Physical-Layer Cyberattack and Interference Resilient Automotive Radars

In this paper, we present a physical-layer attack and interference resilient automotive radar system, and derive analytical upper bounds for the probability of not detecting an attack, and the probability of false attack alarm. We consider a quite general attack model and prove that if the attack signal level is above a defined relative threshold, both the probability of false attack alarm and the probability of not detecting an attack converge to zero exponentially with the number of samples acquired during a single chirp, and the number of chirps used in a frame. We also derive an analytical formula for this relative threshold, and prove that by selecting shorter frame durations, and using lower noise RF equipment, the threshold can be made as small as possible. Basically, by proper selection of radar parameters arbitrarily small attack signals can be detected almost always with almost no false alarms. We also present a numerical example using real measured data obtained from two 77 GHz automotive radars operated at the same time. Also using real data, we show that the proposed system reduces the negative effects of undetected weak attacks which are below the above mentioned threshold.


I. INTRODUCTION
Autonomous vehicles (AV), and advanced driver assistance systems (ADAS) rely on highly advanced sensors including millimeter wave radars, lidars, and multiple camera based vision systems. Each of these sensor technologies have their own pros and cons. Millimeter wave radars are quite effective in target distance and velocity measurements, direction estimation, and object identification [1]. A standard frequency modulated continuous wave (FMCW) AV radar offers no protection against physical-layer attacks, but using advanced signal processing techniques, a high degree of attack and interference resilience can be achieved. The report [2], [3] has a discussion of different attack scenarios for connected vehicles and AV radars. In [4], an attack resilient automotive radar design was introduced and its effectiveness was demonstrated using simulations. An similar attack resilient design was discussed in [5] and its effectiveness was demonstrated using real measured data, but without any theoretical performance analysis. In this paper, we present a new attack resilient automotive radar system, derive analytical The associate editor coordinating the review of this manuscript and approving it for publication was Christian Esposito . bounds on its attack detection performance, prove that the total risk can be made as small as possible, and demonstrate all of these using real measured data obtained from Texas Instruments 77 GHz automotive radars. All experimental data are obtained using the real-time raw data capture software developed in [6], [7].
A common technique for cyberattack detection is to use an estimator, and generate an alarm if a significant difference is observed between estimated and measured values. Regardless of the problem setup, a significant difference could be an indication of something unusual. Depending on how the difference is scored and thresholded, it is possible to define a variety of different attack detectors, for example see [8]- [11], and references therein. Also in [12]- [14], similar techniques are discussed. These attack detectors have an estimator which can be an analytical expression derived from a probabilistic model, or can be completely artifical intelligence (AI) based. However, for all such designs false attack alarms are always possible because observed differences may be due to simply natural measurement noise and/or estimation error. In general, thresholds should be selected to minimize false alarms without significantly degrading the attack detection capability, see [15] for a related edge case where gradually increasing VOLUME 8, 2020 This work is licensed under a Creative Commons Attribution 4.0 License. For more information, see https://creativecommons.org/licenses/by/4.0/ attacks are used to bypass detection and to destabilize the overall system. These estimator based techniques are known to be quite useful for detecting attacks at the communication layer, but the accuracy of the estimation model is of critical importance for reliable operation. Furthermore, the estimation models may need to be updated due to changing environmental conditions and hence may be difficult to maintain for proper system operation.
In [16], [17], physical-layer attacks on automotive radar sensors are discussed. The first one is based on estimators and the second one is based on a technique called spatiotemporal challenge-response (STCR) which does not depend on an estimation model. A related technique called, physical challange-respone authentication (PyCRA), is introduced in [18]. Both STCR and PyCRA techniques can be quite robust because they do not need an accurate estimator for reliable operation. For physical-layer attacks, there is a sensor which may or may not be connected to a communication network, and attacks occur at the physical level, i.e. adversarial agents generate physical signals to directly interfere with the sensor's measurement process, confuse the sensor and hence the embedded system processing the sensor output [2], [18]. If the processing nodes, i.e. the embedded systems with sensors, are also communicating with each other, then attacks at the communication layer is also possible. But, that is a different attack scenario which has been heavily investigated in the literature. In a good engineering design, both physical-layer and communication layer (if exists) attack detectors should be used to improve safety and reliability. In this work, we focus on physical-layer attacks described in [2], and our approach is inspired by [16], [18]. Finally, the author would like to cite [19]- [21] as related published results.
We will simply use the term ''attack'' for an adversarial agent generating either non-random or random-like electromagnetic waves to confuse the radar sensor. Undetected attacks may cause false object detection, false object classification, not detecting an existing object, and/or increased background noise. We propose a new radar sensor system architecture, derive analytical upper bounds of false attack alarms, and missed attack alarms, and illustrate all of these on a numerical example using real data.

