Poison-Only and Targeted Backdoor Attack Against Visual Object Tracking

doi:10.12142/ZTECOM.202503002

ZTE Communications ›› 2025, Vol. 23 ›› Issue (3): 3-14.DOI: 10.12142/ZTECOM.202503002

• Special Topic • Previous Articles Next Articles

Poison-Only and Targeted Backdoor Attack Against Visual Object Tracking

GU Wei¹^,², SHAO Shuo¹^,², ZHOU Lingtao³, QIN Zhan¹^,²(), REN Kui¹^,²

^1.State Key Laboratory of Blockchain and Data Security, Zhejiang University, Hangzhou 310027, China
^2.Hangzhou High?Tech Zone (Binjiang) Institute of Blockchain and Data Security, Hangzhou 310051, China
^3.Shandong University, Jinan 250100, China

Received:2025-07-23 Online:2025-09-11 Published:2025-09-11
About author:GU Wei is currently pursuing a master's degree at the School of Cyber Science and Technology and the State Key Laboratory of Blockchain and Data Security, Zhejiang University, China. Before that, he received a BE degree in computer science and technology from Zhuoyue Honors College, Hangzhou Dianzi University, China in 2023. His research interests include LLM security and AI safety.
SHAO Shuo is currently pursuing a PhD degree at the School of Cyber Science and Technology and the State Key Laboratory of Blockchain and Data Security, Zhejiang University, China. Before that, he received a BE degree from the School of Computer Science and Technology, Central South University, China in 2022. His research interests include AI copyright protection, data protection, and LLM safety. He has published a series of papers in top-tier conferences and journals such as NDSS, ICLR, TIFS, and TDSC, among others, and actively serves as a reviewer for NeurIPS, ICML, TCSVT, TII and other leading venues.
ZHOU Lingtao is currently pursuing a BE degree at Shandong University, China. His research interests include backdoor attacks and AI security.
QIN Zhan (qinzhan@zju.edu.cn) is currently a tenured associate professor, with both the College of Computer Science and Technology and the Institute of Cyberspace Research (ICSR) at Zhejiang University, China. He was an assistant professor at the Department of Electrical and Computer Engineering, the University of Texas at San Antonio, USA after receiving the PhD degree from the Computer Science and Engineering department, State University of New York at Buffalo, USA in 2017. His current research interests include data security and privacy, secure computation outsourcing, artificial intelligence security, and cyber-physical security in the context of the Internet of Things. His works explore and develop novel security-sensitive algorithms and protocols for computation and communication in the general context of Cloud and Internet devices.
REN Kui is a professor and the dean of the School of Cyber Science and Technology at Zhejiang University. Before that, he was a SUNY Empire Innovation Professor at State University of New York at Buffalo, USA. He received his PhD degree in electrical and computer engineering from Worcester Polytechnic Institute, USA. His current research interests include data security, IoT security, AI security, and privacy. He received the Guohua Distinguished Scholar Award from Zhejiang University, IEEE CISTC Technical Recognition Award, SUNY Chancellor's Research Excellence Award, Sigma Xi Research Excellence Award, and NSF CAREER Award. He has published extensively in peer-reviewed journals and conferences and received the Test-of-Time Paper Award from IEEE INFOCOM and many Best Paper Awards from IEEE and ACM. He currently serves as Chair of SIGSAC of ACM China. He is a Fellow of IEEE, a Fellow of ACM, and a Clarivate Highly-Cited Researcher.
Supported by:
the "Pioneer" and "Leading Goose" R&D Program of Zhejiang(2024C01169);the National Natural Science Foundation of China(62441238);the National Natural Science Foundation of China(U2441240)

Abstract

Abstract:

