Real-World Adversarial Attacks on RF-Based Drone Detectors

Radio frequency (RF) based systems are increasingly used to detect drones by analyzing their RF signal patterns, converting them into spectrogram images which are processed by object detection models. Existing RF attacks against image based models alter digital features, making over-the-air (OTA) implementation difficult due to the challenge of converting digital perturbations to transmittable waveforms that may introduce synchronization errors and interference, and encounter hardware limitations. We present the first physical attack on RF image based drone detectors, optimizing class-specific universal complex baseband (I/Q) perturbation waveforms that are transmitted alongside legitimate communications. We evaluated the attack using RF recordings and OTA experiments with four types of drones. Our results show that modest, structured I/Q perturbations are compatible with standard RF chains and reliably reduce target drone detection while preserving detection of legitimate drones.

💡 Research Summary

The paper tackles the emerging use of radio‑frequency (RF) signatures for drone detection, where raw I/Q samples are transformed into spectrogram images and processed by modern object‑detection (OD) networks such as YOLO and Faster R‑CNN. Prior adversarial work on RF systems has focused on pixel‑level perturbations of digital spectrograms, which are difficult to realize over the air because the required waveforms must be reconstructed, synchronized, and transmitted within strict bandwidth and power limits. To overcome these practical barriers, the authors propose a fully physical attack: they directly optimize a class‑specific universal adversarial perturbation (CUAP) in the complex baseband (I/Q) domain and broadcast it OTA from an independent transmitter.

The perturbation is a short 64‑frame I/Q waveform (64 × 1024 samples) that is tiled across time with random circular shifts, making it robust to timing misalignment. A signal‑to‑perturbation ratio (SPR) constraint of ≤10 dB keeps the added power low and ensures compatibility with standard RF chains. The loss function combines (i) an evasion term that drives the confidence of the target drone class toward zero, and (ii) a protection term that penalizes deviation of non‑target class scores from the clean baseline. A weighting λ = 2 balances suppression and preservation. During training each iteration applies a random shift to the perturbation, emulating asynchronous transmission, and the waveform is normalized to satisfy the SPR bound.

Data were collected in a shielded lab using an Analog Devices ADR‑V9009 transceiver at 2.45 GHz (122.88 MS/s, 100 MHz bandwidth) from four DJI drones (Mavic 2 Zoom, Mavic Pro, Mavic Air, Matrice 600). Recordings were augmented with random carrier offsets and AWGN, then split into target, surrogate, and test sets. Five OD models (YOLOv5/v8/v9/v11 and Faster R‑CNN) were fine‑tuned on the spectrograms.

Four knowledge scenarios were examined: White‑box (full access to target weights), Gray‑box (surrogate of same architecture), Closed‑set (joint training on multiple surrogates), and Black‑box (one architecture left out). In digital experiments the Closed‑set CUAP reduced the target class average precision (AP) to near zero while keeping non‑target mean AP above 0.86, demonstrating selective suppression. Gray‑box and Black‑box transfers were weaker but still significant; random AWGN had negligible effect, confirming the adversarial nature of the attack.

Physical OTA tests were performed at 3 m, 5 m, and 7 m distances. The same Closed‑set CUAP was transmitted continuously alongside legitimate drone traffic. Missed Detection Rate (MDR) for the target class reached 71 %–100 % across distances and detectors, while non‑target MDR stayed below 5 %, indicating successful selective jamming without degrading overall system performance. SPR analysis showed a monotonic drop in target AP as SPR decreased, with non‑target mAP remaining stable, validating the 10 dB power budget as an effective trade‑off.

The contributions are threefold: (1) the first physical adversarial attack against image‑based RF OD models, (2) a novel I/Q‑domain optimization that yields transmit‑ready waveforms robust to asynchrony and power limits, and (3) extensive cross‑architecture, cross‑distance, and cross‑channel validation demonstrating real‑world feasibility. The work reveals a concrete vulnerability in RF‑based security systems and opens avenues for future research on multi‑waveform attacks, detection‑side defenses, and generalization to other bands and protocols.