RFID Privacy Risk Evaluation Based on Synthetic Method of Extended Attack Tree and Information Feature Entropy

Abstract

Evaluation of security risks in radio frequency identification (RFID) systems is a challenging problem in Internet of Things (IoT). This paper proposes an extended attack tree (EAT) model to identify RFID system's flaws and vulnerabilities. A corresponding formal description of the model is described which adds a probability SAND node together with the probability attribute of the node attack. In addition, we model the process of an RFID data privacy attack based on EAT, taking a sensitive information theft attack on an RFID tag as an example. To resolve the problem of assessing the risk probability of each node in EAT, we present the information feature entropy evaluation method for RFID privacy assessment. Finally, an evaluation is carried out to calculate the RFID privacy attack tree sequences and information feature entropy of the atomic node. Analysis shows that our scheme can calculate the overall risk evaluation result value for RFID privacy and comprehensively determine the risk of the weakest atomic node in RFID system.

1. Introduction

RFID is emerging as a promising technique in industry and academia with wide application in fields such as supply chain management, e-payment, environmental monitoring, smart labels, and detection. Thus, RFID is regarded as the foundation of Internet of Things. Unfortunately, it suffers from several drawbacks such as eavesdropping, relay attacks, unauthorized tag reading, and tag cloning attacks [1–3]. In particular, RFID privacy security risks are a concern as they can affect the RFID application [4, 5].

Risk management methods are composed of the following four relevant processes: risk evaluation, decision support, implementation control, and effectiveness assessment. The risk management process aims to reduce RFID system residual security risk to an acceptable degree so a review of RFID privacy risk evaluation technology is necessary.

The attack tree model [6, 7] is a feasible approach to depict behavioral characteristics of RFID privacy attacks. The complexity of constructing the model is reduced by dividing the attack procedure into several atomic attacks for system risk analysis, which are extensible and reusable. This model allows an administrator to identify system vulnerabilities, apply protective measures, and strengthen routine maintenance tasks.

However, the attack tree model has some limitations. It only portrays the attack procedure in a potential crisis but does not locate hidden risks, so it may not determine the protective measures that should be taken. Additionally, information feature entropy is a useful method to precisely decide the possibility of particular security vulnerability. This paper introduces information feature entropy to identify privacy risks based on the extended attack tree method.

The remainder of the paper is organized as follows. Section 2 introduces related work. In Section 3, we detail the extended attack tree model and give the formal description. In Section 4, we model the RFID privacy attack model based on EAT. Section 5 makes some evaluation and analysis on synthetic risks evaluation method of extended attack tree and information feature entropy. Section 6 concludes the paper.

2. Related Work

In order to determine system's flaws and identify the vulnerabilities with the highest risk, a security risk assessment should be undertaken. This enables the necessary safety measures to be identified and implemented, which can reduce the security risks of RFID systems to an acceptable degree. The current research on risk evaluations for RFID-based system can be classified into the following four methods.

The first model is the system security hierarchical evaluation model [8–10], which proposes an RFID system security assessment based on a fuzzy comprehensive method. This model divides the security levels into the object layer, criterion layer, and indicator layer. It then quantifies each factor and computes the evaluation results via fuzzy transformation rules. In addition, Lim et al. [11] created a multilevel attack model, which is used to check whether the system meets a series of RFID security attributes and computes the security level for each protocol.

The second evaluation model is based on traffic measurement [12] and utilizes a flow analysis method to identify RFID denial of service attacks. It extracts network attack features based on the collected data traffic, builds up an attack draft, and thereby enables RFID system security improvements to be made by revising RFID protocols.

The third model is based on indicator analysis [13], which determines security criteria and classifies these criteria into several subcriteria, with each one being represented by a quantized indicator. It then considers RFID security and privacy assessment through standard protocols and calculates the results by comparing the parameters of Electronic Product Code (EPC) standard, calculation costs, and data transfer rates.

The last evaluation model is based on the analysis of the working process [14] and applies the principle of queuing theory to determine the RFID attack efficacy. The issue of privacy in the RFID working process is considered individually for the tag, air interface, reader, network, and back-end parts. Privacy issues of RFID systems can be solved by dealing with individual privacy problems in each component.

Table 1 compares the four RFID system security evaluation models.

Table 1

Comparison of the four RFID system security evaluation models.