A. THEORETICAL PROOF AND EXPERIMENTAL DATA
The proposed AV radar system has the block diagram shown in Fig. 1, and our experimental setup is shown in Fig. 2. The mm-wave radar on the left is the attack generator, and the one on right is the radar sensor. The green FPGA board is used for raw data capture.
In the figure, both radars are placed close to each other only for illustration purposes. A much larger separation is used for the experiments. Note that, our main contribution is theoretical, i.e. derivation of upper bounds on false attack alarms, missed (undetected) attacks and proving that these can be made as small as possible by proper selection of radar parameters and RF hardware. Experimental setup, testing and verification is presented as an additional supporting evidence, and not as the main evidence. Although we have recorded radar data for the following cases • A pedestrian walking in front of a radar • A vehicle is driven towards the radar • Attack signal generator stationary • Attack signal generator on a secondary moving vehicle there are millions of different real-life scenarios that we cannot generate because of lack of time and resources. Therefore, experimental results should be interpreted as just as experimental data to provide additional evidence.

B. MIMO RADARS
Most millimeter wave radars, including the ones shown in Fig. 2, have multiple transmit (TX) and receive (RX) antennas. This allows radars to transmit and receive in different directions without mechanically rotating radar sensor, and also helps to achieve narrower beam-width. Although in our theoretical analysis there is only a single transmit and single receive antenna, our results apply to all multiple TX and multiple RX antenna radars (MIMO radars) as well. Because, mathematically a MIMO system can be viewed as a single TX single RX system with narrower beam-widths, and dynamically reconfigurable directivity. For the experimental measurements, we have considered only the forward looking direction, but we would like to reiterate that experimental data is used only as a secondary supporting evidence.

C. ORGANIZATION OF THE PAPER
This paper is organized as follows: In Section II, we present the proposed system architecture, and in Section III, we outline our mathematical model. In Section IV, we summarize our main theoretical results which are basically analytical bounds on P F and P M , and in Section V we use real experimental data to demonstrate our results. In Section VI, false attack alarm probability is analyzed, and analytical bounds are derived. In Section VII, the probability of miss is discussed, and the corresponding analytical bounds are derived. Finally, in Section VIII we make some concluding remarks. Basically, the paper starts with results without proofs, then a numerical example with real data, then proofs after that. If the reader is not interested in proofs, then Sections VI and VII can be skipped.

II. SYSTEM ARCHITECTURE
The block diagram shown in Fig. 1 provides a high level overview of the proposed system architecture. For the sake of simplicity, the 90-degree phase shifter before the mixer, the low pass filter after the mixer, and seperate analog to digital converters (ADC) for real and imaginary parts are not shown. This FMCW radar system has a voltage controlled oscillator (VCO), and two digital signal processing (DSP) subsystems, one for attack detection, which is addressed in this paper, and another one for the 2D FFT based range-velocity heatmap generation, and the subsequent object detection and classification. Attack detection DSP can generate both false attack alarms, and may miss (not detect) certain attacks. In the proposed system, effects of all noise sources and equipment imperfections are represented by an equivalent noise term, n, and the effect of the attack signal is represented by an equivalent disturbance term, a, see Fig. 1.

A. ATTACK MODEL
The attack signal is modeled as an equivalent additive disturbance, a, just after the ADC stage as shown in Fig. 1. The equivalent attack signal a is not assumed to be a random process, instead we adopt a worst case approach and derive upper bounds on P F and P M which are valid for any attack signal. Basically, we mathematically prove that all attacks with yy above a certain threshold are almost always detected, false attack alarm rate is almost zero, and experimentally demonstrate that weak power attacks below the detection threshold will look like additional background noise.
The radar sensor is assumed to have a physically uncloneable function (PUF) based binary random number generator [22], [23], which is used to determine the sign of the slope of the chirp signal. We assume that, no matter which algorithm is used by the adversarial agent, these PUF generated random numbers will look really random for the adversarial agent. This is the most fundamental assumption made in this paper. In principle, the strength of the proposed attack resilient radar system is limited by the predictability of PUF based random number generators. However, to the best of author's knowledge this is a known difficult prediction problem, and hence justifies the resilience of the proposed system.
Overall system performance is measured by two critical probabilities, P F , false attack alarm rate, and P M , probability of not detecting an attack. System performance can also be characterized by the total risk, which is P F + P M . Note that, our false attack alarm rate, P F , is not the probability of the AV Sensor DSP detecting a target when there is no real target, which is also called as a false alarm in radar literature. Similarly, our P M is not the probability of the AV Sensor DSP not detecting a target when there is a real target, which is also called as miss in radar literature. The results of this paper are valid for both deterministic and random attack scenarios, including spoofing and interference. To the best of author's knowledge, all previously published papers use either simulated attacks and/or specific experiments for testing and verification. One of our differentiating contributions is the theoretical analysis of P F and P M , derivation of analytical upper bounds, and proving that the risk P F + P M can be made as small as possible.

