Design of a Cyberattack Resilient 77 GHz Automotive Radar Sensor

: In this paper, we propose a novel 77 GHz automotive radar sensor, and demonstrate its cyberattack resilience using real measurements. The proposed system is built upon a standard Frequency Modulated Continuous Wave (FMCW) radar RF-front end, and the novelty is in the DSP algorithm used at the ﬁrmware level. All attack scenarios are based on real radar signals generated by Texas Instruments AWR series 77 GHz radars, and all measurements are done using the same radar family. For sensor networks, including interconnected autonomous vehicles sharing radar measurements, cyberattacks at the network/communication layer is a known critical problem, and has been addressed by several different researchers. What is addressed in this paper is cyberattacks at the physical layer, that is, adversarial agents generating 77 GHz electromagnetic waves which may cause a false target detection, false distance/velocity estimation, or not detecting an existing target. The main algorithm proposed in this paper is not a predictive ﬁltering based cyberattack detection scheme where an “unusual” difference between measured and predicted values triggers an alarm. The core idea is based on a kind of physical challenge-response authentication, and its integration into the radar DSP ﬁrmware.


Introduction
During the last decade, various levels of connectivity and autonomy gained significant importance in automotive industry, and this trend triggered large research projects both in the academia and in the industry [1,2]. There are a multitude of key developments behind this trend which include advancements in electronic, communication, and remote sensing technologies to increase efficiency and improve safety and reliability. However, these key technologies also introduced new and quite challenging problems, and cybersecurity for autonomous vehicles (AV) is among the most important ones. In this paper, we will focus on physical layer cyberattacks to AV radar sensors. In an AV system, radars are typically used for target detection, and range/velocity estimation, and AV algorithms use this information for steering decisions [3,4]. Any kind of cyberattack to an AV system may cause serious and/or fatal accidents.
Cyberattacks can be of passive type where an adversarial agent simply listens to the information received by the sensor, or of active type where an adversarial agent generates physical signals to spoof the sensor [5]. All AV radar sensors, whether isolated or part of a sensor network, are susceptible physical layer attacks. For example, we may have an autonomous vehicle equipped with a 77 GHz radar, and a secondary 77 GHz transmitter may generate electromagnetic waves which may cause a false target detection, false distance/velocity estimation, or not detecting an existing target. If the autonomous vehicle is also a part of a connected AV system, we can have cyberattacks at the network/communication layer too. For a network/communication layer type attack, the adversarial related to the authors' previous simulation based study [18] where all of the above objectives are taken into account for a different algorithm. In this work, we have a significantly improved algorithm which is tested using real data obtained by utilizing the techniques developed in References [19][20][21].
Our results are consistent with the simulation based approach of Reference [18]. Basically, false alarm rate of the system, P F , seems to be extremely small to measure experimentally, therefore we indirectly estimate this small probability using certain other measured parameters. The probability of miss, P M , depends on the cyberattack signal power. For very "weak" cyberattacks, probability of miss P M can be quite high, but their effect on radar DSP performance will be also very small, see Section 7. We carefully study cyberattacks which are just below the detection threshold, and hence not detected, that is, missed. Our attack resilient radar DSP algorithm is designed to be robust for such cases, and it will be shown that the effect of such cyberattacks which are just below the detection threshold are comparable to the effect system noise, see Section 7. This is probably the most important observation made in this work.
The remainder of this paper is organized as follows: In Section 2, we will describe general FMCW radar basics and Texas Instruments (TI) AWR series radars used in this work. In Section 3, high level description of the proposed system is presented, cyberattack detection and attack resilient radar DSP algorithms are given in pseudo code format. In Section 4, we present our experimental setup, and how data is collected for different attack scenarios. In Section 5, we analyze system noise, which affects both the radar performance, and the cyberattack detection threshold. In Section 6, we analyze the cyberattack detection algorithm under various attack scenarios. Finally, in Section 7, we study the performance of the proposed radar DSP algorithm for cyberattacks which are just below the detection threshold.

