Sensing-Assisted Eavesdropper Estimation: An ISAC Breakthrough in Physical Layer Security

In this paper, we investigate the sensing-aided physical layer security (PLS) towards Integrated Sensing and Communication (ISAC) systems. A well-known limitation of PLS is the need to have information about potential eavesdroppers (Eves). The sensing functionality of ISAC offers an enabling role here, by estimating the directions of potential Eves to inform PLS. In our approach, the ISAC base station (BS) firstly emits an omnidirectional waveform to search for potential Eves’ directions by employing the combined Capon and approximate maximum likelihood (CAML) technique. Using the resulting information about potential Eves, we formulate secrecy rate expressions, which is a function of the Eves’ estimation accuracy. We then formulate a weighted optimization problem to simultaneously maximize the secrecy rate with the aid of the artificial noise (AN), and minimize the Cramér-Rao Bound (CRB) of targets’/Eves’ estimation. By taking the possible estimation errors into account, we enforce a beampattern constraint with a wide main beam covering all possible directions of Eves. This implicates that security needs to be enforced in all these directions. By improving estimation accuracy, the sensing and security functionalities provide mutual benefits, resulting in improvement of the mutual performances with every iteration of the optimization, until convergence. Our results avail of these mutual benefits and reveal the usefulness of sensing as an enabler for practical PLS.