B. RADAR DETAILS
Theory of automotive radars are discussed in [24], [25]. Basically, an AV radar outputs a new measurement result (range-velocity map) in every T m seconds, which is also called as the measurement cycle or frame. Within a single measurement cycle, we have N r non-overlapping and uniformly separated chirp windows I 0 , · · · , I N r −1 , each of which having t c seconds duration. The time between the beginning of two consecutive chirp windows is t d , and usually t d > t c . In Fig. 3, we see a complete frame for N r = 6, and some of the chirps have positive frequency slope and shown in blue color, and others have negative frequency slope and shown in red color. In a standard FMCW AV radar, chirps do not have this random frequency slope pattern. Instead, they are either all positive, or all negative, or in alternating positivenegative format. However, the proposed random slope pattern is enough to achieve a high degree of attack resilience. The ADC frequency is f s and a total of N s = t c f s samples are acquired during each chirp window. Basically, for every measurement cycle or frame, we have a N r × N s complex matrix as the measured data. For the Texas Instruments AWR1642 series 77 GHz radars used in this work, default parameters values are T m = 40 ms, corresponding to 25 frames per sec, N r = 128 corresponding to 128 chirps per frame, and t d = 160 µs, t c = 25.6 µs corresponding to N s = 256 samples at f s = 10 MHz ADC. The received I/Q data from a single chirp can be viewed as a complex 1 × N s VOLUME 8, 2020 row vector, and all of the row vectors corresponding to the chirps in a single frame can be viewed as a N r × N s complex matrix. The AV radar DSP basically computes the 2D FFT of this complex matrix to generate the range-velocity heatmap. Usually, windowing, zero padding, crop/resizing, normalization, and optional background subtraction are applied as well, see [7] and references therein. The AWR1642 radar has indeed 4 receive antennas, and for the numerical examples based on experimental data we use the forward looking direction by simply averaging all receive antenna data to form the N r × N s complex matrix.
For all experiments, 2 GHz radar bandwidth is used resulting 7.5 cm range resolution. Although the AWR1642 has a total of six antennas (2 TX and 4 RX), and capable of beamforming, the author used a single TX single RX configuration just to prove that the proposed attack detector works even for minimalistic radar designs. The author used Python for coding the detector logic, but AWR1642 has a DSP processor, and an ARM processor which can be used for coding the detector logic. Both proposed detectors require only polynomial computation time, and both have mostly standard vector operations, norms, and loops which are not that complicated to code using a C compiler.