Model	Technology	Advantages and disadvantages
System security hierarchical evaluation model	Hierarchy analytic method	In assessment system, internal indicators that interact with each other are interdependent, and even some high-level indicators are dominated by underlying indicators

Traffic measurement evaluation model	Automatic finite state machine method	Attack process is difficult to control and the malicious code is not obtained, since the attacker only needs to eavesdrop and repeat sending the data between the reader and the tag

Indicator analysis evaluation model	Indicator and weight analysis method	Accessibility of indicator selection ought to be reasonable, since indicators will affect the final results of the assessment, which could be a potential threat to the privacy risk assessment

Working process evaluation model	Phase correlation method	All the local problems are solved, so as to solve the whole problem. Nevertheless, its deficiency lies in the fact that it might only see the local, but not the whole system

In summary, for RFID privacy risk evaluation, it is necessary to establish an evaluation index system, to enable more scientific and rational assessment conclusions to be made. An improved model of RFID extended attack tree privacy risk evaluation is proposed which combines the advantages of the system security hierarchical evaluation model, indicator analysis evaluation model, and working process evaluation model, thus providing a method to identify RFID potential privacy risks. Furthermore, this method adopts information feature entropy to comprehensively identify the risk at the weakest atomic node, thus facilitating the development of appropriate security policies.

3. Extended Attack Tree Model

Definition 1 (EAT model).

The attack tree model was first proposed by Schneier [15] to enable analysis of the behavior of the system. It is mainly used in the form of a tree structure which represents the interdependence among attacks. Each node of the tree represents a subtarget attack: the root node represents the ultimate target, a node with no child is called an atomic node, and a node containing child nodes is called a subgoal node. There are two types of nodes in the traditional attack tree: “AND node” and “OR node.” In order to address the requirements of the RFID privacy attack model, our scheme proposes an extended attack tree model based on the traditional attack tree and includes three operational rules: “probability AND node,” “probability OR node,” and “probability SAND node.” Two additional properties are added: the attack probability and the attack time cost.

Definition 2 (“probability AND node” operational rule).

The target node $G_{0}$ can be successfully reached by attacking both of the child nodes $G_{1}$ and $G_{2}$ , and the overall probability is calculated according to the corresponding individual probabilities at both nodes. The presentation figure of a probability AND node is shown in Figure 1.

Figure 1

Probability AND node.

Definition 3 (“probability OR node” operational rule).

The alternative child node $G_{1}$ or $G_{2}$ is achieved according to their corresponding probability, so the target node $G_{0}$ can be successfully reached. Figure 2 shows the presentation of probability OR node.

Figure 2

Probability OR node.

Definition 4 (“probability SAND node” operational rule).

SAND stands for the operational rules for the “SAND,” which indicates a more accurate description of the relationship among aggressive behaviors. It obeys the accordance with the order to attack from the left child node $G_{1}$ and then transfers from $G_{1}$ to the right node $G_{2}$ , so that it achieves the target node $G_{0}$ , as shown in Figure 3. Furthermore, in order to better describe the intrinsic properties of the RFID privacy attacks tree nodes, this paper describes the probability and time cost of an attack.

Figure 3

Probability SAND node.

Definition 5.

Formal description of extended attack tree is represented as

\begin{matrix} EAT = \{G, E, T, θ, ρ\} . \end{matrix}

(1)

G represents a part of the nonempty finite set, in which an attacker needs to successfully break through before reaching the final attack goal. It consists of two types of nodes: the internal node (nonleaf node) and atomic node (leaf node). They may be represented as $G_{I}$ and $G_{L}$ , with $G_{I}$ being the internal node of the attack tree containing a tree root $G_{0}$ and $G_{L}$ refers to a leaf node. The relationship between $G_{I}$ and $G_{L}$ is shown in the following formula:

\begin{matrix} G_{0} \in G, \\ G_{L} \in G, \\ G_{I} \in G, \\ G_{L} \cup G_{I} = G, \\ G_{L} \cap G_{I} = ϕ . \end{matrix}

(2)

$E = G \times G$ stands for an edge of the finite set, where $〈u, v〉 \in E$ represents the transition states according to the attack, in which $u \in G$ is a child node called premise condition and $v \in G$ is a father node, namely, result state.

(3)

T refers to the time cost of a successful attack, which means the time required for $〈u, v〉 \in E$ edge state transition. The shorter the time required, the higher the probability of a successful attack. Thus, inversely proportional relationship between them, with formula (3), is described as follows:

\begin{matrix} U (T) = e^{- δ \cdot T} . \end{matrix}

(3)

In formula (3), the value δ is associated with safety performance of the system, which stands for the possibility of $〈u, v〉 \in E$ edge state transition, and the smaller the likelihood of a successful attack, the higher the value δ. In the extended attack tree model, such as RFID tag eavesdropping attacks, it requires not only analyzing the application layer protocol, but also resolving the channel between the reader and the tag in the physical layer, so that it belongs to a higher security performance system. According to the evaluation model criteria and for the sake of the convenience for computation, this paper takes the value of 0.5.