existing network infrastructures [1].These applications demand both increasingly high-quality communication as well as high accuracy and robustness of sensing, it is well-recognized that the cooperation and co-design between communication and radar systems will play a significant role in the upcoming beyond 5G (B5G) and 6G eras.
At the early stage of the radar-communication (RadCom) system studies, the two systems were conceived to spectrally coexist with each other, thus easing the severe competition over the scarce spectrum resources [2], [3].In the forthcoming B5G/6G eras, radio sensing and communications (S&C) are both evolving towards higher frequency bands and largescale antenna arrays, which leads to striking similarities between S&C systems in terms of hardware architecture, channel characteristics, and information processing pipeline [4].In light of this, the research on the coexistence of radar and communication systems has involved into dual-functional radar communication (DFRC) systems.The joint design of the S&C operations, in the form of Integrated Sensing and Communications (ISAC), have been initially proposed in [5].ISAC systems are expected to achieve higher spectral and energy efficiencies, but most importantly, promote a new paradigm of integration for attaining mutual benefits from a co-design perspective, wherein the S&C functionalities can mutually assist each other.Benefiting from these two advantages, applications of ISAC have been extended to numerous emerging areas, including smart manufacturing, environmental monitoring, vehicular networks, as well as indoor services such as human activity recognition.
With the evolution of cellular networks, the security in mmWave ISAC systems is facing with great challenges because of the shared use of the spectrum and the broadcasting nature of wireless transmission [6].On one hand, the Rician channels are widely employed in mmWave frequencies, containing the line of sight (LoS) component, which results in an inescapable correlation with the sensing channel.This is different from conventional physical layer security (PLS) studies in communication systems with the independent and identically distributed assumption between legitimate user channels and intercept channels [7]- [9].On the other hand, in dual-functional waveform design, the confidential information intended for communication users (CUs) is embedded in radar probing signals.This makes it susceptible to being eavesdropped by the target of interest.In this case, a unique and interesting conflict arises from the radar functionality side.To be specific, the power is expected to be focused towards targets of interest to improve detectability, while the useful signal information has to be protected from being intercepted by the targets, which are acknowledged as Eves, as each of them is reckoned as a potential eavesdropper (Eve).
To secure confidential information in ISAC systems, existing approaches can be generally divided into the following categories, i.e., 1) Cryptography and 2) PLS.Conventionally, the security of communication systems is regarded as an independent feature and addressed at the upper layers of the protocol stack by deploying cryptographic technologies.The studies of cryptography commonly assume that the physical layer provides an error-free link [10], while the wireless links are vulnerable to attacks in practice, which would result in a high risk of information leakage.It is worth pointing out that 5G has already been a large-scale heterogeneous network with multiple levels and weakly-structured architectures, which makes it difficult to distribute and manage secret keys [11].Also, complicated encryption/decryption algorithms cannot be straightforwardly applied considering the power consumption in 5G networks.Furthermore, even if the data is encrypted, the detection of a wireless link from a potential eavesdropper can reveal critical information.In contrast to complex cryptographic approaches, signal processing operations of PLS are usually simple with little additional overheads.A major limitation of PLS is the need to obtain some information for the potential Eves.This ranges from full CSI, to an SNR estimate of Eve's link, or Eve's direction as a minimum.This difficult-to-obtain information often renders PLS impractical.
To our best knowledge of existing literature, ISAC security has been studied in more complex scenarios in recent years.To be specific, the PLS was concerned with the non-orthogonal multiple access (NOMA)-ISAC system by maximizing the sum secrecy rate for multiple users via artificial jamming, where the superimposed signal for NOMA users can be concurrently employed for target detection [12].Moreover, Reconfigurable Intelligent Surfaces (RIS) have been applied to enhance ISAC security [13]- [15].In [14], the authors deployed an active RIS and designed the optimization problem to maximize the achievable secrecy rate of the system by jointly designing the radar receive beamformers, the active RIS reflection coefficients matrix, and the transmit beamformers.This work proved that the deployment of active RIS improves the secrecy performance compared with the passive RIS or no-RIS case.Also, the aerial eavesdroppers (AE) were considered in [16], where the ISAC BS emitted waveforms to track and jam the AE, which achieved a higher secrecy rate and better fairness performance.The optimization problem was formulated to jointly design radar signal and receiver beamformer for improving the secrecy performance based on the tracking information.
More relevant to this work, security in ISAC systems was initially studied in [17], where MIMO radar transmits two different signals, carrying desired information and false information, respectively, both of which are employed for sensing.Optimization problems were designed to maximize the secrecy rate for safeguarding communication data.As studied in [18], [19], the dual-functional base station (BS) detects targets and transmits information to CUs simultaneously, where each of the targets is regarded as a potential eavesdropper.In this scenario, the artificial noise (AN)-aided secure beamforming design enables the secure information transmission from the BS to CUs in ISAC systems.Specifically, AN is generated at the transmitter side to deteriorate the received signal at each target/Eve, thus the decoding capability of which is destructed.To avoid the redundant power consumption caused by the added AN, the research in [20] proposed a symbollevel precoding algorithm to exploit constructive interference (CI) to aid detection from the legitimate users, and destructive interference (DI) to inhibit detection from the target/Eve.More recently, the encryption keys mechanism has been applied in PLS, where the filter band-based PLS algorithm was proposed to enable key generation by decomposing the received signal in parallel sub-bands, namely chirp modulation [21].This method secured ISAC systems by improving the secret key generation rate efficiently, which however depends on the radio channel characteristics.Additionally, the information-theoretic study in [22] considered mitigating information leakage between sensing and communication operations in the ISAC system, where the inner and outer bounds for the secrecy-distortion region were derived under the assumption of perfect and partial output feedback.