III. MATHEMATICAL MODEL
In this section, we summarize our notation and the mathematical model. A Gaussian distributed random variable with mean µ and standard deviation σ is denoted by N (µ, σ ), i.i.d. stands for independent identically distributed, and · 2 is the Euclidean norm. There is one important notational convention adopted throughout the rest of this paper: A discretetime signal of length N s , which is basically a function defined on {0, · · · , N s − 1}, and its column vector representation, which is a N s × 1 vector/matrix, are considered as the same. Basically, we use both the function notation, and the column vector notation at the same time; if a matrix and a signal appear one after the other in an algebraic expression, column vector representation is implied, but if square brackets are used, function representation is implied. Furthermore, we use the term almost always if a probability is close to 1, and almost no/never if a probability is close to 0.
We define S as the set of all functions, ρ, from the domain set {0, · · · , N r − 1} to the range set {−1, +1}. Elements of S are called signature functions, and the random signature generator block shown in Fig. 1 selects a new random signature, ρ ∈ S, for each measurement cycle or frame. Furthermore, ρ(k) = +1 means that during the interval I k the VCO is driven by a positive slope ramp signal resulting an up-chirp (Chirp with positive frequency slope), and ρ(k) = −1 means that during the interval I k the VCO is driven by a negative slope ramp signal resulting a down-chirp (Chirp with negative frequency slope). Basically, the sign of the chirp used during the interval I k is equal to ρ(k), and ρ(k) is a modeled as a ±1 valued random variable with equal probabilities for each. In an FMCW radar system, velocity resolution is equal to δv = λ 2 N r t d , where λ is the wavelength, and N r is usually chosen as a large value to achieve good velocity resolution. The set S will be a quite large with 2 N r elements. For the Texas Instruments AWR1642 series 77 GHz radars used in this work, the default N r is 128, which will result a set S with more than 10 38 elements. The physical signal received by the RX antenna goes through all of the RF and analog blocks, and at the output of the ADC stage it is called as the received data. This complex signal is denoted by R k [m], where k = 0, · · · , N r − 1 is the index of the chirp interval I k , and m = 0, · · · , N s − 1 is the sample index within the chirp window. Furthermore, where n k [·] is the equivalent noise term, x k [·] is the term representing reflections from objects, and a k [·] is the equivalent disturbance term representing the attack signal, see Fig. 1. We assume that n k [m]'s are all i.i.d. N (0, σ ) with circular symmetry. The AV radar system generates its own random signature function ρ ∈ S for each frame, but does not know a k [m]'s. The adversarial agent is assumed to have full information about all of the details of the radar DSP blocks, except for the randomly generated signature ρ. Because of the rapid switching pattern of the AV radar, and microsecond level chirp durations, we assume that the adversarial agent cannot determine the value of ρ(k) and use it for an intelligent attack while the k th chirp is still active. This is a fundamental assumption made in this paper.
In the following, we list our assumptions in a more rigorous format, and provide an engineering interpretation.
Independence Assumptions: The radar sensor generates ρ(k) without knowing the value of a k , the adversarial agent generates a k without knowing the value of ρ(k). The noise n k is independent of both ρ(k) and a k . Noise terms, For any signal, s[m], defined for m = 0, · · · , N s − 1, we define the RMS level as where, · 2 , is the Euclidean norm. Note that, this is a measure of signal strength, and is also a norm. Furthermore, the signal power is equal to s 2 r . Environmental Assumptions: The frame duration is short, and changes in objects' locations are relatively small within a single frame. This is a fundamental assumption for 2D FFT based range-velocity heat-maps, and moving target detection. For attack resilience, we impose the following weaker environmental condition holds for all k, = 0, · · · , N r − 1. In a typical case, 0 will be small. Given an upper bound for the velocity of moving objects in an environment, reducing the frame duration will force 0 to decrease. Basically, this assumptions can be interpreted as ''the frame duration should be selected short for the given relative speeds of objects in that particular environment''. Later in the paper, both this assumption and the value of 0 is discussed using real experimental data. Attack Signal Level (Relative Threshold): The attack signal average RMS level is above the threshold level defined by the following inequality where Basically, it will be proved that if the attack signal is above a minimal threshold relative to the noise level and radar signal strength, then the proposed system will detect the attack with a very high probability. These constants C 1 and C 2 are used to define this minimal threshold. Because of the existence of both σ , and x k r , k = 0, · · · , N r − 1, terms, (2) is not an absolute threshold, but it is a relative threshold. If the reflected signal x k 's RMS levels are well above the noise level (i.e. SNR is high), then the second term in (2) is expected to be dominant. In a typical case, 0 will be small, and we can write C 1 ≈ 8, and C 2 ≈ 2. The rationale behind this assumption is the following: Attack signals which are small compared to noise, n k , and reflected signal, x k , will have a relatively small effect on range-velocity heat-map generation, and object detection and identification. Basically, what is proved in this paper can be summarized as follows: Attack signals above the minimal level defined in (2) are detected almost always with almost no false alarms. However, attack signals below this minimal level may or may not be detected that easily. For a good system design, this minimal level defined in (2) should be reasonably small, because in the worst case, attack signals below this minimal level may be completely missed, and missed attack signals should have very small signal levels to make sure that their effect on Radar DSP is small and comparable to system noise. This observation implies that, we need to have a low noise analog hardware so that the σ is small, and we have a short frame duration so that 0 is small as well. Note that, short frame durations require both better analog and faster digital subsystems.
In the rest of this section, we will prove two useful lemmas. First, we define time-domain projection matrices P +1 and P −1 as i.e. the matrix representation of the N s -point DFT operation, F −1 N s is the matrix representation of the N s -point inverse DFT operation, and + and − are frequency-domain projection matrices defined as where 0 N s /2 and I N s /2 are (N s /2)-dimensional zero and identity matrices respectively. For a given discrete time signal of length N s , we define s + = P +1 s and s − = P −1 s. Note that s = s + + s − , and one can consider s + as the component of s with only non-negative frequencies, and s − as the one with only negative frequencies. Furthermore, by simple matrix algebra it follows that < s + , s − >= 0, i.e. as column vectors s + and , s − are orthogonal. This decomposition will play a critical role in detector design, and theoretical proofs. We now present two lemmas which will be used repeatedly throughout the rest of this paper.
Proof: By definition, . Proof of the other part is similar.
Lemma 2: P ρ(k) x k = x k and P −ρ(k) x k = 0. Proof: Consider an FMCW radar system with maximum range selected properly to avoid aliasing. In that case, if the VCO is driven with a positive slope ramp signal, the complex representation of the mixer output will have an increasing phase and positive frequency components. On the other hand, if the VCO is driven with a negative slope ramp signal, the complex representation of the mixer output will have a decreasing phase, and negative frequency components. Since all of the hardware imperfections are assumed to be captured by the equivalent noise term, we get P ρ(k) x k = x k and P −ρ(k) x k = 0.

IV. MAIN RESULTS
In this section, we define the attack detectors used in the Attack Detector DSP block shown in Fig. 1, and summarize the bounds on false attack alarm rate, P F , missed attack alarm rate, P M , and total risk P F + P M .

