Silencing the Watchdogs: Adversarial Attacks on Drone Detection

Author: Denis Avetisyan

Researchers have demonstrated a practical method to evade radio frequency-based drone detection systems by subtly manipulating the drone’s emitted signals.

The mean average precision (mAP) exhibits a functional relationship with the surface plasmon resonance (SPR) power, measured in decibels (dB), suggesting the performance metric’s sensitivity to the energy input of the resonant system.

This work presents the first physical-layer adversarial attack on RF drone detectors, successfully suppressing detection of a target drone while maintaining detection of others through I/Q domain perturbations.

While radio frequency (RF)-based drone detection systems offer a promising defense against unauthorized aerial vehicles, their reliance on machine learning makes them vulnerable to adversarial manipulation. This paper, ‘Real-World Adversarial Attacks on RF-Based Drone Detectors’, presents the first physical-layer attack on such systems, demonstrating successful suppression of target drone detection through optimized, class-specific perturbations directly injected into the RF signal. By crafting subtle, structured waveforms in the I/Q domain, we achieve reliable evasion while maintaining detection of legitimate drones. Could this approach pave the way for more robust and resilient RF-based security systems, or will a continuous arms race between detectors and attackers define the future of drone defense?

The Proliferation of Unseen Systems: A Challenge to Aerial Security

The proliferation of unmanned aerial vehicles, commonly known as drones, presents a growing and multifaceted security challenge. Initially adopted for recreational purposes and commercial applications like photography and delivery services, their accessibility and increasing sophistication have expanded their potential misuse. Concerns range from privacy violations and the disruption of critical infrastructure to more serious threats involving the transportation of contraband or even weaponized payloads. Consequently, a pressing need exists for reliable drone detection systems capable of distinguishing these airborne devices from other objects and identifying potential malicious intent, demanding innovation in surveillance technologies and counter-drone strategies to mitigate these escalating risks.

Accurately identifying drones via their radio frequency (RF) signals presents a considerable challenge to conventional detection methods. The RF spectrum is increasingly congested, filled with interference from countless sources – everything from Wi-Fi routers and Bluetooth devices to microwave ovens and cellular networks. This pervasive electromagnetic noise masks the subtle signatures emitted by drones, making it difficult to isolate and analyze their specific RF ‘fingerprints’. Furthermore, the complexity of these signals – variations in modulation, frequency hopping, and the impact of atmospheric conditions – adds another layer of difficulty. Traditional signal processing techniques often struggle to differentiate between a drone’s transmission and this background clutter, leading to high rates of false positives and missed detections. Consequently, reliance on simple signal strength or frequency analysis proves insufficient for robust and reliable drone identification in real-world scenarios.

Successfully identifying drones through their radio frequency (RF) emissions necessitates a transformation of complex, raw data into a visually and computationally accessible format for machine learning. Raw RF signals are often noisy and lack the clear characteristics needed for accurate classification. To overcome this, researchers commonly employ techniques to generate spectrograms – visual representations of signal frequencies over time. These spectrograms essentially create a “fingerprint” of a drone’s RF emissions, highlighting unique patterns associated with its motors, communication protocols, and even individual manufacturing variations. Machine learning algorithms, particularly convolutional neural networks, can then be trained on these spectrogram images to reliably distinguish between drone signals and background noise, or even to identify specific drone models – a crucial step in mitigating potential security threats and enabling effective airspace management.

Visualizing the Airborne: Deep Learning for Spectrogram Analysis

Object detection models, including YOLOv5, YOLOv8, YOLOv9, YOLOv11, and Faster R-CNN, offer a methodology for automated drone identification within visual representations of radio frequency (RF) signals – spectrograms. These models are typically trained on datasets of spectrogram images containing labeled instances of drone signatures, enabling them to learn the characteristic visual patterns associated with drone transmissions. The process involves feeding a spectrogram image into the trained model, which then outputs bounding box coordinates and confidence scores indicating the presence and location of potential drones within the image. The models utilize convolutional neural networks to extract features from the spectrogram and predict these bounding boxes, effectively translating RF signal characteristics into visual object detection.