B. Contributions
We note that in the above works on secure ISAC transmission, the radar and communication systems work individually over separate end-goals rather than cooperating with each other.To further promote the integration of S&C functionalities to improve the security of the ISAC systems, we propose a novel approach to ensure the PLS for communication data transmission, which is assisted by the sensing functionality.At the first stage, the dual-functional access point (AP) emits an omnidirectional waveform for Eve detection, which then receives echoes reflected from both CUs and Eves located within the sensing range.Suppose that all CUs are cooperative users.That is, the location information of each is acknowledged to the AP.Thus, it is possible to obtain angle estimates of Eves contained in the reflected echo by removing known CUs' angles.The estimation performance is measured by the Cramér-Rao Bound (CRB) [23].
In the next stage, we formulate a weighted optimization problem to minimize the CRB of targets/Eves and maximize the secrecy rate, subject to beampattern constraints as well as a transmit power budget.A key novelty in this setup is that the channel information in the secrecy rates, is a function of the sensing performance.Specifically, to avoid any false dismissal detection, the main lobe of the beampattern is designed to be wide, with a width depending on the estimation accuracy.Afterwards, by improving estimation accuracy, the sensing and security functionalities provide mutual benefits, resulting in improvement of the mutual performances with every iteration of the optimization, until convergence.
Within this scope, the contributions of our work are summarized as follows: • We present a sensing-assisted PLS algorithm for the ISAC systems, where the sensing and secrecy performance are measured by the CRB and the secrecy rate, respectively.In particular, we first perform target detection via emitting an omnidirectional waveform.Then, we formulate a beamforming design problem that jointly improves the sensing accuracy and communication secrecy rate.
• We analyze the lower bound of CRB and the upper bound of the secrecy rate in our proposed ISAC system.• We propose an alternative optimization algorithm that iteratively maximizes the determinant of the Fisher Information Matrix (FIM) and the secrecy rate with the aid of the AN.Specifically, the secrecy rate is updated with improved accuracy of the Eves' angle estimation.• To improve the robustness of the proposed method, we further take into account the uncertainty of Eve's location.
In such cases, the main beam of the sensing beampattern is designed to be sufficiently wide to cover the possible angular region where an Eve may appear with high probability.This region is indicated by the CRB value obtained from the previous iteration.• We design a fractional programming (FP) algorithm to solve the proposed weighted optimization problem and verify the efficiency of the solver for both single-Eve and multi-Eve detection.

C. Organization
This paper is organized as follows.Section II gives the system model.Benchmark schemes including AN design techniques with unknown and statistically known Eve channel information are given in Section III.Section IV presents the approach to estimating Eves' parameters.Bounds for the metrics CRB and secrecy rate are given in Section V and the weighted optimization problem is accordingly designed for Eves' parameters estimation and communication data security in Section VI.Section VII provides numerical results, and Section VIII concludes the paper.
Notations: Unless otherwise specified, matrices are denoted by bold uppercase letters (i.e., X), vectors are represented by bold lowercase letters (i.e., x), and scalars are denoted by normal font (i.e., α).Subscripts indicate the location of the entry in the matrices or vectors (i.e., s i,j and l n are the (i, j)th and the n-th element in S and l, respectively).tr (•) and vec (•) denote the trace and the vectorization operations.(•) T ,

(•)
H and (•) * stand for transpose, Hermitian transpose and the complex conjugate of the matrices, respectively.diag (•) represents the vector formed by the diagonal elements of the matrices and rank , infinite norm and the Frobenius norm respectively.E {•} denotes the statistical expectation.

II. SYSTEM MODEL
We consider a mmWave ISAC system equipped with colocated antennas and let N t and N r denote the number of transmit antennas and receive antennas, where the base station communicates with I communication users (CUs) and detects K targets/Eves simultaneously as depicted in Fig. 1.Note that the targets of interest are considered to be malicious, which intend to intercept the confidential information from the AP to the CUs.We assume the BS has knowledge of the CUs and their channels, and has no knowledge of the Eves.