Review of FMCW AV Radars
An FMCW AV radar may have multiple transmit and receive antennas, and this multi-input/multi-output (MIMO) architecture can be used for beam forming and direction finding. One of the most critical components of an FMCW radar is the voltage controlled oscillator (VCO) with output frequency changing with input voltage. Most VCOs exhibit some nonlinear behavior, but various non-linearity correction methods are known to mitigate this problem, see References [22,23] and references therein for details.
The block diagram of a standard FMCW radar with a single transmit (TX) and single receive antenna (RX) is given in Figure 1.  The block labeled as mixer and low-pass filter (LPF) multiplies the transmitted and received signals, and outputs the low-pass filtered result to the analog to digital converter (ADC) block. After that, we have the radar DSP block which is responsible for target detection, and range/velocity estimation.
The transmitted signal S T (t) can be written as where θ T is a constant, A T (t) is the VCO output amplitude, and f T is the instantaneous VCO output frequency as a function of the VCO control input voltage v i . We assume that one of the known VCO non-linearity correction methods is already implemented, and hence f T where f 0 is the initial VCO frequency, v i,max is the maximum VCO control input voltage, and B is the VCO bandwidth. If there is an object at distance d from the radar, the received signal, S R (t), will be a delayed and possibly attenuated copy of the transmitted signal. More precisely, where h = 2d/c, d is the target distance, and c is the speed of light. In this case, the output of the mixer and LPF will be the beat signal, S(t), where where θ is a constant, and A(t) is the beat signal amplitude.
Depending on the sign of the VCO sweep, s ∈ {−1, +1}, that is, the sign of the ramp input to the VCO, beat signal frequency will be where d is the target distance, v is the target velocity, t d is the sweep duration, and B is the sweep bandwidth. If the VCO is driven by a triangular signal having both positive and negative ramps, spectral analysis of the beat signal for positive and negative ramps can be used to estimate the target distance and velocity simultaneously. Although this 1D spectral approach works quite well if there is a single reflector, alternative techniques are necessary for crowded environments with multiple reflectors. More specifically, for an AV related application, if we would like to detect moving objects with relatively smaller radar cross section, a different 2D FFT based technique can be used, see References [24][25][26][27][28] and references therein. However, there are certain performance limitations of FMCW radars [19,24,25]. If the beat signal is sampled at frequency f s , the resolution in target distance estimation (δd) will be which indicates that VCOs with higher bandwidth will have better distance (range) resolution. The maximum unambiguous range of an FMCW radar (d max ) will be namely, increasing the sampling frequency improves the maximum distance. For moving targets, the maximum unambiguous velocity will be where t d is the chirp duration [19,24,25]. In an FMCW radar system, a frame is defined as M chirps combined together. Using 2D FFT techniques, velocity can be estimated with resolution see References [19,24,25] and references therein. In Reference [29], the authors have a real-time demo video for 2D FFT based heat-map generation using TI AWR series radars.

Review of the Texas Instruments 77GHz Automotive Radar
In this section, we summarize some of the configuration parameters of the TI AWR1642 automotive radar used in this work, see Figure 2. All of our cyberattack detection tests, and all radar DSP performance tests are done using real data, and all experimental data is obtained by using this specific 77 GHz radar. Indeed to generate a realistic cyberattack, we used two of these radars units, see Figures 5 and 6. Although TI has a MATLAB based offline recording solution, we have used the real-time framework developed in Reference [19]. TI AWR1642 is an FMCW radar at 77GHz with a maximum bandwidth of 4 GHz. When it is used with the DCA1000 FPGA board, a single chirp will have t d = 160 µs duration, which is repeated N r = 128 times over a T m = 40 ms time frame. Furthermore, during a single chirp, data is acquired at 10 MHz for 25.6 µs. See References [19,20] for our detailed real-time radar framework, and a sample AV application.