A. DEFINITIONS OF ATTACK DETECTORS
We define detectors d 1 (k, η), and then D 1 (p, η) by their alarm trigger conditions. For a given signature function ρ ∈ S, and interval index k ∈ {0, · · · , N r − 1}, the detector d 1 (k, η) generates an alarm iff and the ratio of the left hand side to the right hand side is called the normalized detector output for d 1 (k, η). For a given measurement cycle or frame, if at least p of these detectors generate an alarm, then the detector D 1 (p, η) generates an alarm. We will use the shorthand notation, D 1 , without any parenthesis and arguments for the specific detector D 1 (1, 1). VOLUME 8, 2020 The normalized detector output for D 1 will be maximum of normalized detector outputs of d(k, 1)'s for k = 0, · · · , N s − 1. For a given measurement cycle or frame, the detector D 2 ( , η) generates an alarm iff is true for some k, ∈ {0, · · · , N r − 1}. For this equation, the maximum of the ratio of the left hand side to the right hand side is called normalized detector output for D 2 ( , η), and the maximum is over k, ∈ {0, · · · , N r − 1}. In the following, we will use the shorthand notation, D 2 , without any parenthesis and arguments for the specific detector D 2 ( 0 , 2 + 2 0 ). In summary, for a given measurement cycle or frame, the detector D 1 generates an alarm iff and the detector D 2 generates an alarm iff The inequalities (4) and (5) are basically the formal definitions of the detectors D 1 and D 2 proposed in this work, and they both measure the level of an anomaly which is expected to be very low when there is no attack. Note that, both detectors D 1 and D 2 have polynomial time computational complexity, and both are easy to implement as software inside the Attack Detector DSP block, see Fig. 1.

B. ANALYTICAL BOUNDS ON P F , P M , AND THE RISK
Consider an AV radar system using detectors D 1 , and D 2 as defined above. The false attack alarm rate, P F , satisfies where the upper bound is always valid, but for the lower bound part 1 = 0.5(N r − 1)(0.906) N s and N s is assumed to be a multiple of 128. These bounds imply that, for a low P F , a high N s value is necessary, and sufficient provided that the N r /N s ratio is bounded from below and above by positive numbers. The probability of not detecting an attack, P M , is bounded by Note this upper bound (7) is valid for any attack signal above the threshold defined in (2). In other words, (7) is not simply a bound for the expected value of the probability of not detecting an attack, it is indeed a worst case deterministic upper bound. It is also clear that, for a low P M , a high N r and a high N s will be sufficient, provided that N r /N s ratio is bounded from below and above by positive numbers. As N r , N s → ∞ with the ratio of N r /N s kept fixed, the risk function, P F + P M , converges to 0 exponentially. This can be interpreted as the system being asymptotically perfect, i.e. the risk function, P F + P M , can be made smaller than any given threshold by choosing large enough N r and N s .

C. CFAR APPROACH FOR THRESHOLD SELECTION
In this paper, we do not address perception or target detection algorithms, and the thresholds used in such algorithms. We only consider attack detectors and their thresholds. However, we would like present a short discussion on constant false alarm rate (CFAR) based threshold selection for target detection and also a CFAR based threshold selection for cyberattack detection.
CFAR for target detection: All attacks which are below the detection threshold will result a slight increase in background noise as shown in all of the examples presented in Section V. Therefore, if a CFAR type algorithm is used for target detection, weak attacks below the detection threshold will result a slight increase in CFAR target detection threshold (Compare Fig. 10 and Fig. 11 of Section V). For such weak attacks below the detection threshold, targets will be slightly more difficult to identify, and this may cause certain very weak targets to be missed/undetected. Although it is always possible to find edge cases, the proposed attack detectors are sensitive, Fig. 10 and Fig. 11 are very similar, and the increase in CFAR target detection threshold due to weak undetected attacks will be small. In other words, undetected weak attacks will definitely have some negative effect on target detection, but these will be really small. CFAR for cyberattack detection: As in all hypothesis testing problems, there is always a trade-off between P F , probability of generating a false cyberattack alarm, and P M , probability of not detecting (missing) a cyberattack. Changing an attack detector threshold either increases P F and decreases P M , or decreases P F and increases P M . In most applications, both P F and P M needs to be reasonably small, and hence the selection of a good attack detector threshold is important. Note that, we propose analytic detector thresholds which result very small P F and P M values. Therefore, an adaptive threshold which may result an even smaller P F + P M value seems to be not so critical from an engineering perspective. In other words, the proposed analytic thresholds already perform really quite well, and result in very small P F and P M values.