Object detection models utilize Non-Maximum Suppression (NMS) and Intersection over Union (IoU) as post-processing techniques to enhance the precision of bounding box predictions. IoU, calculated as the area of overlap between the predicted bounding box and the ground truth box divided by the area of their union, provides a metric for assessing prediction accuracy; higher IoU values indicate better overlap. NMS addresses the issue of redundant detections by suppressing overlapping bounding boxes that fall below a predefined IoU threshold, retaining only the box with the highest confidence score. This process minimizes false positives and ensures that each detected object is represented by a single, accurate bounding box. The thresholds for both IoU and NMS are hyperparameters that require tuning to optimize performance based on the specific dataset and application.

Model performance in drone detection via spectrogram analysis is significantly impacted by input data characteristics. Spectrogram quality, determined by parameters such as window size, overlap, and frequency resolution, directly influences the clarity of drone signatures and, consequently, detection accuracy. Furthermore, the robustness of the training dataset – encompassing variations in drone type, environmental conditions, signal-to-noise ratio, and operational scenarios – is critical. Insufficient or biased training data can lead to overfitting, reducing the model’s ability to generalize to unseen data and accurately identify drones in real-world deployments. A diverse and representative training set is therefore essential for achieving reliable and consistent detection performance.

The Shadow War in the Spectrum: Adversarial Attacks and Drone Detection

Adversarial Machine Learning techniques introduce intentionally crafted, imperceptible modifications to radio frequency (RF) signals to deceive drone detection systems. These perturbations, applied to the In-phase/Quadrature (I/Q) waveform of a drone’s transmission, do not alter the signal’s core functionality but are designed to exploit vulnerabilities within the machine learning models used for detection. By manipulating the input data in this way, an attacker can cause the detection system to misclassify the drone as benign, report a false negative, or otherwise fail to identify the threat. The success of these attacks hinges on the ability to create perturbations that are both effective at fooling the model and sufficiently subtle to avoid being flagged as anomalous noise or interference.

Drone detection systems commonly analyze In-phase and Quadrature (I/Q) signals to identify radio frequency (RF) emissions characteristic of unmanned aerial vehicles. Adversarial attacks exploit the vulnerabilities of these machine learning models by introducing carefully calculated perturbations to the I/Q waveform. These perturbations, while often imperceptible to standard RF analysis, are designed to manipulate the model’s feature extraction process. Specifically, the altered signal can cause the detection algorithm to misclassify a drone’s signal as noise, or to classify it as a different, benign signal type, effectively evading detection. The success of this approach relies on understanding the model’s decision boundaries and crafting perturbations that push the adversarial signal across those boundaries, leading to incorrect classifications.

Class-Specific Universal Adversarial Perturbations (CUAP) represent a focused technique for evading drone detection systems by crafting perturbations tailored to the characteristics of individual drone models. Unlike universal perturbations designed to fool detectors generally, CUAPs are generated to specifically suppress the detection of a pre-defined drone class. This is achieved by optimizing a single, relatively small perturbation waveform that, when added to the drone’s transmitted signal, consistently causes misclassification or missed detection. The advantage of this approach lies in its efficiency; a single CUAP can be effective against multiple instances of the same drone type without requiring per-drone optimization, offering a more practical defense evasion strategy compared to generating unique adversarial examples for each target.

The efficacy of adversarial attacks on drone detection systems is contingent on parameters such as the Signal Perturbation Ratio (SPR), which quantifies the magnitude of the added noise, and the system’s time-shift invariance. Empirical testing demonstrated a ≥90.3% missed detection rate for the Mavic 2 Zoom drone when subjected to crafted perturbations across four out of five tested detectors. This indicates a significant vulnerability, as even relatively small alterations to the drone’s radio frequency (RF) signal can reliably evade detection. The specific SPR required for successful evasion varies between detector models, but consistent high rates of missed detection were achieved, suggesting a broad applicability of this attack vector.

