination tools, Education material and Policy recommendations.

For more information on the BRIDGE project: www.bridge-project.eu

This document results from work being done in the framework of the BRIDGE project. It does not represent an official deliverable formally approved by the European Commission.

This document:

This deliverable presents the evaluation of the five RFID and track-and-trace based anti-counterfeiting solutions that were developed and prototyped within this work package. The evaluation used various criteria and methods: technical criteria such as feedback speed, scalability, and detection rate on the one hand, and simulations and interviews with affected companies and customs organizations on the other. The approaches are fast and the systems are scalable. As an industry-customizable approach, the rule-based anti-counterfeiting framework, for example, also meets the requirements of the interviewed experts from affected brand owner companies. RFID and track-and-trace based anti-counterfeiting approaches enable automated mass authentication. With these approaches, tagged products can be authenticated throughout the whole supply chain, which helps to pinpoint counterfeiters' injection points and makes it possible to detect counterfeits in licit supply chains early, in order to deter their further propagation.

Disclaimer:

Copyright 2009 by (SAP, ETH Zurich) All rights reserved. The information in this document is proprietary to these BRIDGE consortium members. This document contains preliminary information and is not subject to any license agreement or any other agreement as between with respect to the above referenced consortium members. This document contains only intended strategies, developments, and/or functionalities and is not intended to be binding on any of the above referenced consortium members (either jointly or severally) with respect to any particular course of business, product strategy, and/or development of the above referenced consortium members. To the maximum extent allowed under applicable law, the above referenced consortium members assume no responsibility for errors or omissions in this document. The above referenced consortium members do not warrant the accuracy or completeness of the information, text, graphics, links, or other items contained within this material. This document is provided without a warranty of any kind, either express or implied, including but not limited to the implied warranties of merchantability, satisfactory quality, fitness for a particular purpose, or non-infringement. No licence to any underlying IPR is granted or to be implied from any use or reliance on the information contained within or accessed through this document. The above referenced consortium members shall have no liability for damages of any kind including without limitation direct, special, indirect, or consequential damages that may result from the use of these materials. This limitation shall not apply in cases of intentional or gross negligence. Because some jurisdictions do not allow the exclusion or limitation of liability for consequential or incidental damages, the above limitation may not apply to you. The statutory liability for personal injury and defective products is not affected.

The above referenced consortium members have no control over the information that you may access through the use of hot links contained in these materials and do not endorse your use of third-party Web pages nor provide any warranty whatsoever relating to third-party Web pages.


BRIDGE – Building Radio frequency IDentification solutions for the Global Environment

Executive Summary

This deliverable presents the evaluation of the five RFID and track-and-trace based anti-counterfeiting solutions that were developed and prototyped within this work package. The evaluation used various criteria and methods: technical criteria such as feedback speed, scalability, and detection rate on the one hand, and simulations and interviews with affected companies and customs organizations on the other. The approaches are fast and the systems are scalable. As an industry-customizable approach, the rule-based anti-counterfeiting framework, for example, also meets the requirements of the interviewed experts from affected brand owner companies. RFID and track-and-trace based anti-counterfeiting approaches enable automated mass authentication. With these approaches, tagged products can be authenticated throughout the whole supply chain, which helps to pinpoint counterfeiters' injection points and makes it possible to detect counterfeits in licit supply chains early, in order to deter their further propagation.

The findings suggest that RFID and track-and-trace approaches in general can help affected companies to gain a considerable edge in the fight against counterfeiting. Expensive and energy-hungry cryptographic tags are no longer required. However, besides the advantages, the report also lists the drawbacks of each of the anti-counterfeiting approaches.

Serialized Tag ID (TID) numbers currently provide a practical hurdle against cloning, but this is no real protection and can be overcome with a 10 EUR impersonation device. Serialized TID numbers do not provide any sustainable long-term solution for tag cloning, but only a temporary solution before stronger tag authentication techniques.

From the simulation study of the Synchronized Secrets Prototype we learned that the number of manual verifications with the synchronized secrets method would be very small; that the overhead time can limit the usability of the presented method; and that only very few cloning attacks would go completely unnoticed, but if the scan rate is low, the counterfeit product can already be consumed before the alarm is triggered.

The rule-based anti-counterfeiting framework proved to be a scalable and fast approach that can support customs organizations and affected companies by enabling mass authentication and giving counterfeit indications, thereby helping anti-counterfeiters, and especially customs organizations, to “find the needle in the haystack”. However, the approach depends on anti-counterfeiting rules that are created and maintained by the company or industry. According to findings from the industry interviews, this is also where its strength lies, since the rules can be defined to fit the company’s or industry’s requirements.

With the statistical anti-counterfeiting approaches in place, the majority of cloned tags appear as abnormal events in RFID traces as soon as the tags enter the supply chain.

In the so-called “war of escalation” between counterfeiters and anti-counterfeiters, brand owner companies can escalate from one solution to the next stage of protecting the licit supply chain from fake products. This “war of escalation” will be discussed and described in the next deliverable, for which this report sets the technical foundation.


Table of Contents

EXECUTIVE SUMMARY
TABLE OF CONTENTS
TABLE OF FIGURES
TABLE OF TABLES

1 INTRODUCTION
  1.1 GOALS OF THIS REPORT
  1.2 METHODOLOGY
  1.3 STRUCTURE OF THE REPORT

2 EVALUATION DATA DESCRIPTION
  2.1 EXPERT INTERVIEWS
  2.2 SIMULATED DATA

3 EVALUATION CRITERIA
  3.1 SECURITY
    3.1.1 Known Vulnerabilities
    3.1.2 Cost to Break
    3.1.3 Confidentiality
  3.2 PERFORMANCE
    3.2.1 Scalability
    3.2.2 Feedback Speed
  3.3 COUNTERFEIT COVERAGE
    3.3.1 Clone and Counterfeit Detection Rate
    3.3.2 Probability of False Negatives
  3.4 INDUSTRY FEEDBACK

4 PROTOTYPE EVALUATION
  4.1 TID APPROACH
    4.1.1 EEPROM and ROM tampering
    4.1.2 Manufacturing programmable chips
    4.1.3 Stealing unprogrammed chips
    4.1.4 Tag impersonation device
    4.1.5 Review of Gen-2 Chip Manufacturers
    4.1.6 How much cost to break is needed?
    4.1.7 Summary
  4.2 SYNCHRONIZED SECRETS APPROACH
    4.2.1 Time-measurements
    4.2.2 Level of security (quantitative)
    4.2.3 Limitations
    4.2.4 Summary
  4.3 RULE-BASED ANTI-COUNTERFEITING APPROACH
    4.3.1 Known Vulnerabilities
    4.3.2 Cost to Break
    4.3.3 Confidentiality
    4.3.4 Scalability
    4.3.5 Feedback Speed
    4.3.6 Probability to Detect a Counterfeit / Clone
    4.3.7 Probability of False Positives and False Negatives
    4.3.8 Industry Feedback (to be finalized)
  4.4 STATISTICAL APPROACHES
    4.4.1 Experiment I
    4.4.2 Experiment II
    4.4.3 Discussion and Limitations
    4.4.4 Summary

5 SUMMARY AND OUTLOOK

REFERENCES

APPENDIX A - DATA OF THE RULE-BASED ACF FRAMEWORK PERFORMANCE TESTS
APPENDIX B - INTERVIEW GUIDELINE
APPENDIX C - IMPLEMENTED SYNCHRONIZED SECRETS PROTOCOL

Table of Figures

FIGURE 1. STRUCTURE OF THE REPORT
FIGURE 2. ATTACK TREE AGAINST TID CHECKS
FIGURE 3. BLOCK DIAGRAM OF SEMI-PASSIVE IMPERSONATION DEVICE
FIGURE 4. PROGRAMMABLE SEMI-PASSIVE TAG PROTOTYPE (LEFT) AND A COMMERCIAL ENCAPSULATED TAG
FIGURE 5. COUNTERFEITERS’ FINANCIAL INCENTIVES IN THE TOBACCO INDUSTRY
FIGURE 6. MEASURED AVERAGE TIMES AND STANDARD DEVIATIONS (ERROR BARS) OF DIFFERENT STEPS (NUMBERS IN BRACKETS) IN THE IMPLEMENTED PROTOCOL (CF. APPENDIX C FOR THE DETAILED PROTOCOL)
FIGURE 7. TIME DELAY BETWEEN CONSECUTIVE READS IN AN ACCESS CONTROL DATA SET ([17])
FIGURE 8. SEQUENCE DIAGRAM OF THE RULE-BASED ANTI-COUNTERFEITING FRAMEWORK
FIGURE 9. AN EXAMPLE TRACE OF AN ITEM WITH TWO AGGREGATION LEVELS
FIGURE 10. MEASURED TIMES FOR LEVELS OF AGGREGATIONS - 0
FIGURE 11. MEASURED TIMES FOR LEVELS OF AGGREGATION - 3
FIGURE 12. PLOTTED MEASURED TIMES FOR AGGREGATION LEVELS - 0
FIGURE 13. PLOTTED MEASURED TIMES FOR AGGREGATION LEVELS - 3
FIGURE 14. LEVEL OF AGGREGATION VS. RE TIME
FIGURE 15. LEVEL OF AGGREGATION VS. EGL TIME
FIGURE 16. LEVEL OF AGGREGATION VS. "OTHERS" TIME
FIGURE 17. LEVEL OF AGGREGATION VS. "OVERALL" TIME
FIGURE 18. OVERALL TIMES DIVIDED INTO TIME FRACTIONS FOR (IN PERCENTAGE) FOR THE COMPONENTS
FIGURE 19. AUTHENTICATION PROCESS PHASES
FIGURE 20. SEQUENCE DIAGRAM WITH COLOURED FEEDBACK OVERALL SPEED
FIGURE 21. OVERALL RESPONSE TIME OF THE PROTOTYPE
FIGURE 22. COUNTERFEIT CASES AND THE RULE-BASED ANTI-COUNTERFEITING APPROACH
FIGURE 23. THE FIRST VERSION OF THE STOCHASTIC SUPPLY CHAIN MODEL (SSCM)
FIGURE 24. THE SIMULATED SUPPLY CHAIN IN EXPERIMENT I. NODE S1 REPRESENTS THE MANUFACTURER AND NODE S17 THE CONSUMER. THE PERCENTAGES REPRESENT READING RATES IN CORRESPONDING NODES.
FIGURE 25. THE IMPROVED STOCHASTIC SUPPLY CHAIN MODEL (SSCM)
FIGURE 26. THE SIMULATED WP6 SUPPLY CHAIN (R DENOTES A READER DEVICE)
FIGURE 27. RESULTS OF TEST 2: ROC CURVES FOR SSCML (LEFT) AND FOR SSCMT (RIGHT) BASED CLONE DETECTION. THE CURVES SHOW THAT SSCML IS MUCH MORE RELIABLE THAN SSCMT IN DETECTING CLONED TAGS, AND THAT MISSING READS DECREASE THE PERFORMANCE OF BOTH THESE METHODS. (NOTE THE DIFFERENT SCALES IN X-AXIS)
FIGURE 28. RESULTS OF TEST 3: ROC CURVES FOR SSCML WITH 99.9% (LEFT) AND 99% (RIGHT) READ RATES. THE CURVES SHOW THAT INCREASING THE AMOUNT OF TRAINING DATA (MORE ACCURATE MODELING OF THE SUPPLY CHAIN) IS IMPORTANT FOR RELIABLE DETECTION OF CLONED TAGS AS THE NUMBER OF MISSING READS INCREASES.
FIGURE 29. RESULTS OF TEST 4: ROC CURVES (LEFT) AND POSTERIOR DISTRIBUTIONS (RIGHT) OF NON-FILTERED AND FILTERED TRACES FOR SSCML WITH 99% READ RATE. THE CURVES SHOW THAT OUR FILTERING ALGORITHM THAT DETECTS MISSING READS CAN PROVIDE A DRAMATIC INCREASE TO THE HIT RATE WITH SMALL FALSE ALARM RATES.
FIGURE 30. IMPLEMENTED SYNCHRONIZED SECRETS PROTOCOL

Table of Tables

TABLE 1. SUMMARY OF COMMERCIAL GEN-2 CHIPS AND THEIR TID NUMBERS
TABLE 2. QUANTITATIVE EVALUATION IN AN RFID ACCESS CONTROL APPLICATION
TABLE 3. HIT RATES FOR DIFFERENT LOTS OF CLONED TAGS (COUNTERFEIT PRODUCTS) FROM EXPERIMENT I AT 1% FALSE ALARM RATE
TABLE 4. NUMBER OF MISSING READ EVENTS WITH DIFFERENT FILTERS


1 Introduction

In order to protect the licit supply chain from counterfeits, BRIDGE WP5 has developed and prototyped five solution approaches to anti-counterfeiting, based on the analysis of standard EPC/RFID tags and track-and-trace data: (i) tag authentication based on unique transponder ID (TID) numbers; (ii) a Synchronized Secrets approach to detect cloned tags; (iii) a Rule-Based Anti-Counterfeiting Framework that offers a flexible anti-counterfeiting toolkit; and two solution approaches based on statistical analysis that automatically detect cloned tags from track-and-trace data, namely (iv) a stochastic supply chain model (SSCM) and (v) a Hidden Markov Model (HMM) approach. All delivered solution approaches can be used with standard, low-cost UHF tags. With these approaches, tagged products can be authenticated throughout the whole supply chain, which helps to pinpoint counterfeiters' injection points and makes it possible to detect counterfeits in licit supply chains early, in order to deter their further propagation.

1.1 Goals of this Report

The goal of Task 5.5 is the evaluation of these RFID and track-and-trace based anti-counterfeiting approaches, using evaluation criteria such as the level of security, the solutions’ performance, or their detection rate. In addition, in order to obtain a holistic assessment of the anti-counterfeiting approaches, this report aims to have the solutions evaluated by customs organizations and affected companies using semi-structured interview guidelines.

1.2 Methodology

For the tag authentication approach (TID numbers), we opted for interviews with chip manufacturers and for building a demonstrator, using the semi-passive tag prototype of BRIDGE WP4. The Synchronized Secrets approach was evaluated by building a Synchronized Secrets demonstrator and by quantitative evaluation with data from an RFID access control application. Moreover, it was evaluated using a mathematical model (see BRIDGE D5.4 Prototype Report). The statistical track-and-trace approaches were evaluated using a simulation study of a real-world supply chain.

The rule-based anti-counterfeiting framework was evaluated using three sets of criteria. The first criteria set, level of security, mainly deals with technical security issues. It encompasses the identification of known vulnerabilities, the assessment of the costs to break the solution, and a discussion about confidentiality issues of the solution. The second group of evaluation criteria, performance, includes the assessment of the solutions’ scalability, i.e. its behaviour under load and load peaks, and the feedback speed of the authentication. The third criteria group, counterfeit coverage, contains on the one hand criteria that evaluate the performance of the solutions in terms of counterfeit and clone detection, and on the other hand a criterion that assesses the probability of false negatives. Like the TID approach, the rule-based approach has moreover been evaluated with industry feedback, using a semi-structured interview guideline containing 20 questions. Six interviews were conducted with customs organizations and affected companies.


All presented criteria emerged from discussions with customs organizations and affected companies, which formulated these requirements in interviews and meetings. The requirements were previously published in BRIDGE D5.1 Problem Analysis Report (Task 5.1), BRIDGE D5.2 Requirements Report (Task 5.2), and in BRIDGE D5.4 Prototype Report (Task 5.4). There is no distinct evaluation of the solutions’ costs, since the BRIDGE D5.3 Business Case Report (Task D5.3) contains a thorough business case analysis for RFID and track-and-trace based anti-counterfeiting solutions.

1.3 Structure of the Report

This report is organized as follows. Section 2 begins by presenting the data used for the evaluation of the anti-counterfeiting approaches. We distinguish between data used for the simulations and data gathered in expert interviews. In Section 3, the evaluation criteria for the different approaches, categorized into security criteria, performance criteria, and counterfeit coverage criteria, are presented in more detail. The industry feedback is also presented in this Section. Section 4 contains the evaluation for each prototype. In Section 5 we conclude with an outlook and a conclusion.

[Figure 1. Structure of the Report: (I) Introduction; (II) Description of Evaluation Data; (III) Presentation of Evaluation Criteria; (IV) Prototype Evaluation, comprising TID Approach Evaluation, Synchronized Secrets Approach Evaluation, Rule-Based Anti-Counterfeiting Approach Evaluation, and Statistical Approaches Evaluation; (V) Summary and Outlook]


2 Evaluation Data Description

2.1 Expert Interviews

The expert interviews were conducted using a semi-structured interview guideline containing 20 questions, which were subdivided into three parts. The guideline contains:

• General questions regarding the prototype to be evaluated,

• Prototype specific questions,

• An outlook, dealing with counterstrategies of counterstrategies of the counterfeiters, adapted to the individual solutions, and

• Questions concerning knowledge about counterfeiting activities, in order to better understand the domain (e.g., markets, entry points, etc.).

In addition to these questions, the customs organization interview guideline contains questions regarding the usage of such a system, questions regarding investments into such a solution (or obstacles), and questions regarding the preferred answering format of the solution. The interview guideline can be found in Appendix B of this report.

The interviews were conducted with anti-counterfeiting experts from affected companies (from the Special Interest Group Anti-Counterfeiting and beyond), and with experts from customs organizations.

2.2 Simulated Data

The statistical approaches of this work package are studied by simulating the flow of products in a generic pharmaceutical supply chain. The hypothetical pharmaceutical supply chain starts at the manufacturing level and ends with the patient, who gets the drug product from the retail level, which consists of pharmacies and hospitals. Between these levels there are wholesalers who buy, sell and repackage the drug products. Furthermore, this experiment assumes that the tracing data is not complete: only half of the supply chain partners capture and share it, and the assumed read rates are 98%. The detailed description of this simulated data can be found in Section 4.4 and the publications referenced therein.

The same applies to the scalability and feedback tests of the rule-based anti-counterfeiting framework. The description of the simulated data can be found in Section 4.3.4 and Section 4.3.5.


3 Evaluation Criteria

The goal of this deliverable is to provide a thorough evaluation of the anti-counterfeiting solutions proposed and developed within BRIDGE work package 5 (see D5.4 Prototype Report). To a great extent, the criteria set for the evaluation of the solutions emerged from discussions and interviews with affected companies and customs organizations, which were conducted within the scope of the D5.1 Anti-Counterfeiting Problem Analysis Report and the D5.2 Requirements Report. Additional criteria stress technical and security aspects, and will also be presented in this section and in the evaluation sections. The criteria can be categorized into security criteria, performance criteria, counterfeit coverage criteria, and industry feedback criteria. The remainder of this section presents the evaluation criteria in detail.

3.1 Security

This first set of criteria encompasses security-relevant aspects, including the assessment of known vulnerabilities, the cost to break a solution, and confidentiality aspects.

3.1.1 Known Vulnerabilities

In order to assess the security level of each of the proposed solutions and to anticipate the countermeasures and attacks of counterfeiters, this deliverable lists known vulnerabilities. Known vulnerabilities encompass all known ways, in theory or in practice, in which the product authentication can be fooled, including all counterfeiters' attacks against the system.

3.1.2 Cost to Break

The so-called “war of escalation” describes the permanent combat between the counterfeiters' strategies and the anti-counterfeiters' prevention strategies. Prevention is characterized by the Cost to Break (CtB) a system [24]. Assuming that the adversary most likely breaks the system where the barrier is the lowest, CtB is the minimum cost an adversary needs to invest to find and exploit vulnerabilities.

3.1.3 Confidentiality

According to the International Organization for Standardization (ISO), confidentiality is defined as “ensuring that information is accessible only to those authorized to have access”, and this is one of the cornerstones of information security [25]. Since BRIDGE work package 5 deals with RFID reads within the supply chain, no personal data is involved. Hence, WP5 does not have any privacy issues in terms of personal privacy. This criterion, however, deals with the data sharing between supply chain partners for the collaboration in the fight against counterfeiting.

3.2 Performance

The performance analysis refers to the investigation of an algorithm's or a program's behaviour, either statically or using runtime information. In the context of WP5, this analysis will evaluate the expected performance of the different employed algorithms and prototypes, in order to identify potential bottlenecks.

3.2.1 Scalability

In the fields of software engineering and telecommunications, “scalability describes a system, network, or process property, which indicates its ability to either handle growing amounts of work in a graceful manner, or to be readily enlarged” [26]. For example, it can refer to the capability of a system to increase total throughput under an increased load when resources (typically hardware) are added. As a term and a property of systems, it is generally difficult to define [27, 28], and in any particular case it is necessary to define the specific requirements for scalability on those dimensions which are deemed important. A system whose performance improves after adding hardware, proportionally to the capacity added, is said to be a scalable system. The proposed anti-counterfeiting solutions are evaluated in order to assess their capability to deal with increasing loads of data.

3.2.2 Feedback Speed

Feedback speed is the time it takes from the scanning of the product until the system or the user gets the authentication feedback for the same product. According to interviews with customs organization and affected companies from different industries, the importance of feedback speed is rated differently. This report will assess the feedback speed of the solutions, also depending on various trace sizes and aggregation level complexities.

3.3 Counterfeit Coverage

3.3.1 Clone and Counterfeit Detection Rate

This criterion deals with the actual detection of counterfeit products in licit supply chains. In the fight against counterfeits, this criterion assesses the security performance of the evaluated anti-counterfeiting solution. The evaluation of this criterion will be adapted to the anti-counterfeiting solution itself. Solutions’ weak points will be discussed in this sub-section, as well as in sub-section 3.3.2, where the probability of false negatives will be discussed.

3.3.2 Probability of False Negatives

Bulk-reading enabled, automatically working systems can be highly independent from human interaction. It is therefore crucial that counterfeits are not mistakenly identified as genuine products (referred to as “Type II error” or “beta error”), and that genuine products are not misleadingly taken as counterfeits (referred to as “Type I error” or “alpha error”). The quality of the proposed anti-counterfeiting solutions can be tested against this evaluation criterion.

3.4 Industry Feedback

Most important is the feedback of affected companies from different industries and customs organization, since the solution's success depends on its usage by these stakeholders. For the evaluation of this criterion, an industry and customs organization interview guideline was created, which can be found in the appendix of this report. The guideline contains:

• General questions regarding the prototype to be evaluated,

• Prototype specific questions (e.g., rule specifications in case of the rule-based anti-counterfeiting framework),

• Questions regarding the current status of anti-counterfeiting activities, such as the amount of resources spent today in the fight against counterfeits, or the assessment of the benefits of bulk authentication,

• An outlook, dealing with counterstrategies of counterstrategies of the counterfeiters, adapted to the individual solutions, and

• Questions concerning knowledge about counterfeiting activities, in order to better understand the domain (e.g., markets, entry points, etc.)

In addition to these questions, the customs organization interview guideline contains questions regarding the usage of such a system, questions regarding investments into such a solution (or obstacles), and questions regarding the preferred answering format of the solution. Both interview guidelines can be found in the appendix (Appendix B) of this report.

4 Prototype Evaluation

4.1 TID Approach

This section analyzes the known vulnerabilities of TID checks. We evaluate the effort to execute different attacks in monetary terms or other resources as far as it makes sense and can be done under general assumptions. The attack tree against TID checks is illustrated in Figure 2. (This evaluation has been published at the 2009 IEEE International Conference on RFID [23].)

[Figure 2: attack tree. Root: "How to fool TID check". Branches: ROM / EEPROM tampering; Manufacturing programmable chips; Stealing unprogrammed chips; Manufacturing tag impersonation device; Buying unprogrammed chips.]

Figure 2. Attack tree against TID checks

4.1.1 EEPROM and ROM tampering

One way to clone the serialized TID numbers, in theory, is to purchase standard tags and to manipulate the content of their TID memory. Even though standard tags’ TID memory is write-protected, there are ways to bypass this. In section II we described how TID memory can be written using EEPROM and ROM (for the non-serialized parts). Both these memories are vulnerable to physical tampering if suitable equipment and knowledge are available.

Tampering of EEPROM and ROM has been discussed in the field of smart card security. The general rule is that the more sophisticated the chip structure is (e.g. higher manufacturing precision), the more expensive the equipment needed to tamper with it. The difficulty in these techniques is that the adversary needs to know or find out which parts of the physical chip (e.g. transistors) to tamper with, and the attacks can also damage nearby portions of the integrated circuit.

According to expert interviews, the cost of equipment to manipulate ROM memory starts from tens of thousands of dollars. Specialized failure analysis laboratories can provide pieces of the necessary physical analytical services at rates around USD 400 per hour [1]. For example, an electron beam of a conventional scanning electron microscope can be used to read, and possibly write, individual bits in ROM and EEPROM. To do this, the surface of the chip must be first exposed, usually via chemical machining [2]. Single bits in a ROM can be overwritten using a laser cutter microscope and EEPROM can be altered using two microprobing needles [3].

Focused Ion Beam (FIB) is perhaps the most powerful equipment to analyze and tamper with the structure of integrated circuits. FIB tools are scientific instruments that resemble a scanning electron microscope and they are used, for example, to locate failure sites within EEPROM memory microcircuits [4]. FIB can be used to modify the hardware circuitry in different ways: it can change a hardwired ROM cell and in principle it can also modify an EEPROM cell. This technique corrupts the EEPROM cell forever, i.e. rewriting is no longer possible, but that is not a problem in the case of TID. In some cases, FIB can also restore test circuitry in smart cards by restoring a fuse that has been blown to physically prevent access to the test state [6]. According to Koemmerling [5], using laser interferometer stages, a FIB operator can navigate on a chip surface with 0.15 μm precision. Using laser-interferometer navigation or infrared laser imaging it is possible to locate individual transistors. Modern FIB workstations cost less than half a million USD and are available in over a hundred organizations [5].

4.1.2 Manufacturing programmable chips

If any existing chip manufacturer sold UHF chips with programmable (unlocked) TID memory, the practical hurdle of TID checks would be completely undermined; an adversary could simply buy an empty chip and write the wanted TID number on it. Current EPC standards do not require permanently locked TID memory banks, but to the best of the authors' knowledge all available EPC chips have their TID memory locked. Chips with programmable TID numbers would cause discontent among companies who use TID as a security feature and it appears that the current UHF chip manufacturers recognize their responsibility in securing the TID scheme. However, nothing really prevents companies from manufacturing and selling programmable chips.

In addition to the current chip manufacturers, a new entrant could also start producing programmable chips. According to expert interviews, the biggest effort in manufacturing such chips is in the IC design, which includes both an analog radio-frequency part and a digital part. The IC design projects of modern Gen-2 chips cost several millions of dollars and can last 2-3 years. However, these projects include many activities that would not be necessary for a manufacturer of programmable chips, most importantly optimization of the chip size and price. According to expert estimates, the minimum effort to make an IC design is in the range of hundreds of thousands of dollars and there are at least tens of semiconductor foundries that could produce the chips.

We derive a rough estimate of what programmable chips could cost in small quantities. According to tag manufacturers, chip manufacturers sell modern Gen-2 chips around EUR 0.05 - 0.07 apiece today and the total price of the resulting RFID label would be around EUR 0.15 - 0.20 (in volumes of tens of thousands). This chip price includes the chip manufacturer’s variable manufacturing cost per chip, fraction of the fixed costs like IC design (depreciation), and the chip manufacturer’s profit. When manufacturing programmable chips in smaller quantities, the fixed costs (e.g. IC design and configuring wafer production line) are divided by a much smaller number of chips. In addition, assuming a less optimized IC design, the price per chip could be 10 to 100 times bigger than that of the most popular UHF chips, and the resulting price of a single programmable RFID label would be around EUR 0.60 - 7.15.

4.1.3 Stealing unprogrammed chips

In theory, a wafer could be stolen early enough in the manufacturing process by an adversary who wants to write his own TID numbers on the chips. However, this too would require an investment in infrastructure to write the chips. Therefore this approach does not seem to be scalable. Furthermore, wafers are high-value articles that are tracked and traced both inside and outside the factories, and therefore stealing them would neither be easy nor go unnoticed.

4.1.4 Tag impersonation device

One option to bypass the TID check is to build a device that effectively emulates or imitates an RFID tag, without the need for IC manufacturing. This kind of device could fool the inspections if the tag is not seen during the check. This could be done in practice, for example, when pallets or cases of goods are verified by distributors or customs and the impersonation device is hidden inside the package. In addition, in cases where the tag is not a label but a hard tag (encapsulated tag), the spoofing device could be built inside it (cf. Figure 4). These kinds of encapsulated tags are used in applications requiring a longer tag life cycle or tolerance for harsh conditions.

Achieving adequate functionality and performance for such a device is possible even with moderate effort and costs and without special equipment. The effort can be further decreased by using a UHF-tag hardware and software developer platform such as the WISP¹. To illustrate the feasibility of an attack based on a tag impersonating device, we present our implementation and evaluate the implementation effort. A generic block diagram of such a device is illustrated in Figure 3. The hardware blocks are described below.

Figure 3. Block diagram of semi-passive impersonation device

The antenna can be a simple half-wave dipole. It can be easily fabricated by anyone.

The analog front-end should be capable of detecting the reader signal and of creating backscatter modulation during the reply. As the receiver does not need to be very sensitive or frequency selective, fairly unsophisticated structures can be used. A simple rectifier, envelope detector, and a comparator are enough [7]. More complex and better performing front-end designs can be found in the literature (e.g. [8]). Backscatter modulation can be done with a single transistor.

The digital part implements the actual communication protocol. The protocol description is publicly and easily available and protocol emulation can be implemented by using a microcontroller or a Field Programmable Gate Array (FPGA). This is the most challenging part and will be discussed later. The chip used for protocol emulation is also the most expensive component of such an impersonation device.

¹ http://www.seattle.intel-research.net/WISP/

The battery provides operating power for the digital part and the battery voltage can also be utilized to make the front end more sensitive.

Figure 4. Programmable semi-passive tag prototype (left) and a commercial encapsulated tag

Implementing the protocol without prior knowledge naturally requires a serious effort. However, the communication protocol is open and standardized which makes it easily available for anyone and, demonstrably, the protocol emulation can be done (e.g. it is done in [7], [9], [10]).

For example, the Gen-2 protocol has been successfully implemented in a microcontroller in BRIDGE WP4 [7]. The microcontroller used is a very lightweight and inexpensive controller with an 8 MHz clock rate. Due to the slow clock rate, not all mandatory data rates are supported by the prototype. The cost of the microcontroller is only a few euros and the total bill of materials (BOM) is less than EUR 10. The prototype is shown in Figure 4. Implementation of the protocol with supporting functions is mainly done in the C language. The total amount of source lines of code (SLOC) within the protocol implementation is around 2300. By using a basic COCOMO model (the COnstructive COst MOdel [11]) with embedded project coefficients, the estimated man-month (MM) effort for the implementation is around 10 MM. These numbers roughly reflect the required effort for a software-based protocol implementation with a microcontroller.

To achieve total conformance with the Gen-2 protocol, a faster and more expensive microcontroller should be used. The problem is to meet the timing requirements of the physical layer with higher communication data rates. However, a tag impersonation device does not necessarily need absolute compliance with the standard, since not all features of the protocol are likely to be needed in a basic TID check. A tag impersonation device can also be implemented based on a Field Programmable Gate Array (FPGA) instead of a microcontroller. An FPGA implementation is closer to a real hardware implementation and in general requires more effort with Register Transfer Level (RTL) code than a similar task in the C language and a microcontroller. Since the physical design can be omitted, it is still significantly less than a real application-specific integrated circuit (ASIC) design effort. The required speed should be easy to achieve with an FPGA so, in contrast to a microcontroller, higher data rates should not be a problem. Present Gen-2 chips include roughly 40000 transistors [12], which indicates that even a low-cost FPGA is sufficient to implement the same functionality. Prices of such FPGA chips start from ten euros. Other “fixed” non-recurring engineering (NRE) costs are also comparable to a microcontroller implementation and are only a fraction of ASIC design NRE costs.

4.1.5 Review of Gen-2 Chip Manufacturers

This subsection evaluates the possibility of buying Gen-2 chips with writable, not locked, TID memory by reviewing practices of major Gen-2 chip manufacturers. If buying such unprogrammed chips were possible, copying a serialized TID number would be as easy as copying an EPC number, and the cost to break would be the market price of such a chip. The presented information is collected from interviews with the chip manufacturers and from public product catalogs, and the results are summarized in Table 1.

NXP: The currently available UHF chips from NXP include UCODE G2XM, UCODE G2XL, SL3 ICS1001, SL3 ICS3101, and SL3 ICS3001. All these chips have serialized write-protected transponder ID numbers already today. The tag identifier in the UCODE chips is 64-bit long and includes a 32-bit unique serial number. These TID numbers are written in the TID memory bank of the Gen-2 tags. NXP uses a 140 nanometer manufacturing process. The non-serial part of the TID numbers is not defined by the chip mask but it is programmed to the tag as well. The TID memory is locked by destroying bridges, connectors on the surface of the chips, after the TID numbers are written and the tags are tested on the wafer. This happens before cutting the chips from the wafer. After these bridges are destroyed, the TID write command no longer works and even the manufacturer cannot change the TID values. According to the company, NXP would not sell chips with programmable TID numbers to the market since it has been a reliable supplier for security products for years and has a reputation and a brand to maintain.

Impinj: The currently available UHF RFID chips from Impinj comprise Monza, Monza/ID, and Monza/64. Of these chips, Monza/ID has a serialized 64-bit transponder ID that is factory-programmed and the other chips have only short, non-serialized TID numbers. The serial part of the Monza/ID chip's TID memory is written in the user memory. The non-serial part is defined in the chip mask and written as hard-wired ROM (cf. subsection II-B), and the serial part is permalocked using a lock-bit. Locking is done before cutting the chips from the wafer. In the near future, all UHF chips from Impinj will have serialized TID numbers.

Alien: The current UHF RFID chip ICs of Alien Technology include Higgs-2 (H2) and Higgs-3 (H3). H2 has a 32-bit non-serial TID written in ROM and an optional factory-programmed 32-bit serial number that is written on the chips if needed. The vast majority of the H2 chips in the market do not have serialized TID numbers because the market has only recently started to demand them. H3 chips have the serialized TID number as a standard feature and the company predicts that in two years all UHF chips they sell will have serialized TID numbers. The serialized TID numbers are written during the inlay production process and protected in a foundry protect process that disables the chip's internal commands for rewriting the TID memory. Alien uses a 160 nanometer manufacturing process.

TI: UHF Gen2 STRAP contains 32-bit TID memory (factory programmed and locked). In HF products, TI has chips with 64-bit factory-programmed read-only numbers. According to official documentation, the TID bank is permanently locked. TI uses a 130 nanometer manufacturing process.

ST Microelectronics: The current UHF RFID chip IC of ST Microelectronics is XRAG2. It has TID memory bank which can be programmed to store either the serialized 64-bit ISO TID number or the non-serialized 32-bit EPC TID number. To allow writing the TID numbers in both ISO and EPC formats, none of the TID memory is implemented as hard-wired ROM but it can be programmed by the chip manufacturer. The TID numbers are programmed and protected from rewriting while the chips are on the wafer. XRAG2 is manufactured using a 180 nanometer process.

Quanray: The current UHF chips of Quanray include QR2233. According to the company, a permalocked serial TID number is a standard feature of this chip.

Table 1. Summary of commercial Gen-2 chips and their TID numbers

| Chip | Company | Chip Model ID | Serial TID | TID Lock |
|---|---|---|---|---|
| Higgs-2 | Alien | ROM | Optional | Yes |
| Higgs-3 | Alien | ROM | Standard | Yes |
| Monza | Impinj | ROM | No | Yes |
| Monza/ID | Impinj | ROM | Standard | Yes |
| Monza/64 | Impinj | ROM | No | Yes |
| UCODE G2XM | NXP | EEPROM | Standard | Yes |
| UCODE G2XL | NXP | EEPROM | Standard | Yes |
| SL3 ICS1001 | NXP | EEPROM | Standard | Yes |
| SL3 ICS3101 | NXP | EEPROM | Standard | Yes |
| SL3 ICS3001 | NXP | EEPROM | Standard | Yes |
| UHF Gen2 STRAP | TI | ROM | No | Yes |
| XRAG2 | ST Micro. | EEPROM | Optional | Yes |
| QR2233 | Quanray | EEPROM | Standard | Yes |

This review suggests that all Gen-2 chips of the reviewed major chip manufacturers have permanently locked TID numbers. Moreover, the authors are also not aware of other companies selling unprogrammed chips. As a result, to the best of the authors’ knowledge, it is not possible to buy chips with unprogrammed TID numbers today.

4.1.6 How much cost to break is needed?

In this subsection we illustrate the financial incentives of counterfeiters in the tobacco industry so as to evaluate how much security (cost to break) is needed from a technical security feature. Cigarettes are the world's most widely smuggled legal products and accounted for more than half of the 126 million counterfeit and pirated products that were seized by European customs in 2006 [16]. To illustrate the vast size of the illicit tobacco market, the smugglers' market share is estimated to account for 15 percent [14] of the total USD 20 billion tobacco market in the UK [15]. More than half of the illicit cigarettes in the UK are counterfeits and the rest are diverted genuine products [14]. Assuming that illicit actors make their profit by not paying the taxes and duties that account for ca. 80% of cigarettes' sales price in the UK and given a sales price of USD 10 per pack, the illicit profit per pack would be around USD 8 (cf. Figure 5).

[Figure 5: two price bars. Genuine product (10 USD): Cost & Margin (2 USD), Taxes & Duties. Illicit product sold as genuine: Cost & Margin, Budget for breaking the TID check, Illicit Profit. Annotation: "Smugglers don't pay taxes!"]

Figure 5. Counterfeiters’ financial incentives in the tobacco industry

If single packs of cigarettes were tagged and the authenticity of a pack was verified by checking that the RFID tag has a correct serialized TID number, illicit actors would have a big financial motivation to buy or even to produce programmable RFID tags. The illicit actors’ budget per one cloned tag could be several dollars and even more assuming that tagging would take place in higher aggregation levels such as for cartons of 10 packs. Carton level tagging could also introduce more opportunities for using tag impersonation devices. Furthermore, because of the vast size of the illicit market, also the investment that is needed in design and manufacturing of programmable chips could be absorbed as a mere cost of doing business by the counterfeiters. The break-even from the initial investment in IC design could come after some hundreds of thousands of sold counterfeit packs. As a result, relying on TID checks does not appear to be secure enough as a long-term solution for the tobacco industry.

4.1.7 Summary

The evaluation of the TID-based tag verification scheme confirms that serialized TID numbers currently provide a practical hurdle against cloning of Gen-2 chips since Gen-2 chips with programmable TID memory, to the best of the authors' knowledge, are not commercially available today. However, working prototypes of semi-passive tags (e.g. in BRIDGE WP4) demonstrate that a tag impersonation device can be built from less than ten euros worth of standard components to fool TID checks. As a result, end-users should only make use of serialized TID numbers in applications where the tagged items can be physically inspected, and only as a temporary and complementary solution. In particular, we discourage end-users from relying completely on TID checks because it could create a lucrative opportunity for manufacturing programmable chips that would completely undermine the practical hurdle that the TID scheme provides today. Overall, the biggest threat against this scheme relates to the commoditization of RFID technology. Therefore, serialized TID numbers do not appear to provide any sustainable long-term solution for tag cloning, but only a temporary solution before stronger tag authentication techniques.

4.2 Synchronized Secrets Approach

The synchronized secrets prototype demonstrates the developed approach that raises an alarm as soon as two tags with the same ID are scanned within a supply chain. This subsection evaluates the developed approach and demonstrator.

4.2.1 Time-measurements

Given that an RFID infrastructure is in place and the tags used have a modest amount of user memory, the direct cost of the synchronized secrets method is the time delay of verifying and updating the synchronized secret. This overhead time was measured with the demonstrator from 100 reads where the tagged product faces the antenna at a distance of 5 cm.

Figure 6. Measured average times and standard deviations (error bars) of different steps (numbers in brackets) in the implemented protocol (cf. Appendix C for the detailed protocol)

The average overall processing time of one tag was 864 ms. This includes 128 ms for the inventory command, 181 ms for reading the EPC number, and the remaining 555 ms is the time overhead of the synchronized secrets protocol. The measured average times and standard deviations are presented in Figure 6. The results show that the time overhead of the protocol increases one tag's processing time approximately by a factor of 300%, after the inventory command. Even though the time overhead is short in absolute terms, it makes a difference in bulk reading where multiple products are scanned at once. A closer look at the times of the different steps reveals that writing a new synchronized secret on the tag is only slightly slower than reading a secret from the tag, and that the biggest variance is experienced within the back-end access.

The performance depends on implementation and has potential for improvement through optimization of reader and back-end software. In addition, variance in web server latency makes the time overhead hard to predict. Despite these limitations, this simple experiment provides evidence that the overhead time can limit the usability of the presented method in time-constrained bulk reading.

4.2.2 Level of security (quantitative)

The level of security of the synchronized secrets method depends on how often the tags are scanned and on how much time the adversary needs to conduct the cloning and impersonation attack. We study the scan rates of genuine tags based on a public access control data set [17]. This data set is an activity record of proximity cards within an access control system that controls the access to parts of a building, and it enables quantitative evaluation and benchmarking of the detection rate of the synchronized secrets method. Though an optimal evaluation should be done with data from a supply chain application, a similar public data set does not exist for that application. Despite this limitation, the access control data set also enables evaluation and illustration of the performance of the synchronized secrets method.

The probability that a tag was scanned again within the studied data set is presented in Figure 7 as a function of the time delay from the previous scan. This value equals the probability that an arbitrarily injected cloned tag raises an alarm (Case 1) given the attack delay. For example, an adversary who clones a genuine tag when it is scanned and injects the tag 2 or 24 hours after cloning has a 41% or a 72% chance of raising an alarm upon impersonation, respectively. The overall probability of a tag being scanned again was 99.15%, which corresponds to the detection rate. The findings suggest that only very few cloning attacks would go completely unnoticed in the studied application, and that an adversary needs to conduct the impersonation attack within a few hours after tag cloning to have a relatively good chance of not raising an alarm.

Figure 7. Time delay between consecutive reads in an access control data set ([17])

We compare the performance of the synchronized secrets method to that of Deckard, a system that was designed to detect cloned tags within the aforementioned data set based on statistical anomalies [18]. With different parameter settings, Deckard was able to detect 63% of cloned tags with a 3.7% false alarm rate, or 46.3% of cloned tags with a 2.5% false alarm rate. These are published results from simulated attack scenarios within the aforementioned data set [18].

Assuming that 10,000 tags are scanned, 10 of which are cloned, and that each alarm leads to a manual verification, we can compare the number of alarms generated by Deckard and by the synchronized secrets approach. The number of cloned tags prevented indicates the case where the (true) alarm is triggered by the cloned tag (Case 1). The number of cloned tags detected indicates the case where the (true) alarm is triggered when a genuine tag is scanned (Case 2). We assume that all true alarms generated by Deckard are triggered when the cloned tag is scanned so that the number of tags that are prevented and detected is the same. For the synchronized secrets method, the number of cloned tags prevented is a function of the attacker’s delay (average time needed from cloning attack to injecting the cloned tag).

The results are summarized in Table 2. The number of cloned tags that generate an alarm as they are read (number of cloned tags prevented) is almost the same for both techniques. However, the synchronized secrets method clearly outperforms the benchmark technique on the other two dimensions. First, owing to the very high probability that a tag was scanned again within the data set (99.15%), on average all 10 cloned tags would be detected by the synchronized secrets method. Second, the number of manual verifications with the synchronized secrets method would be very small (10) compared to that of the benchmark technique (256 or 375). This large difference is due to the high false-alarm rate of the benchmark technique and the fact that the synchronized secrets method triggers an alarm only when a tag cloning attack has occurred.

Table 2. Quantitative evaluation in an RFID access control application

| Method | Parameters | Cloned tags prevented (Case 1) | Cloned tags detected (Case 2) | Manual verifications |
|---|---|---|---|---|
| Benchmark [18] | Hit rate 63.0%, false-alarm rate 3.7% | 6 | 6 | 375 |
| Benchmark [18] | Hit rate 46.3%, false-alarm rate 2.5% | 5 | 5 | 256 |
| Synchronized secrets (2h attack delay) | Prevention rate 41%, detection rate 99.15% | 4 | 10 | 10 |
| Synchronized secrets (24h attack delay) | Prevention rate 72%, detection rate 99.15% | 7 | 10 | 10 |

4.2.3 Limitations

If a cloned tag enters the supply chain before the corresponding genuine tag is read again, the cloned tag will first go unnoticed and the alarm will be triggered when the genuine tag is read the next time (Case 2). As a result, the counterfeit product can already be consumed before the alarm is triggered. For security relevant products that are not often scanned while the tags can be accessed by adversaries (e.g. drugs that wait in non-secured warehouses for long times), this can be a major limitation. In addition, the synchronized secrets method needs to know when the tagged products leave the RFID system to “close the trace”. As a result, the method is vulnerable to injection of unnoticed cloned tags (Case 3) if it is not known when the genuine products are no longer within the traced system.
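The three outcomes discussed in 4.2.2 and 4.2.3 (Cases 1 to 3) and the rescan-probability estimate behind Figure 7, as an added example that is not code from the report. The class and function names, the resynchronization of the tag after an alarm, and the scan log are constructed assumptions.

```python
import secrets
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Tag:
    tag_id: str   # static identifier, copied verbatim by a clone
    secret: str   # value held in the tag's rewritable memory


class SyncSecretsBackend:
    """Back end that keeps exactly one current secret per tag ID."""

    def __init__(self):
        self._current = {}

    def enroll(self, tag_id):
        self._current[tag_id] = secrets.token_hex(8)
        return self._current[tag_id]

    def scan(self, tag):
        """Check the presented secret, then rewrite it on tag and back end.

        Returns True when an alarm is raised, i.e. the secret is outdated.
        Assumption: the scanned tag is resynchronized even after an alarm.
        """
        expected = self._current[tag.tag_id]
        alarm = not secrets.compare_digest(tag.secret, expected)
        tag.secret = self._current[tag.tag_id] = secrets.token_hex(8)
        return alarm


def replay(order):
    """Clone a freshly enrolled tag, then scan 'genuine' / 'clone' in order.

    Returns a list of (who, alarm) pairs, one per scan.
    """
    backend = SyncSecretsBackend()
    genuine = Tag("constructed-tag-0001", "")
    genuine.secret = backend.enroll(genuine.tag_id)
    clone = Tag(genuine.tag_id, genuine.secret)  # cloning copies ID and secret
    tags = {"genuine": genuine, "clone": clone}
    return [(who, backend.scan(tags[who])) for who in order]


def rescan_probability(scan_log, delay_hours):
    """Estimate from (tag_id, hour) records how often a scan is followed by
    another scan of the same tag within delay_hours, and at all.

    The first value is the chance that a clone injected delay_hours after
    cloning raises the alarm itself (Case 1). The second value is the overall
    chance that the cloning is noticed at some point (Case 1 or Case 2).
    """
    by_tag = defaultdict(list)
    for tag_id, hour in scan_log:
        by_tag[tag_id].append(hour)
    total = within = ever = 0
    for hours in by_tag.values():
        hours.sort()
        for i, hour in enumerate(hours):
            total += 1
            if i + 1 < len(hours):            # the tag was scanned again
                ever += 1
                if hours[i + 1] - hour <= delay_hours:
                    within += 1
    return within / total, ever / total


# Constructed scan log (tag ID, hour of scan); not taken from data set [17].
SCAN_LOG = [("A", 0), ("A", 1), ("A", 9), ("A", 33),
            ("B", 0), ("B", 30), ("C", 5)]

if __name__ == "__main__":
    print("Case 1:", replay(["genuine", "clone"]))   # alarm on the clone
    print("Case 2:", replay(["clone", "genuine"]))   # alarm on the genuine tag
    print("Case 3:", replay(["clone"]))              # trace never closed
    for delay in (2, 24):
        print(delay, "h:", rescan_probability(SCAN_LOG, delay))
```

In Case 2 the alarm fires on the genuine tag, so the alarm alone does not say which of the two objects is the counterfeit; that is the manual verification counted in Table 2.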

4.2.4 Summary

Detecting cloned RFID tags appears attractive for securing commercial RFID applications since it does not require more expensive and energy-thirsty cryptographic tags. This subsection evaluates the synchronized secrets method that detects cloning attacks and pinpoints the different tags with the same ID. The method requires only a small amount of rewritable memory from the tag but it provides a considerable increase in the level of security for systems that use unprotected tags. A major benefit of the presented measure is that it can be used with standard EPC Gen-2 and it can be applied in all RFID applications where the tags are repeatedly scanned. The additional cost factor of the presented method is manual verifications needed to ascertain which of the tags (objects) with the same ID number is the cloned one, but the number of needed verifications for the presented method is considerably smaller than for comparable detective security measures. Overall, the presented method has the potential to make harmful injection of cloned tags into RFID systems considerably harder using only a minimal hardware overhead.

4.3 Rule-Based Anti-Counterfeiting Approach

4.3.1 Known Vulnerabilities

The anticipated vulnerabilities of the Rule-Based Anti-Counterfeiting approach were introduced in the BRIDGE D5.4 Prototype deliverable. On the one hand, they encompass physical tagging attacks, including:

• Removal and reapplication of tags: the counterfeiter could remove genuine tags from a packaging and apply them to his counterfeit product’s packaging. This represents a one-to-one exchange of genuine products with counterfeits, which continue to travel through the supply chain. The genuine product could be sold outside authorized distribution channels.

• Replacement of original products with counterfeits: the counterfeiter could exchange the genuine product with a counterfeit, taking out the genuine one, and disposing of it in secondary distribution channels (one-to-one exchange).

• Attaching cloned tags on counterfeits: a player in the authorized supply chain can clone identifiers, attach them to counterfeits, sell the counterfeits, and dispose of the genuine products outside authorized channels (this would allow mass supply chain injection), until the cloning activities (due to duplicate EPC numbers) are detected.

• Tag defects or absence of tags: these include cases of counterfeit products with non-functional tags, tags with invalid product identifiers, tags with fake product identifiers, or no tag at all.

On the other hand, known vulnerabilities include backend system attacks, such as:

• Infiltration of false traces into the backend system: counterfeiters could include traces of counterfeit products, which did not travel throughout the supply chain, into the system. Once they are tested by the system, they would be authenticated as genuine.

• Manipulation of existing traces (counterfeit traces become marked as genuine traces): traces of counterfeits could be manipulated in a way that they are authenticated as genuine products.

The possible and known vulnerabilities of this approach were also discussed with anti-counterfeiting experts from different industries and customs organization (see also Section 4.3.8). The results mainly correspond to the attack types on the Rule-Based Anti-Counterfeiting approach identified in the previous deliverable (see above). The experts mainly stressed the attack types where RFID tags could be reapplied on other packages, and attacks on the backend system, including denial of service attacks (the whole system could be tied up and authentication checks could take an intolerably long time), and “blackmailing attacks”, where traces of genuine products could be classified as counterfeits by counterfeiters. This aspect, however, is not part of the WP5 activities. Another remark from the experts was that counterfeiters could officially register and become “legal” supply chain partners, making it more difficult to detect them.

4.3.2 Cost to Break

In reference to the previous subsection (4.3.1), all one-to-one product exchanges or reapplications of tags onto counterfeit products do not require high investments from counterfeiters. However, they can, to a great extent, be avoided by using tamper-proof tags, which are destroyed upon removal. The same applies to product packages, which could additionally have a seal that breaks once the package is opened. Mass injection via tag cloning requires certain investments into RFID infrastructure, including tags and readers, for example. Counterfeiters with access to this infrastructure could clone tags without additional fees. However, it is difficult to assess the prices of these attacks, since tag and reader prices are continuously falling. Concerning system attacks (infiltration, manipulation), counterfeiters require, besides the technical infrastructure, a certain knowledge of the system and the ability to attack / hack it, in order to infiltrate and manipulate existing traces in the company’s EPCIS systems. For the latter two cases it is, however, extremely difficult to make exact cost statements.

4.3.3 Confidentiality

Regarding the aspect of confidentiality, there are no privacy issues with the Rule-Based Anti-Counterfeiting Framework regarding personal data. However, the more complete the product’s trace, the more effectively the system can work. Hence, an open exchange of supply chain information between companies would foster an optimal functioning of the prototype. This raises data sharing issues between companies in terms of confidentiality. A look at the currently implemented anti-counterfeiting rules reveals that the interchange of EPCIS and supply chain information between companies is of high importance for the majority of the anti-counterfeiting rules (see also next deliverable, D5.6 – Application Guideline and Implementation Roadmap). An example rule is the “Missing ADD event rule” in a supply chain overarching scenario. This rule requires the manufacturer to share his manufacturing information with the supply chain partners, and customs organization. From the interviews with affected companies we know that companies would share their information for the sake of a counterfeit-clean supply chain.

Since work package 5 works with RFID technology only in the supply chain, no personal data is involved. WP5 therefore does not have any privacy issues in terms of personal privacy. This criterion, however, deals with the data sharing between supply chain partners for the collaboration in the fight against counterfeits.

4.3.4 Scalability

For the purpose of the scalability evaluation we conducted a series of simulations on the WP5 Rule-Based Anti-Counterfeiting Application. The goal was to assess how the system handles different loads, varying inputs and to identify potential hotspots and bottlenecks. For the test we used a machine with an Intel Core 2 Duo @ 2.4GHz processor and a total of 4 GB system memory. From the software side we used Windows XP (SP2) as an operating system and the GlassFish V.2 J2EE Application Server with Java EE 5 environment. In order to better illustrate the relevance of the measured statistics we will first explain how the performance measurement was conducted:

1. The last EPCIS event of a pre-generated trace is sent to the application. The complete trace is already present in an EPCIS that is known to and reachable by the prototype.

2. The trace is gathered by the Event Gathering Layer (EGL) from the EPCIS repository. The time from start to end of this activity is measured.

3. The trace is evaluated against the Rule Engine (RE) rules. The time from start to end of this activity is measured.

4. The results are displayed on screen. The total time from start of step 2) to end of step 4) is measured.

5. The total time minus 2) and 3) is calculated to evaluate the indirect computational overhead.

Figure 8 shows a sequence diagram of the Rule-based Anti-Counterfeiting Prototype. The colors correspond to the steps listed above: red – 2), orange – 3) and blue – 5). The sum of these times corresponds to the value measured in step 4).

Figure 8 Sequence Diagram of the Rule-Based Anti-Counterfeiting Framework

In more detail - the RE time is the time it takes for the Rule-based Engine to apply all rules on a particular EPC trace, including the Decision Support System evaluation. The EGL time is the time it takes for the Event Gathering Layer component to gather all relevant events for a given EPC from local and remote EPCIS sources. The rest of the time can be attributed to persisting the alerts, intermediate method invocations, EJB beans lookups etc. The EGL time is highly dependent on external factors such as network congestion, number of involved EPCIS or EPCIS response times. For that reason we tested it in near-optimal conditions – one EPCIS deployed locally containing only the trace required for the current test.

The test data was simulated in order to achieve specific properties, such as level of aggregation or trace size, for example. The same simulation algorithm was used to generate all traces, only configuration parameters were varied. In that way a meaningful comparison of the test results is possible. A total of 24 traces was generated with configuration parameters (i) “trace size”, which varied from 10 traces through 500 traces (10, 20, 50, 100, 250, and 500), and (ii) “level of aggregation”, which varied from 0 through 3 levels (0, 1, 2, and 3). For each aggregation level, the trace length is divided into (2 * aggLevels + 1) subparts. The trace starts with the original EPC, after 1 subpart it is aggregated into a container, after one more subpart the container is aggregated into another container and so on. After the middle of the trace the process of disaggregation starts – the top-level box is disaggregated and the lower-level box continues to travel and so on. The last subpart is the original EPC travelling on its own again. This trace configuration resembles the expected travel way of a product. Figure 9 presents a simulated trace with 2 levels of aggregation.

The rule-engine was tested with a total of 11 rules. For each performance test, all required events were pre-inserted into a single EPCIS repository, located locally and deleted afterwards in order to prevent any interference with other tests. Each test was repeated 5 times and the results were averaged.

Figure 9 An Example Trace of an Item with two Aggregation Levels

The measured times table can be found in the appendix. The next section introduces and discusses the obtained (and plotted) results.

Test Results

Figure 10 illustrates the measured Rule-based Anti-Counterfeiting Framework times, separated into RE, EGL, and “others” time for level of aggregation 0. The majority of the time is attributed to the event gathering layer, and its proportion grows with the trace size. The same applies to the rule engine time, although it does not increase as strongly as the EGL time. With a growing trace size, however, the time for all other processes remains more or less constant.

Figure 10 Measured times for levels of aggregations - 0.

With a higher level of aggregation, the time proportions do not change significantly. Figure 11 illustrates the test times with a level of aggregation of 3 (the Figures for the aggregation levels 1 and 2 can be found in the appendix).

Figure 11 Measured times for levels of aggregation - 3

Figure 12 shows the plots of the measured times vs. trace size for aggregation level 0, together with a linear plot for comparison. Comparing the slopes, it can be observed that:

• EGL time grows linearly in relation to the trace size, with a linear slope,

• RE time grows linearly in relation to the trace size, with a linear slope, and

• “Others” time remains relatively constant regardless of trace size.

Linear scalability relative to load means that with fixed resources, performance decreases at a constant rate relative to load increases. This is a very desirable property for a system and is also sometimes referred to as “perfect scalability”. The system is designed to be stateless - each interaction request has to be handled based entirely on information that comes with it. This fact means that the system can be replicated and this will increase its performance in relation to the load or demand.

In order to make sure that load peaks can be handled adequately, the application also contains internal queues which allow events to be queued and processed batch-wise, so that client requests are not declined even at peak times with a lot of evaluation work.

Figure 12 Plotted measured times for aggregation levels – 0 (x-axis: trace size; y-axis: time in ms; series: Others, EGL, RE and Overall, each with a linear trend line)

Higher levels of aggregation only slightly increase the slope. Figure 13 shows the trace size vs. time plot for an aggregation level of 3. The linear response can be observed again. It is especially important that the RE handles traces containing aggregations at a speed similar to traces without aggregations, and is thus able to handle the complex product traces which occur in real-life scenarios.

Figure 13 Plotted measured times for aggregation levels - 3 (x-axis: trace size; y-axis: time in ms; series: Others, EGL, RE and Overall, each with a linear trend line)

The plots for aggregation levels 1 and 2 can be found in the appendix.

When looking solely at the influence of the level of aggregation on the system times, we obtain the following figures:

Figure 14 Level of Aggregation vs. RE Time

Figure 15 Level of Aggregation vs. EGL Time

Figure 16 Level of Aggregation vs. "Others" Time

Figure 17 Level of Aggregation vs. "Overall" Time

Figures 14, 15, 16, and 17 show that the levels of aggregation have only little influence on the system’s performance. The majority of the time is spent on the gathering of events, and more specifically on the EPCIS internally collecting the required events, not on the multiple calls to the known EPCISs. The bigger the trace, the more prominent this observation is: for 10 events, the roundtrip time for the web service call is significant compared to the time it takes for the EPCIS to collect them. For 250 events and more, the roundtrip time becomes less and less important. It is important to note that the tests were conducted with a locally available EPCIS repository. However, this is the expected case for non-local repositories as they are usually highly accessible. The “others” time, i.e. the time it takes to receive an event, convert it to a suitable internal format, store the event locally, put the event in a queue for processing, prepare the query for the EGL requests, aggregate the responses of the EGL into a trace, prepare the rule engine (insert external facts), persist all alerts etc., remains relatively constant, with only a slight increase when the trace size increases, due to the larger number of events gathered from the EPCISs.

Summary

The scalability test results show that the system design has a very favourable linear scalability and is able to handle increasing loads gracefully. Multiple instances of the system are interchangeable due to its statelessness, which increases its overall performance when resources are added. The EGL aspect of the overall time depends mainly on external factors and was examined for completeness. The outcome showed that in favourable conditions, the EGL does not prove to be a bottleneck for the system. In contrast to that, the actual trace rule-based evaluation, which is the most important functionality of the system, only takes a small fraction of the overall time (see Figure 18).

Figure 18 Overall Times Divided into Time Fractions (in percentage) for the Components (x-axis: trace size 10, 20, 50, 100, 250, 500; y-axis: 0,00% to 100,00%; series: RE, EGL, Others; data labels per trace size: 75,25% / 65,38% / 45,82% / 33,27% / 17,81% / 10,62%; 23,27% / 32,05% / 51,87% / 64,08% / 78,26% / 83,03%; 1,49% / 2,56% / 2,31% / 2,65% / 3,93% / 6,35%)

4.3.5 Feedback Speed

The authentication process consists of five phases. Reading the EPC/RFID tag (a) and sending the information to the authentication system (b) represent the first two phases. Once the information is received by the authentication system, it gathers all events which were part of the product’s trace and creates a virtual trace (c), which is then analyzed by the rule engine (d - authentication test). Once the authentication test is performed, the system sends back the response to the requesting user (e).

Figure 19 Authentication Process Phases

The complete feedback speed corresponds to the sum of the bars coloured in blue in the sequence diagram in Figure 20.

Figure 20 Sequence Diagram with Coloured Feedback Overall Speed

Figure 21 Overall Response Time of the Prototype (x-axis: trace size in number of events; y-axis: time in ms; series: Agg Level 0, Agg Level 1, Agg Level 2, Agg Level 3)

It can be observed that the aggregation level of traces does not have a major influence on the system: there is about a 15% difference between level 0 and 3. However, it should be noted that the evaluation was done in very favourable conditions, with very low network latency and a locally deployed repository. In general, as the complexity of the trace in terms of size and aggregation levels grows, the number of involved repositories grows, and thus the network times increase. Predicting how companies distribute their data is out of the scope of this evaluation report.

The system times of sub-processes (c) and (d) have already been evaluated for the scalability criterion (see subsection 4.3.4 and detailed results in the appendix). The rest of the total time can be attributed to internal transformations and persisting, as well as transfer times over the network.

4.3.6 Probability to Detect a Counterfeit / Clone

Despite various research activities, the knowledge about counterfeiters’ strategies, e.g., the counterfeits’ routes and entry points into supply chains, and their distribution channels is limited due to the clandestine and illegal nature of this business. Interviews with experts from customs organization and affected companies, which were repeatedly conducted within this work package, confirmed these findings (see also D5.1 Problem Analysis Report, D5.2 Requirements Report, and this report). To assess the detection capabilities of the Rule-Based Anti-Counterfeiting Framework, it is necessary to systematically explore the possibilities of counterfeiters in tracking-enabled supply chains, for which the available data is not suitable. Simulation research studies, which were conducted in order to evaluate the detection rate of rule-based anti-counterfeiting approaches, were not convincing. Their results range between detection rates from 0 to 100%, since they are extremely manipulable by factors such as the read rate, the type of the supply chain, the rules, etc.

For the evaluation of the rule-based anti-counterfeiting framework, we therefore opted for a more analytical approach. Suppose all items of a certain type are equipped with EPC/RFID tags and thus unique identifiers (UIDs), and a tracking infrastructure covering the supply chain is in place. The first challenge for the counterfeiter is to obtain UIDs for his counterfeit products. One option is to completely omit the UID, but this strategy should be easily detectable during authentication. For actually obtaining a UID, the options include guessing identifiers, transferring the UIDs of genuine products to counterfeits, or copying the UIDs found on genuine products. If identifiers are guessed randomly, the resulting UID may in rare cases be a duplicate of a valid UID, but most likely it will be invalid, i.e., no genuine item carrying the same UID exists. To transfer UIDs, counterfeiters may remove RFID tags from genuine items and reapply them to counterfeits, or they may seek access to UIDs of disposed products and reuse them (one-to-one exchange as previously discussed). Any UID found on a counterfeit will have at least one of these properties: (i) it is invalid, (ii) it has been transferred, or (iii) it is duplicated. The counterfeit items must be distributed, either by injecting them in licit channels or by distributing them outside of the legitimate supply chain, for example by smuggling, selling on flea markets or through online shops. For the resulting item trace, it is important whether there are read points on the path of the item or not. Illicit distribution channels are likely to contain no read points and thus be invisible, while licit channels can be assumed to be visible. The combined effects of UID and distribution strategies on traces will now be analyzed. The various scenarios are illustrated in Figure 22.

Figure 22 Counterfeit Cases and the Rule-Based Anti-Counterfeiting Approach (panels a to g; supply chain stations: Manufacturer, Distributor, Wholesaler, Retailer, Customer)

An item with an invalid UID that is traded completely through invisible channels has no trace. This can be detected immediately. Items with invalid UIDs that are injected in the licit supply chains will appear suddenly after the injection point (Figure 22a). Some events at the beginning of their trace are missing and the trace will fail the completeness check as the first event in the trace is not a successor of the genuine manufacturing trace event. However, if a counterfeiter manages to inject counterfeits in the licit channel before the first event is usually captured – which is most likely in the production facilities of genuine items – and it is ensured that this manipulation does not distort the further routing of the item, the resulting trace will fully correspond to the genuine trace and the counterfeit will not be detected. If distortions surface later in the trace (not only in terms of location but also in terms of wrong business steps or missing transaction information), the counterfeit will also be detected (Figure 22g). An additional check for UID validity offered by the rights holder and strict number management can mitigate this threat.

In case a counterfeit carries a transferred UID (valid and unique), the events in the trace were triggered by the movements of two items: Up to the point in time when the UID was removed, the events were created for a genuine product and the beginning of the trace will conform to the model.

After that, the counterfeit carries the stolen UID. Depending on the distribution of the counterfeit, the following possibilities for the continuation of the trace exist: if the counterfeit is distributed outside visible channels, the trace ends early (Figure 22b). Unless the last captured event was a valid terminal event, the completeness check will fail. If the counterfeit is injected in the licit supply chain, the sequence of events will only be valid if the counterfeit directly replaces a genuine item, the time needed for the product exchange does not lead to a time threshold violation and the manipulation does not lead to distortions on the future path of the counterfeit. If the injection is not a direct replacement but takes place further upstream (Figure 22c), downstream (Figure 22d) or in another branch of the supply chain (Figure 22e), the trace will contain no transition allowing this sequence of events. If the replacement leads to an exceeded transition time, invalid transitions or events later in the trace (Figure 22g), it will also be detected.

If counterfeits with duplicate UIDs are distributed through invisible channels, they can be detected as long as the trace of the genuine item carrying the UID is not complete (Figure 22a). If the duplicates are injected in the licit supply chain, the trace that is retrieved for the UID is a mix of all sub-traces created by the multiple items carrying the same UID (Figure 22f). As soon as the first item with a copied UID is injected in the supply chain, this will result in an invalid trace as a transition between the last event captured for the genuine item (from which the UID was copied), and the first event triggered by the counterfeit is missing. However, if the counterfeiter manages to inject the counterfeit at exactly the station where the next event for the genuine item is expected, the injection will remain undetected, but only as long as the genuine item does not arrive at this station. As soon as the genuine item triggers the next event, the trace becomes invalid as a transition is missing and the counterfeit can be detected at the next sighting. Note that in this specific case, a genuine item will be classified as counterfeit (false positive). As counterfeiters will probably put the same copied UID on many items, it may be acceptable to misclassify one genuine item if this allows detecting mass copied items.

From this analysis it follows that a wide range of potential counterfeiter activities result in traces that deviate from the traces of genuine items and can thus be detected by the rule-based anti-counterfeiting framework. Only a few options are open to counterfeiters to “construct” traces for counterfeits that are indistinguishable from the traces of originals. Moreover, each of these remaining options requires considerable effort in terms of knowledge and access to the licit supply chain.
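The following example is added here as an illustration and is not the BRIDGE prototype's code. It replays the duplicate-UID cases discussed above against a small rule checker (missing production event, invalid transition, exceeded transition time). The station names, time limits, UID and read sequences are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed model of a licit supply chain: each allowed transition between
# read points, with the maximum plausible transit time (assumed values).
ALLOWED = {
    ("factory", "dc"): timedelta(days=3),
    ("dc", "wholesaler"): timedelta(days=5),
    ("wholesaler", "retailer"): timedelta(days=5),
}
PRODUCTION = "factory"  # every genuine trace must start here


def check_trace(events):
    """Apply the trace rules to all events recorded for one UID.

    events: iterable of (timestamp, station). Returns the list of rule
    violations; an empty list means the trace is consistent so far.
    """
    events = sorted(events)
    if not events:
        return ["unknown_uid"]
    hits = []
    if events[0][1] != PRODUCTION:
        hits.append("missing_production_event")
    for (t0, s0), (t1, s1) in zip(events, events[1:]):
        limit = ALLOWED.get((s0, s1))
        if limit is None:
            hits.append(f"invalid_transition:{s0}->{s1}")
        elif t1 - t0 > limit:
            hits.append(f"time_exceeded:{s0}->{s1}")
    return hits


class TraceMonitor:
    """Keeps one merged trace per UID, as the backend sees it: reads from a
    genuine item and from clones carrying the same UID are indistinguishable."""

    def __init__(self):
        self.traces = defaultdict(list)

    def observe(self, uid, timestamp, station):
        """Record a read and return the violations visible at this sighting."""
        self.traces[uid].append((timestamp, station))
        return check_trace(self.traces[uid])


def replay(reads):
    """reads: list of (uid, timestamp, station, truth). `truth` is ground
    truth used only to score the outcome; the monitor never sees it.
    Returns one (truth, flagged) pair per read."""
    monitor = TraceMonitor()
    return [(truth, bool(monitor.observe(uid, ts, st)))
            for uid, ts, st, truth in reads]


def day(n):
    """Constructed timestamps: n days after an arbitrary start date."""
    return datetime(2009, 6, 1) + timedelta(days=n)


UID = "urn:epc:id:sgtin:0000000.000000.1"  # constructed placeholder UID

# Clone injected exactly where the genuine item is expected next.
CLONE_AT_NEXT_STATION = [
    (UID, day(0), "factory", "genuine"),
    (UID, day(1), "dc", "genuine"),
    (UID, day(2), "wholesaler", "counterfeit"),  # fits the model: not flagged
    (UID, day(3), "wholesaler", "genuine"),      # genuine arrives: flagged
    (UID, day(4), "retailer", "counterfeit"),    # trace stays invalid: flagged
]

# Clone injected further downstream than the genuine item has travelled.
CLONE_DOWNSTREAM = [
    (UID, day(0), "factory", "genuine"),
    (UID, day(1), "dc", "genuine"),
    (UID, day(2), "retailer", "counterfeit"),    # dc->retailer is not allowed
]

if __name__ == "__main__":
    for name, reads in [("next station", CLONE_AT_NEXT_STATION),
                        ("downstream", CLONE_DOWNSTREAM)]:
        print(name, replay(reads))
```

In the first sequence the clone passes unflagged until the genuine item reaches the same station, at which point the genuine item is the one flagged (the false positive described above) and the clone is caught at its next sighting.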

RFID and track-and-trace based authentication enables a high check rate compared to traditional authentication, as automated event capturing can be combined with authentication and this can be done for many items simultaneously. Extending the possibility to check items by their UID to end customers will further increase the check rate. The approach can detect low-effort strategies such as identifier guessing without access to the licit supply chain, and it can also detect the strategy most prevalent today: distribution through illicit channels.

Additional safeguards such as random inspection of inconspicuous goods, investigation of the sources of detected counterfeits facilitated by tracking data and UID validation may help in limiting the number of counterfeits that cannot be spotted with the proposed approach. In combination with a high check rate, this may result in detection rates that are high enough to drive counterfeiters out of business or make them target more vulnerable products. In any case, tracking based counterfeit detection will raise the bar for counterfeiters and each detected counterfeit decreases the overall negative consequences of counterfeiting.

When analyzing the documented counterfeiting cases described in the D5.4 Prototype Report, it turns out that in all cases, the counterfeiters injected their illicit merchandise at an unknown point into the supply chain, either before or at the retailer. According to the overview provided in Figure 22, these cases correspond to sub-case (a). With the rule-based anti-counterfeiting framework in place, these counterfeit cases would have been detected at an earlier point in time. In suspicious cases, however, manual testing will still be necessary. As described in the counterfeiters’ countermeasures in the D5.4 Prototype Report, tags might be broken due to mishandling, invalid (see discussion above), have fake product identifiers (see above), might be reapplied to counterfeit products (see above), or be cloned (see above). Within the rule-based anti-counterfeiting framework, rules can be specified that help to detect these injections and thus make the licit supply chain more secure against mass counterfeiting. As described above, however, one-to-one exchanges of genuine products with counterfeits are still possible.

Besides tampering with physical products, tags and identifiers, counterfeiters could also attack the EPCglobal backend system by creating (adding), replacing, cloning, or manipulating product traces. Backend system attacks are beyond the scope of BRIDGE WP5, though.

Track-and-trace based anti-counterfeiting solutions within the EPCglobal network leverage existing investments into the EPCglobal network (see also BRIDGE D5.3 Business Case Report [9]), and allow licit supply chain partners to collaborate and thus to detect and prevent counterfeiting. To insert illicit goods into legitimate, protected supply chains, counterfeiters would need to apply RFID tags on their fake products. We believe that this already represents an obstacle to counterfeiting and offers some deterrence, but it is not yet a secure solution. The combination of EPC internal data and external data, along with the rule-based approach, allows for the definition of highly customizable, industry- and company-specific anti-counterfeiting rules, leveraging company- and customs-specific anti-counterfeiting knowledge. Hence, using the knowledge of counterfeiting cases, and moreover of the “supposed-to-be” supply chain, companies can create their specific anti-counterfeiting rules, which can then be used to analyze the track-and-trace data.

4.3.7 Probability of False Positives and False Negatives

Especially in automated mass authentication, mechanisms for avoiding high false positive rates are required, as a large share of genuine items for which a counterfeit warning is issued might hamper the practical applicability of the approach. Given current rates of read errors in RFID based systems, issuing a warning for any deviation might be too harsh a decision criterion in real world operations, and the decision logic may be further refined to account for this requirement. According to our testing experience, false negatives are on the one hand caused by the incompleteness of the trace, and on the other hand by the specification of the anti-counterfeiting rules. The trace can be incomplete due to the tag’s read rates within the supply chain, insufficient supply chain information, or too little data sharing (from companies) within the supply chain. The efficient specification of the rules is therefore crucial for the reduction of the number of false positives on the one hand, and for the detection of counterfeits on the other. We therefore suggest the specification of a set of rules, which are combined using a decision support system (DSS), as already implemented in the rule-based anti-counterfeiting framework. The DSS allows the anti-counterfeiting experts to have the system trigger alerts only if predefined combinations of rules alert. For automated mass authentication, manual testing is still the final means, though.

From the interviews with customs organization we know that liability issues play an important role in whether products are stopped at the border or not (see also BRIDGE D5.2 Requirements Report). Customs organization can run into liability issues when products are mistakenly confiscated at the border. Anti-counterfeiters from customs and from affected companies will use their experience (with the system) in order to configure the decision support system in a way that the right thresholds, for example, are found where the number of false positives is reduced, but still counterfeits are detected.

The means by which counterfeiters can still trick the system and introduce their counterfeit merchandise into licit supply chains – by creating indistinguishable traces from the originals – was discussed in the previous sub-chapter. There it was also argued that the combination of the detection capability and the attainable check rate may lead to favourable counterfeit detection rates, particularly in comparison with traditional authentication approaches.

4.3.8 Industry Feedback (to be finalized)

For the industry evaluation of the Rule-Based Anti-Counterfeiting prototype, an interview guideline with 20 questions (18 for the customs organization guideline), subdivided into three parts, was developed. The guideline encompasses the evaluation of the approach, the rule specification and the evaluation of the current status in anti-counterfeiting and general questions about counterfeiting activities in their industries. The guideline can be found in the Appendix.

The interviews were conducted by phone with anti-counterfeiting experts from affected companies from different industries. The approach was presented by means of a slide set. The selection of the companies included - but was not limited to - partners from the Special Interest Group Anti-Counterfeiting (SIG AC), which accompanied the Work Package 5 from the beginning of the BRIDGE project, because of a missing application partner in WP5. For the evaluation of the findings, we opted for an aggregated and anonymized approach.

Customs Organization Evaluation

Customs organization sees a potential in the rule-based anti-counterfeiting framework. Automated mass checks could support them in finding the so-called “needle in the haystack”, since once a counterfeit product is found it is easy to identify it as such. The difficulty lies in the identification of the “right” shipment that contains counterfeit products. Moreover, by far not all products pass a customs office where apparently suspicious products can be stopped and checked. With the automated checks, the rule-based approach could help customs to gain a considerable edge in the fight against counterfeiting and leverage existing authentication activities by concentrating them on suspicious products. Moreover, customs organization stated that they would find a system beneficial that could test complete trucks at borders, for example, in real-time within seconds, without having to stop them and to check the contents manually.

They liked the “missing production event” rule that helps to identify counterfeit injections into the supply chain. However, they also said it is crucial to have a reliable system because of the liability issues, i.e. to know how relevant these alerts are. They also stated that parallel imports should not be stopped, since the European Union has the “community exhaustion” in place, hence allowing parallel trade between member states.

Customs organization ranked feedback speed, scalability, detection rate, and security as the most important qualities of the system.

Customs organization evaluated the possibility to specify anti-counterfeiting rules for the rule-based framework as highly feasible, since even today such “rules” are specified, e.g. for shipments from a certain country in combination with a “tariff number”. One stated example was the import of milk products or toys from China, which are stopped at the border and tested in special laboratories. In general, the customs stations are rather self-controlled; however, a central place exists which could specify these rules and give advice. As for the necessary resources to be spent in order to maintain the rule-set, no information could be given. When asked about investments into such a system, customs organization mentioned that a solution for stopping certain products (see milk and toy example above) already exists and that they see it more as an investment from the copyright holder to equip customs with such a solution. From a personnel point of view, there are no specialists who exclusively check for counterfeits, since everybody supports this task.

Regarding the answer type of the authenticity check, a percentage-wise evaluation of the product’s authenticity would already represent an improvement compared to the current status. Moreover, for customs organization it is important that all products have such a tag, or that it is known which products are supposed to have such a tag, so that the authenticity check effort does not increase. When asked about countermeasures of counterfeiters, attacks to the backend system, removal and reattachment of tags, and fake tags (cloned tags, tags with guessed UIDs) were mentioned.

The last part of the interview guideline covered general anti-counterfeiting related questions, such as the distribution channels for counterfeits or current strategies of counterfeiters. According to customs organization, most counterfeit products are still sold on the Internet. In the illicit supply chain, intermediaries sell these products via multi-level sales to end customers. However, the cases and numbers of counterfeit products in licit supply chains are far smaller than in illicit supply chains. Counterfeiters use the strategy of shipping their merchandise disassembled and undisguised and re-assemble the products at the product’s destination. The transportation route of these products is not transparent, though: the routes can be indirect and illogical so that it is hard to trace the products back. The findings from the D5.1 Problem Analysis Report were again confirmed: there is only little information available about the counterfeit distribution, the collaborators, and the flow of counterfeits.

Affected Companies Evaluation

Automotive Industry Evaluation

Experts from two affected companies from the automotive industry were interviewed for the evaluation of the rule-based anti-counterfeiting framework.

Part I – Evaluation of the Approach

Both experts from the affected companies from the automotive industry agreed when asked about the perceived usefulness of the presented approach. They evaluate the approach as useful in the fight against counterfeits, but voiced concerns about the employed technology. While one expert mentioned that customs organization especially needs a unified approach in the fields of RFID and anti-counterfeiting and that employees should be equipped with an RFID reading device in order to be able to read the tags, he also stressed that the deployment of this approach requires the EPC/RFID tag to substitute the barcode, which is in place today. The other expert agreed, but voiced concerns about the technology’s price (high variable tag prices). He stated that this technology will become very interesting to the automotive industry once the tag prices can compete with the technologies employed today. He also addressed existing technological obstacles, such as low read rates in the area of metal spare parts, and even lower read rates for spare parts which are transported in metal boxes, so-called lattice boxes. Both, however, appreciated the flexibility of the approach, the bulk reading capabilities of the technology, and thus the possibility of automated mass authentications. When asked about the potentials of this approach, they mentioned the unified system, the saving of resources to check the authenticity of products, and the automation, provided a reliable Internet connection was in place.

The immaturity of the technology and the necessity of a network infrastructure (including a database connection) for the authentication, leading to new investments as compared to other approaches, were identified as the main difficulties for this approach. The example of a garage without an Internet connection (in order to authenticate a product) was mentioned.

When asked about the number of partners in their supply chain, both estimated that the number would be between 3 and 5, including at least the production/manufacturer, the distribution center (internal or external), the retailer, and the wholesaler. Certifications and standards (e.g., ISO 9001, 14001; ISO-TS 16949, etc.) within the automotive industry require manufacturers in this industry to record the information about their supply chain. This fact facilitates the detection of counterfeiting activities by using mass authentication approaches such as the rule-based anti-counterfeiting approach under study.

The experts were asked to rank five evaluation criteria according to their importance, with the following result: 1. Detection rate of the solution, 2. Security of the solution, 3. Feedback speed/performance (up to 30 seconds), 4. Scalability (since 4-5 million products would have to be assessed), and 5. Read/write performance.

Part II – Rule Specification

The second part of the interview guideline concerned itself with the specification of anti-counterfeiting rules for the affected companies.

Both experts could immediately specify anti-counterfeiting rules for their company, but also for the industry as such. One expert proposed a rule that would “only allow certified supply chain partners or OEMs to order distinct spare parts” and he confirmed the “missing add-event rule”, which would check for the genuine production event of the brand owner. However, he also mentioned that most of the products are sent directly from the manufacturer to the OEM, only having a logistics provider in-between. The other expert stated that his company is aware of the companies that copy their genuine products, i.e. that produce counterfeits. A rule that stops the propagation of counterfeit products from these companies was proposed. Moreover, some spare parts are assembled from smaller parts which come from different countries. If such a part was declared to come from a country that does not have production sites for this part, then its propagation should also be stopped.

According to both experts, the data for the specification of rules has to be gathered from different departments within the company. While one expert evaluated this as a rather small effort, the other expert said that it is not easy due to the number of persons involved. However, most knowledge about the supply chain in automotive companies is available within the companies.

When asked to estimate how many companies in the industry would be able to specify such rules, the experts agreed that virtually all companies could do it, since their knowledge about their supply chains is quite broad. Supply chain players usually have a good knowledge about their downstream partners. Regarding the dynamic of the supply chain, one expert said that his supply chain partners do not change very often, whereas carriers / haulers do. The other expert said that his supply chain can be very dynamic, also in terms of suppliers. Business processes, however, do not change very often in both companies. Changes can occur between twice a year, or every 5 years. Also exceptions in the supply chain are seldom for both partners. One expert mentioned that his company has 7 manufacturing sites and 7 distribution centers worldwide, which were interconnected. However, he agreed that changes occur rather seldom.

Regarding the maintenance of the rule-set, one expert said that he liked the approach since existing knowledge in anti-counterfeiting could be leveraged with this approach. However, he could not estimate the effort (in man months, for example), in order to maintain the rule-set. He confirmed that it is important to guarantee the traceability of the products, including the day of production, its producing factory and the charge number, especially for recalls and production stops. He envisaged a self-learning and self-maintaining anti-counterfeiting system, based on the rule-approach. The other expert mentioned that at least one person would be permanently necessary in order to maintain the rule-set. His assessment is due to the nature of counterfeiting (due to constantly changing strategies) and the maintenance of contact and the exchange of information with other supply chain partners.

Both experts would invest into the solution, provided its ROI was proven and that it does not cost much more than (or costs as much as) a barcode-based solution. Both would wait until the prices were more interesting.

Part III – Current Status Evaluation

This part of the interview guideline concerned itself with the current status of the anti-counterfeiting efforts within both companies from the automotive industry.

The number of persons working in the companies in the fields of anti-counterfeiting was difficult to assess for the interviewed experts, since besides the patent department, also developers (especially in the predevelopment department) have to be included in the anti-counterfeiting team, since they also put efforts into the development of spare parts, which are hard to copy. Therefore, the estimations of both experts diverged between 2-10 persons.

When asked about the quality of the answer of an anti-counterfeiting solution, both experts agreed that a definite answer – whether the product is a counterfeit or not – would be a necessity. In contrast to that, the customs interview revealed that even an answer which gives a certain percentage level was satisfactory, since this would already constitute a better situation than before. The experts from the automotive industry, however, mentioned that a definite answer was important, especially due to liability issues.

Both experts appreciated the system’s possibility of bulk authentication, provided the authentication was reliable. They again voiced concerns with regard to products made from metal and interferences in the radio identification. According to one of the experts, bulk authentication should be performed everywhere in the supply chain.

Part IV – Outlook and Optional, Additional Questions

The last part of the interview guideline concerned itself with an outlook and optional questions. The experts were asked about counterfeiters’ countermeasures against the rule-based anti-counterfeiting framework. The first expert raised concerns in terms of attacks against the backend system. Counterfeiters could manage to hack into the database and could generate “right events” or manipulate events, thus disguising their counterfeit products as genuine. Another concern raised was that if the system was self-learning, it could be taught to accept counterfeits or injections as correct paths, which would be a great disadvantage of the system. Therefore, additional anti-counterfeiting strategies would be good to support the initial counterfeiting suspicion. The second expert mentioned that counterfeiters could become a legitimate industry partner and inject their counterfeits into the supply chain. Moreover, attacks on the backend system could be used in order to blackmail genuine manufacturers, when all the genuine parts would be “marked as counterfeits”.

The last questions were about the problem domain and the supply chain strategies currently employed by counterfeiters. Concerning the counterfeiters’ supply chains, the first expert assumes that the counterfeit spare parts are directly sold to end customers; however, he also stated that the knowledge about these processes is still limited. The second expert mentioned that all small companies have greater interests in trading with counterfeit spare parts, selling them as genuine. According to his knowledge, counterfeiters ship their merchandise without any nametags to free zones, where they are provided with tags. The distribution channels could then be very diverse, ranging from the licit supply chain to flea markets. There was no knowledge available regarding the number of “organizational units” of the counterfeit organization.

Luxury Goods Industry Evaluation

For the evaluation of the rule-based anti-counterfeiting approach, we interviewed anti-counterfeiting experts from a luxury goods company and from a luxury watches association.

Part I – Evaluation of the Approach

Both interviewed experts considered the rule-based approach as partially helpful. The first expert noted that the approach has drawbacks in detecting cloned tags: according to its overall history, the duplicate would still look plausible. However, he stated that it would nevertheless help to detect inconsistencies. The second expert mentioned various drawbacks of the rule-based approach in this industry. He based his estimation on the fact that there are many problems which are specific to his industry, such as the sales of perceptive counterfeits, i.e., corrupt retailers would knowingly sell, and end customers would knowingly buy, counterfeit products. Moreover, the supply chains in the luxury watch industry are generally very short, the volumes of luxury watches are small, and mostly there are few or no intermediaries at all. Moreover, customers of luxury watches might be confused or sceptical when detecting an RFID tag on a (mechanical) luxury watch.

When asked about the benefits of the approach, the experts mentioned the access to the history information of the tagged product, provided the information is shared between the supply chain partners. Moreover, the ability to track counterfeits back to their sources, the possibility to detect more counterfeits, and the possibility to keep the licit supply chain clean from counterfeits were mentioned as benefits of this approach. One expert, however, mentioned that this approach can only be used as a complement to existing anti-counterfeiting approaches.

In addition to the benefits, the experts were also asked about the potential difficulties of this approach: the first expert mentioned that an infrastructure (such as the EPCglobal network), which is not yet in place, is needed. Moreover, he mentioned the need to be connected online to this network for authentication, that a database needs to be managed, and that there is the need to be confident that the event data is correct (as opposed to, e.g., event data injected by counterfeiters or hackers). Since the data in the database is highly critical, it has to be made sure that the event data is not disclosed to unauthorized persons. In addition, a suitable way (algorithm) has to be found in order to distinguish genuine products from suspicious products and from items being considered as counterfeit. Finally, when manipulations happen after the item has been handed over to the customer (after the last point in the controlled supply chain), the brand owner does not have any information on what happens afterwards. The second expert mentioned that due to the short supply chains in the luxury watch industry, the small number of products shipped, and the fact that most counterfeits are bought perceptively (mostly outside licit supply chains), an electronically supported system such as the rule-based system might be less suitable than customer education or customer awareness raising.

The number of the supply chain partners in the supply chain depends very much on the company. Most supply chains in the luxury goods industry are fully integrated; most authenticated retailers also source directly from the brand owner / manufacturer.

When asked to rank the following criteria according to their importance, the experts ranked “security of the solution”, “detection rate”, and “feedback speed” as equally important. Scalability and read/write performance were ranked as secondary, mainly because of the relatively small numbers of products traded in this industry (as compared to the consumer goods and retail industry, for example). One expert mentioned that the system should be able to provide the answer to the authentication within 3-5 seconds.

Part II – Rule Specification

The experts mentioned that the “missing manufacturer event” would help to detect counterfeiters in most of the cases. This is due to the fact that most manufacturers deliver directly to the retailer and that the retailer system is quite selective. They argued, however, that a rule-set cannot be exhaustive and that only rough rules stating what should not happen can be specified.

The data to specify additional rules can be retrieved quite easily from the companies. Supply chain experts, for example, could specify these rules. In the luxury watch industry, however, not all companies have personnel who deal with the issue of counterfeiting.

When asked about the supply chain, the first expert stated that the supply chain and the business processes are dynamic and constantly changing, while the second expert estimated both to be rather stable in the luxury watch industry. The answers concerning the number of different paths for the products within the supply chain also diverged, ranging from 5 to 20; exceptions to the normal product handling occur rather seldom, since the number of products traded and shipped in one shipment is rather small and security measures for 10 watches worth 200.000 Euros, for example, are rather high.

Both experts agreed that one person would be necessary in terms of resources in order to formulate rules and to constantly maintain the rule-set. As for investments into such a system, the first expert stated that a comparable tracking system is already in place, whereas the second expert mentioned that such a system would become more interesting in the future, since the quality of counterfeits is constantly increasing, making it more difficult even for experts to distinguish them from genuine products, and making it more probable that counterfeiters can inject their illicit merchandise even into the licit supply chain. It will therefore become more important to know the complete trace of each product in the licit supply chain.

Part III – Current Status Evaluation

Both experts confirmed that their company / association tackles the problem of counterfeiting by employing a significant number of persons in this field. While the first expert stressed that every employee does anti-counterfeiting as part of their everyday job, the second expert mentioned that they have people employed in the technical service (four persons who verify the authenticity of the products manually) and in the legal service (6 persons working on confiscating products and giving advice to affected companies). Moreover, a special “task force Internet” looks on websites for obvious counterfeits and asks the operator to delete these offers from its website.

Regarding the output format of the anti-counterfeiting solution, both experts agreed that a 100% answer, whether the product is genuine or not, is important. In case the system can only give a percentage wise notification, it should range between 80-100% and the user should be provided with additional information. Probabilities below 70% would only be useful for external parties, such as customs, in order to give first indications for counterfeit activities.

Bulk authentication would be helpful in distribution centers, during shipping and receiving of items in parcels. However, since the quantities in the luxury watch industry are quite low, bulk authentication would not be of great support.

Part IV – Outlook and Optional, Additional Questions

When asked about ways to trick or circumvent the system, the experts mentioned attacks against the backend system and a switch to other countries, where they can build unofficial supply chains. Unscrupulous retailers could sell these products in countries with less control, even in the European Union.

Most of the counterfeits are directly sold to the end consumer, via the Internet, at holiday destinations, or on flea markets. There is no information about counterfeits being detected in licit distribution channels. Counterfeits are often sent in (spare) parts, often via free trade zones, and assembled at their destinations. The distribution channels are often distributed, and the retailers only order small numbers of products, mostly from China (moonshine production of a no-name manufacturer, labelled with a brand).

Part I – Evaluation

Pharmaceutical Industry Evaluation

The interviewed expert from the pharmaceutical industry evaluated the rule-based anti-counterfeiting framework as helpful in the combat against counterfeiting, because it can, as a tool, pinpoint counterfeit products among the masses of circulating items. In addition to that, further benefits can arise from the underlying track-and-trace infrastructure. Potential difficulties were also identified: rules need to be defined and definition errors could occur; it might moreover take some time until a rule-set is defined, since the necessary experience, which is still lacking, would first have to be gained. The rules should not be too strict so that the free trade in the EU is not constrained. In addition, the amount of data required for this approach is huge. The expert mentioned that their supply chain consists of 4-5 wholesalers and a network with more than 10.000 pharmacies. Therefore, and due to the security relevance of the traded products, the security of the solution and its detection rate were rated as the most important criteria for the approach, followed by the scalability, since 1.4 billion items are produced every year, and approximately 6 million events would have to be handled per day (worldwide). Moreover, the system would have to be able to follow the normal chain of events, containing actions such as manufacturing, packaging (box, pallet), clearance for shipping, shipping, receiving, unpacking, and sale.

Part II – Rule Specification

When asked about the specification of anti-counterfeiting rules, the expert could immediately formulate two exemplary rules, specific to his company. The first rule to be defined deals with the order of events of “normal items” from manufacturing, to packaging (box, pallet), clearance for shipping, shipping, receiving, unpacking, and sale. Every deviation from this order of events shall trigger an alert. The second rule takes advantage of the fact that the exact chain of events also depends on the product type. Moreover, there might be variations for products of the same type. The expert mentioned that the information to define such rules is in principle available. It is difficult, however, to gather the information in one central place in order to define the rules. He suggests first identifying the products for which rules should be specified, and ranking the products for which rules should be specified first. When asked whether there is a person who could specify such rules for the company or for the industry as a whole, he answered that it would be a cross-organizational effort, which requires the collaboration of production, distribution and supply chain experts, together with local experts from various countries. The rules would be specified on the lowest level, e.g., production in Germany in facility XY. He moreover mentioned that every company would be able to specify such rules on its own. While the supply chains are quite stable, he stated that this also depends on the markets and on competitive offers (regarding transportation, for example). Business processes are quite stable though.
When asked about the number of different paths which exist for their products in the supply chain (from manufacturing to sales disposal) he answered that there are 10 partners on the first stage of the supply chain, another 10 on the second stage of the supply chain, followed by other intermediaries and finally about 20.000 pharmacies (10*10*20.000*50 = 100 million paths). He also said that errors in product handling occur every day, even with the already deployed and tested matrix barcodes. Their goal is currently to reduce the error rate to a number below 1% of all tags (six sigma quality). When asked about the resources which would have to be used in order to formulate and to constantly maintain the rule set, he answered that the initial effort would be quite big, involving around 50-100 persons for one month, and that after that at least one supply chain expert to keep the rule base up to date and local support would be needed. In the light of the many unknowns like missing standards for data carrier and tracking, the expert stated that the company will start to invest in serialization and point of sale verification first. Rule-based approaches may be considered as a second step, once the down-stream partners in the supply chain agree to participate in product tracking. However, given the different interests of various supply chain players, this is only likely if a mandate is imposed or if there is a joint agreement across the industry and along all supply chain partners to use tracking.

Part II – Current Status Evaluation

The anti-counterfeiting expert from the pharmaceutical industry stated that compared to the current approaches in anti-counterfeiting, the bulk authentication would be a desired necessity, since the currently implemented combination of 2D barcodes and tamper-proof packaging does not allow for authentication without a line of sight. An answer which does not state with a hundred percent probability whether a product is authentic or not might help in the form of a ranking which pinpoints the most suspicious products. He considers a definite answer as too unrealistic. However, he makes a distinction between the output format for end consumers and for customs organizations or the company itself. For end consumers, a definite answer / decision must be avoided as the consumers need to know that there will never be 100% security, unless the customer purchases directly from the manufacturer, i.e. from a controlled source. However, as the latter might be in contrast to the European principles of free trade, a prioritization of free trade over patient protection is required through the regulator.

Part II – Outlook

When asked about counterfeiters’ countermeasures to the rule-based anti-counterfeiting framework, the expert answered that counterfeiters could try to enter and undermine the licit distribution channels, i.e. as suppliers, re-packagers, or even manufacturers. They could, however, also target other, less well protected products.

Part III – Optional, additional questions

The last block of questions dealt with questions regarding the current strategies of counterfeiters. According to his experience, counterfeiters are selling their products at all stages of the supply chain, including retailers and distributors. Reported cases show that counterfeits also surface in pharmacies. When asked about the employed strategies to evade detection and checks, he mentioned that it can be a mix of genuine and fake ingredients, transhipping, or the reuse of old packages.

Overall Summary of the Industry and Customs Organization Feedback

The industries’ feedback on the rule-based anti-counterfeiting framework was all-in-all positive. Anti-counterfeiting experts evaluate it as a good and efficient approach in the fight against counterfeiting, since industry- and company-specific rules can be defined in order to detect counterfeits early and thus deter their further propagation. Basic or general rules can be defined for industries or companies as a whole, which are then customized to the conditions of the companies. However, there are differences in the suitability / fit of the solution to the requirements of different industries, since specific properties such as the number of partners in the supply chain, its dynamism, its length, or legal mandates (towards track-and-trace) can differ between the industries. The customs organization especially emphasized the approach’s ability to automate the authenticity checks. They already use “rules” (see description above). They would not invest in such an infrastructure though, since they consider it the task of the copyright holder to do so. Detecting counterfeits early in the supply chain (with the support of the customs organization) can help to stop the intrusion / diffusion of counterfeits.

4.4 Statistical Approaches

BRIDGE D5.4 detailed the two statistical approaches that are developed in WP5 for detecting cloned tags from track and trace data. These approaches are the so called Stochastic Supply Chain Model (SSCM) and the Hidden Markov Model (HMM). This subsection presents the evaluation of these approaches based on two simulation studies (Experiments I and II). The SSCM approach was improved based on results from the first experiment and the improved version of the SSCM approach was evaluated in the second experiment. The HMM approach was excluded from the second experiment due to its poor performance in the first experiment.

The focus of the presented experiments is on detection of cloned tags that appear in supply chains simultaneously with the corresponding genuine tags. Cloned tags that appear before the corresponding genuine products are manufactured or after they are consumed are not considered because they can be detected with simple rules. The experiments are detailed below.

• Experiment I: Preliminary evaluation of SSCM and HMM approaches based on a hypothetical supply chain. (Results published in International Workshop on Security for Spontaneous Interaction, IWSSI 2007 [20].)

• Experiment II: Detailed evaluation of the improved SSCM approach based on a real-world pharmaceutical supply chain, i.e. the BRIDGE WP6 supply chain. (Results published in 2009 IEEE International Conference on RFID [21].)

4.4.1 Experiment I

Figure 23. The first version of the Stochastic Supply Chain Model (SSCM)

To estimate the probability that an event is generated by a genuine tag (and not by a cloned tag), we train a discrete-time stochastic supply chain model (SSCM) based on traces of genuine products. This model captures the time and location statistics of the process by which the underlying supply chain generates track and trace events, and it is illustrated in Figure 23 (for details, see BRIDGE D5.4). The SSCM has two operating modes denoted c1 and c2. In mode c1 the final decision variable (confidence value) is calculated by multiplying all transition probabilities of a trace. The reasoning is that the transition probabilities of a trace that is corrupted by a cloned product have multiple unlikely elements. In mode c2 the decision variable is the minimum of all transition probabilities of a trace. The reasoning behind this operating mode is that a cloned tag is characterized by a single improbable event in a trace. In addition, the SSCM can either take into account the location information of a trace (L), the time information of a trace (T), or both of them (L & T). This leads to six different parameter settings that are all tested within the experiment (e.g. c1(T), c1(L), ...).

The statistical approaches are studied by simulating the flow of products in a generic pharmaceutical supply chain. The hypothetical pharmaceutical supply chain starts from the manufacturing level and ends with the patient, who gets the drug product from the retail level, which consists of pharmacies and hospitals. Between these levels there are wholesalers who buy, sell and repackage the drug products. Furthermore, this experiment assumes that the tracing data is not complete: only half of the supply chain partners capture and share it, and the assumed read rates are 98%.

The simulated supply chain is presented in Figure 24. Node 1 represents the production line where the products obtain unique ID numbers and node 2 the manufacturer’s warehouse. Nodes 3-10 represent the wholesale level, including repackaging (node 6). We consider two levels of pharmaceutical wholesalers, central warehouse level (nodes 3-5) and regional warehouse level (nodes 7-10) [19]. Arrows indicate the possible ways in which products can flow among the different players. When a product enters a node, it waits a random time between minimum and maximum waiting times that are specific to each node, and moves to a new node according to the node’s state transition probabilities. The average lead time from manufacturer to patient in the model is one and a half months.

Figure 24. The simulated supply chain in Experiment I. Node S1 represents the manufacturer and node S17 the consumer. The percentages represent reading rates in corresponding nodes.

We assume that the manufacturer and half of the supply chain partners share the location data. The assumed read rates of RFID readers are 98%. In addition, we assume that 50% of products that enter the final node are observed, corresponding to capturing and sharing the point-of-sales and point-of-use data.

EXPERIMENT I: FACT SHEET

Supply Chain: Hypothetical (pharmaceutical)
Tracing Data Granularity: One event per supply chain location
Time Step Granularity: One time step = 1 day
Number of Products: 30,000 genuine, 600 counterfeit (2%)
Simulated Time: 90 days
Monte-Carlo Iterations: 10 (Matlab)

We run simulations during a three month period (90 days), one time-step corresponding to one day. The manufacturer produces 30,000 genuine products during month one, 1000 products a day. We inject 300 copied products randomly in the wholesale level in each of month 1 (Lot A) and month 2 (Lot B). All 600 copied products have different identities, copied from the genuine products. In about 10% of the cases, a genuine product and its clone are observed in two different locations during one time step. These collided products are omitted from the results.

We train our models with data simulated by the same supply chain model that is used in the testing phase. The results are presented as the hit rate (ratio of corrupted traces detected) versus the false alarm rate (ratio of uncorrupted traces classified as corrupted). The results are averaged from 10 Monte-Carlo iterations that include training the models. The simulator is implemented in Matlab using the HMM toolbox (footnote 2).

The parameters of the SSCM are trained from 300 products. The state transition probabilities are estimated by a priori state transition probabilities of the training data, and the waiting time distributions of each node are estimated by uniform distributions matched between the smallest and largest observed waiting times. A very small probability is given to state transitions and waiting times that are not observed in the training data. The HMM classifier is trained from 600 traces, including 300 uncorrupted traces and 300 traces corrupted by clones injected before, simultaneously, and after the production of the genuine products. 40% of the training data of the HMM classifier is used in validation to find the optimal amount of training iterations (footnote 3).

Table 3. Hit rates for different lots of cloned tags (counterfeit products) from Experiment I at 1% false alarm rate

| Approach | Lot A (Month 1) | Lot B (Month 2) | Lot A+B |
|---|---|---|---|
| SSCM, c1(L) | 8% | 16% | 12% |
| SSCM, c1(T) | 16% | 9% | 13% |
| SSCM, c1(T & L) | 20% | 20% | 20% |
| SSCM, c2(L) | 46% | 37% | 42% |
| SSCM, c2(T) | 29% | 40% | 35% |
| SSCM, c2(T & L) | 27% | 42% | 35% |
| HMM | 18% | 26% | 22% |

The results of the simulator study are presented in Table 3. The general finding is that some of the cloned tags can be detected from incomplete trace data when the underlying process that generates the observations is modeled. In the SSCM approach, the mode that uses the minimum of the set of state transition and waiting time probabilities (c2) performed better than the mode that chains these probabilities (c1). This indicates that it is better to search for cloned tags by looking for single unlikely observations than multiple unlikely observations. Combining location and time information (T & L) yielded somewhat better results for detection of cloned tags from Lot B and for the c1 mode in general, but overall time information could not be used to improve the detection rates in this experiment.

Footnote 2: Kevin Murphy. Hidden Markov Model (HMM) Toolbox for Matlab. http://www.cs.ubc.ca/~murphyk/Software/HMM/hmm.html

Footnote 3: We observed that the HMM classifier gave best results with five hidden states per model, suggesting that hidden states correspond to the levels of the modelled supply chain.

The HMM approach underperforms compared to the SSCM approach. Overall, being able to detect only about 22% of cloned tags within the experiment, the HMM classifier does not give satisfactory results, especially given its complexity and the bigger amount of training data compared to the SSCM approach. As a result, we conclude that HMM does not seem to be a suitable method for detecting cloned tags from track and trace data.

In this experiment, both methods appeared to be somewhat prone to false alarms – achieving high hit rates appeared to be possible only through high false alarm rates. It must be noted, however, that the poor general performance in this experiment is mostly caused by the assumed holes in the tracing data (only half of the supply chain partners capture and share events, read rate 98%).

4.4.2 Experiment II

In the improved SSCM, each physical location of the supply chain is represented by three states corresponding to receiving, internal, and shipping operations. The SSCM is trained from RFID traces and therefore only locations where products are scanned are present in the SSCM. The resulting model is flexible and intuitive and it has enough degrees of freedom to capture the essential statistics of how single products flow in supply chain networks. The improved SSCM is exemplified in Figure 25.

It is worth noting that if the SSCM used state transition probabilities from a state to itself to define the time a product stays in a state instead of the waiting time PDFs, the model would be a time-independent first-order discrete time Markov chain (DTMC). However, we have opted for defining the waiting time distribution because it allows for flexible modeling of the supply chain’s time dynamics (i.e. in DTMC the waiting time distribution is fixed while in SSCM it can have any form).

EXPERIMENT II: FACT SHEET

Supply Chain: Real world (pharmaceutical)
Tracing Data Granularity: Three events per supply chain location
Time Step Granularity: One time step = 3 hours
Number of Products: 10,500 genuine, 224 counterfeit (2%)
Simulated Time: 60 days
Monte-Carlo Iterations: 10 (Matlab)

Figure 25. The improved Stochastic Supply Chain Model (SSCM)

The probabilistic reasoning behind the SSCM approach is revisited below. In general, the location-based authentication system evaluates transition probabilities ($P_{tr}$) between events. A transition probability stands for the probability that a genuine product makes the transition defined by two events. When we denote event $i$ as $E_i$, the transition probability $P_{tr}$ from $E_i$ to a consecutive event $E_{i+1}$ can be presented as $P_{tr} = \Pr(E_{i+1} \mid E_i, E_{i-1}, \ldots, E_1)$. As a result, the authentication rule can be formalized as follows. Event $E_{i+1}$ is generated by a genuine product if:

$$\Pr(E_{i+1} \mid E_i, E_{i-1}, \ldots, E_1) > \varepsilon.$$

The transition probability of the first event ($i = 1$) in a product’s trace can be estimated by introducing a so-called “zero-event”. In this way, the transition probability of the first event is given by $\Pr(E_1 \mid E_0)$. By limiting the locations where this probability is non-zero, the system defines a limited secure environment where new products are allowed to occur (e.g. a manufacturer’s packaging line).

By assuming that the transition probability depends only on the last event (no path dependency), that time and location of new events are mutually independent, that locations of new events do not depend on time of past events, that time delays are independent of the absolute time, and by denoting events as location and time pairs (E = (l,t)), the transition probability can be reformulated as follows:

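$$
\begin{aligned}
P_{tr} &= \Pr(E_{i+1} \mid E_i) \\
&= \Pr(l_{i+1}, t_{i+1} \mid l_i, t_i) \\
&= \Pr(l_{i+1} \mid l_i) \cdot \Pr(t_{i+1} \mid l_i, t_i) \\
&= \Pr(l_{i+1} \mid l_i, t_i) \cdot \Pr(t_{i+1} \mid l_i, t_i) \\
&= P_{i,i+1} \cdot \Pr(\Delta T_i = t_{i+1} - t_i) > \varepsilon
\end{aligned}
$$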

For $E_i$, $i > 1$, SSCM enables evaluation of a location transition probability ($P_{i-1,i}$) and a time transition probability ($\Pr(\Delta T_{i-1} = t_i - t_{i-1})$). We denote these methods as $\mathrm{SSCM}_L$ and $\mathrm{SSCM}_T$, respectively, and we compare their performance in a simulation study. For the first event in a trace, $E_1$, only the location transition probability is defined. Now the authentication rule can be rewritten in two new ways. Event $E_{i+1}$ is generated by a genuine product if:

$\mathrm{SSCM}_L$: $P_{i,i+1} > \varepsilon$

$\mathrm{SSCM}_T$: $\Pr(\Delta T_i = t_{i+1} - t_i) > \varepsilon$

The value of ε defines the trade-off between the ratio of events of cloned tags that are detected (hit rate) and the ratio of events of genuine products classified as generated by cloned tags (false alarm rate). The value of ε can be optimized only by setting a cost for false alarms and a value for hits. In practice, minimization of false alarms might be wanted and hence ε can be set to the smallest transition probability of genuine products within the training data.

Missing reads can trigger unwanted false alarms in the clone detection system and thus decrease the reliability of the results. As a partial solution, the SSCM can be used to detect missing reads in RFID traces with a data filtering technique developed in WP5. The logic behind the filtering algorithm is explained in the fact sheet below. The resulting data processing steps of the clone detection approach are as follows:

1. Train the supply chain model with training data,

2. Filter the testing data set to find missing reads,

3. Evaluate $P_{tr}$ for all events in the filtered data, and

4. Raise an alarm if $P_{tr}$ is below a threshold.
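Steps 1, 3 and 4 above (the filtering step is left out), as an added Python example that is not code from the BRIDGE report or its Matlab simulator: it trains location transition probabilities and uniform waiting-time ranges from genuine traces, applies the location rule (SSCM_L) and the time rule (SSCM_T) per event with the zero-event for the first read, and also computes the trace-level c1 and c2 values described for Experiment I. The function names, the value of `UNSEEN` and the sample traces are assumptions constructed for illustration.

```python
import math
from collections import Counter, defaultdict

ZERO = "E0"     # "zero-event": virtual predecessor of the first read in a trace
UNSEEN = 1e-6   # assumed value for the "very small probability" of unseen cases


def train(traces):
    """Step 1: fit the model to genuine traces.

    A trace is a time-ordered list of (location, time_step) read events.
    """
    counts, waits = defaultdict(Counter), {}
    for trace in traces:
        prev_loc, prev_t = ZERO, None
        for loc, t in trace:
            counts[prev_loc][loc] += 1
            if prev_t is not None:
                dt = t - prev_t
                lo, hi = waits.get(prev_loc, (dt, dt))
                waits[prev_loc] = (min(lo, dt), max(hi, dt))
            prev_loc, prev_t = loc, t
    loc_p = {a: {b: n / sum(c.values()) for b, n in c.items()}
             for a, c in counts.items()}
    return {"loc": loc_p, "wait": waits}


def score(model, trace):
    """Step 3: per event, the pair (P_{i,i+1}, Pr(dT_i = t_{i+1} - t_i)).

    The time term is None for the first event, where only location is defined.
    """
    out, prev_loc, prev_t = [], ZERO, None
    for loc, t in trace:
        p_loc = model["loc"].get(prev_loc, {}).get(loc, UNSEEN)
        p_time = None
        if prev_t is not None:
            lo, hi = model["wait"].get(prev_loc, (1, 0))  # empty range if unseen
            # Uniform over the observed waiting-time range, in discrete steps.
            p_time = 1.0 / (hi - lo + 1) if lo <= t - prev_t <= hi else UNSEEN
        out.append((p_loc, p_time))
        prev_loc, prev_t = loc, t
    return out


def column(model, trace, method):
    """Location ("L") or time ("T") probabilities of all events in a trace."""
    col = 0 if method == "L" else 1
    return [p[col] for p in score(model, trace)]


def alarms(model, trace, eps, method="L"):
    """Step 4: indexes of events whose SSCM_L / SSCM_T probability is below eps."""
    return [i for i, p in enumerate(column(model, trace, method))
            if p is not None and p < eps]


def smallest_training_prob(model, traces, method="L"):
    """Epsilon that raises no alarm on the training data: its smallest probability."""
    return min(p for tr in traces for p in column(model, tr, method)
               if p is not None)


def confidence(model, trace, mode="c2", use="LT"):
    """Experiment I trace-level value: c1 = product, c2 = minimum of the terms."""
    terms = [p for pair in score(model, trace)
             for p, kind in zip(pair, "LT") if kind in use and p is not None]
    return math.prod(terms) if mode == "c1" else min(terms, default=1.0)


# Constructed sample data: M = packaging line, W1/W2 = wholesalers, P = pharmacy.
GENUINE = [
    [("M", 0), ("W1", 3), ("P", 6)],
    [("M", 0), ("W1", 4), ("P", 8)],
    [("M", 1), ("W2", 5), ("P", 7)],
    [("M", 2), ("W1", 5), ("P", 9)],
]
# The ID of a product travelling M -> W1 -> P is also read at W2 (the clone).
CLONED = [("M", 0), ("W1", 3), ("W2", 5), ("P", 7)]
# A trace whose first read lies outside the secure environment (not at M).
NO_ORIGIN = [("W1", 2), ("P", 5)]

if __name__ == "__main__":
    model = train(GENUINE)
    eps = smallest_training_prob(model, GENUINE, "L")
    print("epsilon for SSCM_L:", eps)
    print("SSCM_L alarms, cloned trace:", alarms(model, CLONED, eps, "L"))
    print("SSCM_L alarms, no origin:", alarms(model, NO_ORIGIN, eps, "L"))
    print("c1(L) / c2(L), cloned trace:",
          confidence(model, CLONED, "c1", "L"), confidence(model, CLONED, "c2", "L"))
```

In the constructed cloned trace the genuine read at P that follows the cloned read raises no alarm because W2 to P is itself a valid transition; the report excludes events that directly follow a cloned read from its results.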

We evaluate the proposed methods with a simulation study of a real-world pharmaceutical supply chain. We measure the hit rate, i.e. how often events created by cloned tags are detected (system raises an alarm), versus the false alarm rate, i.e. how often alarms are triggered by events of genuine tags. The resulting trade-off is presented as a Receiver Operating Characteristics (ROC) curve that characterizes the selectivity of a classifier. In a real-world anti-counterfeiting application, only very small false alarm rates can be tolerated because the number of read events that the genuine products generate is very high.

Only the first events generated by the cloned tags are considered in the results. The reason is that the simulated supply chain handles both counterfeit and genuine products in an identical way, so the further events generated by cloned tags have identical statistics to events of genuine products. Thus the results indicate how reliably the cloned tags can be detected as soon as they enter the supply chain. In addition, those events of genuine products that are directly preceded by events from cloned tags are excluded from the results.

The simulation study was conducted with a simulation model of the real-world pharmaceutical supply chain from BRIDGE WP6. This chain involves nine different organizations in the UK and Holland, including three manufacturers, a contract packer, distributors, a pre-wholesaler, and a wholesaler that supplies a hospital pharmacy in a major London hospital [22]. The products that flow through this supply chain are equipped with printed Data Matrix codes that store serialized ID numbers. Single packs are aggregated into cases and pallets that have both RFID tags and Data Matrix codes. The pallets are scanned in 20 read stations in different supply chain locations to generate track and trace events. The average lead time from production to hospital is about 40 days, varying between approximately one week and two months. The supply chain is illustrated in Figure 26.

FILTERING ALGORITHM TO DETECT MISSING READ EVENTS: FACT SHEET

Reader devices that have a below 100% read rate create “ghost routes” that are observed as small transition probabilities that do not correspond to real world transitions. A filtering algorithm detects when a product is moving along such a “ghost route”.

When a transition probability is low (e.g. from A to C), the filtering algorithm can search for a more probable alternative route that is obtained by including a new read event between the existing events. If the probability of the new route (e.g. from A to B to C) is higher than a threshold, the new event (in B) is added to the trace. The number of missing consecutive read events that the filter can add is called the order of the filter. Filters of all orders can be described by three parameters: i) maximum transition probability (threshold) between the existing events, ii) minimum time difference (threshold) between the existing events, and iii) minimum geometric mean (threshold) of transition probabilities of the new route. The first two parameters define when the filter is allowed to add missing reads between existing events and the third parameter limits the addition of new routes that are too unlikely.
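The filter described in this fact sheet, written out as an added Python example (not the WP5 implementation): for each low-probability transition it searches for a more probable route with up to `order` inserted reads and accepts it only when all three thresholds are met. The exhaustive route search, the even spacing of inserted timestamps, the threshold values and the transition table are assumptions; the report does not specify them.

```python
import itertools
import math

# Constructed transition probabilities, as learned from traces with missed reads.
# The real flow is R1 -> R2 -> R3 -> R4; R1->R3, R1->R4 and R2->R4 are
# "ghost routes" that exist only because a reader in between missed the tag.
P_GHOST = {
    "R1": {"R2": 0.97, "R3": 0.029, "R4": 0.001},
    "R2": {"R3": 0.98, "R4": 0.02},
    "R3": {"R4": 1.0},
    "R4": {},
}


def geometric_mean(probs):
    return math.prod(probs) ** (1.0 / len(probs))


def best_route(P, a, c, order):
    """Most probable route a -> b1 .. bk -> c with 1 <= k <= order.

    Routes are ranked by the geometric mean of their transition probabilities;
    routes containing a transition never seen in training are skipped.
    """
    best, best_gm = None, 0.0
    for k in range(1, order + 1):
        for mids in itertools.permutations(sorted(P), k):
            hops = [a, *mids, c]
            probs = [P.get(x, {}).get(y, 0.0) for x, y in zip(hops, hops[1:])]
            if all(probs) and geometric_mean(probs) > best_gm:
                best, best_gm = list(mids), geometric_mean(probs)
    return best, best_gm


def filter_trace(P, trace, order=1, p_max=0.05, dt_min=2, gm_min=0.5):
    """Insert presumed missing reads into a trace of (location, time_step) events.

    p_max  : i)   the filter may act only if the direct transition is this unlikely
    dt_min : ii)  ... and the two existing events are at least this far apart
    gm_min : iii) the alternative route needs at least this geometric mean
    Returns (filtered_trace, inserted_events).
    """
    out, added = list(trace[:1]), []
    for (a, ta), (c, tc) in zip(trace, trace[1:]):
        p_direct = P.get(a, {}).get(c, 0.0)
        if p_direct <= p_max and tc - ta >= dt_min:
            mids, gm = best_route(P, a, c, order)
            if mids and gm >= gm_min:
                for j, b in enumerate(mids, start=1):
                    # Assumption: inserted reads are spaced evenly in time.
                    event = (b, ta + round((tc - ta) * j / (len(mids) + 1)))
                    out.append(event)
                    added.append(event)
        out.append((c, tc))
    return out, added


if __name__ == "__main__":
    one_miss = [("R1", 0), ("R3", 8), ("R4", 12)]   # read at R2 missed
    two_miss = [("R1", 0), ("R4", 12)]              # reads at R2 and R3 missed
    backwards = [("R3", 0), ("R1", 6)]              # no plausible route exists
    print(filter_trace(P_GHOST, one_miss, order=1))
    print(filter_trace(P_GHOST, two_miss, order=1))  # unchanged
    print(filter_trace(P_GHOST, two_miss, order=2))  # both reads restored
    print(filter_trace(P_GHOST, backwards, order=2)) # unchanged, stays suspicious
```

A transition with no plausible alternative route is left untouched, so it still reaches the clone detector as a low-probability event.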

Figure 26. The simulated WP6 supply chain (R denotes a reader device)

In the studied supply chain, traces of products begin either at the manufacturer’s production line or at the contract packer’s packaging line. Products are shipped to the wholesaler in pallets and the wholesaler uses a ”pick, scan, and drop process” to fill boxes that fulfill the pharmacy’s orders. The wholesaler delivers products to the hospital pharmacy 2-6 times a day according to orders. The last event in a product’s trace occurs when it is scanned in to the hospital pharmacy’s inventory, after which the products are identified based on the non-serialized EAN-13 bar codes.

We have built a model of the WP6 supply chain in our own supply chain simulator. The simulator works with three hour long discrete time steps. The model is built based on documentation [22] and interviews and it has been validated with direct feedback and example track and trace data. In the simulator, each supply chain node is represented by three different locations corresponding to the business steps of receiving, internal processes, and shipping. The time an object spends in these locations is given by a uniform distribution. If the product enters a location where there is a reader device, and no read error occurs, a track and trace event is generated. The transitions between the supply chain nodes are determined by transition probabilities. The transition times between the nodes are deterministic and estimated from the distances and transport methods (ship or truck).

The times that logistic units spend in different locations could not be accurately modeled since the real lead time distributions were not precisely known. However, more accurate modeling of the real-world lead times is not likely to affect the results. In addition, because we evaluate the transition probabilities without taking into account correlations among different products’ traces, the simulator treats all logistic units as independent from each other, which means that for example aggregation events are not modeled.

One simulator run generates and analyzes one example set of RFID traces. In each run, all three manufacturers produce 500 tagged products per day during days 1 to 7. This creates 10,500 genuine products and more than 130,000 possible read events. During days 8 to 35, 8 counterfeit products are injected into randomly chosen non-manufacturer supply chain locations per day, constituting a total of 224 counterfeit products (resulting in a 2% counterfeit market share, a high but possible value for seriously infiltrated markets). The counterfeit products have ID numbers of randomly chosen genuine products so the events they generate appear in traces of 224 different genuine products. The simulation stops after 60 days. In some rare cases a counterfeit and a genuine product with the same ID are both scanned during the same time step. These cases are not considered in the results.

The results are calculated from the average ROC curves of 10 Monte Carlo iterations (i.e. simulator runs). Every iteration yields a number of discrete points in the ROC curve and a continuous curve is drawn by interpolating. The SSCM is trained in every iteration from the training data set and the waiting time distributions in the SSCM are uniform distributions between the smallest and biggest observed waiting times in that business location. The following tests are performed:

• Test 1: The performance of filtering algorithm in finding missing reads from trace data without cloned products with read rates 99.9%, 99.0%, 95%, and 90%, with training data size of 1000 traces.

• Test 2: The performance of $\mathrm{SSCM}_L$ and $\mathrm{SSCM}_T$ with read rates 99.9%, 99.0%, 95%, and 90%, with training data size of 300 traces.

• Test 3: The performance of $\mathrm{SSCM}_L$ with training data size 1000, 300, 100, and 50 traces, and read rates 99.9% and 99%.

• Test 4: The performance of filtering and $\mathrm{SSCM}_L$ with 99% read rate and with training data size of 300 traces.

Results of Test 1 show that our filtering algorithm is able to detect up to 86% of missing read events, depending on the read rate and the filter order (cf. Table 4). In practice this means, for example, that the effective read rate can be increased from 99.0% to 99.84%. The second-order filter is able to detect more missing reads than the first-order filter when the read rate decreases, because of the greater number of consecutive read errors. Moreover, the filter parameters were defined empirically, which leaves room for optimization.

Table 4. Number of missing read events with different filters

| Read Rate | No Filter | 1st Order Filter | 2nd Order Filter |
|---|---|---|---|
| 99.9% | 160 (100%) | 23 (14%) | 23 (14%) |
| 99.0% | 1392 (100%) | 246 (18%) | 228 (16%) |
| 95.0% | 6875 (100%) | 1541 (22%) | 1207 (18%) |
| 90.0% | 13920 (100%) | 4262 (30%) | 2821 (20%) |

Results of Test 2 show that the location-based SSCML is much more reliable in detecting cloned tags than the time-based SSCMT (Figure 27). Overall, SSCML provides reliable detection results, though the hit rates at zero false alarm rate are less than 30%. Analysis of false alarms of SSCML reveals that in cases when the cloned tag is injected into the location where the genuine product is expected, the cloned tag was not detected (miss) and the genuine product generated a false alarm. The tested SSCMT method is very prone to false alarms and thus it is not suitable in the studied clone detection application, but the form of the ROC curve confirms that the transition times also carry information that distinguishes events generated by cloned tags from normal events. The results of Test 2 also confirm that missing reads decrease the performance of the studied clone detection methods.

Figure 27. Results of Test 2: ROC curves for SSCML (left) and for SSCMT (right) based clone detection. The curves show that SSCML is much more reliable than SSCMT in detecting cloned tags, and that missing reads decrease the performance of both these methods. (Note the different scales on the x-axis.)

Figure 28. Results of Test 3: ROC curves for SSCML with 99.9% (left) and 99% (right) read rates. The curves show that increasing the amount of training data (more accurate modeling of the supply chain) is important for reliable detection of cloned tags as the number of missing reads increases.

Figure 29. Results of Test 4: ROC curves (left) and posterior distributions (right) of non-filtered and filtered traces for SSCML with 99% read rate. The curves show that our filtering algorithm that detects missing reads can provide a dramatic increase to the hit rate with small false alarm rates.

Results from Test 3 show that increasing the amount of training data improves the reliability of SSCML in the presence of missing reads (Figure 28). When the number of missing reads is small, a small amount of training data is enough for accurate modeling of the underlying supply chain. When the number of missing reads increases, more and more "ghost routes" appear and more training data is needed to capture them. This indicates that precise modeling of the supply chain contributes to reliable detection of cloned tags.

Results from Test 4 show that our filtering algorithm decreases the number of false alarms caused by missing reads, increasing the hit rate at zero false alarm rate from zero to ca. 80% (Figure 29). Analysis of misses reveals that in some rare cases the filter adds an event before the first event of a cloned tag, causing the miss. However, the overall effect of filtering is clearly positive. The posterior distribution in Figure 29 proves this by showing that the filtering algorithm increases the probability that an alarm is generated by a counterfeit product by about 50% at small false alarm rates.
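The following added example (not code from the report or from the BRIDGE simulator) sketches in Python how a location-transition model trained on clone-free traces flags abnormal events, and how a first-order missing-read filter removes a false alarm. The training traces, location names, alarm threshold and the exact filter rule are assumptions made for illustration; waiting times are not modeled.

```python
from collections import defaultdict

# Constructed, clone-free training traces (location names are illustrative).
TRAINING_TRACES = [
    ["manufacturer", "wholesaler", "distributor", "pharmacy"],
    ["manufacturer", "wholesaler", "distributor", "hospital"],
    ["manufacturer", "distributor", "pharmacy"],
] * 20


def train_transitions(traces):
    """Estimate P(next location | current location) from training traces."""
    counts = defaultdict(lambda: defaultdict(int))
    for trace in traces:
        for src, dst in zip(trace, trace[1:]):
            counts[src][dst] += 1
    return {
        src: {dst: n / sum(dsts.values()) for dst, n in dsts.items()}
        for src, dsts in counts.items()
    }


def prob(model, src, dst):
    """Transition probability; 0.0 for a transition never seen in training."""
    return model.get(src, {}).get(dst, 0.0)


def fill_missing_reads(model, trace):
    """Assumed first-order filter: if src->dst was never observed but a single
    intermediate location makes src->mid->dst possible, insert the most
    likely mid as an inferred (missed) read."""
    if not trace:
        return []
    out = [trace[0]]
    for dst in trace[1:]:
        src = out[-1]
        if prob(model, src, dst) == 0.0:
            bridges = {
                mid: p * prob(model, mid, dst)
                for mid, p in model.get(src, {}).items()
            }
            best = max(bridges, key=bridges.get, default=None)
            if best is not None and bridges[best] > 0.0:
                out.append(best)
        out.append(dst)
    return out


def abnormal_transitions(model, trace, threshold=0.01, use_filter=True):
    """Return the transitions whose probability is below the alarm threshold."""
    if use_filter:
        trace = fill_missing_reads(model, trace)
    return [
        (src, dst)
        for src, dst in zip(trace, trace[1:])
        if prob(model, src, dst) < threshold
    ]


MODEL = train_transitions(TRAINING_TRACES)

# Constructed traces, each the merged read events of one product ID.
MISSED_READ = ["manufacturer", "wholesaler", "pharmacy"]  # distributor read lost
CLONE = ["manufacturer", "wholesaler", "distributor", "pharmacy", "wholesaler"]

if __name__ == "__main__":
    for name, trace in [("missed read", MISSED_READ), ("clone", CLONE)]:
        print(name,
              abnormal_transitions(MODEL, trace, use_filter=False),
              abnormal_transitions(MODEL, trace, use_filter=True))
```

The filter repairs `MISSED_READ` whether the gap came from a lost read or from a cloned tag first read one hop ahead of the genuine product, which is the rare miss described for Test 4.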

4.4.3 Discussion and Limitations

Compared to other published results, the achieved above-95% hit rates at below-0.2% false alarm rates (cf. Figure 27) indicate reliable detection of cloned tags. In an RFID-based access control system, cloned tags were detected with hit rates of 76%-46% at false alarm rates of 8.4%-2.5% [18]. The results of our simulation study confirm that the majority of cloned tags appear as abnormal events in RFID traces as soon as the tags enter the supply chain. This means that anomaly-based intrusion detection system techniques that are widely used to secure IT systems can be applied to detecting counterfeit products from track and trace data. Also missing reads that are common in today’s RFID systems cause abnormal events and thus create false alarms, but they can be mitigated by our filtering algorithm that is able to detect up to 84% of missing reads. Moreover, our study shows that accurate modeling of the underlying supply chain contributes to reliable detection of cloned tags. The time transition probabilities did not perform well in clone detection, but we still believe that event times include information that an optimal location-based authentication system should make use of.

The training data set needs to have an adequate quality by including all allowed transitions and no cloned tags. Instead of training the SSCM, a supply chain manager could alternatively set up the SSCM manually by selecting all allowed transitions and estimating the time distributions.

The concept of location-based authentication is not without limitations. If two products with the same ID are in the same location, a location-based authentication system cannot conclude which product is the genuine one. In addition, the system can generate false alarms that end-users need to deal with. Despite these limitations, the presented method presents a major complication to counterfeiters who want to inject counterfeit products into a licit supply chain. Most importantly, this countermeasure is based on processing of track and trace data, which does not increase the tag price and the tag reading time.

4.4.4 Summary

This subsection presents an evaluation of statistical approaches to detect cloned tags from RFID traces. The presented techniques enable detection of counterfeit products in supply chains where single products are traced. The results of our simulation study of a real-world pharmaceutical supply chain of BRIDGE WP6 confirm that only in very exceptional cases do cloned tags fail to create unexpected events that can be detected. This finding implies that detection-based security measures have a very big potential to reliably detect cloned tags in supply chains. Furthermore, we present a high-level event filtering technique to detect missing reads that constitute the biggest cause of false alarms in our clone detection application. Overall, the presented methods provide a considerable level of protection against serialized counterfeit products that enter a supply chain, without the need for cryptographic tags.

5 Summary and Outlook

This report presents a comprehensive evaluation of the RFID and track-and-trace based anti-counterfeiting solutions developed and prototyped within this work package. Five anti-counterfeiting solution approaches were evaluated using various evaluation criteria, ranging from feedback speed and scalability criteria, through simulation studies, to interviews conducted with customs organizations and affected companies.

The findings show that detecting cloned RFID tags appears attractive for securing commercial RFID applications, since it does not require more expensive and energy-thirsty cryptographic tags. Serialized Tag ID (TID) numbers currently provide a practical hurdle against cloning, but this is not real protection and can be overcome with a 10 EUR impersonation device. Serialized TID numbers do not provide any sustainable long-term solution for tag cloning, but only a temporary solution before stronger tag authentication techniques. In the so-called war of escalation between counterfeiters and anti-counterfeiters, the next stage of protecting the licit supply chain from fake products could be statistical anti-counterfeiting approaches. With these approaches in place, the majority of cloned tags appear as abnormal events in RFID traces as soon as the tags enter the supply chain. Our filtering algorithm is able to detect the majority of missing reads. As a result, detection-based security measures have a very big potential to reliably detect cloned tags in supply chains, but the system can generate false alarms. From the simulation study of the Synchronized Secrets Prototype we learned that the number of manual verifications with the synchronized secrets method would be very small, that the overhead time can limit the usability of the presented method, and that only very few cloning attacks would go completely unnoticed; if the scan rate is low, however, the counterfeit product can already be consumed before the alarm is triggered. The rule-based anti-counterfeiting framework proved to be a scalable and fast approach to help customs organizations and affected companies enable mass authentication and give counterfeit indications, thereby supporting anti-counterfeiters in “finding the needle in the haystack”. However, the approach depends on anti-counterfeiting rules, created and maintained by the company or industry. According to findings from the industry interviews, this is also where its strength lies, since the rules can be defined to fit the company’s or industry’s requirements.

The overall findings show that brand owners can gain a considerable edge against counterfeiting while using the presented solution approaches. Though we cannot entirely prevent counterfeit insertions, our solution makes them much less attractive. In fact, counterfeits can only be injected if they carry an RFID tag that is indistinguishable from a valid tag. Creating two indistinguishable tags can be achieved by tag cloning, that is, copying a valid EPC from one tag to another, rendering two tags with the same EPC. Even in the protected supply chain, an illicit actor can replace original products by counterfeits that carry RFID clones of the originals. But since the protected supply chain detects duplicate EPCs, an illicit actor could only pass on either the counterfeit or the original product, but never both. Therefore, the only way for an illicit actor to realize a profit out of counterfeit insertions is to sell the original products to illicit, unprotected markets, where no product traces are recorded. Such markets are likely to render less profit and may require more effort. In the trade-off between risk, profit, and effort, protected supply chains become much less attractive to illicit actors.

In the next deliverable, Application Guideline and Implementation Roadmap, we will provide companies affected by counterfeiting with a comprehensive manual of how to deploy the presented RFID and track-and-trace solutions for the combat against counterfeiting. Affected companies will moreover learn how to fight in the “war of escalation” using the different presented solution approaches.

References

[1] Asanghanwa, E.: Product Counterfeiting Made Easy. And Why it’s so Difficult to Prevent. Atmel White Paper. http://www.rsaconference.com/uploadedFiles/ RSA365/Security Topics /Deployment Strategies/White Papers/Atmel/doc5280.pdf (2008). Accessed 15 November 2008.

[2] Weingart, S.: Physical Security Devices for Computer Subsystems: A Survey of Attacks and Defense. In Cetin Kaya Koc and Christof Paar, editors, Proceedings of Cryptographic Hardware and Embedded Systems CHES 2000, volume 1965 of Lecture Notes in Computer Science, 302–317. Springer-Verlag (2000).

[3] Anderson, R. and Kuhn, M.: Low cost attacks on tamper resistant devices. IWSP: International Workshop on Security Protocols, LNCS (1997).

[4] Haythornthwaite, R., Nxumalo, J. and Phaneuf, M.: Use of the focused ion beam to locate failure sites within electrically erasable read only memory microcircuits. J. Vac. Sci. Technol. A 22.3., May/Jun (2004).

[5] Koemmerling, O. and Kuhn, M.: Design Principles for Tamper-Resistant Smartcard Processors. Proceedings of the USENIX Workshop on Smartcard Technology (Smartcard ’99), Chicago, Illinois, USA, May 10-11, USENIX Association, 9–20 (1999).

[6] Poll, E.: Smartcard attacks: invasive attacks. http://www.cs.ru.nl/~erikpoll/hw/slides/smartcards_invasive_attacks.pdf (2007). Accessed 5 December 2008.

[7] Aigner, M., Plos, T., Feldhofer, M., Tutsch, C., Ruhanen, A., Na, Y., Coluccini, S., and Tavilampi, M.: D4.2.1 - Report on first part of the security WP: Tag security. BRIDGE project, no. 033546 (2008).

[8] Barnett, R., Balachandran, G., Lazar, S., Kramer, B., Konnail, G., Rajasekhar, S. and Drobny, V.: A Passive UHF RFID Transponder for EPC Gen 2 with -14dBm Sensitivity in 0.13µm CMOS. Solid-State Circuits Conference 2007, ISSCC 2007. Digest of Technical Papers. IEEE International. 11-15 Feb., 582–623 (2007).

[9] Mitsugi, J.: Multipurpose sensor RFID tag. In APMC 2006 workshop on Emerging Technologies and Applications of RFID, WS04-4, 143–148 (2006).

[10] SecureRF Corporation: LIME Tag. www.securerf.com/pdf/-SecureRF LIME Tag product sheet.pdf (2008). Accessed 15 November 2008.

[11] Center for Systems and Software Engineering: Basic COCOMO-model. http://sunset.usc.edu/csse/research/COCOMOII/cocomo81.htm (2008). Accessed 5 December 2008.

[12] Roberti, M.: The Price of EPC Gen 2. RFID Journal. http://www.rfidjournal.com/article/articleview/1609/1/2/ (2005). Accessed 5 December 2008.

[13] Juels, A.: Minimalist cryptography for low-cost RFID tag. In: Blundo, C., Cimato, S. (eds.) International Conference on Security in Communication Networks SCN 2004. LNCS, Vol. 3352, 149–164, Springer, Heidelberg (2004).

[14] HM Customs and Excise: Annual report 2003-2004. The Commissioners of HM Customs and Excise, London. (2004).

[15] Action on Smoking and Health: ASH Factsheet No:18 - The UK tobacco industry. http://old.ash.org.uk/html/factsheets/html/fact18.html (2007). Accessed 5 December 2008.

[16] European Commission Taxation and Customs Union: Summary of Community Customs Activities on Counterfeit and Piracy. Results at the European Border 2006. http://ec.europa.eu/taxation customs/customs/customs controls/counterfeit piracy/statistics/index en.htm (2006). Accessed 5 December 2008 .

[17] Mirowski, L., Hartnett, J., Williams, R., Gray, T.: A RFID Proximity Card Data Set. Tech. Report University of Tasmania (2008), http://eprints.utas.edu.au/6903/1/a_rfid proximity_card_data_set.pdf.

[18] Mirowski, L., Hartnett., J.: Deckard: A System to Detect Change of RFID Tag Ownership. International Journal of Computer Science and Network Security, 7(7) (2007).

[19] Weis, A. and Josten, A.: Effective Brand Protection in the Pharmaceutical Industry Needs Efficient Supply Chain Management. Pharmaceutical Manufacturing and Packing (PMPS), Autumn 2002.

[20] Lehtonen, M., Michahelles, F., Fleisch, E.: Probabilistic Approach for Location-Based Authentication. In 1st International Workshop on Security for Spontaneous Interaction IWSSI 2007, organized in 9th International Conference on Ubiquitous Computing, Austria, September 2007.

[21] Lehtonen, M., Michahelles, F., Fleisch, E.: How to Detect Cloned Tags in a Reliable Way from Incomplete RFID Traces. In 2009 IEEE International Conference on RFID, Orlando, Florida, April 27-28, 2009, pp. 257 – 264.

[22] John Jenkins Associates: Pharma traceability pilot – requirements analysis. Deliverable D6.2 of EU-BRIDGE Project. http://www.bridgeproject.eu (2007). Accessed 15 September 2008.

[23] Lehtonen, M., Ruhanen, A., Michahelles, F., Fleisch, E.: Serialized TID Numbers – A Headache or a Blessing for RFID Crackers? In 2009 IEEE International Conference on RFID, Orlando, Florida, April 27-28, 2009, pp. 233 - 240.

[24] Schechter, S. E.: Quantitatively differentiating system security. In the First Workshop on Economics and Information Security, University of California, Berkeley, May 2002.

[25] ISO/IEC 17799:2005 - Information technology -- Security techniques -- Code of practice for information security management.

[26] Bondi, A.B.: Characteristics of scalability and their impact on performance. In Proceedings of the 2nd international workshop on Software and performance, Ottawa, Ontario, Canada, 2000, ISBN 1-58113-195-X, pp. 195 - 203.

[27] Hill, M.D.: What is scalability? In ACM SIGARCH Computer Architecture News, December 1990, Volume 18 Issue 4, pp. 18-21, (ISSN 0163-5964).

[28] Duboc, L., Rosenblum, D.S., Wicks, T.: Doctoral symposium: presentations: A framework for modelling and analysis of software systems scalability. In Proceedings of the 28th international conference on Software engineering ICSE '06, May 2006, pp. 949 - 952.

Appendix A - Data of the Rule-Based ACF Framework Performance Tests

Measured values for Scalability test of Rule Based Engine

| Trace Size | Aggregation Levels | RE (ms) | EGL (ms) | Others (ms) | Overall (ms) |
|---|---|---|---|---|---|
| 10 | 0 | 3.00 | 47.00 | 152.00 | 202 |
| 10 | 1 | 4.00 | 64.00 | 158.00 | 226.00 |
| 10 | 2 | 4.00 | 77.00 | 158.00 | 239.00 |
| 10 | 3 | 7.00 | 106.00 | 155.00 | 268.00 |
| 20 | 0 | 6.00 | 75.00 | 153.00 | 234.00 |
| 20 | 1 | 4.00 | 80.00 | 155.00 | 239.00 |
| 20 | 2 | 5.00 | 100.00 | 156.00 | 261.00 |
| 20 | 3 | 7.00 | 138.00 | 158.00 | 303.00 |
| 50 | 0 | 8.00 | 180.00 | 159.00 | 347.00 |
| 50 | 1 | 8.00 | 186.00 | 155.00 | 349.00 |
| 50 | 2 | 9.00 | 201.00 | 159.00 | 369.00 |
| 50 | 3 | 10.00 | 223.00 | 161.00 | 394.00 |
| 100 | 0 | 14.00 | 339.00 | 176.00 | 529.00 |
| 100 | 1 | 14.00 | 349.00 | 183.00 | 546.00 |
| 100 | 2 | 13.00 | 379.00 | 165.00 | 557.00 |
| 100 | 3 | 14.00 | 421.00 | 176.00 | 611.00 |
| 250 | 0 | 43.00 | 857.00 | 195.00 | 1095.00 |
| 250 | 1 | 38.00 | 933.00 | 185.00 | 1156.00 |
| 250 | 2 | 38.00 | 943.00 | 188.00 | 1169.00 |
| 250 | 3 | 44.00 | 1130.00 | 205.00 | 1379.00 |
| 500 | 0 | 140.00 | 1830.00 | 234.00 | 2204.00 |
| 500 | 1 | 133.00 | 1914.00 | 224.00 | 2271.00 |
| 500 | 2 | 135.00 | 1966.00 | 226.00 | 2327.00 |
| 500 | 3 | 141.00 | 2175.00 | 221.00 | 2537.00 |

[Charts: Time (ms) versus Trace Size for Level of aggregation = 0, 1, 2 and 3, each plotting the series Others, EGL, RE and Overall with linear trend lines.]

Appendix B - Interview Guideline

Appendix C - Implemented Synchronized Secrets Protocol

Figure 30. Implemented synchronized secrets protocol