AOHDL: Adversarial Optimized Hybrid Deep Learning Design for Preventing Attack in Radar Target Detection

Abstract

In autonomous driving, Frequency-Modulated Continuous-Wave (FMCW) radar has gained widespread acceptance for target detection due to its resilience and dependability under diverse weather and illumination circumstances. Although deep learning radar target identification models have seen fast improvement, there is a lack of research on their susceptibility to adversarial attacks. Various spoofing attack techniques have been suggested to target radar sensors by deliberately sending certain signals through specialized devices. In this paper, we proposed a new adversarial deep learning network for spoofing attacks in radar target detection (RTD). Multi-level adversarial attack prevention using deep learning is designed for the coherence pulse deep feature map from DAALnet and Range-Doppler (RD) map from TDDLnet. After the discrimination of the attack, optimization of hybrid deep learning (OHDL) integrated with enhanced PSO is used to predict the range and velocity of the target. Simulations are performed to evaluate the sensitivity of AOHDL for different radar environment configurations. RMSE of AOHDL is almost the same as OHDL without attack conditions and it outperforms the earlier RTD implementations.

1. Introduction

The main processing mechanism of Frequency-Modulated Continuous-Wave (FMCW) radar functions transmitting a sequence of linearly modulated frequency signals over time is referred to as a frame. The received signal is combined with a duplicate of the broadcast signal sequence after the process of reflection from the target. This creates a sinusoidal wave whose frequency specifies the distance to the reflecting target [1]. Through the analysis of the phase shifts of this sinusoidal wave in various chirps, the system estimates the relative velocity of the target. In addition, an FMCW radar can determine the direction of an object by analyzing the phase shifts in the middle of elements and the array of antennas [2].

Radars operating using millimeter-wave (mmWave) signals have greatly enhanced radar accuracy [3], offering advantages over other sensors for implementation in train and test decision-based driver guiding system (Automated-DAS) and autonomous vehicle (AV) fields [4]. Automated DAS systems at present utilize radars for various functions such as versatile critical control, front crash avoidance, and lane tracing systems [5]. In more sophisticated systems, these radars can be utilized for a range of image tests by supplying three-dimensional coordinate data to computer vision systems contained by autonomous vehicles [4]. In addition to the vehicle industry, these radars can offer accurate sensing for built-up air transportation applications [6]. As the use of mmWave FMCW radar in automated systems continues to grow, it is imperative to ensure the security of these sensors against possible intimidations.

On the radar line-of-sight (LOS), the received complex signal wave energy’s addition in the manner of coherence from every single range of target scatters. This wave energy indicates the forecast of the complex and gives back echoes from the scattering center of the target against the radar array called “High-Resolution Range profiles-HRRP”. One of the most dynamic study fields in recent radar technology is HRRP-based RATR [7,8]. This is because HRRP encompasses a large quantity of target structural monograms. When it comes to HRRP-based RATR tasks, feature engineering is the most important component.

In 2014, Szegedy C et al. [9] made the initial discovery of an anomalous occurrence. An adversary can create an intentionally unnoticeable information injection by manipulating a single input sample. These examples of input are rather hostile [10]. Based on the arbitrary incorrect outcomes desired by the attacker, they can create a target recognition system using deep learning. Adversarial samples describe these hostile input samples. Both the unique deep learning methods they target and their highly transferable traits make these samples very dangerous. Much study and interest have been piqued by this finding. The process of creating malicious samples has been enhanced throughout time. Additionally, as demonstrated in [11], end-to-end learning communication systems utilizing deep neural network autoencoders are exceedingly susceptible to attacks since wireless communication is inherently open and allows attackers to more easily introduce perturbations. It also demonstrated that noise assaults are less effective against the classifier than artificial perturbation attacks.

Extensive work is being conducted in the fields of radar beamform refinement [9] and target detection adversarial attacks pose a significant security hazard to the usage of radars in automobile applications. For an autonomous car to operate on the road, it is essential to have precise object-detecting capabilities and regular upgrades [10]. It must exhibit a high level of performance reliability to prevent catastrophic accidents. Deep learning models are trained to classify objects; however, an adversarial approach can significantly reduce their ability to accurately classify objects [10]. Adversarial attacks cause artificial intelligence (AI) to make incorrect predictions by making modest changes to the input signal to deliberately incite this incorrect prediction. This is primarily noteworthy since it poses a security threat that is frequently overlooked by humans, or at the very least not identified as an assault due to its subtle nature and exclusive impact on AI algorithms. However, it is crucial to identify and prevent these threats [12].

In the present work, we are investigating the adversarial attack in radar target detection using deep learning design. The main contributions of the proposed work are as follows:

• We investigated the impact of hostile cases in compromising the security of vehicle radars by analyzing the vulnerability of radar-based deep learning.
• From the echo radar cube, two different feature maps are generated using two different deep learning architectures, named DAALnet and TDDLnet, in our proposed work, which are a coherent pulse map deep map and RD feature map, respectively.
• Adversarial learning networks are involved in these two networks, named Radar Generative Adversarial Network (RGAN). After the RGAN generator and discriminator, the features are fused to predict the target range and velocity using the Optimized Hybrid Deep Learning (OHDL) method. The experimental simulations for the proposed work are performed for the verification of adversarial attack prevention in the adversarial OHDL (AOHDL).

The remainder of the paper is structured as follows. Section 2 discusses the earlier implementations regarding these adversarial attacks in radar target detection, and Section 3 describes FMCW radar signal mathematical modeling and the adversarial learning network in deep learning-based RTD. In Section 4, we provide the performance comparison of simulation output. Last of all, Section 5 concludes the development of the proposed work.

2. Related Works

Machine learning classifiers are vulnerable to adversarial instances, which are deliberately crafted from raw data to deceive the classifier into misclassifying the input. These attacks pose a significant risk to the integrity of systems, particularly for applications that are crucial for safety. Numerous adversarial attacks have been created in recent years to compromise various application domains [13]. Although these works emphasized the susceptibility of ML systems to adversarial noise, only a small number of the attack scenarios they examined are feasible in real-world situations.

In [14], the author introduces a unique adversarial assault on Ultra-Wide Band (UltraWB) radars. This approach involves an opponent deliberately injecting hostile radio noise into the wireless channel, failing to recognize obstacles. Initially, utilizing signals obtained from real-life settings, we demonstrate that traditional attacks are unable to produce durable noise in practical circumstances. The author [13] put forward a technique called Adversarial Radio Noise Attack, abbreviated as Adv-RNA, as a solution to address these problems. More precisely, Adv-RNA produces a disruptive disturbance that is effective even without coordination in the middle of the input signal and the disturbance. Furthermore, the noise generated by Adv-RNA is intentionally designed to be resistant to pre-processing and counteract the threat, for instance, defenses concerning the filtering method. Furthermore, Adv-RNA is not only focused on achieving detectability by restricting the amount of noise, but it is also effective when faced with advanced defenses in the spectral domain by establishing a budget for frequencies.