(4)

$θ = {A N D, O R, S A N D}$ is an internal node operational type set. For the operation $A N D$ (expressed as ×), it means that if and only if all the children nodes achieve the subgoal, the target node reaches the goal. And as to the operation $O R$ (expressed as ⊕), any child can trigger the target node achievement. With the operation $S A N D$ (expressed as ⊗), the target node is completed only under the circumstance that all the children nodes are executed according to the order from left to right.

(5)

ρ refers to the successful attack representation used to calculate the probability. Based on the system risk vulnerability, it firstly determines the attack success probability $P_{L}$ of each atomic node $G_{L}$ , according to the relevant algorithm as mentioned in $(4)$ to derive the nonleaf node $G_{I}$ attack success probability $P_{I}$ .

The improved attack tree model adds the “probability SAND node” and, together with the other operational rules, can conduct a more accurate formal description of how RFID systems behave against sophisticated attacks. In addition, a probability attribute of an attack at each node is added, enabling the associated risk assessment algorithm to calculate the success rate of each different path that can be used to implement a successful attack. Hence, this model allows assessments of the safety performance of the system, so that appropriate maintenance measures can be used where required.

4. RFID Privacy Risk Evaluation Model Based on EAT

4.1. RFID Privacy Data Flows and Secure Risks

A typical RFID system considers the RFID tags as the main front-end part of the system and regards the RFID reader and database as the back-end. The RFID tag contains an ID microchip and antenna components, and the communication between tags and reader is via radio frequency electromagnetic coupling, as shown in Figure 4. Security issues relating to RFID systems depend largely on the type of tag used. Although RFID system privacy and security problems have been highlighted, up until now RFID security solutions have not been implemented. This paper attempts to establish an RFID privacy data attack model to objectively determine the vulnerability of an RFID system, thereby solving privacy issues of RFID systems.

Figure 4

RFID system working principle.

In this paper, we model the process of an RFID data privacy attack, taking RFID theft attack of sensitive information as an example. We assume that the reader and tag use a security protocol to ensure the safety of data transmission through wireless channels and that an attacker can monitor and analyze the entire communication process through the relevant attack techniques. The stages may be summarized as follows: (1)

Determine if the tag is in active or passive mode. To conserve power supply, RFID tags have three working modes: passive, semipassive, and active modes. Tags in active mode surpass the passive mode in reading distance, stability, speed, and so on, which helps the attacker to determine the characteristics of the RFID system, as a different method of attack may be adopted depending on the type of tag.

(2)

Scan system working frequency. The working frequency of RFID systems can be divided into low frequency (125 KHz~135 KHz), high frequency (13.56 MHz), ultra high frequency (UHF) (866~868 MHz, 902~928 MHz), microwave (2.45 GHz, 5.8 GHz), and other categories. Low frequency is more resistant to noise when the transmission distance is short; however, it requires a larger antenna size. Determination of the system's working frequency is a prerequisite for RFID invasions.

(3)

Determine the tag communication distance. Depending on the communication distance, the tags are divided into four types: tightly coupled cards (reading range is less than 1 cm), near field coupled cards (reading range is less than 15 cm), sparse coupled cards (reading range is about one meter), and remote cards (reading range is from one meter to 10 meters or beyond) [16]. As the communication distance increases, RFID data is exposed to greater potential threats, including data tampering, erroneous data insertion, and data copying.

(4)

Analyze the tag working protocol. Tags at different frequencies use different protocols, with common standards such as ISO10536, ISO14443, ISO15603, and ISO18000.

(5)

Determine the data exchange rules. In order to steal private RFID data, it is necessary to understand the composition of the data exchange including the key exchange principle, data encryption method, and the system operation mode.

(6)

Estimate the time taken to implement an RFID privacy attack. Since the RFID reader time is limited, the quicker an attack can be performed, the higher the possibility of a successful attack.

Potential current threats in an RFID system include eavesdropping, relay attack, unauthorized tag reading, and tag cloning. Table 2 summarizes the various stages of RFID and potential threats. A range of potential threats that may occur at any working stage in the RFID system are described and are graded using five grades: grade 0 indicates no correlation and grade 4 indicates a strong correlation.

Table 2

Relationship between the RFID stages and potential security threats.

Potential threats	RFID stages
Potential threats	Tag active/passive	System working frequency	Tag communication distance	Protocol	Data exchange rule	Time cost
Eavesdropping	4	4	2	4	4	1
Relay attack	0	4	0	4	4	0
Unauthorized tag reading	4	4	1	3	2	2
Tag cloning	4	4	0	4	0	0
Trace attack	0	4	0	4	0	0
Replay attack	0	1	4	3	4	4
Tampering attack	4	0	0	4	4	4
System blocking	0	4	0	2	1	4
Back-end attack	0	0	0	0	0	4

4.2. Privacy Attack Model

Based on the extended attack tree, our scheme achieves efficient RFID privacy attacks model, by analyzing the aggressive behaviors that RFID tags could use in information theft. In this model, the root node represents the tag data leakage, while atomic node represents a possible attack or system feature that may be exploited by attackers. A variety of possible attacks primitives defined symbols and corresponding logical relationships are described in Box 1.