Visual object tracking (VOT), aiming to track a target object in a continuous video, is a fundamental and critical task in computer vision. However, the reliance on third-party resources (e.g., dataset) for training poses concealed threats to the security of VOT models. In this paper, we reveal that VOT models are vulnerable to a poison-only and targeted backdoor attack, where the adversary can achieve arbitrary tracking predictions by manipulating only part of the training data. Specifically, we first define and formulate three different variants of the targeted attacks: size-manipulation, trajectory-manipulation, and hybrid attacks. To implement these, we introduce Random Video Poisoning (RVP), a novel poison-only strategy that exploits temporal correlations within video data by poisoning entire video sequences. Extensive experiments demonstrate that RVP effectively injects controllable backdoors, enabling precise manipulation of tracking behavior upon trigger activation, while maintaining high performance on benign data, thus ensuring stealth. Our findings not only expose significant vulnerabilities but also highlight that the underlying principles could be adapted for beneficial uses, such as dataset watermarking for copyright protection.

Key words: visual object tracking, backdoor attack, computer vision, data security, AI safety

GU Wei, SHAO Shuo, ZHOU Lingtao, QIN Zhan, REN Kui. Poison-Only and Targeted Backdoor Attack Against Visual Object Tracking[J]. ZTE Communications, 2025, 23(3): 3-14.

Figures/Tables 6

Figure 1 Demonstration of different variants of the targeted attacks against VOT models: (a) tracking the object normally without an attack; (b) forcing the size of the predicted bounding box to be larger or smaller; (c) manipulating the predicted movement trajectory; (d) controlling the size and trajectory simultaneously

Figure 2 Pipeline of the poison-only and targeted backdoor attack against VOT models. In the dirty-label setting, the ground-truth label is directly shifted to the trigger pattern's location, explicitly training the model to treat the pattern as the object to track. In contrast, in the clean-label setting, the trigger pattern is overlaid on the real target, causing the model to learn the pattern as part of the target's appearance. As a result, during inference, the presence of the pattern alone can activate the backdoor and mislead the tracker

Figure 3 Comparison between the random frame poisoning (RFP) and the random video poisoning (RVP) attacks. RFP selects random frames from different videos while RVP selects all the frames from one video