Manifesting the Attack: Real-Time Adversarial RF Transmission

The Analog Devices ADRV9009 is a direct-conversion transceiver capable of generating and transmitting complex I/Q waveforms with a bandwidth of up to 60 MHz. This device utilizes a combination of digital signal processing and analog circuitry to modulate and upconvert the digitally crafted adversarial signal for over-the-air transmission. Key specifications relevant to adversarial RF transmission include its 12-bit digital-to-analog converter (DAC) and 12-bit analog-to-digital converter (ADC), operating at a maximum sample rate of 2.8 GSPS. The transceiver supports various modulation schemes and waveform generation techniques, enabling the precise control necessary to implement the designed adversarial signal. Furthermore, the ADRV9009 is programmable via a software-defined radio (SDR) interface, allowing for dynamic reconfiguration and adaptation of the transmitted waveform.

The Analog Devices ADRV9009 RF transceiver requires significant digital signal processing (DSP) resources for waveform generation and control. The Xilinx ZCU102 evaluation board is frequently utilized to provide this necessary processing power, featuring a Xilinx Zynq UltraScale+ MPSoC with numerous ARM cores and programmable logic. This combination allows for real-time implementation of complex algorithms required for generating and transmitting adversarial RF signals, including I/Q waveform manipulation and dynamic adjustments based on environmental factors. The ZCU102’s high-speed data interfaces and programmable logic also facilitate the control of the ADRV9009 transceiver’s various parameters, ensuring precise and reliable signal transmission.

Real-time generation and transmission of adversarial radio frequency (RF) signals is achieved through the integration of a software-defined transceiver with a high-performance processing platform. Specifically, a transceiver like the Analog Devices ADRV9009, capable of generating complex I/Q waveforms, is paired with a system such as the Xilinx ZCU102 evaluation board. This combination provides the computational resources necessary to dynamically create and transmit the adversarial waveforms in response to changing environmental conditions or target behaviors, facilitating live demonstrations of the attack vector and allowing for assessment of its effectiveness against real-world systems. The system’s capacity for real-time operation is critical for evaluating the attack’s practicality and potential impact in dynamic scenarios.

Evaluation of the real-time adversarial RF transmission system was conducted using Multi-Emitter Detection scenarios with diverse drone platforms. Results indicated a significant reduction in detection accuracy for the targeted DJI Mavic 2 Zoom, achieving a near-zero Average Precision (AP) score. Crucially, this performance was achieved without negatively impacting the detection of other drone classes, as demonstrated by the maintenance of existing Mean Average Precision (mAP) scores for non-target platforms. This selective disruption confirms the efficacy of the adversarial signal in specifically targeting and misleading the detection system of the Mavic 2 Zoom.

Towards a Resilient System: Mitigating Adversarial Threats in Drone Detection

Current drone detection systems, while increasingly sophisticated, exhibit a concerning vulnerability to cleverly crafted adversarial attacks. Recent studies demonstrate that even subtle, intentionally designed perturbations – imperceptible to human observers – can effectively evade detection algorithms, leading to potentially critical security breaches. This susceptibility isn’t merely a theoretical concern; it underscores a fundamental need to move beyond systems reliant on easily manipulated input features. The development of robust defenses, capable of withstanding these attacks without compromising performance on legitimate targets, is paramount. Addressing this vulnerability requires a paradigm shift toward detection methods that prioritize resilience and reliability, ensuring the continued safe and secure operation of critical infrastructure and airspace in the face of evolving adversarial threats.