Cyberattack Detection System
In this section, we will describe the architecture of the proposed cyberattack detection system. Performance analysis using real data will be presented in the following sections.
Our high-level system block diagram is shown in Figure 3. For simplicity, the power amplifier before the transmit antenna, and the low noise amplifier after the receive antenna are not shown. Similarly, the low pass filter after the mixer is not included in the block diagram. To further simplify the discussion, we adopt the complex signal notation, and use a single ADC block after the mixer. If we use the real signal notation, there will be a 90 o phase shifter, two mixer circuits, two low pass filters, and two ADCs for in-phase and quadrature components.
Compared to a standard FMCW radar system, the main difference of the proposed system is the random signature generator software block, which generates a random sequence of 1's and 0's. The ramp generator outputs a positive slope ramp for 1's, and a negative slope ramp for 0's. In other words, for each chirp, either a positive or a negative frequency slope is selected on a random basis. Note that, we are using a standard FMCW radar RF subsystem and hardware, and we have one extra software block for generating random signatures to control the ramp generator, and another extra software block for cyberattack detection DSP algorithm. In the proposed system, the AV sensor software block has a slightly modified DSP algorithm to suppress the effects of "weak" undetected attack signals, and detailed analysis of this will be presented in the following sections.
Consider an AV radar with N TX transmit, and N RX receive antennas. We assume that each transmit antenna is driven by the same VCO with optional phase shifters for beam forming, and each receive antenna has its own signal path consisting of its own mixers, and ADCs. Our focus will be on the N RX = 1 case, because the proposed cyberattack Detector (Detection DSP) block shown in Figure 3 can be added to all (or some) of the receive signal paths as independent cyberattack detectors.