The design of MadRadar, a new black-box physical layer attack architecture for vehicle radars using mmWave FMCW, has been introduced in [15]. This work is distinct from prior studies, which only concentrated on inserting phony items into prey radar’s multidimensional data points. It is the first study to introduce an indication of wrong results for which a condition does not hold and translation assaults, which effectively eliminate or displace detections of existing objects in the prey radar’s multidimensional data points. In addition, all except one of the preceding spoofing attempts (which merely produced false positives) required prior knowledge of the victim radar’s specifications. In contrast, MadRadar can accurately estimate the victim’s chirp period, chirp slope, and frame duration, allowing for effective attacks to be implemented over 95% of the time. The viability and efficiency of the suggested attacks have been experimentally proven by the author [15] through the development of a real-time MadRadar prototype employing SDR platforms. Ultimately, we have showcased the practical applications of MadRadar through tangible case studies in real-world scenarios.

A goal-oriented approach toward achieving autonomous automobile vehicles is the precise sorting of range-dependent radar target detection using deep learning models [16]. Furthermore, the models have to be susceptible to adversarial attacks and possess the ability to truthfully categorize entities in such situations [17]. The creator of [18] utilized specific requirements and methodologies to gather data using FMCW radars. For categorization purposes, four types of structure designs were employed. These models consist of a self-designed CNN-based RadarNet, as well as three state-of-the-art deep learning models based on transfer learning. The evaluation focused on measuring the complexity and accuracy of these models. The models are subjected to FastGradient-SM adversarial attacks and their accuracy is compared to measure the extent of performance loss. Moreover, adversarial retraining has been implemented to alleviate the impact of FastGradient-SM attacks.

3. Proposed System Methodologies

3.1. Automotive FMCW Radar

Radar can be classified into two main categories: pulse radar and continuous-wave radar. Frequency-modulated continuous-wave radar is a modified version of the previous kind, using frequency modulation to enable simultaneous measurement of range and velocity. The FMCW radar is capable of determining both range and velocity by generating a continuous broadcast with a frequency that changes over time. The frequency can exhibit either a linear increase or decrease, or it can be modulated using a bespoke frequency modulation [19]. Typically, the signal undergoes modulation for a brief duration before being returned to the carrier frequency. A modulated transmission is often known as a chirp and has a duration of a chirp period, T_c. It will be demonstrated that a single chirp is sufficient to calculate distance, but numerous successive chirps are necessary to detect the velocity of the target. Therefore, a series of chirps covers a duration referred to as T_c. A prevalent kind of FMCW radar is Linear Frequency-Modulated radar, which usually operates at a carrier frequency (f_c) of around 24 GHz or 77 GHz. The frequency sweep of the transmitted LFM signal encompasses a bandwidth BW, which plays a crucial role in determining the characteristics of the radar. Figure 1 depicts a standard LFM chirp sequence within a certain time window.

The rate of the frequency modulation is the sweep rate R_s and is given by:

$$R_s={\displaystyle \frac{BW}{T_c}}$$

(1)

The broadcast signal propagates unless it attenuates owing to signal losses or reflects off a surface [20]. The full duplex radar range equation that includes noise can be used to define the transmitted signal’s range, and is given by:

$${Target}_R=\sqrt[4]{{\displaystyle \frac{P_t.{ H}^2.{ \lambda }^2. \phi . T_f}{{\left(4\pi \right)}^3. \eta . k.{ T}_e. F. L}}}$$

(2)

where L is the total losses due to attenuation, η is the signal-to-noise ratio, T_e is the effective noise temperature of the antenna, k is Boltzman’s constant, F is the noise figure, P_t is the peak transmitted power, λ is the carrier wavelength, φ is the radar cross section (RCS), H is the Tx and Rx antenna gain, and T_f is the time frame [21]. Furthermore, it can be shown that by rearranging Equation (2), the power received at the Rx antennas will be directly related to the reciprocal of the range raised to the fourth power. If the focus is just on the signal that is received at the RX antenna rather than the SNR, then the received power may be determined by [22]:

$$P_r={\displaystyle \frac{P_t{H}^2{\lambda }^2\phi }{{\left(4\pi \right)}^3({{Target}_R)}^4}}$$

(3)

As can be seen in Equation (3), the power received at the Rx antenna will also depend on the RCS of the target. The RCS of an object is mainly dependent on aspect angle, size, shape, and frequency. The effective area of the trihedral corner reflector is represented as:

$$A_{eff}={\displaystyle \frac{a^2}{\sqrt{3}}}$$

(4)

The RCS of a plane surface is denoted as:

$$\phi ={\displaystyle \frac{4\pi A_{eff}^2}{{\lambda }^2}}={\displaystyle \frac{4\pi a^4}{3{\lambda }^2}}$$

(5)

The time delay τ stems from the time-of-flight of the propagating signal from the Tx antenna to the target and then back to the Rx antenna. The delay is related to the target distance d and speed of light c as:

$$\tau ={\displaystyle \frac{2d}{c}}$$

(6)

The delay gives rise to a difference in frequency between the two signals, which is directly correlated to the sweep rate R_s:

$$R_{\tau }=R_s.{\displaystyle \frac{2d}{c}}$$

(7)

By introducing multiple chirps in a time frame, a phase shift between consecutive modulation periods will occur, which allows the radar to determine velocity. The model of FMCW is represented in the below content. The instantaneous phase of the transmitted signal is modeled as:

$$\mu \left(t\right)=2\pi {\int }_0^{t}f\left(t\right)dx+{\mu }_0=2\pi \left(f_{c}t+{\displaystyle \frac{R_s{t}^2}{2}}\right)+{\mathsf{\theta }}_0$$

(8)

where ${\mathsf{\theta }}_0$ is the initial phase and f(t) is the frequency at time t and it is given by:

$$f\left(t\right)=f_c+R_s.t$$

(9)

For the nth sweep, we have t = nT_c + t_s, where 0 < t_s < T_c. The transmitted signal x_tx (t) can then be written by:

$$x_{tx}\left(t\right)=A\cos \left(\mu \left(t\right)\right)=A\cos \left(2\pi \left(f_c\left(n{T}_c+t_s\right)+{\displaystyle \frac{R_s{t}_s^2}{2}}\right)+{\theta }_0\right)$$

(10)

where A is the amplitude of the signal.

If the target is located at a distance Target_R from the radar and is moving with relative radial velocity Target_v, then the delay in Equation (6) is remodeled as:

$$\tau ={\displaystyle \frac{2\left({Target}_R+{Target}_{v}t\right)}{c}}=\left({\displaystyle \frac{2\left({Target}_R+{Target}_v\left(n{T}_c+t_s\right)\right)}{c}}\right)$$

(11)

Then, the received signal at the reflected target is represented as:

$$x_{rx}\left(t\right)=Bcos\left(\mu \left(t-\tau \right)\right)=B\cos \left(2\pi \left(f_c\left(n{T}_c+t_s-\tau \right)+{\displaystyle \frac{R_s{\left(t_s-\tau \right)}^2}{2}}\right)+{\theta }_0\right)$$

(12)

The received signal is then mixed with x_tx to produce the IF tone. Thus, by performing the subsequent signal processing on a relatively low-frequency range, the processing circuit realization is simplified [23]. The intermediate frequency is then the subtractive term in simplified form, which is given by:

$$x_{IF}\left(t\right)={\displaystyle \frac{AB}{2}}\cos \left(2\pi \left(f_c\tau +R_{\tau }{t}_s-{\displaystyle \frac{R_s{\tau }^2}{2}}\right)\right)$$

(13)