A. Communication Signal Model and Metrics
Let the rows of X ∈ C Nt×L denote the transmit waveforms, where L is the number of time-domain snapshots.By transmitting the dual-functional waveforms to I CUs, the received signal matrix at the receivers can be expressed as where Z C ∈ C I×L is the additive white Gaussian noise (AWGN) matrix and with the variance of each entry being H ∈ C I×Nt represents the communication channel matrix, which is assumed to be known to the BS, with each entry being independently distributed.Following the typical mmWave channel model in [20], [24], we assume that h i is a slow-fading block Rician fading channel.The channel vector of the i-th user can be expressed as where ) is the LoS deterministic component.a (ω i,0 ) denotes the array steering vector, where ω i,0 ∈ -π 2 , π 2 is the angle of departure (AOD) of the LoS component from the BS to the user i [24], [25].The scattering component h NLoS S,i can be expressed as h NLoS S,i = Nt Lp Lp l=1 c i,l a t (ω i,l ), where L p denotes the number of propagation paths, c i,l ∼ CN (0, 1) is the complex path gain and ω i,l ∈ -π 2 , π 2 is the AOD associated to the (i, l)-th propagation path.The waveform X in (1) can be expressed as where W ∈ C Nt×I is the dual-functional beamforming matrix to be designed, each row of S ∈ C I×L denotes the i-th unitpower data stream intended to CUs, and N ∈ C Nt×L is the AN matrix generated by the transmitter to interfere potential eavesdroppers.We assume that N ∼ CN (0, R N ), where R N ⪰ 0 denotes the covariance matrix of the AN that is to be designed.We further assume that the data streams are approximately orthogonal to each other, yielding Note that ( 4) is asymptotically achievable when L is sufficiently large.Then, we denote the beamforming matrix as where each column w i is the beamformer for the i-th CU.Accordingly, the SINR of the i-th user is given as where we denote Hi = h i h H i and Wi = w i w H i .

B. Radar Signal Model
We here consider targets of interest associated with a particular range bin.Targets in adjacent range bins contribute as interference to the range bin of interest [26].By emitting the waveform X to sense Eves, the reflected echo signal matrix at the BS receive array is given as where a (θ) ∈ C Nr×1 and b (θ) ∈ C Nt×1 represent the steering vectors for the receive and transmit arrays, which are assumed to be a uniform linear array (ULA) with halfwavelength antenna spacing.β k is the complex amplitude of the k-th Eve.We assume the number of antennas is even and define the receive steering vector as It is noted that we choose the center of the ULA antennas as the reference point.To this end, it is easy to verify that Finally, Z R denotes the interference and the AWGN term.We assume that the columns of Z R are independent and identically distributed circularly symmetric complex Gaussian random vectors with mean zero and a covariance matrix Similar to the expression in (5), the eavesdropping SINR received at the k-th Eve regarding the i-th CU is written as where α k denotes the complex path-loss coefficient of the k-th target and σ 2 0 denotes the covariance of AWGN received by each Eve.
For simplicity, the reflected echo signal given in ( 6) can be recast as where we denote

C. CRB and Secrecy Rate
In this subsection, we elaborate on the radar detection and communication security metrics.Particularly, the target/Eve estimation is measured by the CRB, which is a lower bound on the variance of unbiased estimators [27], and the security performance is evaluated by the secrecy rate.
In the multi-Eve detection scenario, the CRB with respect to the unknown Eve parameters θ 1 , . . ., θ K and β 1 , . . ., β K was derived in [28] in detail, and the FIM for θ k , ∀ k as well as real and imaginary parts of β k , ∀ k is given as where the elements of the matrix in (11) are given in (12) at the top of next page with ⊙ denoting the Hadamard (element-wise) matrix product, and . Also, the covariance matrix R X is given as As per the above, the corresponding CRB matrix is expressed as and Moreover, the achievable secrecy rate at the legitimate user is defined as the difference between the achievable rates at the legitimate receivers and the eavesdroppers.Thus, we give the expression of the worst-case secrecy rate as [19], [29] SR where R CU i , ∀ i and R E k , ∀ k represent the achievable transmission rate of the i-th CU and the k-th Eve, which can be expressed as (17a) and (17b), respectively.

III. BENCHMARK SCHEMES: ISOTROPIC AN-AIDED SECURE BEAMFORMING AND EVE-AWARD AN DESIGN
In the scenario considered with no knowledge of the Eves, a typical method to avoid the information inception is to transmit AN.To be specific, partial transmit power is allocated to emit the AN to interfere with the Eves, where the AN is isotropically distributed on the orthogonal complement subspace of CUs' channels [30].To elaborate on this, we firstly take the l-th snapshot as a reference, i.e., (1) is simplified as where For simplicity, the snapshot index l will be omitted in the following descriptions.We further rewrite the AN vector n as where V = P ⊥ H = I Nt −H H HH H −1 H denotes the orthogonal complement projector of the H, and n is the zero-mean colored noise vector with a covariance matrix R n = E nn H [31], [32].Accordingly, the covariance matrix is given as Then, the received signal vector of legitimate CUs is written as It is noted that the AN does not interfere with the CUs' channels and the SINR of the i-th user is given as Likewise, the eavesdropping SINR of the k-th Eve on the i-th CU is given as where g k denotes the channel from the transmitter to the kth Eve.Note that the covariance matrix of the colored noise vector, i.e., R n, is set as the identity matrix when Eves' channels are unknown to the ISAC BS.