Mathematical Notation
In this section, we will summarize the mathematical notation used to describe the proposed system. As shown in Figure 4, the AV radar outputs a chirp signal in every t d seconds. However, the slope of the chirp is based on the randomly generated signature, and can be either positive or negative. Positive slope chirps are shown in blue color, have increasing instantaneous frequency, and are marked with a 1 on the top. Negative slope chirps are shown in red color, have decreasing instantaneous frequency, and are marked with a 0 on the top. These non-overlapping chirp windows are denoted as I 0 , · · · , I M−1 , and we have a total of M chirps followed by a blank period of T m − Mt d seconds. This time window of T m seconds is called a measurement cycle, or frame duration, and the corresponding received data is called the frame data. Basically, the AV Sensor (Radar DSP) block shown in Figure 3, outputs an estimate about the environment in every T m seconds. This estimate usually consists of a set of identified targets (or reflectors), their distance and velocity values. In most radar applications, this is done by using the 2D FFT of the frame data, and some additional post-processing.
We now introduce some relevant notation for random signatures. Let Z M be the set {0, · · · , M − 1}. The set of all functions from Z M to {0, 1} will be denoted by {0, 1} Z M . Basically, a random signature is a function in {0, 1} Z M with some extra conditions. More precisely, a ρ ∈ {0, 1} Z M is a random signature iff it is equal to 1 for M/2 values in Z M , and is equal to 0 for the remaining M/2 values in Z M . In other words, a ρ ∈ {0, 1} Z M is as a random signature iff ∑ k∈Z M ρ[k] = M/2. The set of all possible random signatures will be The reason behind this M/2 value is the inequality in other words, the M/2 which appears in the definition of R results in the largest set of random signatures, equivalently the largest size for the set R. Basically, for each frame a randomly selected element of R will be used as the random signature ρ. The slope of each chirp in a frame is determined by the value of ρ at the chirp index. In other words, if ρ[k] = 1, then the k th chirp in the time window I k will have positive slope, that is, increasing instantaneous frequency. However, if ρ[k] = 0, then the corresponding k th chirp in the time window I k will have negative slope, that is, decreasing instantaneous frequency. (See Figure 4).
The set R is indeed a very large set, because the cardinality of R is M M/2 , and where we used the inequality √ 2π n n+ 1 2 e −n ≤ n! ≤ e n n+ 1 2 e −n . For M = 128, we have at least 2 × 10 37 random signatures in R. If the AV radar is used continuously for 100 years with 25 frames/s, we will use only 25 × 3600 × 24 × 366 × 100 ≤ 8 × 10 10 (11) frames, which is less than 10 −26 times the total number of random signatures in R. In our proposed design, the AV radar is operated according to the following procedure: 1. In every measurement cycle, a random signature ρ ∈ R is selected randomly. 2. Throughout the measurement cycle, there will be total M chirps with index k = 0, · · · , M − 1.
3. If ρ[k] = 1, the ramp generator outputs a positive slope ramp resulting in an up-chirp. Otherwise, the ramp generator outputs a negative slope ramp resulting in a down-chirp.
In Figure 4, a sample AV radar frame is shown. There are N r = 10 chirp windows, and half of them, I 0 , I 2 , I 5 , I 8 , I 9 , are up-chirps (shown in blue color), and the remaining ones are down-chirps (shown in red color). For each measurement cycle, we re-select a ρ ∈ R. Note that, there are blank periods between successive chirps, which can be used for VCO relaxation. There are also blank periods between successive frames, that is, T m − Mt d , which can be used for on-chip signal processing of the frame data. The signal observed at the input of ADCs, is denoted by y k [m], where k = 0, · · · , M − 1 is the chirp index, and m = 0, · · · , N s − 1 is the sample index. Our mathematical model is where s k is the received signal when there is no system noise and no attack. The term n k is the effective noise term which represents system noise in a mathematically equivalent formulation.
Although several subsystems of an AV radar can generate different levels of noise, eventually their combined effect will appear as an added term, n k , at the output of the ADC block (See Figure 3). The term a k is the effective attack signal. Although one can consider so many different attack scenarios, eventually all attack signals will appear as an added, a k , at the output of the ADC. This mathematical formulation allows us to study the effects of noise level, and cyberattack signal power level separately. The motivation behind the proposed approach can be explained as follows: The AV radar system knows the random signature ρ, but does not know a k [m]'s. On the other hand, the attacking agent may have full information about the AV radar system architecture, may even know chirp start/end times, but we assume that it does not know the random signature. Because of the rapid switching pattern of the AV radar, we assume that the attacking agent cannot determine the value of ρ[k] while we are in the interval I k . This is a very realistic assumption, because for the Texas Instruments radar used in this work, the transmitter is active for only 60 µs during every chirp, and for each chirp the slope is re-selected on a random basis. Identifying the nature of the received RF waveform, finding the slope of the chirp, and generating an intelligent counter attack signal in such a short period of time requires noticeable effort and resources. Basically, by the time that the attacking agent determines the slope, that chirp cycle will be over, and the next chirp cycle will begin with a new random slope.
Our cyberattack Detection DSP algorithm is presented in Algorithm 1. The main motivation behind this specific detector design is the following: For up-chirps, the complex beat signal will have only positive frequency components in its FFT decomposition, whereas for down-chirps, we will have only negative frequency components. In reality, because of system noise, we will always observe both negative and positive frequency components. However, for up-chirps, the average power at negative frequencies should be small, and for down-chirps, the average power at negative frequencies of the reversed signal should be small. By comparing this with the average power of system noise, we can design a detector. Of course, the threshold selection, and associated false alarm rates are important design parameters. These will be discussed in the following sections using real data.
In Line 3 of the Algorithm 1, we have For up-chirps, we compute the average power at negative frequencies, and for down-chirps we first do time reversal and then compute the average power at negative frequencies. For a given one dimensional signal y[m] defined for m = 0, · · · , N s − 1, the Y = FFT(y) is defined as and the average power at negative frequencies is defined as Maximum of these average power values, P, are compared with 2σ 2 n , where σ 2 n is the average power of the system noise. Basically, a P value below 2σ 2 n does not trigger an alarm, however larger P values will be considered as suspicious, and the cyberattack alarm will be triggered.
Our AV sensor Radar DSP algorithm is presented in Algorithm 2. It is similar to a standard 2D FFT based range-velocity heatmap generation algorithm. As in the Detector DSP code, we start with DC offset removal, and then do time reversal for down-chirps. Then we define the complex matrix I, compute its 2D FFT, then do f f tshi f t, followed by element-wise absolute value. The 2D FFT of I is denoted by F = FFT(I), and is equal to The f f tshi f t which appears in Line 6 of Algorithm 2 is defined as provided that A, B, C, D are square matrices of same dimensions. Similary, the absolute value of a matrix is defined as the element-wise absolute value, namely for a given p × q matrix A, B = |A| is defined as In Line 8 of Algorithm 2, the notation 0 p,q means the p × q zero matrix. Input: Frame data, y k [m], k = 0, · · · , M − 1, and m = 0, · · · , N s − 1, and the random signature function ρ for the given measurement cycle. Result: Range-velocity heatmap as a 2D real matrix or as an image.
/* DC offset removal and time reversal */ 1 for Delete the columns m = 0, · · · , N s /2 − 1 of the resulting F matrix 10 Optional: Normalization, rotation, apply a colormap to F, etc.