By replacing τ with Equation (11), we obtain:

$$x_{IF}\left(n,t_s\right)={\displaystyle \frac{AB}{2}}\cos \left(2\pi \left({\displaystyle \frac{2R_s{Target}_R}{c}}{t}_s+{\displaystyle \frac{2f_c{Target}_v}{c}} n{T}_c\right)+{\displaystyle \frac{4\pi f_c{Target}_R}{c}}\right)$$

(14)

By acquiring the frequency of the IF signal, the range can be calculated since R_s is already known. The beat frequency f_b is obtained by performing a Fast Fourier Transform on the sampled input, as shown in Figure 2.

$$Targe{t}_R={\displaystyle \frac{f_{B}c}{2R_s}}$$

(15)

One chirp is enough to calculate the distance to a target, but at least two chirps are necessary to accurately measure the speed of the target in the direction towards or away from the observer. If a target is moving slowly with a velocity of just a few meters per second, the chirps will not be able to detect the small changes in beat frequency. This becomes problematic when trying to assess the velocity of the target. The resolution may be found in the phasor representation of a chirp. Each range-FFT will provide peaks that may be located at the same frequency, but their phase may differ if the target is in motion.

Just like the range-FFT, the frequency resulting from the phase shift between chirps may be determined using another FFT. The Doppler-FFT refers to the process of determining the angular rotation of a discretized and sampled signal that corresponds to a phasor spinning at a rate of ω rad/sample using the Fast Fourier Transform (FFT), as shown in Figure 3. The conversion of the phase shift rate ω to frequency is achieved by dividing it by 2πT_c. The term “Doppler frequency” pertains to the change in frequency induced by the Doppler shift resulting from the movement of an item. The velocity may be determined by relating the term f_d to the second term in Equation (14), resulting in the value of:

$$f_d=2{\displaystyle \frac{f_c\times Targe{t}_v}{c}}$$

(16)

$$Targe{t}_v={\displaystyle \frac{f_{d}c}{2f_c}}$$

(17)

3.2. Proposed AOHDL Methodologies

The proposed implementation workflow is illustrated in Figure 4. Multi-level deep learning along with an adversarial network is designed in this proposal for radar target detection. In our work, an echo data cube is considered as input. A coherent echo pulse is generated from this echo data cube and it is used to extract the deep features using DAALnet. An adversarial network is generated for these deep coherent pulse map features. From the echo data, FELLnet of the deep learning network produces the RD map image as output. From this RD map, we are extracting the deep features using the TDDLnet architecture. Again, we are also introducing the adversarial attack and prediction network into this TDDLnet. After the GAN design of both DAALnet and TDDLnet, we can obtain the fused features of both. Finally, hybrid optimized deep learning is used to detect the range and velocity of the radar signal using AHODnet. Optimization is performed using Enhanced Particle Swarm Optimization (EPSO). In the following section, we have detailed the adversarial network generation for this application.

3.2.1. Coherent Echo Pulse Map

Coherent processing intervals (CPIs) allow the radar to send out many pulses, and the echoes that come back are either integrated coherently or incoherently, allowing them to be analyzed as separate one-dimensional sequences. Discrete time sequences are processed using a variety of approaches, and these methods in turn determine the many kinds of input that detection networks take. Nonetheless, the original information included in the echo signal, known as a coherent pulse map, can be better utilized when employing complex radar data (real and imaginary) directly as opposed to alternative input formats.

3.2.2. DAALnet-Based Feature Map Using Coherent Echo Pulse

Based on the transfer learning concept, we defined a novel deep learning network of Deep Altered Architecture Learning (DAALnet). Transfer learning is a strategy in deep learning; it involves using a model that has been trained on one task to train on another task that is related to the first task. To do this, the trained model may either be utilized as an assigned feature extractor or the weights of the learned model can be fine-tuned to correspond with the new assignment. Transfer learning can potentially save time and money when compared with learning a model from scratch. Additionally, it has the potential to increase the effectiveness of the new model. Resnets have been more successful when used in conjunction with deep neural networks because they incorporate an identity function, which contributes to the achievement of favorable outcomes. For this application, we make use of a deep neural network that has been pre-trained on Resnet18 and apply it to a use case that has a smaller quantity of training data. To adapt ResNet-18 to the development of our DAALnet feature map, the fully connected layer was modified to include three outputs and a weight/bias learning rate factor that was ten times higher than the preceding layers. By making adjustments to this learning rate, we can train the newly created fully connected layer more quickly. The layered architecture of DAALnet is shown in Figure 5.

Each layer’s name and its corresponding dimension of activation function, weights, bias, offset, and scale are detailed in

Table 1. DAALnet layer description.

	Layer Type	Activations	Learnables	Layer Type	Activations	Learnables
	Image Input	224 × 224 × 3	-	Addition	28 × 28 × 128	-
	Convolution	112 × 112 × 64	Weights—7 × 7 × 3 × 64	ReLU	28 × 28 × 128	-
			Bias—1 × 1 × 64	ID Block 3	28 × 28 × 128	Weights—3 × 3 × 128 × 128
	Batch Normalization	112 × 112 × 64	Offset—1 × 1 × 64			Bias—1 × 1 × 128
			Scale—1 × 1 × 64	DS Block 2	14 × 14 × 256	Weights—1 × 1 × 128 × 256
	ReLU	112 × 112 × 64	-			Bias—1 × 1 × 256
	Max Pooling	56 × 56 × 64	-	Addition	14 × 14 × 256	-
ID Block 1	Convolution	56 × 56 × 64	Weights—3 × 3 × 64 × 64	ReLU	14 × 14 × 256	-
			Bias—1 × 1 × 64	ID Block 4	14 × 14 × 256	Weights—3 × 3 × 256 × 256
	Batch Normalization	56 × 56 × 64	Offset—1 × 1 × 16			Bias—1 × 1 × 256
			Scale—1 × 1 × 16	DS Block 3	7 × 7 × 512	Weights—1 × 1 × 256 × 512
	ReLU	56 × 56 × 64	-			Bias—1 × 1 × 512
	Convolution	56 × 56 × 64	Weights—3 × 3 × 64 × 64	Addition	7 × 7 × 512	-
			Bias—1 × 1 × 64	ReLU	7 × 7 × 512	-
	Batch Normalization	56 × 56 × 64	Offset—1 × 1 × 64	ID Block 5	7 × 7 × 512	Weights—3 × 3 × 512 × 512
			Scale—1 × 1 × 64			Bias—1 × 1 × 512
	Addition	56 × 56 × 64	-	Addition	7 × 7 × 512	-
	ReLU	56 × 56 × 64	-	ReLU	7 × 7 × 512	-
	ID Block 2	56 × 56 × 64	Weights—3 × 3 × 64 × 64	—Average Pooling	1 × 1 × 512	-
			Bias—1 × 1 × 64	Fully Connected	1 × 1 × 3	Weights—3 × 512
DS Block 1	Convolution	28 × 28 × 128	Weights—3 × 3 × 64 × 128			Bias—3 × 1
			Bias—1 × 1 × 128	Softmax	1 × 1 × 3	-
	Batch Normalization	28 × 28 × 128	Offset—1 × 1 × 128	Classification	-	-
			Scale—1 × 1 × 128
	ReLU	28 × 28 × 128	-
	Convolution	28 × 28 × 128	Weights—3 × 3 × 128 × 128
			Bias—1 × 1 × 128
	Batch Normalization	28 × 28 × 128	Offset—1 × 1 × 128
			Scale—1 × 1 × 128
	Convolution	28 × 28 × 128	Weights—1 × 1 × 64 × 128
			Bias—1 × 1 × 128
	Batch Normalization	28 × 28 × 128	Offset—1 × 1 × 128
			Scale—1 × 1 × 128

. In this table for each layer, the output dimensions will be denoted in the activations, especially in the fully connected layer, and we have 1 × 3 vector-sized probability for the classification of three categories.