Box 1: EAT model of RFID tag information theft primitives.

$G_{0}$ : RFID tag information theft

AND $G_{11}$ : Determine tag type

OR $G_{21}$ : Determine system working property

AND $G_{31}$ : Determine the tag is in active or passive mode

$G_{32}$ : Detect system working frequency

$G_{33}$ : Judge the tag communication distance

$G_{22}$ : Artificially identify the tag type

$G_{12}$ : Crack wireless channel protocol

OR $G_{23}$ : Obtain session secret key

$G_{24}$ : Analyze protocol between reader and tag

SAND $G_{34}$ : Sniffer air interface protocol

$G_{35}$ : Analyze internal circuit logical in the tag

$G_{13}$ : Unauthorized tag reading

AND $G_{25}$ : Set RFID reader frequency

$G_{26}$ : Set the communication interface between reader and back-end database

OR $G_{36}$ : Replay the data-gram between database and reader

$G_{37}$ : Obtain RFID database shell

$G_{14}$ : Estimate time cost for RFID privacy attack

SAND $G_{27}$ : RFID session tracking

$G_{28}$ : Invade unauthorized session

As can be seen from Box 1, to achieve the goal of RFID information theft, four branches should be passed, with each branch having its own subbranches. The dependencies of each attack behavior may be clearly revealed in the extended attack tree, and RFID tag privacy theft EAT model is shown in Figure 5.

Figure 5

RFID tag privacy theft EAT model.

4.3. Formal Description for RFID Tag Privacy Theft EAT Model

As for the RFID tag privacy theft EAT model, we give the formal description of $EAT = {G, E, T, θ, ρ}$ , where (1)

G represents a part of the nonempty finite set. And a specific node is alternative atomic node or internal node. Take Figure 5, for example; $[G_{31}, G_{32}, G_{33}, G_{22}, G_{23}, G_{34}, G_{35}, G_{25}, G_{36}, G_{37}, G_{27}, G_{28}] \in G_{L}$ , while $[G_{0}, G_{11}, G_{21}, G_{12}, G_{24}, G_{13}, G_{26}, G_{14}] \in G_{L}$ , so we can get $G_{I} \cup G_{L} = G$ and $G_{I} \cap G_{L} = ϕ$ .

(2)

E stands for an edge of the finite set; for example, $〈G_{31}, G_{21}〉 \in E$ , where $G_{31}$ is a child node and $G_{21}$ is a father node.

(3)

T refers to the time cost of a successful attack. Normalized time cost of the atomic node is presented by formula (3). And the factor δ is to adjust the distribution of the time cost depending on the RFID system.

(4)

θ is an internal node operational type set, used to calculate the attack sequence value according to Definitions 6 to 8. As for Figure 5, we may calculate the operation set as follows:

\begin{array}{l} [\begin{bmatrix} G_{31} \times G_{32} \times G_{33} \\ G_{22} \end{bmatrix}] \times [\begin{bmatrix} G_{23} \\ G_{34} \otimes G_{35} \end{bmatrix}] \times [G_{25} \times [\begin{bmatrix} G_{36} \\ G_{37} \end{bmatrix}]] \\ \times [G_{27} \otimes G_{28}] . \end{array}

(4)

In addition, there are eight possible attack sequences to achieve the final target, which are listed as follows:

\begin{matrix} [\begin{bmatrix} G_{31} \times G_{32} \times G_{33} \times G_{23} \times G_{25} \times G_{36} \times G_{27} \otimes G_{28} \\ G_{31} \times G_{32} \times G_{33} \times G_{23} \times G_{25} \times G_{37} \times G_{27} \otimes G_{28} \\ G_{31} \times G_{32} \times G_{33} \times G_{34} \otimes G_{35} \times G_{25} \times G_{36} \times G_{27} \otimes G_{28} \\ G_{31} \times G_{32} \times G_{33} \times G_{34} \otimes G_{35} \times G_{25} \times G_{37} \times G_{27} \otimes G_{28} \\ G_{22} \times G_{23} \times G_{25} \times G_{36} \times G_{27} \otimes G_{28} \\ G_{22} \times G_{23} \times G_{25} \times G_{37} \times G_{27} \otimes G_{28} \\ G_{22} \times G_{34} \otimes G_{35} \times G_{25} \times G_{36} \times G_{27} \otimes G_{28} \\ G_{22} \times G_{34} \otimes G_{35} \times G_{25} \times G_{37} \times G_{27} \otimes G_{28} \end{bmatrix}] . \end{matrix}

(5)

ρ refers to the successful attack representation used to calculate the probability. In Figure 5, it firstly considers the normalized value of the level of attack cost, level of technical difficulty, and level of attack discovered and then determines the possibility of the atomic node $G_{L}$ via the variation coefficient method. Finally, the possibility of $G_{I}$ is calculated according to the relevant algorithms mentioned as in the above operations.