Experimental Setup and Measurements
In this section, we will briefly describe our experimental setup, and the equipment used for testing. As hardware, we have two 77 GHz Texas Instruments radars, a Lattice FPGA board for streaming the received data to a host PC, a host PC for recording radar data, and interface cables. The list of equipment used in our experiments are shown in Table 1. We have also two different software packages from Texas Instruments as shown in Table 2. Our experimental setup shown in Figure 5 consists of two 77GHz radars. The radar on the left is AWR1642BOOST and is used to generate the attack signal. The radar on the right is AWR1642BOOST-ODS with wider field of view antenna, and is used as the AV sensor. This second radar receives the signals generated by its own transmitter, as well as the attack signals generated by the first radar. The mmWave Studio is used for the configuration of the radar used as the AV sensor (i.e., AWR1642BOOST-ODS), and the FPGA board DCA1000 EVM. The FPGA board is used for streaming the measured radar data to the host PC over a Gigabit Ethernet connection. Although recording can be done using the mmWave Studio software, we used our own Python programs for more flexible recording and real-time visualization options. The mmWave Visualizer software is used for operating the radar AWR1642BOOST which is used to generate attack signals. Both TI software packages, as well as our Python programs for recording and visualization run on the same host PC. In the following, the radars AWR1642BOOST and AWR1642BOOST-ODS are called the attack and the AV radars respectively.
Two independent 77GHz radars The radar on the left generates the attack signal The radar on the right is an independent AV sensor Figure 5. Our experimental setup consists of two 77 GHz radars. The radar on the left is used to generate the attack signal. The radar on the right is used as the AV radar sensor, and receives reflections of its own transmitted signal, as well as the attack signals generated by other radar.
We have done various field tests using the setup shown in Figure 6. Basically we have recorded data for cars driving in front of the radar, as well as pedestrians walking in front of the radar. To be able to analyze different factors, we have conducted three different types of measurements as shown in Table 3. For the first type of measurements, we turn off all transmitters and record only the system noise observed on the receive signal path of the AV radar. This will enable us to understand more about the nature of measurement noise. But more important than that, we can use amplified versions of the noise signal to generate different test data sets. For the second type of measurements, the attack radar is off, and the AV radar is used to record real data for various test cases. These test cases include a vehicle moving in front of the AV radar, and a pedestrian walking in front of the AV radar. Real data for both moving towards and away from the AV radar has been recorded, and this will also be quite useful to generate various test data sets. For the third and final type of measurements, the attack radar is on, AV radar's transmitter is off, but its receiver is on. This will enable us to record the effect of the attack signal only. Once we have these recordings, we can continuously scale both noise, and the attack signal in very small steps, and generate a very large number of test data sets for the proposed algorithms.
Basically, instead of positioning the attack radar in hundreds of different positions, we consider only a couple of different positions and record the effect of the attack radar for these cases only. But later we scale the effective attack signal, a k , to generate hundreds of test data sets for varying levels of attack signal power. This kind of approach makes the radar experiments more controllable.
In a similar fashion, instead of driving the test vehicle in hundreds of different tracks to generate hundreds of different SNR levels, we consider only a couple of different tracks and record the received data for these cases only. But later we scale the effective noise signal, n k , to generate hundreds of test data sets for varying levels of SNR. This kind of approach also makes the radar experiments more controllable.
Basically, we use the following equation to generate various test cases where s k is a signal recorded in a Type II measurement, n k is a signal recorded in a Type I measurement, and a k is a signal recorded in a Type III measurement. The constants c 1 , c 2 are positive real numbers, and are used to generate test data sets with varying SNR, and cyberattack signal power levels. In the following sections, performance of the cyberattack Detection DSP algorithm, as well as the Radar DSP algorithm are analyzed by using these test data sets. The advantage of this approach is the fine control that we have on SNR, and cyberattack signal power levels.