3.2.3. FELLnet Design Methodologies

From the RTD input cube of radar echo data, we extract and analyze appropriate two-dimensional samples. The pulse repetition frequency and sampling frequency establish the sample points in the transverse direction (fast time domain), whereas the pulses in a CPI are enumerated in order in the longitudinal direction (slow time domain). In traditional radar signal processing, the range is determined by fast time domain echo data and velocity by slow time domain echo data, the latter of which represents Doppler bins. Utilizing the same logic, we employ the FELLnet architecture to slide convolution kernels of predetermined sizes to retrieve data from the frequency and time domains, utilizing rectangular samples as the RD map.

Utilizing a category-wise segmentation approach, the suggested methodology makes use of deep learning-based encoding and decoding strategies. All of the encoders in the design are equipped with their respective decoders, and they are directed towards the regression layer, which is referred to as the Feature Extraction Deep Learning Architecture (FELLnet). To encode the dense input pictures, a deep fully convolutional network is utilized, and a matching decoder is utilized to turn the input features into a pixel-wise regression layer. To provide a feature map that corresponds to the resolution of the input, the decoder is created with the architecture of the encoder being taken into consideration, as shown in Figure 6.

The network is made up of five convolutional layers, and the encoder portion has a kernel that is three layers by three layers. A max-pooling procedure is utilized, and a ReLU activation function is utilized in conjunction with a kernel of 2 × 2. Additionally, there are five transposed convolutional layers with a 3 × 3 kernel size and a 2 × 2 stride in the decoding region. When it comes to the decoding part, each convolutional unit is followed by a ReLU, just like it is in the encoder section. In conclusion, the regression layer is utilized in order to generate the RD map by utilizing the characteristics that were collected from the FELLnet model. Each layer of the FELLNet is detailed in

Table 2. FELLnet layer description.

	Layer Type	Activations	Learnables		Layer Type	Activations	Learnables
	Image Input	32 × 32 × 1	-	Decoding Layers	Transposed Convolution	2 × 2 × 2	Weights—4 × 4 × 2 × 2
Encoding Layers	Convolution	32 × 32 × 32	Weights—3 × 3 × 1 × 32				Bias—1 × 1 × 2
			Bias—1 × 1 × 32		ReLU	2 × 2 × 2	-
	ReLU	32 × 32 × 32	-		Transposed Convolution	16 × 16 × 16	Weights—3 × 3 × 32 × 16
	Max Pooling	16 × 16 × 32	-				Bias—1 × 1 × 16
	Convolution	16 × 16 × 16	Weights—3 × 3 × 32 × 16		ReLU	16 × 16 × 16	-
			Bias—1 × 1 × 16		Transposed Convolution	8 × 8 × 8	Weights—3 × 3 × 16 × 8
	ReLU	16 × 16 × 16	-				Bias—1 × 1 × 8
	Max Pooling	8 × 8 × 16	-		ReLU	8 × 8 × 8	-
	Convolution	8 × 8 × 8	Weights—3 × 3 × 16 × 8		Transposed Convolution	4 × 4 × 4	Weights—3 × 3 × 8 × 4
			Bias—1 × 1 × 8				Bias—1 × 1 × 4
	ReLU	8 × 8 × 8	-		ReLU	4 × 4 × 4	-
	Max Pooling	4 × 4 × 8	-		Transposed Convolution	2 × 2 × 2	Weights—3 × 3 × 4 × 2
	Convolution	4 × 4 × 4	Weights—3 × 3 × 8 × 4				Bias—1 × 1 × 2
			Bias—1 × 1 × 4		ReLU	2 × 2 × 2	-
	ReLU	4 × 4 × 4	-		Regression Output	32 × 32 × 1	-
	Max Pooling	2 × 2 × 4	-
	Convolution	2 × 2 × 2	Weights—3 × 3 × 4 × 2
			Bias—1 × 1 × 2
	ReLU	2 × 2 × 2	-
	Max Pooling	1 × 1 × 2	-

, along with the activation size for that layer.

3.2.4. TDDLnet Formation

Target Data Detection Learning Network (TDDLnet) is the network model to extract the deep features from the RD map output from FELLnet. To make the system less complex, the number of layers used in this TDDLnet is much less and it is a series network, not the complex Directed Acyclic Graph (DAG) network type of deep learning. The layer design of TDDLnet is shown in Figure 7.

3.2.5. AHODnet Description

A unique met heuristic optimization technique of EPSO and regression by ensemble tree approach were utilized in our suggested deep learning model, which included optimization of hyperparameters. This was accomplished through the implementation of the deep learning model. As a result, the hybrid model of optimization-based deep learning adversarial network, also known as AHODnet, was developed. We can identify targets and make predictions regarding the range and velocity of all objects in the range-Doppler domain by utilizing our AHODnet. It is the active features from DAALnet and TDDLnet that are used as the input for the AHODnet. These hyperparameters include initial learning rate, learn rate schedule, learn rate drop factor, sequence length, gradient threshold method, type of solver, number of epochs, mini Batch Size, momentum, learn rate drop time, and other similar factors.

Learn Rate, Mini Batch Size, and Momentum are the three decision variables that we have chosen to maximize in the model that we have suggested using the Enhanced PSO (EPSO) algorithm. After optimizing the three parameters of deep learning, the activated features of DAALnet and TDDLnet are fused and reshaped to 32 × 32 × 3 image dimension to forward as input to AHODnet. After the fully connected features of the 1 × 150 vector are extracted from the AHODnet, the regression model is used to predict the range and velocity of the radar data cube given.

The flowchart of EPSO is given in Figure 8 and the AHODnet layers’ activation functions, weights, and bias dimensions are described in

Table 3. AHODnet layer description.