4.4. Synthetic Risks Evaluation Method of Extended Attack Tree and Information Feature Entropy

4.4.1. Atomic Risk Value

In the EAT model created for RFID privacy attacks, the overall rating of the privacy risk is mainly calculated by combining the individual atomic node risk values. Therefore, an objective and effective indicator of each atomic node's risk assessment value is required. Based on the multiattribute utility theory, we propose three attributes to describe aggressive behavior at each atomic node: level of attack cost, level of technical difficulty, and level of attack discovered, as shown in Table 3. The relevant formula is used to obtain the atomic risk value. In practical applications, we mainly consider the following guidelines, and atomic node normalized attributes are shown in Table 4.

Table 3

Assessment grade of attack attributes.

Attack grade	Level of attack cost	Level of technical difficulty	Level of attack discovered
0.9	>10	Hard	Easy
0.7	7–10	Difficult	Simple
0.5	4–6	Mediate	Mediate
0.3	1–3	Simple	Difficult
0.1	<1	Easy	Hard

Table 4

Assessment grade possibility value of atomic node.

Atomic node	Level of attack cost	Level of technical difficulty	Level of attack discovered
$G_{31}$	0.1000	0.1000	0.5000
$G_{32}$	0.5000	0.1000	0.1000
$G_{33}$	0.3000	0.1000	0.3000
$G_{22}$	0.1000	0.3000	0.9000
$G_{23}$	0.7000	0.7000	0.1000
$G_{34}$	0.9000	0.9000	0.1000
$G_{35}$	0.9000	0.7000	0.5000
$G_{25}$	0.3000	0.5000	0.1000
$G_{36}$	0.3000	0.7000	0.5000
$G_{37}$	0.1000	0.9000	0.5000
$G_{27}$	0.5000	0.5000	0.7000
$G_{28}$	0.7000	0.3000	0.9000

In order to balance the fairness among the indexes, the variation coefficient method is adopted to determine the weight of each index by using the characteristics of the sample data. As for the data set $a_{1}, a_{2}, \dots, a_{n}$ , the coefficient of variation is defined as the ratio between standard deviation and the mean absolute value denoted as $V_{a}$ . Consider the following:

\begin{matrix} V_{a} = \frac{S_{a}}{|\bar{a}|}, \end{matrix}

(6)

where

\begin{matrix} \bar{a} = \frac{1}{n} \sum_{i = 1}^{n} a i, \\ S_{a} = \sqrt{\frac{1}{n - 1} \sum_{i = 1}^{n} {(a i - \bar{a})}^{2}} . \end{matrix}

(7)

For the given set of evaluation indicators $X_{1}, X_{2}, \dots, X_{n}$ , assuming that there are n sample data, and according to the variation coefficient formula, we can calculate the coefficient of evaluations for each indicator, which are recorded as $V_{1}, V_{2}, \dots, V_{m}$ .

Based on the coefficient of variation method, the weight of each indicator is defined as the following formula:

\begin{matrix} W_{i} = \frac{V_{i}}{\sum_{j = 1}^{m} V_{j}} i = 1,2, 3, \dots, m . \end{matrix}

(8)

Combined with the RFID tag privacy theft of the EAT model shown in Figure 5, we get the risk of each atomic node in RFID privacy tag with the following formula:

\begin{matrix} P_{L} = \sum_{i = 1}^{n} P_{i} \cdot W_{i}, \end{matrix}

(9)

where

P_{i}

is expressed as the possibility of atomic node, while

P_{L}

is represented as the impact of a successful attack to the system.

4.4.2. Overall Risk Value

The attack sequence refers to a collection of atomic nodes in the attack tree. In order to reach the final target, the attacker needs to successfully attack all atomic nodes in the set. In the EAT model, the probabilities are not the same for the different types of internal nodes. The specific probability of attack for each collection of atomic nodes is calculated as follows.

Definition 6 (probability AND sequence value).

Assuming that a probability AND node contains m children nodes $N_{1}, N_{2}, \dots, N_{m}$ , the probability of the attack sequence value is calculated with the following formula:

\begin{matrix} P^{AND} = P (N_{1}) \times P (N_{2}) \times \dots \times P (N_{m}) . \end{matrix}

(10)

Definition 7 (probability OR sequence value).

As to a probability OR node with m children nodes $N_{1}, N_{2}, \dots, N_{m}$ , the probability of the attack sequence value is the maximum probability OR node value as shown in the following formula:

\begin{matrix} P^{OR} = P (N_{1}) \oplus P (N_{2}) \oplus, \dots, \oplus P (N_{m}) . \end{matrix}

(11)

Definition 8 (probability SAND sequence value).

