the response signal. Due to manufacturing imperfection, BLF varies among different tags. Therefore, it is suitable to combine the two features to detect the motion status of tags.
Moreover, we recover each tag response according to the geometrical characteristic of the collision signals in the I-Q plane, and extract the aforementioned physical-layer features.

Fig. 1: System framework

As for detecting the motion status of tags, we propose a two-phase monitoring scheme, consisting of the tag inventory phase and the continuous polling phase, to efficiently extract the physical-layer features for detection. In the tag inventory phase, the reader issues multiple query cycles to extract the physical-layer features of all the tags in stationary status. In the continuous polling phase, the reader continuously issues multiple query cycles to extract the physical-layer features of tags in real time. By comparing the real-time features with the stationary features, we utilize a Graph Matching Method (GMM) to detect the motion status of tags in every query cycle of the continuous polling phase. The continuous polling phase contains multiple real-time query cycles to amortize the time spent in the inventory phase. We show the whole framework in Fig. 1.

IV. PHYSICAL-LAYER FEATURES

In this section, we demonstrate the concept of our physical-layer features via realistic experiments. We implement a software defined reader (SDR reader) according to the Gen2 project [14]. Specifically, we operate the Gen2 project on our USRP platform with two FLEX-900 daughter boards and two Laird S9028 antennas, one on each board, for transmitting and receiving respectively. For the receiving module, we set the sampling rate to 2 MHz, which corresponds to 0.5 µs per sample.

A. The Response of a Normal Singleton Slot

Fig. 2 illustrates a typical slot in RFID systems, which is collected from the USRP. The reader sends a QUERY/QRep command to start a slot. All the tags that select this slot will transmit their RN16 to the reader.
If the reader succeeds in decoding the RN16 bits, it then sends an ACK to the tag, which tells the tag to transmit its EPC-ID. During the tag response, the reader keeps transmitting a continuous wave (CW) to supply power. Hence, there are generally two kinds of tag response: 1) the RN16 period, responding to the QUERY or QRep command from the reader, and 2) the EPC-ID period, answering the ACK command. In fact, both the RN16 signal and the EPC-ID signal contain a preamble, data bits and check bits. As a result, the time of the EPC-ID period is about 4 times longer than that of the RN16 period, as shown in Fig. 2. Meanwhile, since the time interval between the two responses is so small, the position and wireless environment can be regarded as unchanged. So we can extract the physical-layer feature directly from the RN16 and omit the EPC-ID signal.

Fig. 2: A typical singleton slot in RFID systems

B. Phase Profile

In RFID systems, the tag transmits data using backscattering modulation. Hence, the received signal of one tag is:

$$y(t) = \left(A_1 + x(t) A_2 \cos(2\pi f_l t + \theta)\right) \cos(2\pi f_c t + \beta) + n(t), \tag{1}$$

where $A_1 \cos(2\pi f_c t + \beta)$ is the signal of the carrier, $x(t) A_2 \cos(2\pi f_l t + \theta) \cos(2\pi f_c t + \beta)$ is the signal of the tag and $n(t)$ is the ambient noise. Here, $x(t)$ is the binary bits sent by the tag. After converting the signal to baseband by removing the carrier $\cos(2\pi f_c t)$, the baseband signal can be represented as:

$$s(t) = A_1 e^{j\beta} + x(t) A_2 e^{j(2\pi f_l t + \theta + \beta)} + \hat{n}(t). \tag{2}$$

Therefore, the actual received signal is a superposition of the carrier wave and the backscattered signal. Intuitively, we can model the received signal from a single tag response in the I-Q plane as shown in Fig. 3. The received signal consists of two parts: 1) leakage signal: the constant carrier signal (i.e., CW), 2) backscattered signal: the modulated tag signal.
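The leakage/backscatter decomposition of Eq. (2) and Fig. 3 can be reproduced on synthetic I-Q samples; the sketch below recovers both vectors and the angle of the backscattered vector relative to the carrier. It is an added example, not code from the paper or the Gen2 project. It assumes the subcarrier term has already been demodulated so that x(t) is an on/off envelope, and that the leakage is estimated from CW-only samples preceding the RN16; all function names and sample values are constructed.

```python
import cmath
import math
import random

def synth_slot(a1, beta, a2, theta, bits, sps=4, noise=0.002, seed=1):
    """Constructed baseband samples: leakage A1*e^{j*beta} plus, while the
    tag reflects (bit = 1), a backscattered vector A2*e^{j*(theta+beta)}."""
    rng = random.Random(seed)
    leak = cmath.rect(a1, beta)
    back = cmath.rect(a2, theta + beta)
    samples = []
    for b in bits:
        for _ in range(sps):
            n = complex(rng.gauss(0, noise), rng.gauss(0, noise))
            samples.append(leak + b * back + n)
    return samples

def mean(zs):
    return sum(zs) / len(zs)

def wrap(angle):
    """Wrap an angle into [-pi, pi]."""
    return math.atan2(math.sin(angle), math.cos(angle))

def phase_profile(cw, response):
    """Return (relative phase, |leakage|, |backscatter|) for one slot.

    cw       -- samples taken while only the carrier is present
    response -- samples taken during the tag's RN16 reply
    """
    leak = mean(cw)                              # estimate of A1*e^{j*beta}
    dist = [abs(s - leak) for s in response]     # distance from leakage point
    cut = max(dist) / 2                          # split the two I-Q clusters
    high = [s for s, d in zip(response, dist) if d > cut]
    back = mean(high) - leak                     # backscattered vector
    rel = wrap(cmath.phase(back) - cmath.phase(leak))
    return rel, abs(leak), abs(back)

if __name__ == "__main__":
    bits = [1, 0, 1, 1, 0, 0, 1, 0] * 2          # constructed RN16-like bits
    cw = synth_slot(1.0, 0.6, 0.1, 0.0, [0] * 16, seed=7)
    rn16 = synth_slot(1.0, 0.6, 0.1, math.radians(40), bits, seed=8)
    rel, a1, a2 = phase_profile(cw, rn16)
    print(f"phase {math.degrees(rel):.1f} deg, A1 {a1:.3f}, A2 {a2:.3f}")
```
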
As for the phase value of the backscattered signal, it can be represented as:

$$\theta = \Phi - \beta, \tag{3}$$

which is the difference between the carrier signal phase $\beta$ and the backscattered signal phase $\Phi$ in Fig. 3. We call $\theta$ the phase profile of the tag in this work.

Fig. 3: Model of the received signal of a single tag

We carry out trace-driven evaluations to study the property of the phase profile. Firstly, we evaluate the stability by conducting an empirical experiment on 50 tags with random deployments. For each setting, we measure 100 phase values by querying each tag 100 times. The results are normalized by subtracting the average phase value of each result set. As shown in Fig. 4(a), the phase profile varies from −5° to 5°, following a typical Gaussian distribution. So we can treat the phase profile as a stable feature for motion detection.

Secondly, we compare the phase profile of the SDR reader with the phase value of a commercial reader (Impinj R420) by querying the same tag. We vary the distance between the antenna and the tag, which ranges from 20 cm to 70 cm in steps of 1 cm. For