A. AN Refinement Based on Eves' Information
The AN design could be further refined if more information about Eve's channels g k is known to the BS.In this case, we assume that the instantaneous channel realizations of Eves are known to the transmitter, which is defined as where ḡk and σ 2 G,k I Nt denote the mean and covariance matrix of g k , respectively.In particular, to obtain a fair comparison with our approach that assumes no Eves' information, we consider the extreme setting that Besides, we assume that g k and s are independent and identically distributed (i.i.d.) [33].To this end, the expression of the secrecy rate can be accordingly obtained as given in Section II-C, which is written as In light of the above assumptions, the secrecy rate maximization problem with the omnidirectional beampattern design is given as max Wi,Rn Note that the non-convexity of the problem above only lies in the objection function, while it can be regarded as a typical secrecy rate maximization problem, which has been solved efficiently as studied in [34], [35].We further apply the eigenvalue decomposition or Gaussian randomization procedure to make sure the resulting beamforming matrix Wi is rank-1.The simulation results will be given in Section VII as benchmarks.

IV. EVES' PARAMETERS ESTIMATION
To avoid redundancy, we briefly present the method to estimate amplitudes and angles of Eves based on our signal models proposed in Section II, namely the combined Capon and approximate maximum likelihood (CAML) approach [36], [37].Specifically, Capon is initially applied to estimate the peak directions, and then approximate maximum likelihood (AML) is used to estimate the amplitudes of all Eves.
We firstly give the expression of signal model Y [38], where we let θk , k = 1, . . ., K denote the estimated Eves' directions.Similar to the receive signal model in (6), we here have where Λ = diag β θ1 , . . ., β θK and Z denotes the residual term.By employing the AML algorithm, the estimate of amplitudes can be written in a closed form given as [37] where vecd(•) denotes a column vector with the elements being the diagonal of a matrix and where R is the sample covariance of the observed data samples and R = 1 L YY H .At the first step of the Eve parameter estimation, we design our transmission so that the AP emits an omnidirectional waveform, which is usually employed by the MIMO radar for initial probing.Thus, the covariance matrix is given as RX = P0 Nt I Nt .The CRBs for angles and amplitudes of targets can be accordingly calculated by substituting RX into ( 12) and ( 15), where we denote them as CRB 0 θ and CRB 0 β .Assume that the probability density function (PDF) of the angle estimated error is modeled as Gaussian distribution, zero mean and a variance of CRB 0 θ .That is, E est,k ∼ CN 0, CRB 0 θk , where E est,k denotes the angle estimation error of the k-th Eve.As a consequence, the probability that the real direction of the k-th Eve falls in the range Ξ (0) k = θk − 3 CRB 0 θk , θk + 3 CRB 0 θk is approximately 0.9973 [39].Thus, the main lobe width of the radar beampattern will be initially designed as Ξ (0) , and then it will be iteratively updated based on the optimized CRB.
For clarity, we present the spatial spectrum of the direction demonstrate the CAML performance when SNR=20dB and SNR=-15dB, respectively.It is noted that the CAML approach estimates the DOA precisely when SNR is 20dB, while errors of the angle estimation happen when the SNR decreases to -15 dB.To further illustrate the performance of the CAML estimation method, the root mean square error (RMSE) versus the SNR of the echo signal is shown in Fig. 3 with the CRB as a baseline.As expected, the CRB is shown as the lower bound of the RMSE obtained by CAML estimation, in particular, the CRB gets tight in the high-SNR regime.