When computing a probability SAND node with m children nodes $N_{1}, N_{2}, \dots, N_{m}$ , one exploits the conditional probability formula, and the probability of the attack sequence value is shown in the following formula:

\begin{matrix} P^{SAND} = P (N_{1}) \otimes P (N_{2}) \dots \otimes P (N_{m}) . \end{matrix}

(12)

4.4.3. Information Feature Entropy Evaluation

Entropy in an information system is considered as a characterization of the uncertainty of things. Assessments based on entropy are often adopted and can describe the information exchange intuitively. In order to resolve the problem of assessing the risk probability of each node in the EAT model with accuracy and provide a basis for a security engineer to assess the RFID privacy risk, we propose the information feature entropy evaluation method for RFID privacy assessment.

It calculates the entropy $E (n)$ with the following formula of a measure value, which is considered as the base of assessment value of a certain characteristic index:

\begin{matrix} E_{i} (n) = \sum_{j = 1}^{n} P_{i j} (n) \cdot \log_{2} \frac{1}{P_{i j} (n)} . \end{matrix}

(13)

Then, it balances the link between different evaluation indicators with formula (14), so as to weigh the indicators at the same level. In the following formula, the value m represents the number of character indicators:

\begin{matrix} v_{i} (n) = \log_{2} m - E_{i} (n), \\ w_{i} (n) = \frac{v_{i} (n)}{\sum_{j = 1}^{m} v_{i} (n)} (i = 1,2, \dots, m) . \end{matrix}

(14)

Finally, it calculates accurate information feature entropy evaluation for RFID privacy risk, which synthetically considers the entropy value, corresponding weight value, and attack time cost as well:

\begin{matrix} H (n) = \sum_{i = 1}^{m} (E_{i} (n) * w_{i} (n) * T_{i} (n)) . \end{matrix}

(15)

5. Evaluation and Analysis

5.1. Attack Tree Sequences

According to the EAT model described in Figure 5, we evaluate the RFID privacy risk possibility based on the formula mentioned in Section 4. Consider

\begin{array}{l} G_{0} = G_{11} \times G_{12} \times G_{13} \times G_{14} \\ = [\begin{bmatrix} G_{21} \\ G_{22} \end{bmatrix}] \times [\begin{bmatrix} G_{23} \\ G_{24} \end{bmatrix}] \times [G_{25} \times G_{26}] \times [G_{27} \otimes G_{28}] \\ = [\begin{bmatrix} G_{31} \times G_{32} \times G_{33} \\ G_{22} \end{bmatrix}] \times [\begin{bmatrix} G_{23} \\ G_{34} \otimes G_{35} \end{bmatrix}] \\ \times [G_{25} \times [\begin{bmatrix} G_{36} \\ G_{37} \end{bmatrix}]] \times [G_{27} \otimes G_{28}] . \end{array}

(16)

As can be seen from formula (16), there are eight relevant sequences that may be used to reach the final goal, with the atomic node probability, probability of the secondary node, first level probability, and the probability of RFID privacy risk calculated in Table 5. For instance, the atomic node possibility in Table 5 is calculated via variation coefficient method with formulas (6) to (9), considering the four related parameters that are level of attack cost, level of technical difficulty, level of attack discovered, and time cost. And according to formulas (10) to (12), the probability AND operation in Table 5 is represented as “×,” the probability OR operation is expressed as “⊕,” and the probability SAND operation is expressed as “⊗.” When an attack occurs, the greater the possibility of the attack sequence, the greater the vulnerability to the system; thus measures should be taken to protect the RFID system at the identified nodes. As can be seen from Table 5, $G_{12}$ is the sequence most likely to be used in an attack, followed by $G_{11}$ , $G_{13}$ , and $G_{14}$ . Therefore, the most vulnerable sequence of the model is $G_{12}$ , indicating that an attacker is most likely to succeed in reaching the attack's final goal via sequence $G_{12}$ . Using the EAT model, we can calculate that the overall risk evaluation result value for RFID is 0.0035.

Table 5

Computing table of RFID risk possibility.