	Layer Type	Activations	Learnables	Layer Type	Activations	Learnables
	Image Input	32 × 32 × 3	-	CCUnit(2, 1)	16 × 16 × 32	Weights—3 × 3 × 16 × 32
	Convolution	32 × 32 × 16	Weights—3 × 3 × 3 × 16			Bias—1 × 1 × 32
			Bias—1 × 1 × 16	Addition	16 × 16 × 32	-
	Batch Normalization	32 × 32 × 16	Offset—1 × 1 × 64	ReLU	16 × 16 × 32	-
			Scale—1 × 1 × 64	CCUnit(2, 2)	16 × 16 × 32	Weights—3 × 3 × 16 × 32
	ReLU	32 × 32 × 16	-			Bias—1 × 1 × 32
Combined Convolutional Unit(1,1)	Convolution	32 × 32 × 16	Weights—3 × 3 × 16 × 16 Bias—1 × 1 × 16	Addition	16 × 16 × 32	-
	Batch Normalization	32 × 32 × 16	Offset –1 × 1 × 16	ReLU	16 × 16 × 32	-
			Scale—1 × 1 × 16	CCUnit(3, 1)	8 × 8 × 64	Weights—3 × 3 × 32 × 64
	ReLU	32 × 32 × 16	-			Bias—1 × 1 × 64
	Convolution	32 × 32 × 16	Weights—3 × 3 × 16 × 16	Addition	8 × 8 × 64	-
			Bias—1 × 1 × 16	ReLU	8 × 8 × 64	-
	Batch Normalization	32 × 32 × 16	Offset –1 × 1 × 16	CCUnit(3, 2)	8 × 8 × 64	Weights—3 × 3 × 64 × 64
			Scale—1 × 1 × 16			Bias—1 × 1 × 64
	Addition	32 × 32 × 16	-	Addition	8 × 8 × 64	-
	ReLU	32 × 32 × 16	-	ReLU	8 × 8 × 64	-
	CCUnit(1, 2)	32 × 32 × 16	Weights—3 × 3 × 16 × 16	Average Pooling	5 × 5 × 64	-
			Bias—1 × 1 × 16	Fully Connected	1 × 1 × 150	Weights—150 × 1600
	Addition	32 × 32 × 16	-			Bias—150 × 1
	ReLU	32 × 32 × 16	-	Softmax	1 × 1 × 150	-

.

The sequence of actions that must be carried out before the beginning of the primary EPSO iterations is referred to as the “Initialization”. All of the particles are formed for the multi-objective parameters at this step, with the lowest and maximum range values having been determined. Particle placements are created in a completely random manner. When it comes to this first particle location, the objective values are evaluated, and the particles are classified as either feasible or infeasible.

If a particle is feasible, the associated Objective Function (OF) vector is computed, and the particle’s present position is added to the pbest set as the sole member of the set. There is also a comparison made between the places in gbest and the OF vector. If there are no places in gbest that are dominant in the OF vector of a particle, the current position of the particle is assigned to gbest. Additionally, the places in gbest that are dominated by the present position are eliminated from consideration. EPSO briefly shifts the initialized particles in one principal direction at a time to be able to catch sensitivities that only exist in particular portions of the search domain. This is carried out in order to avoid performing only one evaluation for each direction in the search space.

3.2.6. Adversarial Attack

Our objective is to create FMCW radar adversarial samples to mislead the FMCW radar-based RTD system. The function A design procedure of the FMCW radar-dependent RTD system takes the input as the FMCW radar signal and produces the foretold activity class with the reference of the probability notch p for all the registered classes of activity. Different types of adversarial attacks are listed in

Table 4. Types of adversarial attack.

Adversarial Attack Types	Description	Function
Untargeted Attack	Sample-specific attack design. Aim to confuse prediction state from the original duplicate.	A(i + ψ) ≠ o
		A is the deep learning model, i is the original sample, $\psi$ is generated adversarial perturbation, and o is the original prediction.
Targeted Attack	Sample-specific attack design. Aim to make the system predict the desired category.	A(i + ψ) = m
		m is a predefined category
Universal Attack	Well-designed general perturbation. Inserting perturbation into unseen samples.	A(iu + ψ) = m
		Iu is a different sample from the same class
Black-Box Attack	Attacking an unknown ML model. Perturbation of one model applied to another model.	Ab (ib) = A(ib)
		Ab is another model than A and ib is adversarial samples produced using model A
White-Box Attack	Attacking a Known ML model. Perturbation is added to increase the loss.	A(ib+ψ*sign(Δ(ib)) = A(ib)
		Δib is the magnitude of the gradient of the sample

[24].

$A \mathrm{is} \mathrm{the} \mathrm{deep} \mathrm{learning} \mathrm{model}, i \mathrm{is} \mathrm{the} \mathrm{original} \mathrm{sample}, \psi$

3.2.7. Adversarial Attack Networks

In order to comprehensively evaluate our attack strategy, we must take into account together the efficiency of our attack and the degree of distortion caused by the perturbations. To precisely express this evaluation, we formally define the objective function as minimizing $\mathcal{T}\left(i,i+\psi \right)$. $\mathcal{T}$ represents the distance metrics $‖{\psi }_p‖$ that assess the magnitude of the disruption produced. Nevertheless, as mentioned in prior research [25], finding a direct solution to this challenging non-linear restricted non-convex problem is arduous. Therefore, we redefine the objective function as an instance of optimization based on gradients.

$$minimize \mathcal{L}\left(i+\psi \right)+\lambda \times \mathcal{T}\left(i,i+\psi \right)$$

(18)

Measuring the likelihood of initiating adversarial attacks positively known as adversarial loss denoted by $\mathcal{L}$, the total perturbation size is calculated by using the perturbation loss, denoted as T in the Equation (18).

Adversarial loss is defined as:

$$\mathcal{L}=\max \left( \left[\mathcal{Z}{\left(i+\psi \right)}_r-\underset{f\ne r}{\max }\mathcal{Z}{\left(i+\psi \right)}_f\right],-\mathrm{k}\right)$$

(19)

where $\mathcal{Z}{\left(i+\psi \right)}_r$ is a probability of estimating i as the original class, $\mathcal{Z}{\left(i+\psi \right)}_f$ is the probability of estimating i as another class, and k is a controlling configuration metric of adversarial attack.

Perturbations refer to the discrepancies in the middle of the real activity sample and the adversarial. The L2 Norm, a widely used metric for evaluating adversarial perturbations, determines the Euclidean distance in the middle of two sets [26]. Perturbation loss can be derived as:

$$\mathcal{T}={‖{\psi }_p‖}_2^2$$

(20)

Intending to ratify the efficacy of the perturbation and advance the efficiency of perturbation followers, we define the dynamic threshold ξ to ensure the target sample:

$${‖{\psi }_p‖}_2^2<\xi , s.t A\left(i+\psi \right)=m$$

(21)

Conventional Deep Learning Network (DLN) security assessment techniques neglect to assess model security and dependability in favor of concentrating mainly on the DLN model classification accuracy [27]. Numerous protections have been presented in recent research to increase the security and robustness of DLN models in order to overcome this issue [28]. To evaluate DLN security, two main concepts describe DNN resistance to adversarial attacks:

• The first idea is the robustness of the DLN model. This indicates that under this paradigm, the DLN model knows the least perturbation required to transform picture x into an adversarial attack image $\overline{x}$.
• Adversarial risk, or the gradient descent loss function of the DLN model, is the second property. By reducing errors concerning the input picture, the model aims to improve its prediction score during the DLN learning process. Therefore, the adversary tries to maximize the loss function in order to produce an adversarial picture. To accomplish this, locate the location within x’s neighborhood bounds that can trick the DLN model [29].

One of the main obstacles in this field of study is DLN security and resilience in autonomous cars [30]. The danger of adversarial assaults is one of the most important security problems with DLNs. Creating an adversarial assault, whether it be a white-box or black-box attack, is a difficult undertaking. Developing a white-box assault becomes challenging if the DLN model architecture is intricate and obscures crucial model characteristics that may be utilized to produce the attack.

Moreover, creating a black-box assault is more challenging. This is because black-box assaults may be created using physical or digital techniques, such as altering the surroundings without being aware of the vehicle’s classification architecture, or by poising an attack. Furthermore, every defense that is offered is intended to stop a particular attack.