Table 1 SR results of size-manipulation attacks

Dataset

Model

Metric

α

Benign

RFP-D

RFP-C

RVP-D

RVP-C

1.051

0.743

1.002

0.732

0.728

1.053

0.854

0.999

0.834

0.823

1.062

1.052

1.072

1.086

1.067

1.070

1.290

1.214

1.406

1.387

1.071

1.544

1.351

1.781

1.733

SiamRPN++

Benign

RFP-D

RFP-C

RVP-D

RVP-C

0.979

0.725

0.873

0.734

0.743

1.001

0.829

0.918

0.839

0.853

1.054

1.057

1.071

1.056

1.064

1.114

1.335

1.291

1.318

1.356

0.120

1.526

1.456

1.479

1.657

OTB100

SiamFC++

Benign

RFP-D

RFP-C

RVP-D

RVP-C

1.128

1.736

1.064

0.718

0.726

1.129

0.848

1.056

0.821

0.814

1.132

1.086

1.132

1.122

1.094

1.121

1.396

1.544

1.501

1.106

1.734

2.049

1.957

SiamRPN++

Benign

RFP-D

RFP-C

RVP-D

RVP-C

0.994

0.864

0.949

0.863

0.864

0.998

0.875

0.948

0.881

0.892

1.043

1.047

1.067

1.041

1.062

1.093

1.275

1.253

1.257

1.326

1.105

1.338

1.322

1.291

1.502

Table 1 SR results of size-manipulation attacks

Dataset

Model

Metric

α

0.90

0.95

1.00

1.05

1.10

GOT10K

SiamFC++

Benign

RFP-D

RFP-C

RVP-D

RVP-C

1.051

0.743

1.002

0.732

0.728

1.053

0.854

0.999

0.834

0.823

1.062

1.052

1.072

1.086

1.067

1.070

1.290

1.214

1.406

1.387

1.071

1.544

1.351

1.781

1.733

SiamRPN++

Benign

RFP-D

RFP-C

RVP-D

RVP-C

0.979

0.725

0.873

0.734

0.743

1.001

0.829

0.918

0.839

0.853

1.054

1.057

1.071

1.056

1.064

1.114

1.335

1.291

1.318

1.356

0.120

1.526

1.456

1.479

1.657

OTB100

SiamFC++

Benign

RFP-D

RFP-C

RVP-D

RVP-C

1.128

1.736

1.064

0.718

0.726

1.129

0.848

1.056

0.821

0.814

1.132

1.086

1.132

1.122

1.094

1.121

1.396

1.544

1.501

1.106

1.734

2.049

1.957

SiamRPN++

Benign

RFP-D

RFP-C

RVP-D

RVP-C

0.994

0.864

0.949

0.863

0.864

0.998

0.875

0.948

0.881

0.892

1.043

1.047

1.067

1.041

1.062

1.093

1.275

1.253

1.257

1.326

1.105

1.338

1.322

1.291

1.502

Table 2 Slopes of trajectory-manipulation attacks under different β

Dataset

Model

Metric

β

Benign

RFP-D

RFP-C

RVP-D

RVP-C

0.036

0.004

0.008

0.005

0.004

0.049

0.097

0.089

0.093

0.095

0.056

0.166

0.122

0.168

0.167

0.056

0.213

0.140

0.231

0.232

0.059

0.276

0.150

0.291

SiamRPN++

Benign

RFP-D

RFP-C

RVP-D

RVP-C

0.033

0.006

0.040

0.086

0.077

0.086

0.077

0.048

0.161

0.150

0.161

0.150

0.050

0.221

0.207

0.221

0.207

0.051

0.276

0.253

0.276

0.253

OTB100

SiamFC++

Benign

RFP-D

RFP-C

RVP-D

RVP-C

0.029

0.006

0.010

0.006

0.007

0.035

0.099

0.077

0.091

0.096

0.033

0.185

0.111

0.181

0.183

0.032

0.255

0.133

0.257

0.260

0.032

0.318

0.153

0.324

0.326

SiamRPN++

Benign

RFP-D

RFP-C

RVP-D

RVP-C

0.029

0.009

0.016

0.008

0.011

0.032

0.077

0.046

0.078

0.070

0.033

0.161

0.051

0.171

0.145

0.034

0.217

0.050

0.235

0.187

0.032

0.260

0.048

0.288

0.216

Table 2 Slopes of trajectory-manipulation attacks under different β

Dataset

Model

Metric

β

fix

0.1

0.2

0.3

0.4

GOT10K

SiamFC++

Benign

RFP-D

RFP-C

RVP-D

RVP-C

0.036

0.004

0.008

0.005

0.004

0.049

0.097

0.089

0.093

0.095

0.056

0.166

0.122

0.168

0.167

0.056

0.213

0.140

0.231

0.232

0.059

0.276

0.150

0.291

SiamRPN++

Benign

RFP-D

RFP-C

RVP-D

RVP-C

0.033

0.006

0.040

0.086

0.077

0.086

0.077

0.048

0.161

0.150

0.161

0.150

0.050

0.221

0.207

0.221

0.207

0.051

0.276

0.253

0.276

0.253

OTB100

SiamFC++

Benign

RFP-D

RFP-C

RVP-D

RVP-C

0.029

0.006

0.010

0.006

0.007

0.035

0.099

0.077

0.091

0.096

0.033

0.185

0.111

0.181

0.183

0.032

0.255

0.133

0.257

0.260

0.032

0.318

0.153

0.324

0.326

SiamRPN++

Benign

RFP-D

RFP-C

RVP-D

RVP-C

0.029

0.009

0.016

0.008

0.011

0.032

0.077

0.046

0.078

0.070

0.033

0.161

0.051

0.171

0.145

0.034

0.217

0.050

0.235

0.187

0.032

0.260

0.048

0.288

0.216

Table 3 SRs, slopes, and IoU of hybrid attacks

Dataset

Attack Mode

Shrink (

α = 0.9

)