V. NUMERICAL EXAMPLE USING REAL RADAR DATA
In this section, we will present a numerical example to illustrate the main concepts. Although theoretical proofs will be presented later in the paper, we use real experimental data to illustrate how 0 , C 1 , and C 2 can be computed, experimentally demonstrate that the detectors indeed work, and also experimentally demonstrate that weak attack signals below the detection threshold will appear as additional background noise.
Our test setup shown in Fig. 2 has two 77 GHz Texas Instruments AWR1642 radars connected to a laptop computer, one of them is acting as an attack/interference generator, and the  other is used as a regular AV radar sensor. Although we have done multiple different types of tests, and we will use the following two cases for illustration purposes: (E1) A pedestrian approaching the AV radar sensor, Fig. 4, and (E2) A vehicle approaching the AV radar sensor, Fig. 5. For real-time data acquisition, the software developed in [7] is used. For the default parameters N r = 128, and N s = 256, the bound (6) implies that the probability of false attack alarm, P F , is bounded by 9.57 × 10 −7 . Similarly, the bound (7) implies that the probability of not detecting an attack, P M , is bounded by 9.61 × 10 −7 . Note that, this upper bound on P M is valid under the assumption that the attack signal level is above the minimal threshold defined by (2), which is discussed in the next paragraph.
Note that x k , a k , and n k 's are indeed unit-less 16-bit values after the ADC, see Fig. 1. By turning off transmitters, and reading only system noise, we observed that σ ≈ 10.
To determine 0 , we used the measurement results of the experiments E1 and E2, and observed that 0 = 0.06 and 0 = 0.09 will work. As expected, for an environment with larger size objects moving at higher speeds, 0 turns out to be larger. Given a bound on the size of moving objects, their maximum speed, and the frame duration, a comprehensive set of experiments and measurements are required for the selection of 0 , however we have used only 10 different recorded experimental data to select a large enough 0 . We would like to reiterate that reducing the frame duration will reduce 0 . We simply choose a slightly more conservative (larger) value of 0 = 0.1, and the C 1 , and C 2 values in (2) will be 9.11 and 4.93 respectively. The relative threshold for the attack signal level will be 1 N r which directly follows from (2). Basically, any attack signal above this threshold is almost always detected with almost no false alarms. Negative effects of attacks below this threshold are discussed later in this section. In Fig. 4, and Fig. 5, radar range-velocity heatmaps are presented in normalized format, and displayed in parula colormap instead of gray-scale. The bright points on the central horizontal line correspond to reflections from the stationary background. An approaching pedestrian appears as a vertical strip, whereas an approaching vehicle appears as bright dot, see [26] for a detailed discussion. For testing and verification of the proposed attack detectors, we have first recorded the AV radar data for experiments E1 and E2. Then, we have turned off the AV radar's transmitter, activated the second radar unit to emulate an attack, and recorded the signal received by the AV radar's receiver. This recorded attack signal is later scaled with different values, and added to the initial AV radar data using the equation where s is the scaling factor, A k is the recorded radar signal when there is no attack (i.e. the second radar, the attack radar, is off), and B k is the recorded attack signal when the second radar, the attack radar, is active, but the AV radar's transmitter is off. For illustration purposes, we are using a single deterministic attack scenario, but a larger set of random and deterministic attack signals can be used for a more comprehensive experimental testing and verification of the theoretical results proved in this paper.
In Fig. 6, normalized detector outputs of the detectors D 1 and D 2 are plotted with respect to the attack signal scaling factor s. This plot is generated using a two randomly generated signature functions ρ ∈ S, but as observed in [5], generating different random signature functions results similar curves. Note that, normalized detector outputs were defined in the previous section.
As the attack signal level is increased, attack detectors D 1 and D 2 output larger and larger values, and when the thresholds defined in (4) and (5) are reached, an alarm is generated. But, weak attack signals do not trigger an alarm. A natural question to ask is the following: What are the negative effects of an attack signal which is just below this detection threshold, i.e. worst case effects of undetected weak attacks. In Fig. 7, we see the effects of an attack signal just below this detection threshold. Compared to Fig. 4, there is some   noise but the vertical strip corresponding to the approaching pedestrian is still clearly visible. For a standard FMCW radar with no attack detectors and attack resilience, the same attack signal will result a more noisy radar range-velocity heatmap shown in Fig. 8. Because, the randomized signature function basically swaps the energy of x k 's randomly between left and right portions of the frequency spectrum, which reduces the negative effects of undetected attack signals. Attack signals which are above the threshold will have much worse effects on a standard FMCW radar. The proposed detector system detects such attacks almost always with almost no false alarms.