The low probability of intercept (LPI) characteristics of the frequency-modulated continuous-wave (FMCW) radar make it challenging for an ineffective receiver to differentiate the transmitted waveform from ambient noise [31]. Once acquired, the intercept module has the capability to store the signal in a DRFM (Digital Radio Frequency Memory) and then broadcast a waveform that mimics an echo with certain delay and phase characteristics, corresponding to a particular velocity and range.

The notion is depicted in Figure 9. The impersonating signal would be indistinguishable from a genuine reflection off a target, thereby obtaining a coherent gain when combined with the reference signal. In addition, the resent spoof signal would only experience attenuation due to one-way atmospheric losses, as described by Equation (6), but the actual echo would be affected by two-way losses. Therefore, a falsified signal would possess a significantly greater amount of energy reaching the receiver of the FMCW radar compared to the actual reflection. However, providing too much energy toward the RX antenna might potentially harm the electronics, thereby undermining any false motives.

Figure 9 illustrates the operational concept of a spoofing assault on radar. Figure 9b depicts an adversarial system that transmits a signal that is in phase and aligned with the victim radar. The opponent uses delay and phase compensation techniques to generate a deceptive target with a specific range and velocity, with the intention of misleading the target’s radar system [32]. Furthermore, the hostile signal has unidirectional losses, resulting in a more potent signal compared to the reflected echo.

3.2.8. Radar Generative Adversarial Networks (GANs)

In our proposed model, we used a Generative Adversarial Network (GAN) to prevent radar target detection from adversarial attacks, named RGAN. Generative Adversarial Networks (GANs) have the ability to produce new data samples that possess certain properties by gaining information around the distribution of training samples. Generator G and discriminator D are two major mechanisms involved in a GAN. To understand how adversarial assaults in a radar environment are modelled probabilistically, Radar Generative Adversarial Networks (RGANs) employ a generator to train a generative model. The discriminator compares the generated signal to the real signal in the dataset [33]. One way to use a model that aims to differentiate between actual and fraudulent signals is through the use of a discriminator.

The generator aims to transform dormant information z, which follows the giving out p_z(z), hooked on a fresh sample that is supposed to follow the giving out p_g. It is desirable for p_g to closely approximate the actual data distribution p data. Afterward, the artificially generated sample and a real sample are together submitted to the discriminator, which aims to distinguish the generated sample from the authentic samples, in addition to ascertaining the corresponding level of confidence [34]. Put simply, the generator produces samples with the intention of perplexing the discriminator, while the discriminator endeavors to properly differentiate between actual and produced samples. The whole framework is trained using an adversarial method, which is characterized by the subsequent cost function:

$$\underset{G}{\min }\underset{D}{\max }{L}_{RGAN}\left(D,G\right)=E_x\left[\log D\left(x\right)\right]+E_z\left[\log \left(1-D\left(G\left(z\right)\right)\right)\right]$$

(22)

The function L_RGAN (D, G) represents the standard cross-entropy loss. The mutable x signifies an unaffected sample extracted out of distribution p data, while z embodies hidden noise obtained from distribution p_z (z). During the phase of training, G and D are enhanced alternately via a zero-sum game framework [35]. This technique is iterated indefinitely until the model reaches convergence. If D and G are mutually well constructed and possess suitable constructions, they will theoretically achieve Nash equilibrium at the completion of the training procedure. By the side of this juncture, the counterfeit samples produced by G will be indistinguishable from genuine samples, rendering D unable to discern whether the sample originates from the generator or the actual world.

A generator in RGAN serves as a masking purpose denoted as G, which takes a noisy input and generates a clean mask output according to the noisy input. During the training phase, RGAN is provided with clean signals and generated noise from the generator network [36] with a defined standard deviation, which consists of noisy signals and their matching ground truth. The generator maps the adversarial attack as input to the discriminator. The discriminator D differentiates between the generated signal and the matching ground truth (xclean). The adversarial training procedure enhances the closeness of the produced signal to the ground truth, which refers to the actual uncontaminated signal. The training procedure concludes that the minute of the discriminator is no longer able to distinguish between a genuine signal and one that has been created by the generator. Currently, the RGAN settings are set, and the generator is capable of improving the signal-to-noise ratio (SNR) of adversarial signals [37]. During the testing phase, each signal with noise is generated from G, resulting in the retrieval of the equivalent signal without noise. The block diagram of RGAN is shown in Figure 10.

Adversarial Generator Network

Using the signal-to-map translation, the generator G diminishes the difficulties of converting the noisy signal into an improved concealing signal G(x_noise,z). The goal remains to create a mask that closely resembles the actual signal map, rendering it unrecognizable from the original by the discriminator D. In the RGAN model, it is necessary for the generated signal to preserve the desired information while minimizing the presence of unwanted noise [26]. The convolutional layer operates as:

$$x_j^h\left(x,y\right)=f(\sum _{i=1}^m\sum _{u=0}^{S-1}\sum _{v=0}^{S^{\prime }-1}{k}_{ji}^h\left(u,v\right).x_i^{h-1}\left(x+u,y+v\right)+b_j^h)$$

(23)

The parameter h represents the layer index, the size of the kernel is denoted as S’, and the previous layer’s ith input feature map is expressed as ${ x}_i^h\left(i=\mathrm{1,2},3,\dots .m\right),$ the current layer’s jth outcome feature map is $x_j^h\left(i=1, 2, 3,\dots .n\right)$, the convolutional kernel of $k_{ji}^h$ is used to establish the connection of the ith feature map to the jth feature map, and the jth feature map bias is denoted as $b_j^h$. The kernels and pace in each layer are configured as 2 × 1 and 2, respectively, as stated in this study. The “leaky ReLU” activation function, denoted as f(x), is a nonlinear activation function:

$$\mathrm{LReLU}\left(x\right)=\left\{\begin{array}{c}x ,x\ge 0\\ \alpha x,x<0\end{array}\right.$$

(24)

where α is the hyperparameter used to regulate the sparsity of the network and has been assigned a value of 0.01 in this research study.

In network G, which serves as a generator, the random vectors of size 100 are transformed into 4-by-4-by-512 arrays using a projection and reform operation. Subsequently, the resulting arrays are increased to 64-by-64-by-3 arrays using a sequence of transposed convolution layers with batch normalization and ReLU layer. In total, four transposed convolutional layers are connected in the network in a series manner. The network utilizes transposed convolution layers with a setup that includes 5-by-5 filters, a diminishing quantity of filters for every single layer, a pace of 2, and in addition, cropping of the outcome takes place in every single edge. Select three 5-by-5 filters for the final transposed convolution layer, corresponding to the three RGB channels of the created pictures, and also select the output size of the preceding layer. Include a hyperbolic tangent (tanh) layer at the end of the network.

Adversarial Discriminator Network

This network aims to categorize observations as either “real” or “attack” by using batches of data that include notes starting together with the training data and the generated data produced by the generator [38]. The discriminator network receives 64-by-64-by-3 pictures as input and generates a single forecast score by the use of a sequence of convolution layers through batch normalization and leaky ReLU layers. Apply the dropout technique to introduce noise into the input pictures. A dropout probability of 0.5 is specified for the dropout layer. The convolution layers are set up with 5-by-5 filters, and the number of filters increases for each layer. The stride and padding of the output are also taken into consideration. The Leaky ReLU activation function is employed with a scale constraint of 0.2. In order to generate probabilities within the range of 0 to 1, a convolutional layer is defined using a single 4-by-4 filter, which is then followed by a sigmoid layer.