Atomic node	Possibility	Second level node	Possibility	First level node	Possibility	RFID risk evaluation
$G_{31}$	0.3807	$G_{21} = G_{31} \times G_{32} \times G_{33}$	0.0274	$G_{11} = G_{21} \oplus G_{22}$	0.3660	$\begin{matrix} S = G_{11} \times G_{12} \times G_{13} \times G_{14} = 0.0035 \end{matrix}$
$G_{32}$	0.2505
$G_{33}$	0.2868
—	—	$G_{22}$	0.3660
—	—	$G_{23}$	0.3966	$G_{12} = G_{23} \oplus G_{24}$	0.3966
$G_{34}$	0.6212	$G_{24} = G_{34} \otimes G_{35}$	0.1705
$G_{35}$	0.5490	$G_{24} = G_{34} \otimes G_{35}$	0.1705
—	—	$G_{25}$	0.3699	$G_{13} = G_{25} \times G_{26}$	0.1680
$G_{36}$	0.4159	$G_{26} = G_{36} \oplus G_{37}$	0.4541
$G_{37}$	0.4541	$G_{26} = G_{36} \oplus G_{37}$	0.4541
—	—	$G_{27}$	0.4810	$G_{14} = G_{27} \otimes G_{28}$	0.1452
—	—	$G_{28}$	0.6035	$G_{14} = G_{27} \otimes G_{28}$	0.1452

5.2. Information Feature Entropy of RFID Privacy

The EAT method exhibits strong performance in terms of measuring the overall RFID privacy risks and requires that all nodes must be involved in the calculation of risk probability. However, it lacks the ability to locate potential threats. To make it easier to understand the risk probability of each node, we propose calculation of the entropy of each node. Based on the information feature entropy method, Table 6 shows the calculating process of entropy values listed in Table 4.

Table 6

Information feature entropy of the EAT node.

Atomic node	Level of attack cost	Level of technical difficulty	Level of attack discovered	Time cost $T_{i} (n)$	Original risk $E_{i} (n)$	Risk weight $w_{i} (n)$	Information feature entropy $H (n) * 100 %$
$G_{31}$	0.1000	0.1000	0.5000	0.3012	1.1644	0.0818	2.8700
$G_{32}$	0.5000	0.1000	0.1000	0.5488	1.1644	0.0818	5.2300
$G_{33}$	0.3000	0.1000	0.3000	0.4493	1.3744	0.0747	4.6100
$G_{22}$	0.1000	0.3000	0.9000	0.2019	0.9901	0.0877	1.7500
$G_{23}$	0.7000	0.7000	0.1000	0.0743	1.0526	0.0856	0.6700
$G_{34}$	0.9000	0.9000	0.1000	0.8187	0.6058	0.1008	5.0000
$G_{35}$	0.9000	0.7000	0.5000	0.1108	0.9970	0.0875	0.9700
$G_{25}$	0.3000	0.5000	0.1000	0.5488	1.3533	0.0754	5.6000
$G_{36}$	0.3000	0.7000	0.5000	0.1653	1.3813	0.0745	1.7000
$G_{37}$	0.1000	0.9000	0.5000	0.3012	0.969	0.0884	2.5800
$G_{27}$	0.5000	0.5000	0.7000	0.2466	1.3602	0.0752	2.5200
$G_{28}$	0.7000	0.3000	0.9000	0.5488	1.0181	0.0868	4.8500

Figure 6 shows a more intuitive information feature entropy value of each atomic node in Table 6, in which we may find out that for each atomic node the risk of attack is not the same. As can be seen from Figure 6, the most vulnerable node $G_{25}$ (information feature entropy value is 5.6000) with the corresponding RFID weakness is “set RFID reader frequency.” In addition, the risk of nodes $G_{32}$ and $G_{34}$ is greater and the nodes' corresponding RFID weaknesses are “detect system working frequency” and “sniffer air interface protocol.” This highlights that the security of the RFID system should pay more attention to these weaknesses, and an information feature entropy method can be used to accurately determine the probability of occurrence of RFID system security risks. On the basis of the conclusions of the EAT model, it is recommended that the entropy method should be used to reduce privacy risk measures, illustrating the effectiveness of the proposed method.

Figure 6

Information feature entropy value of each atom node.

6. Conclusion

On the basis of the traditional attack tree, we presented a secure and flexible extended attack tree model, in which we added a new logical operation and a new probability of success attribute. The RFID tag information theft example was taken, characteristics of the invasion were extracted, and an RFID privacy aggressive behavior EAT model was eventually established. This model applies multiattribute utility theory to calculate the risk value of all atomic nodes and thus computes the total risk value of the probability of successful attack sequences. Finally, it combines the advantages of information feature entropy to determine atomic node privacy risks and gives the relevant attack defense proposals.

Footnotes

Conflict of Interests

The authors declare that there is no conflict of interests regarding the publication of this paper.

Acknowledgments

The subject is sponsored by the National Natural Science Foundation of China (no. 61170065, no. 61373017, and no. 61203217), the Natural Science Foundation of Jiangsu Province (no. BK20140886, no. BK20140888), Scientific & Technological Support Project of Jiangsu Province (no. BE2012183, no. BE2012755), Natural Science Key Fund for Colleges and Universities in Jiangsu Province (no. 12KJA520002), Jiangsu Planned Projects for Postdoctoral Research Funds (no. 1302090B, no. 1401005B), China Postdoctoral Science Foundation (no. 2014M551636, no. 2014M561696), and NUPTSF (no. NY214061, no. NY213034, and no. NY214060).