Analysis of System Noise
In this section, we analyze statistical properties of system noise using a Type I measurement data. Basically, the analysis presented in this section shows that we can model the system noise as white Gaussian noise (WGN). Hence, instead of using a limited set of recorded noise data, we can generate synthetic noise data and do more realistic performance tests for the proposed detector.
In Figure 7a, the real part of the measurement noise is shown in discrete time domain. There are basically M = 128 chirps, but only 4 of them are shown. For each chirp, we have a total of N s = 256 samples. In Figure 7b, we have real and imaginary parts of system noise is shown for a single chirp. In Figure 8a, normalized autocorrelation of the system noise is shown. The autocorrelation is computed using the unbiased method, and the figure shows that the noise is quite white (Here we silently assume ergodicity of the noise process). In Figure 8b, we study the correlation between the real and imaginary part of system noise using actual data. The 2D histogram has a reasonably smooth circular shape, and the estimated correlation coefficient is less than 0.05 in absolute value. Finally, in Figure 9, we have the empirical PDFs of real and imaginary parts of system noise, and the fitted normal distributions with parameters estimated from real data. The analysis presented above shows that the system noise can be viewed as a white Gaussian noise. Based on this observation, we can generate different test data sets: (1) Using recorded system noise and scaled versions of it, or (2) using just pseudo random number generators without using a recorded noise data.

Analysis of the cyberattack Detection DSP
In this section, we will demonstrate the effectiveness of the proposed cyberattack Detection DSP, and summarize our test case generation methodology. Basically, to generate a test case, we will first choose a radar data, s k , which is recorded with no extra noise, or attack signal source. Then we add a scaled version of system noise, and then a scaled version of a recorded attack signal. As summarized in Table 3, (1) For a recorded system noise, n k , all transmitters are off (a.k.a. Type I measurement), so that we capture only the system noise, (2) For a recorded radar data, s k , the Attack Radar TX is off (a.k.a. Type II measurement), so we capture only the signal reflected from a target (A car or a pedestrian), (3) For a recorded attack signal, a k , Attack Radar TX is on, but AV Radar TX is off (a.k.a. Type III measurement). In this case, we capture only the effect of the attack signal.
Then we use y k = s k + c 1 n k + c 2 a k to generate multiple test cases. This weighted addition is done after all measurements are completed, and allows us to play with relative strengths of noise and attacks signals easily. In summary, we use recorded radar data s k , recorded or synthetic noise, n k , and recorded attack signal, a k , and do the weighted summation to generate test cases.
Our test cases can be grouped under 5 different headings as shown in Table 4. Attacker has full VCO sync information, and selects the frequency slope randomly Basically, eWGN corresponds to an experiment where the attacker generating white Gaussian noise. The case eTX2 corresponds to an experiment where Attack Radar TX is generating successive chirp signals to attack/confuse the AV Radar. The case eTX2R is basically the same as eTX2 with random frequency slope selection on the Attack Radar. Namely, the Attack Radar is randomly choosing between positive and negative frequency slopes. For the eTX2 and eTX2R cases, VCO's of the AV Radar and the Attack Radar are not synchronized. To test VCO synchronized attacks, we have two more test cases, eTX1 and eTX1R. The eTX1 case, corresponds to an experiment where the Attack Radar is generating a TX signal for a different environment with possibly fake targets. The eTX1R is basically the same as eTX1 with random frequency slope selection on the Attack Radar.
The attack types WGN, eTX2, and eTX2R look more standard attack types, but eTX1 and eTX1R are smarter attacks where Attack Radar TX is generating a signal which will cause the AV Radar to sense a different environment with possibly fake targets. However, the random signature generator block implemented in the proposed AV Radar system detects such attacks.