Cost Function of RGAN

On the other hand, RGAN may have difficulties in achieving optimal training due to the implementation of weight clipping, which enforces the satisfaction of the Lipschitz constraint. Consequently, a gradient penalty element is incorporated into the cost function of RGAN.

$$L_{GP}=E_{\widehat{x}}\left[{\left({‖\nabla D\left(\widehat{x}\right)‖}_2-1\right)}^2\right]$$

(25)

$\widehat{x}$ is the random line mixture of the actual sample x and the spawned sample $G\left(z|x_{noisy}\right)$, derived as:

$$\widehat{x}=\omega \times x_{clean}+\left(1-\omega \right)\times G\left(z \right|x_{noisy})$$

(26)

where ω, a uniform distribution over the interval [0, 1], is sampled in a random manner. In addition, generator G is restricted to producing samples that are similar to the real samples by incorporating L1 and L2 regularization terms into the cost function:

$$L_{L_1}=E_{x_{noisy},x_{clean},z}\left[\left({‖x_{clean}-G\left(z|x_{noisy}\right)‖}_1\right)\right]$$

(27)

$$L_{L_1}=E_{x_{noisy},x_{clean},z}\left[\left({‖x_{clean}-G\left(z|x_{noisy}\right)‖}_2\right)\right]$$

(28)

The final cost function of RSEGAN is the combination of L_RGAN, L_GP, L_L1, and L_L2, given by:

$$L_{final}=\underset{G}{\min }\underset{D}{\max } L_{\mathrm{RGAN}}+{\lambda }_{\mathrm{GP}}\times L_{\mathrm{GP}}+{\lambda }_{L_1}\times L_1+{\lambda }_{L_2}\times L_2$$

(29)

The coefficient of the gradient penalty is denoted as λ_GP, the coefficient of L1 regularization is denoted as λ₁, and the coefficient of L2 regularization is denoted as λ₂ [39]. More precisely, RGAN utilizes an alternative optimization technique throughout the training process. The discriminator cost functions and generator can be stated separately, as seen in Equation (29), as follows:

$$\underset{D}{\min } L_{D-loss}\left(D,G\right)=E_{x_{noisy},x_{clean}}\left[D\left(x_{noisy}|x_{clean}\right)\right]+E_{x_{noisy},z}\left[D\left(G\left(z|x_{noisy}\right)\right)\right]+{\lambda }_{GP}.E_{\widehat{x}}\left[{\left({‖\nabla D\left(\widehat{x}\right)‖}_2-1\right)}^2\right]$$

(30)

$$\begin{array}{c}\hfill \underset{G}{\min } L_{G-loss}\left(D,G\right)=-E_{x_{noisy},z}\left[D\left(G\left(z|x_{noisy}\right)\right)\right]+{\lambda }_{L_1}\times E_{x_{noisy},x_{clean},z}[{‖x_{clean}-G\left(z|x_{noisy}\right)‖}_1+\\ \hfill {\lambda }_{L_2}\times E_{x_{noisy},x_{clean},z}\left[{‖x_{clean}-G\left(z|x_{noisy}\right)‖}_2\right]\end{array}$$

(31)

4. Results and Discussion

In this section, we perform the simulation of the proposed AOHDL-based radar target detection, and the results are compared with the earlier works of the same. For the simulation of the work, we use a simulation tool of MATLAB 2021a in an Intel^® Core™ i7-12700, 2100 Mhz, 12 Core(s) CPU of 16 GB RAM, with a 64-bit operating system.

The sawtooth chirp waveform is generated in FMCW radar signal generation with a chirp duration of 32 microseconds and a chirp cycle of 64. The radar frequency is fixed at 76.5 GHz and the sampling frequency is 5 MHz. The Sweeping Bandwidth is configured as 0.2 GHz. Radar targets of three categories were taken for the simulation, such as cars, bikes, and synthetic objects positioned 0.5 m above the street. Signal characteristics of 10 dBm transmit power, 17 dB transmit gain, and 15 dB receiver gain are assigned. In the channel configuration, the −130 dB noise floor and 10 dB receiver noise figure are fixed. The reception angle for radar is 160° in two receive antennas of 15 dB variance amplitude. For training, we created our dataset of echo radar data cubes with a size of 160 × 64 × 8 in seven different SNR ranges from 0 dB to 30 dB in the count of 21,000 samples. Out of this, 85% of samples were used for training and 5% for validation. The remaining 10% is for testing in the deep learning of RTD. We created a dataset consisting of recognized targets in various locations, moving at variable speeds. The focus is on three types of targets: a car, a bike, and synthetic points, utilizing automotive FMCW radar systems. Figure 11 displays the sample images of the radar echo cube.

To prove the efficiency of adversarial attack prevention, the performance of RMSE for different scenarios is created and analyzed. The OHODnet is verified without any adversarial attack and evaluated for case 1. For the second case, with an adversarial attack, the OHODnet is evaluated. Finally, for the third case, the AOHODnet with adversarial attacks, and the RMSE of range and velocity target predictions are calculated and compared.

The generated images and training of adversarial attacks in DAALnet and TDDLnet are shown in Figure 12 and Figure 13, respectively. In both figures, section (a) depicts the generated image slices of corresponding deep learning model feature maps, and section (b) illustrates the training progress of several iterations versus score convergence in both the generator network and discriminator network. It provides a comparative analysis of how each network’s performance evolves over time. By analyzing, we can gain insight into the stability and efficiency of the training process. Furthermore, observing the convergence patterns helps in understanding the dynamic interplay between the generator and discriminator, important for optimizing the overall model performance.

Figure 14 illustrates the performance comparison of RMSE in the range parameter estimation using the proposed OHDL with and without adversarial network and different earlier works of EDACM [40], DAE [41], ‘IYoLov4-tiny’ [42], ‘SALA-LSTM’ [43], ‘CNN’ [44], ‘RNN’ [45], ‘FFT’ [46], and ‘CFAR’ [47]. In all the curves, as SNR increased, the RMSE was reduced. At 0 dB of SNR, the RMSE value for OHDL with and without adversarial network attains 1.3858 and 1.4230, respectively. For the same SNR, 1.7912, 1.7979, 2.4006, 2.3890, 2.7525, 2.7151, 3.2233, and 3.2134 are attained by EDACM, DAE, ‘IYoLov4-tiny’, ‘SALA-LSTM’, ‘CNN’, ‘RNN’, ‘FFT’, and ‘CFAR’, respectively.

Figure 15 shows the RMSE comparison of radar target velocity value for proposed and existing methods. At 30 dB of SNR, the RMSE values of OHDL with adversarial network, OHDL, EDACM, DAE, ‘IYoLov4-tiny’, ‘SALA-LSTM’, ‘CNN’, ‘RNN’, ‘FFT’, and ‘CFAR’ methods are 0.0000, 0.0139, 0.5982, 0.0599, 0.1157, 0.7809, 1.1825, 1.2869, 1.6136, and 1.8503, respectively.