V. BOUNDS FOR CRB AND SECRECY RATE
The design of a weighted optimization between the radar CRB and the communication secrecy rate presents the challenge that the two performance metrics have different units and potentially different magnitudes.To overcome this challenge we need to normalize them each with their respective upper/lower bound.To obtain these bounds, in this section we present the CRB minimization problem and the secrecy rate maximization problem with the system power budget constraint.Considering the further design of the weighted objective function in the following section, the CRB minimization problem can be approximated as the FIM determinant maximization problem.To this end, the optimal solutions generate the upper bounds of the FIM determinant and the secrecy rate, both of which will be employed to normalize the metrics in Section VI.

A. Upper-bound of the FIM Determinant
We denote η as the sensing parameters, thus the MSE can be expressed as . Thus, it is common to minimize the trace or the determinant of the CRB matrix, i.e., tr J −1 or J −1 .Since the CRB matrix is the inverse of the FIM matrix, the problem of minimizing J −1 is equivalent to maximizing |J|, which is given as [28] max where P 0 denotes the power budget of the proposed system.It is noted that the optimization above is convex and can be efficiently solved by CVX toolbox [41], [42].Consequently, by substituting the optimal Wi , R N in (11), the upper-bound of FIM determinant is obtained.

B. Secrecy Rate Bound
To derive the upper bound of the secrecy rate, we only consider the communication security metric in this subsection.Assuming that the CSI is perfectly known to the BS, the secrecy rate maximization problem can be formulated as It is noted that the non-convexity lies in the objective function of (30), which makes the optimization problem above difficult to solve.To resolve this issue, we introduce an auxiliary variable b, where (30) has the same optimal solutions as the reformulation below The above problem can be simply relaxed into a convex SDP problem.For brevity, we refer readers to [35] for more details.

VI. WEIGHTED OPTIMIZATION FOR EVES' ESTIMATION
AND SECURE COMMUNICATION In this section, we propose a normalized weighted optimization problem that reveals the performance tradeoff between the communication security and Eve parameters estimation.Additionally, recall that the ISAC access point firstly emits an omnidirectional beampattern as given in Section IV, where imprecise angles of Eves have been obtained at the given SNR, with the angular uncertainty interval of the k-th Eve is denoted as Ξ (0) k .To reduce angle estimation errors, we also take the wide main beam design into account, which covers all possible directions of Eves.

A. Problem Formulation
To achieve the desired tradeoff between the communication data security and the radar estimation CRB, while taking the estimation errors of Eves' angles and the system power budget into account, we formulate the weighted optimization problem as follows where |J| U B and SR U B denote the upper bounds of the FIM matrix determinant and the secrecy rate which were obtained in Section V, respectively.γ s denotes the given threshold to constrain the power of the sidelobe.
Algorithm 1 Iterative optimization of the CRB and the secrecy rate k obtained from initial target/Eve estimation and CRB in Section IV; r = 1 1: repeat 2: k is accordingly obtained; until find the optimal c ∈ min which generates the maximum value of the objective function deploying the golden search; the optimal variables W⋆ i , R ⋆ N are obtained; 8: calculate the CRB r θ and the secrecy rate in the r-th iteration; 9: k can be accordingly obtained; the weighting factor that determines the weights for the Eve estimation performance and the secrecy rate.α denotes a given scalar associated with the wide main beam fluctuation.ϑ k,n is the n-th possible direction of the k-th Eve, ϑ k,0 is the angle which was estimated by the algorithm proposed in Section IV.Ω k and Φ k denote the main beam region and sidelobe region, respectively.Note that card (•) denotes the the cardinality of (•).
Remark 1.It is important to highlight that the secrecy rate given by ( 16) is a function of the estimation accuracy of Eve's parameters, including θ k and α k .Accordingly, beyond the tradeoff in the weighted optimization in this section, the improvement in the sensing performance directly results in an improvement in the secrecy performance.