A. MULTI-TARGET EXPERIMENT
In this subsection, we use the same radar system for another experiment with multiple targets. In this new experiment, we have two pedestrians and two vehicles as shown in Fig. 9 and Fig. 10. Both Fig. 9 and Fig. 10 represent the same scene, same data with no attack signal. In Fig. 9, all targets are marked and to achieve maximum possible zoom level in double-column format, the colorbar and the axis labels are deleted. In Fig. 10, we have the same scene, same data, but targets are not marked on the image, i.e. the image is untouched, but the colorbar and axis values are shown so that comparison can be made with Fig. 11, and Fig. 12.  In Fig. 9, the targets labeled as P1 and P2 are pedestrians, and V1 and V2 are vehicles. As discussed in [26], pedestrians appear as more vertical, and vehicles appear as more horizontal and brighter regions. However, all of these details are related to the perception using the radar image, i.e. the AV Sensor DSP block in Fig. 1, which is not within the scope of this paper. What is addressed in this paper is the Attack Detector DSP block in Fig. 1.
To illustrate the effectiveness of the proposed attack detection algorithm, we first present Fig. 10 where there is no attack signal, and all targets are clearly visible. In Fig. 11, we have an attack signal which is just below the detection threshold and all targets are still clearly identifiable. Basically, the proposed method detects attacks above a certain threshold, and all other weaker attacks below this detection threshold have rather weak noise like effects on the radar image.
When the proposed attack resilience method is not used, results do get worse. In Fig. 12, we see the effect of the same attack signal without the proposed attack resilience method. Although in Fig. 12, vehicles are still clearly identifiable, pedestrians are less clear. For stronger attack signals, the proposed attack detector will detect the attack and reject the radar image, i.e. will not forward it to the perception algorithm. However, if no attack resilence is implemented, stronger attack signals may result major errors in the perception algorithm output, for example pedestrians detection may fail.

VI. FALSE ATTACK ALARMS
In this section, we will first analyze the false attack alarm rate of the detector, D 1 = D 1 (1, 1), and derive analytical upper and lower bounds for P F (D 1 ). Basically, we will prove that where the upper bound is always valid, but for the lower bound part 1 = 0.5(N r − 1)(0.927) N s and N s is assumed to be a multiple of 128. In a typical case, N s , and N r will be large, and 1 will be small. For the Texas Instruments AWR1642 radar used in this work, the default parameters are N s = 256, N r = 128, which results 1 = 2.37 × 10 −7 , false attack alarm probability upper bound 4.79 × 10 −7 , and lower bound 1.35 × 10 −9 .
In the last subsection, we will analyze the false attack alarm rate of the detector D 2 = D 2 ( 0 , 2+2 0 ), and derive the upper bound It is easy to see that, the inequalities (8) and (9) imply (6).
A. ANALYSIS OF THE DETECTOR d 1 (k, 1) In this subsection, we focus on the false attack alarm rate of d 1 (k, 1). Consider a k ∈ {0, · · · , N s − 1}, and assume that ρ(k) = +1 (The proof the ρ(k) = −1 case will be similar). If there is no attack signal present, P −1 R k = P −1 n k + P −1 x k + P −1 a k , will reduce to P −1 R k = n − k by using Lemma 2. Therefore, P −1 R k 2 r will be equal to F N s n − k 2 /N 2 s . By using Lemma 1, we see that the random variable N s −1 m=0 |(F N s n − k )[m]| 2 is a sum of squares of N s /2 i.i.d. N (0, σ √ N s ) random variables. Namely, it is a χ 2 type random variable with N s degrees of freedom. If ρ(k) = −1, then we will have P +1 R k 2 r = F N s n + k 2 /N 2 s , and N s ) random variables, i.e. will be a χ 2 type random variable with N s degrees of freedom.
The following lemma is basically an upper bound for the false attack alarm rate of the detector d 1 (k, 1).

B. UPPER BOUND FOR P F (D 1 )
The detector D 1 generates an alarm iff any of the detectors d 1 (k, 1), k = 0, · · · , N r − 1, generates an alarm. Hence which implies the upper bound in (8). N (0, h) random variables, then Y q will be a χ 2 random variable. It is trivial to see that, if q = Lq 0 with L, q 0 positive integers, then Therefore, if q is a multiple of 64, i.e. q = 64 L with L a positive integer, then Pr(Y q ≥ 2q) ≥ Pr(Y 64 ≥ 128) L = (Pr(Y 64 ≥ 128) (1/64) ) q . By using a χ 2 calculator, we get Pr(Y 64 ≥ 128) (1/64) ≥ 0.822. Therefore, if q is a multiple of 64, Pr(Y q ≥ 2q) ≥ (0.822) q . This observation will be used in the following proof.
To prove the lower bound on P F (D 1 ), we need a separate argument. Let f be the probability that the detector d 1 (k, 1) generates a false attack alarm. Note that f is independent of k. The probability that none of the detectors, d 1 (k, 1), k = 0, · · · , N r − 1 generates an alarm will be (1 − f ) N r , and the probability that at least one generates an alarm will be 1 − (1 − f ) N r , which is the same as P F (D 1 ). Therefore, Using (0.906) N s ≤ f ≤ (0.927) N s , we get the lower bound of P F (D 1 ). Therefore, we have completed the derivation of both upper and lower bounds in (8).