Analysis of False Alarms
In this subsection, we present detector statistics when there is no attack, and use these to estimate the false alarm rate. Test cases presented in Table 4 will be analyzed in the following subsection.
In Figure 10, we have the PDF of the detector output when there is no attack signal. To generate this PDF, we have used a recorded data set consisting of 1000 frames. Basically a car was driven in front of the radar, no attack signal was generated, and the received radar data was recorded. Recall that, the algorithm used in the Detection DSP block is presented in Algorithm 1, and outputs a real value, dratio, and a boolean value decision. The PDF presented in Figure 10 is for the real value, dratio. As seen in Figure 10, dratio is always below 2.
To estimate the false alarm rate, we first model this empirical PDF as a normal distribution. The best fitted normal distribution seems to be N(1.23, 0.14). Under the assumption that the detector output is a normal distribution, the probability of detector output, dratio, exceeding the threshold 2 can be approximated as where x is N(0, 1) random variable. This is basically the probability of false alarm. Using standard identities for the CDF, Φ, and the error function, er f , we get Φ((2 − 1.23)/0.14) = (1 + er f ((2 − 1.23)/0.14/ √ 2)) ≈ 1 − 2 × 10 −8 .
Therefore, the false alarm rate is estimated as well below 10 −6 . Authors tried multiple other recorded data sets but, despite all attempts, were unable to generate even a single false alarm.

eWGN Cyberattack Test Case
In this test case, the attack signal a k is a randomly selected frame of a recorded system noise (Type I recording). Note that, we multiply this a k with a coefficient c 2 , and increase or decrease the strength of the attack signal for a more a detailed analysis.
The radar data s k is a recorded receive signal when there is a moving target, but no attack signal (Type II recording). This is basically obtained from a randomly selected frame of a recording when a vehicle is being driven in front of the AV radar sensor.
The noise signal n k is another randomly selected frame of a recorded system noise (Type I recording). Note that, we multiply this n k with a coefficient c 1 , and increase or decrease the strength of the noise signal to obtain different SNR levels.
As seen in Figure 11b, when the attack signal becomes comparable to noise level, the detector output will exceed the threshold 2 and cyberattack alarm will be triggered. Plots in Figure 11 also contain experimental results from 100 different synthetically generated noise signals, n k . For each SNR level, we have a min and max of detector output computed and shown in same color. Basically, upper and lower envelopes seem to be very close to each other, indicating little variation with respect to the actual values in the noise sequence. The same analysis is done for all of the other cases discussed in this section.  Figure 11. Test case eWGN . The horizontal orange colored line is the detection threshold. In (a) with respect to the beat signal level, and in (b) with respect to the noise level. Figure 11a presents these from a different perspective: For a high SNR case, attacks with power levels well below the beat signal power level will be detected easily. As SNR level degrades, and noise level increases, attack signals need more power to trigger an alarm. This is related to a very important question: What is the "maximum" harmful effect that can be induced by an attack signal which is just below the detection threshold. How it effects target detection, and distance/velocity estimation performance? These are all addressed in the next section.

eTX2 Cyberattack Test Case
This case is similar to eWGN, but the attack signal is different. In this test case, the attack signal a k is a randomly selected frame of a recorded attack signal (Type III recording). During this recording, Attack Radar's TX was on, but the AV Radar's TX was off. Using the AV Radar's RX system, we have recorded just the effect of the attack signal. As in the previous case, we also scale the noise, and attack signals with different values for a more detailed analysis.
As seen in Figure 12b, when the attack signal becomes comparable to noise level, the detector output will exceed the threshold 2 and cyberattack alarm will be triggered. The detector performance plots given in Figure 12a show that, as SNR get betters, detection of attacks will be easier.  Figure 12. Test case eTX2. The horizontal orange colored line is the detection threshold. In (a) with respect to the beat signal level, and in (b) with respect to the noise level.

eTX2R cyberattack test case
This case is very similar to the eTX2 case, but the Attack Radar is generating chirp signals with randomly selected slopes. Namely, randomly choosing a positive or negative frequency slope for each and every chirp in a frame.
As seen in Figure 13b, when the attack signal becomes comparable to noise level, the detector output will exceed the threshold 2 and cyberattack alarm will be triggered. The detector performance plots given in Figure 13a show that, as SNR get betters, detection of attacks will be easier.  Figure 13. Test case eTX2R. The horizontal orange colored line is the detection threshold. In (a) with respect to the beat signal level, and in (b) with respect to the noise level.