B. Efficient Solver
To tackle problem (32), we firstly recast the complicated secrecy rate term in the objective function.For simplicity, we denote Σ i = I m=1 tr Hi Wm and rewrite the optimization problem as (33).According to [35], the weighted optimization problem can be recast as (34) by introducing the scalar b.Problem ( 34) is shown at the top of the next page.
It is noted that the min operator only applies to the second term of the objective function of problem (34).According to the Fractional Programming (FP) algorithm [43], the optimization problem can be further reformulated by replacing the fraction term with the coefficient z, which is given as where y denotes a collection of variables y = {y 1 , . . ., y I }.Referring to [35], let c = 1 b , where c ∈ min can be rewritten as (37) (next page) by replacing b with c, and the optimal y i can be found in the following closed form Note that problem (37) (at the top of the next page) can be efficiently solved by the CVX toolbox [41], [42].Given the interval of c, the optimal variables.W⋆ i , R ⋆ N , z ⋆ can be consequently obtained by performing a one-dimensional search over c, such as uniform sampling or the golden search [44].To this end, the optimal CRB ⋆ and SR ⋆ can be accordingly calculated.The computational complexity of solving problem (37) at each iteration is O N 6.5 t according to [45].To further generalize the problem above and simplify the objective function, we equivalently consider the determinant minimization problem of P H J −1 P by introducing the matrix P, where P associates with activated Eves with the dimension of P is 3K × 3.For example, when the CRB minimization is only associated with the first Eve, the first, the (K + 1)th, and the (2K + 1)-th rows are the first, second, and third rows of the identity matrix I 3×3 , respectively [28].Then, by max Wi,RN (32b) , (32c) , (32d) and (32e) . (34c) (32b) , (32c) , (32d) and (32e) .
noting that the inequality Υ −1 ≥ P H J −1 P is equivalent to Υ ≥ ΥP H J −1 PΥ, and based on the Schur-complement condition, problem (32) Similarly, the determinant maximization problem above is convex and readily solvable.For clarity, the above procedure has been summarized in Algorithm 1.

VII. NUMERICAL RESULTS
In this section, we provide the numerical results to evaluate the effectiveness of the proposed sensing-aided secure ISAC system design.We assume that both the ISAC BS and the radar receiver are equipped with uniform linear arrays (ULAs) with the same number of elements with half-wavelength spacing between adjacent antennas.In the following simulations, the number of transmit antennas and receive antennas are set as N t = N r = 10 serving I = 3 CUs, the frame length is set as L = 64, the noise variance of the communication system is σ 2 C = 0 dBm.We assume that the complex pathloss coefficient is constant over the observation interval and modeled as a complex Gaussian distributed with mean zero and variance of σ2 , where d k is the distance between the BS and the k-th target [46].verify the efficiency of the proposed approach, the received SNR of the echo signal is set as SNR=-22 dB, which is defined as SNR = |β| 2 LP0 σ 2