D. UPPER BOUND FOR P F (D 2 )
In this section, we derive an upper bound for the false attack alarm rate of D 2 . Note that we set the attack signal, a k = 0 for the false attack alarm rate analysis. By definition, the detector D 2 ( 0 , η) generates an alarm iff is true for some k, ∈ {0, · · · , N r − 1}. Note that, we use the shorthand notation, D 2 , without any parenthesis and arguments for the specific detector D 2 ( 0 , 2 + 2 0 ). An upper bound for P F (D 2 ) can be obtained as follows: The environmental assumptions imply for all k, = 0, · · · , N r − 1. The inequalities (10) and (11) in Lemma 3 imply that, with a probability of at least 1 − N r (2/e) N s /4 , we have P ρ(k) n k r < σ, for all k ∈ {0, · · · , N r − 1}. Therefore, with a probability of at least 1 − N r (2/e) N s /4 , we have Note that, this inequality is equivalent to the detector D 2 = D 2 ( 0 , 2 + 2 0 ) is not generating a false attack alarm. Therefore, P F (D 2 ) ≤ N r (2/e) N s /4 ≤ N r (0.927) N s , hence the derivation of (9) is complete.

VII. MISSED ATTACK ALARMS
In this section, we will consider the probability of an attack not being detected by D 1 and D 2 , and derive analytical bounds on the probability of miss P M .
Thoerem 1: The probability that both of the attack detectors D 1 = D 1 (1, 1), and D 2 = D 2 ( 0 , 2 + 2 0 ) miss (do not detect) an attack is bounded by In general, P M ≤ (0.500) N r +(2N r +1)(0.927) N s and in most cases the second term will be dominant. Proof: The prove this result, we will consider three separate cases, but before that, we need a preliminary discussion.
We would like to find an upper bound for the probability of the detector d 1 (k, 1) missing an attack. Basically, we will show that, this probability P M (d(k, 1)) = Pr( P −ρ(k) R k r < σ ) is small if the attack signal power is large compared to the noise level.
Consider a ρ ∈ S, and k ∈ {0, · · · , N r − 1}. Without loss of generality, assume that ρ(k) = 1 (The proof of the ρ(k) = −1 case is similar). Because of Lemma 2, we have P −1 R k = a − k + n − k , and by using the triangle inequality for the norm · r , Pr( n − k r > a − k r − σ ) ≤ Pr( n − k r > σ ) ≤ (2/e) N s /2 , where the rightmost inequality follows from Lemma 3. In summary, our preliminary discussion implies that if P −ρ(k) a k r ≥ 2σ , then the attack will be detected ''almost certainly'' by d(k, 1), i.e.
Now, we start the proof of the theorem and complete it by analyzing three separate cases.
The first one is simply the negation of the condition defining, Case 1, and but the second one is different. In this case, for any ρ 1 ∈ S with ρ 1 = ρ 0 , at least one of the detectors d 1 (k, 1) generates an alarm almost always, and hence D 1 = D 1 (1, 1) detects the attack almost always. More precisely, the probability of miss is bounded by where the first term is the probability of the random signature generator generating the signature ρ 0 , and the second term is an upper bound for the combined probability of miss for all of the other signature functions in S.
The first one is simply the negation of the condition defining Case 1, and the second one is the negation of the extra condition used for the definition of Case 2. Overall, Cases 1, 2, and 3 cover all possible cases.
If the detector D 1 misses the attack as well, then for all k ∈ {0, · · · , N r − 1} we will have P −ρ 0 (k) R k r < σ , and by using the triangle inequality P −ρ 0 (k) a k r < P −ρ 0 (k) n k r + σ. Now, we have bounds for both P ρ 0 (k) a k r and P −ρ 0 (k) a k r .

VIII. CONCLUSION
In this paper, we have proposed a cyberattack and interference resilient automotive radar system, and derived analytical upper bounds on false attack alarm probability, P F , and the probability of not detecting an alarm, P M . It is proved that, attacks which are above a defined relative threshold are almost always detected, with almost no false alarms, more precisely P F , and P M converge to zero exponentially as N r , N s → ∞ with N r /N s kept constant. This relative threshold can be made as small as possible by using lower noise analog hardware, and shorter frame durations which require higher processing power. All of these theoretical results are illustrated on a numerical example using real data from 77 GHz automotive radars. Worst case effects of undetected weak attacks are also analyzed, and it has been shown that the random signature function technique reduces the impact of such weak attacks. The proposed basic design strategy is choosing radar parameters such that P F , P M , and the relative threshold is small so that undetected weak attacks will have negligible effect on the radar range-velocity heatmap, and attacks above this minimal threshold are almost always detected with almost no false alarms.