Addressing the vulnerabilities exposed by adversarial attacks necessitates a concentrated effort on developing proactive defense strategies for drone detection systems. Future research will likely center on techniques such as adversarial training, where detection algorithms are intentionally exposed to subtly altered, malicious inputs during the learning process, thereby increasing their resilience. Complementary to this, input sanitization methods – designed to identify and neutralize potentially harmful modifications to sensor data – offer a critical layer of defense. These strategies aim not simply to detect drones, but to reliably distinguish between legitimate signals and carefully crafted attacks, ensuring the continued security and dependability of these systems in increasingly complex operational environments.

The escalating reliance on drones across diverse sectors necessitates a shift from reactive to proactive defense strategies for detection systems. Simply identifying malicious drones after intrusion is insufficient; robust security demands preemptive measures that anticipate and neutralize adversarial threats before they compromise the system. This includes techniques like adversarial training, where detection algorithms are exposed to and learn to resist subtly altered drone signals, and input sanitization, which filters out potentially harmful data before it reaches the core detection mechanisms. Integrating these proactive defenses isn’t merely about improving accuracy rates; it’s about building a resilient infrastructure capable of maintaining reliable operation even under intentional attack, thereby safeguarding critical infrastructure and ensuring public safety in an increasingly drone-populated airspace.

A critical area for future study involves the intersection of drone detection system hardware and vulnerability to adversarial attacks. Recent findings demonstrate a surprisingly high missed detection rate – exceeding 90.3% – when systems are subjected to carefully crafted interference, even while maintaining relatively low performance degradation (≤3.2%) on identifying legitimate, non-target objects. This suggests that hardware limitations, such as sensor sensitivity or processing power, may be a significant factor in the effectiveness of these attacks, potentially outweighing the sophistication of the adversarial techniques themselves. Investigating these constraints could reveal fundamental limits to detection accuracy and inform the development of more resilient systems, possibly through optimized sensor configurations or the implementation of hardware-assisted security measures, ultimately strengthening the reliability of drone detection in real-world applications.

The pursuit of robust drone detection systems, as detailed in this work, reveals a fundamental truth about complex systems: stability is often a temporary state. This research, demonstrating successful adversarial attacks through subtle I/Q domain perturbations, isn’t necessarily a failure of the detection mechanisms, but rather an illustration of their inherent susceptibility to the passage of time and clever manipulation. As Henri Poincaré observed, “Mathematics is the art of giving reasons, even to those who do not understand.” Similarly, this study provides a reasoned demonstration of vulnerability, highlighting that even seemingly secure systems are not immune to the inevitable forces of change and the ingenuity of those who seek to exploit them. The ability to suppress detection of specific drones while maintaining others underscores the delicate balance inherent in these systems-a balance perpetually threatened by entropy.

What Lies Ahead?

The demonstrated success of crafting physical-layer perturbations, tailored to suppress specific drone signatures, reveals a fundamental truth about these detection systems: stability is an illusion cached by time. Uptime, in this context, isn’t a feature, but a temporary reprieve. The system doesn’t fail so much as it yields to the inevitable entropy inherent in any signal processing flow. Future work will undoubtedly explore the limits of these targeted attacks – the range at which they remain effective, the computational cost of generating the perturbations in real-time, and the system’s resilience to noise or variations in drone hardware.

However, the deeper question isn’t simply one of improved defenses. It’s about acknowledging that any detection scheme based on observable phenomena will always be susceptible to manipulation. Latency is the tax every request must pay, and here, the “request” is a drone’s presence, and the “payment” is a carefully sculpted distortion of its RF signature. Research will likely shift toward exploring the limits of adversarial robustness – not by attempting to eliminate vulnerability, but by designing systems that degrade gracefully under attack, providing partial or probabilistic detection even when compromised.

Ultimately, the field will confront a choice: pursue increasingly complex defenses, perpetually chasing an unattainable ideal of perfect security, or embrace the inherent fragility of these systems and focus on mitigating the consequences of detection failure. The latter path accepts that all flows decay; the challenge becomes managing that decay, rather than denying it.

Original article: https://arxiv.org/pdf/2512.20712.pdf

Contact the author: https://www.linkedin.com/in/avetisyan/