References

Habibi

M. H.

Aref

M. R.

Attacks on recent RFID authentication protocols

Journal of Signal Processing Systems 2013 72 1 1 13

2-s2.0-84883766700

10.1007/s11265-013-0844-1

Monahan

Fisher

J. A.

Implanting inequality: empirical evidence of social and ethical risks of implantable radio-frequency identification (RFID) devices

International Journal of Technology Assessment in Health Care 2010 26 4 370 376

10.1017/s0266462310001133

2-s2.0-78649980089

X.-D.

Wang

Y.-F.

Bai

J.-B.

Wang

H.-Y.

Chu

C.-H.

RFId application challenges and risk analysis

Proceedings of the 17th International Conference on Industrial Engineering and Engineering Management (IE & EM '10)

October 2010

Xiamen, China

1086 1090

10.1109/icieem.2010.5646426

2-s2.0-78650592404

Vivo

M. C.

Polzonetti

Tapanelli

RFID privacy and security risks: Italian case study

Advances in Information Technology: Proceedings of the 6th International Conference, IAIT 2013, Bangkok, Thailand, December 12-13, 2013 2013 409

Cham, Switzerland

Springer

173 183 Communications in Computer and Information Science

10.1007/978-3-319-03783-7_16

Gandino

Montrucchio

Rebaudengo

Tampering in RFID: a survey on risks and defenses

Mobile Networks and Applications 2010 15 4 502 516

10.1007/s11036-009-0209-y

2-s2.0-77956610822

Jiang

Luo

Wang

X. P.

An attack tree based risk assessment for location privacy in wireless sensor networks

Proceedings of the 8th International Conference on Wireless Communications, Networking and Mobile Computing (WiCOM '12)

September 2012

Shanghai, China

1 4

10.1109/wicom.2012.6478402

2-s2.0-84876059826

Karpati

Redda

Opdahl

A. L.

Sindre

Comparing attack trees and misuse cases in an industrial setting

Information and Software Technology 2014 56 3 294 308

10.1016/j.infsof.2013.10.004

2-s2.0-84892592845

Luo

H. F.

Liu

R. Q.

Wang

Y. K.

The security evaluation index architecture and evaluation model with RFID system

462-463

Proceedings of the International Conference on Mechatronics and Information Technology, Applied Mechanics and Materials

October 2014

Guilin, China

399 404

Morsi

Elsherief

El Zawawi

A security system and employees performance evaluation using RFID sensors and fuzzy logic

Proceedings of the Computation World: Future Computing, Service Computation, Adaptive, Content, Cognitive, Patterns

November 2009

Athens, Greece

597 602

10.1109/computationworld.2009.112

2-s2.0-77951020520

10.

Chang

T.-H.

Hsu

S.-C.

Wang

T.-C.

A proposed model for measuring the aggregative risk degree of implementing an RFID digital campus system with the consistent fuzzy preference relations

Applied Mathematical Modelling 2013 37 5 2605 2622

10.1016/j.apm.2012.06.029

MR3020442

2-s2.0-84872497759

11.

Lim

T.-L.

A security and performance evaluation of hash-based RFID protocols

Information Security and Cryptology: Proceedings of the 4th International Conference, Inscrypt 2008, Beijing, China, December 14–17, 2008, Revised Selected Papers 2009 5487

Berlin, Germany

Springer

406 424 Lecture Notes in Computer Science

10.1007/978-3-642-01440-6_30

12.

Ling

Shen

New defending ultra-lightweight RFID authentication protocol against DoS attacks

Proceedings of the 3rd International Conference on Consumer Electronics, Communications and Networks (CECNet '13)

November 2013

Xianning, China

423 426

10.1109/cecnet.2013.6703360

2-s2.0-84894169025

13.

Zavvari

Patel

Critical evaluation of RFID security protocols

International Journal of Information Security and Privacy 2012 6 3 56 74

10.4018/jisp.2012070103

2-s2.0-84871872748

14.

Rotter

A framework for assessing RFID system security and privacy risks

IEEE Pervasive Computing 2008 7 2 70 77

2-s2.0-42549157259

10.1109/MPRV.2008.22

15.

Schneier

Attack trees: modeling security threats

Dr Dobb's Journal 1999 24 12 21 29

16.

Todd

Burleson

Tessier

The design and assessment of a secure passive RFID sensor system

Proceedings of the IEEE 9th International New Circuits and Systems Conference (NEWCAS '11)

June 2011

Bordeaux, France

494 497

10.1109/newcas.2011.5981327

2-s2.0-80052547532