R
. The ISAC BS first transmits an omnidirectional beampattern for Eve estimation, with the aid of the CAML technique, which is denoted by green dashed lines in Fig. 4 and Fig. 5.It is referred to as the first iteration and the CRB can be accordingly calculated.Then, to ensure that Eves stay within the angle range of main lobes, we design a beampattern with a wide main beam with a beamwidth determined by the CRB obtained from the last iteration, which has been elaborated in Section VI.By updating the CRB iteratively, the main lobes get narrow and point to the directions of Eves, as illustrated by the rest of the lines in Fig. 4 and Fig. 5.In the simulations, we repeat the weighted optimization problem until the CRB and the secrecy rate both convergence to a local optimum.The beampatterns also indicate that the main beam gain grows with the main lobe width getting narrow.Besides, Fig. 5 shows that the power towards Eves of interest gets lower compared with the single-Eve scenario, while it still outperforms the omnidirectional beampattern design.
In Fig. 6, we investigate the secrecy rate versus the main beam width with different power budget P 0 , and the benchmarks are given in dashed lines and dotted lines which are obtained by the AN design techniques with knowledge of G k and with no information of Eves' channels as given in Sec III, respectively.Generally, the secrecy rate gets higher with the increase of the power budget and it is obvious that the proposed algorithm outperforms benchmark methods.It is worthwhile to stress that the proposed weighted optimization ( 32) is implemented with no information on Eves.Note that the secrecy rate increases first and then decreases with the expansion of Eve's location uncertainty.The initial increase is because the gain of the beam towards the target/Eve of interest decreases with the growth of the main beam width, resulting in the deterioration of the eavesdropping SINR E k,i .With respect to the expression in ( 16), the secrecy rate improves when SINR E k,i reduces.However, the power budget constraint becomes tight when the main beam keeps being expanded.This indicates that more power is allocated to the Eve estimation, thus, the secrecy rate decreases.Additionally, when the main beam is wider, the transmission needs to secure the data over a wider range of angles, which is reflected in an SR expression with high channel uncertainty.Particularly, when the power budget is low, for example, P 0 = 25 dBm, we note that the secrecy rate monotonically decreases with the growth of ∆θ, while the weighted optimization problem is infeasible due to the power budget limit when the ∆θ is larger than 5 degree.Fig. 7 illustrates the convergence of the CRB and the secrecy rate of the proposed algorithm.The benchmark in Fig. 7 (c) is generated following the AN design techniques in Section III, where the covariance of AWGN received by Eves is set as σ 2 0 = 0 dBm. 1 It is noted that the performance of metrics converges after five iterations when SNR=-22 dB, while the convergence requires fewer iterations at higher SNR.Additionally, the secrecy rate obtained by the proposed algorithm converges to 8.9 bit/s/Hz and 9.1 bit/s/Hz when SNR=-22 dB and SNR=-15 dB, which outperforms the isotropical AN methods.
Moreover, it is illustrated in Fig. 8 that the secrecy rate decreases with the growth of the CUs' number, given different power budgets P 0 .Note that a higher power budget achieves better security performance.Particularly, the secrecy rate cannot be ensured if the ISAC system serves more than 5 CUs when P 0 = 25 dBm.In Fig. 9, we consider the performance tradeoff between the target/Eve estimation and communication data security with different power budgets by varying the weighting factor ρ. We note that higher P 0 results 1 In the isotropical AN designs, i.e., the benchmark schemes, we deploy the omnidirectional waveform to ensure the sensing performance, where we have RX = P 0 N t I N t according to problem (25).As the CRB matrix is a function of the covariance matrix, the resultant root-CRB of the benchmark schemes is equal to the value at the first iteration as shown in Fig. 6. in a better performance of the estimation metric, i.e., root-CRB of the amplitude and the angle.Additionally, with the increase in secrecy rate, the CRB grows as well, which demonstrates the deterioration of Eve's angle estimation accuracy.Furthermore, we consider a scenario including one CU and one Eve for exploiting impacts on security and sensing metrics resulting from the angle difference between the CU and the Eve.In this case, the Rician channel model with a strong LoS component is deployed, i.e., v i = 7 in (2), and the CU is assumed to locate at −20 • .Resultant beampatterns are shown in Fig. 10 when the Eve is at −20 • as well.It is demonstrated that the main beam width converges after four iterations and the generated angle root-CRB at the second iteration is lower than the case of a weak Rician channel, which is validated in Fig. 11.Fig. 11 illustrates the analysis of the secrecy rate and the root-CRB of angle with various angle difference.Generally speaking, with the expansion of the uncertain angular interval ∆θ, both of the metrics deteriorated.The secrecy rate decreases when the Eve and the CU directions get closer, while the performance of the CRB improves since the tradeoff is revealed in Fig. 9.

Fig. 1 .
Fig. 1.Architecture of the proposed secure ISAC system assisted by the sensing functionality.

Fig. 6 .
Fig.6.The secrecy rate analysis versus Eve's location uncertainty with various power budgets, where the AN design techniques with no information of Eves' channels and with known G k are denoted by dotted lines and dashed lines, respectively.ϑ 1,0 = −25 • , I = 3, K = 1, SNR=-15 dB.