Figure 16 illustrates the performance of RMSE in range estimation using an adversarial attack network in our proposed model OHDL. OHDL is efficiently used for RTD. When an attack involving OHDL performance degrades, which is overcome by introducing AOHDL (adversarial network), the RMSE is improved. The RMSE performance of the proposed velocity estimation is shown in Figure 17 with and without attack on OHDL and adversarial learning-based OHDL of AOHDL. AOHDL attains almost the same performance as OHDL without an attack on the radar system, which shows the efficiency of our prediction.

Figure 18 depicts the performance of time complexity of the adversarial learning system applied to the radar target detection platform with the deep learning model of OHDL. Compared to simple OHDL, AOHDL has high time consumption due to the design injection of an adversarial RGAN network into the DAALnet and TDDLnet. But at the same time, it is less than that of other earlier methods.

The RMSE values of different SNRs and different methods are shown in

Table 5. RMSE comparison of range estimation.

Method	Proposed AOHDL	Proposed OHDL	EDACM	DAE	IYoLov4-tiny	SALA-LSTM	CNN	RNN	FFT	CFAR
SNR (dB)
0	1.3858	1.4230	1.7912	1.7979	2.4006	2.3890	2.7525	2.7151	3.2233	3.2134
5	0.9641	1.2064	0.9926	1.6154	1.7551	1.7749	2.2075	2.5508	3.0792	2.9172
10	0.4077	0.6199	0.9768	0.8561	1.1182	1.1223	1.5647	2.0185	2.5877	2.7920
15	0.1974	0.3859	0.9323	0.7807	1.1074	0.9606	1.5259	1.8816	2.5317	2.6641
20	0.1800	0.3666	0.6957	0.6879	0.9850	0.9490	1.3687	1.5487	2.3325	2.5249
25	0.1673	0.1963	0.6677	0.6518	0.8349	0.9161	1.2309	1.4634	1.8885	2.3750
30	0.0994	0.1816	0.5191	0.6090	0.4445	0.8986	1.1848	1.3858	1.8745	2.1016

for range estimation, and

Table 6. RMSE comparison of velocity estimation.

Method	Proposed AOHDL	Proposed OHDL	EDACM	DAE	IYoLov4-tiny	SALA-LSTM	CNN	RNN	FFT	CFAR
SNR (dB)
0	0.7364	0.7738	0.8977	1.3787	1.8796	1.5243	2.2306	2.3600	2.7736	2.6874
5	0.3837	0.4085	0.8238	1.2244	1.1700	1.4605	1.4903	2.2395	2.4385	2.6203
10	0.2759	0.3018	0.8069	1.0524	1.1696	1.1170	1.4716	1.9356	2.4062	2.5430
15	0.0502	0.2057	0.7839	0.7919	1.0218	1.0909	1.4305	1.8407	1.9735	2.4357
20	0.0104	0.0695	0.7217	0.7255	0.9082	0.9946	1.4134	1.6086	1.8396	2.0496
25	0.0104	0.0332	0.6484	0.6692	0.3538	0.9330	1.3150	1.5648	1.7609	1.9006
30	0.0000	0.0139	0.5982	0.0599	0.1157	0.7809	1.1825	1.2869	1.6136	1.8503

for velocity estimation. In

Table 7. KPI comparison for different scenarios of adversarial attack in proposed AOHDL at 10 dB of SNR.

KPI	Implementation Methods
	OHDL without Attack	OHDL with Attack	AOHDL with Attack
Accuracy (%)	99.40	97.52	99.10
Precision (%)	99.39	97.49	99.11
Recall (%)	99.41	97.72	99.10
FPR	0.30	0.87	0.45
F1-Score (%)	99.39	97.48	99.10
Mathews Correlation Coefficient (%)	99.10	96.13	98.65
Kappa Coefficient (%)	98.65	94.22	97.98

KPI: key performance indicator.

, we tabulated the evaluation metrics of proposed AOHDL with attack and compared it with OHDL with and without attack scenarios. OHDL without adversarial attack obtains the best performance. When the attack insisted on the radar, OHDL was degraded, showing the lowest results. This degradation is enhanced by our proposed AOHDL, which attains results almost similar to the absence of an attack environment.

Figure 19 shows the performance prediction accuracy in the radar target detection system of multiple implementation algorithms compared with those with the proposed AOHDL. The proposed accuracy reached 100% at SNR of 15 dB. At the same SNR, 99.9%, 99.51%, 99.18%, 99.1%, 98.9%, 98.55%, 98.4%, 98%, and 97% are attained with OHDL, DAE, EDACM, ‘IYoLov4-tiny’, ‘SALA-LSTM’, ‘CNN’, ‘RNN’, ‘FFT’, and ‘CFAR’, respectively.

4.1. Complexity Analysis of Adversarial Learning

It was argued in [48] that there might be an inherent tension between accuracy and adversarial robustness. We argue that this potential tension disappears for a rich class of learning algorithms if we consider q-bounded adversaries. We show that if a learning algorithm satisfies a particular natural property, then there is a lower bound for the complexity of this algorithm that grows with accuracy. For a rich class of learning algorithms, our security guarantee against bounded adversaries increases with accuracy. Figure 20 depicts the performance of multiple interference scenarios in the prediction of range and velocity estimation. As the interferences are reduced in the environment, the prediction RMSE is reduced as much as possible, as shown in Figure 20.

Figure 21 illustrates the RMSE of the proposed AOHDL method in a dynamic radar environment, where targets of varying speed—humans, bicycles, and cars—are analyzed. As the speed of the moving targets increases from humans to cars, the RMSE correspondingly rises, reaching a peak of 1.66 at 0 dB signal-to-noise ratio (SNR) for cars, whereas the RMSE values for bicycles and humans are 1.04 and 0.59, respectively, under the same conditions.

4.2. Time Complexity of Computation in AOHDL

Findings from studies indicate that learning rate and batch size are two characteristics that significantly impact computational complexity [48]. Increasing the batch size will make the model more computationally difficult. Therefore, to obtain a true measure of the model’s complexity, you must multiply these two parameters. You may figure out the convolution layer’s temporal complexity by calculating:

$$\left(\sum _{n=1}^d{k}_{n-1}\times s_n^2\times f_n\times l_n^2\right)\times r_1\times b_1$$

(32)

Here, $k_{n-1}$ defines the number of input channels in the lth layer, $s_n$ is the length of the filter, $f_n$ is the number of filters in the nth layer, d is the depth of the convolutional layer, $l_n$ is the length of the output feature map, $r_1$ is the learning rate, $b_1$ is the batch size.

The time complexity of the fully connected layer can be calculated as:

$$\left(\sum _{i=1}^{f}D\ast W\ast H\ast N\right)$$

(33)

The fully connected layer’s depth is denoted by l, while the input/output channel’s dimension is defined by D, and W, H, and N are the input’s width, height, and the number of outputs, respectively.

5. Conclusions

In this paper, we propose a method for enhancing radar target detection in the FMCW system using a deep learning model in the presence of adversarial attack. Adversarial attack prevention is performed by integrating the Radar Generative Adversarial Network (RGAN) into Adversarial Learned Optimized Hybrid Deep Learning (AOHDL). By utilizing an adversarial learning structure, the low SNR signals can combine the advantages of GAN, L1-norm regularization, and L2-norm regularization to train RGAN. The findings of our experiment show that the combination of RGAN and OHDL-based detectors may achieve an outstanding identification probability and a tiny false alarm probability. For prospective implementation, our main focus can be on domain adaptability within adversarial learning networks.