eTX1 Cyberattack Test Case
This case is similar to eWGN, but the attack signal is different. In this test case, the attack signal a k is a randomly selected frame of a recorded signal in a Type II recording. This corresponds to a case where the Attack radar and the AV radar has full VCO synchronization. Practically, this is not easy to achieve, but represents a more challenging and smarter attack test case.
As seen in Figure 14b, when the attack signal becomes comparable to noise level, the detector output will exceed the threshold 2 and cyberattack alarm will be triggered. The detector performance plots given in Figure 14a show that, as SNR get betters, detection of attacks will be easier.  Figure 14. Test case eTX1. The horizontal orange colored line is the detection threshold. In (a) with respect to the beat signal level, and in (b) with respect to the noise level.

eTX1R cyberattack test case
This case is very similar to the eTX1 case, but the Attack Radar is generating chirp signals with randomly selected slopes. Namely, randomly choosing a positive or negative frequency slope for each and every chirp in a frame.
As seen in Figure 15b, when the attack signal becomes comparable to noise level, the detector output will exceed the threshold 2 and cyberattack alarm will be triggered. The detector performance plots given in Figure 15a show that, as SNR get betters, detection of attacks will be easier.  Figure 15. Test case eTX1R. The horizontal orange colored line is the detection threshold. In (a) with respect to the beat signal level, and in (b) with respect to the noise level.

Detector Performance When There Is No Target
In this final subsection, we consider the case when there is no target. Namely, the AV radar receives just a noise like signal. To test the detector's performance, we use randomly selected frames of a noise recording as s k , and n k . As the attack signal, we used the signal used in the eTX2 case.
As seen in Figure 16, when the attack signal becomes comparable to noise level, the detector output will exceed the threshold 2 and cyberattack alarm will be triggered. However, compared to the previous cases, a slightly more powerful attack signal is required to trigger the alarm.

Radar Performance under Cyberattacks: Analysis of Radar DSP
We have seen that, when the attack signal becomes comparable to noise level, the detector output will exceed the threshold 2 and cyberattack alarm will be triggered. But what could be the worst case effect of undetected cyberattack signals? Namely, cyberattack signals which are relatively strong, but just below the detection threshold. In this section, we present 3 example cases (All eTX2 type). For each case, we have the radar DSP output when there is no attack, and when there is an attack which is just below the detection threshold. As seen in Figure 17, we see little difference in the radar DSP output, and in all cases the approaching object will be detected because of the bright yellow dot.
In these figures, the center line is the static background, and the bright yellow dot corresponds to an approaching vehicle. Basically, an attack signal just below the detection threshold does have an effect on the 2D range/velocity heat-map, and that's why the left and right images are different. Furthermore, the difference seem to be more noticeable for poor SNR cases. But this small difference seem to have no noticeable effect for approaching object detection. Because, for all cases presented in Figure 17, an approaching object is clearly noticeable because of the bright yellow dot. Difference also seems to be minor for range/velocity estimation, because the bright yellow dot seems to be almost at the same location for all cases.

Conclusions
In this paper, we have presented a cyberattack detection DSP algorithm, and an attack resilient radar DSP algorithm for 77 GHz AV radars. The proposed algorithm seem to have a very low false alarm rate, and for cyberattacks with power comparable to or larger than the noise level, all attacks seem to be detected. Finally, attacks which are just below the detection threshold and hence missed seem to have no noticeable effect on approaching target detection, and range/velocity estimation. All of these tests are done using real data collected by using the TI AWR series 77 GHz radars, and the real-time framework developed by the authors of References [19,21]. To demonstrate the effectiveness of the proposed algorithms, several attack scenarios are carefully analyzed. Both of the proposed DSP algorithms can easily be realized as radar firmware, and executed on the radar DSP processor. Finally, the proposed system is based on a standard FMCW radar RF front-end, and does not require fancy and more expensive RF components.