Expand (

α = 1.1

)

Fix

Move (

β = 0.1

)

Fix

Move (

β = 0.1

Benign

RFP-D

RFP-C

RVP-D

RVP-C

1.040

0.672

0.784

0.671

0.644

0.039

0.004

0.018

0.006

0.294

0.529

0.432

0.535

0.558

1.050

0.680

0.840

0.671

0.649

0.050

0.097

0.069

0.092

0.093

0.190

0.517

0.313

0.525

0.538

1.186

1.756

1.766

2.082

2.003

0.042

0.008

0.013

0.008

0.009

0.390

0.668

0.664

0.763

0.755

1.160

1.723

1.698

2.054

1.977

0.042

0.088

0.082

0.086

0.087

0.313

0.631

0.609

0.736

0.718

SiamRPN++

Benign

RFP-D

RFP-C

RVP-D

RVP-C

0.995

0.710

0.883

0.719

0.747

0.037

0.011

0.028

0.010

0.012

0.302

0.489

0.363

0.484

0.472

1.015

0.733

0.952

0.743

0.797

0.040

0.075

0.040

0.076

0.066

0.182

0.433

0.209

0.430

0.380

1.116

1.552

1.455

1.511

1.668

0.040

0.017

0.018

0.017

0.012

0.373

0.572

0.535

0.559

0.623

1.096

1.492

1.370

1.430

1.611

0.039

0.052

0.038

0.048

0.056

0.290

0.494

0.420

0.469

0.542

OTB100

SiamFC++

Benign

RFP-D

RFP-C

RVP-D

RVP-C

1.094

0.704

0.832

0.684

0.672

0.030

0.005

0.017

0.007

0.277

0.504

0.412

0.524

0.535

1.119

0.706

0.897

0.707

0.694

0.034

0.098

0.057

0.092

0.095

0.117

0.494

0.251

0.497

0.501

1.186

1.867

1.873

2.330

2.204

0.032

0.007

0.013

0.008

0.010

0.398

0.712

0.701

0.853

0.824

1.164

1.821

1.712

2.286

2.140

0.032

0.098

0.076

0.090

0.096

0.324

0.675

0.600

0.803

0.779

SiamRPN++

Benign

RFP-D

RFP-C

RVP-D

RVP-C

1.014

0.874

0.977

0.874

0.903

0.030

0.014

0.027

0.013

0.018

0.283

0.377

0.310

0.379

0.362

1.041

0.895

1.023

0.897

0.948

0.033

0.065

0.033

0.066

0.053

0.109

0.290

0.118

0.289

0.235

1.113

1.335

1.311

1.295

1.453

0.032

0.025

0.028

0.027

0.022

0.376

0.472

0.468

0.455

0.529

1.102

1.266

1.252

1.237

1.370

0.031

0.042

0.033

0.039

0.043

0.300

0.393

0.363

0.376

0.430

Table 3 SRs, slopes, and IoU of hybrid attacks

Dataset

Attack Mode

Shrink (

α = 0.9

)

Expand (

α = 1.1

)

Fix

Move (

β = 0.1

)

Fix

Move (

β = 0.1

)

GOT10K

Model

Metric

Slope

IoU

Slope

IoU

Slope

IoU

Slope

IoU

SiamFC++

Benign

RFP-D

RFP-C

RVP-D

RVP-C

1.040

0.672

0.784

0.671

0.644

0.039

0.004

0.018

0.006

0.294

0.529

0.432

0.535

0.558

1.050

0.680

0.840

0.671

0.649

0.050

0.097

0.069

0.092

0.093

0.190

0.517

0.313

0.525

0.538

1.186

1.756

1.766

2.082

2.003

0.042

0.008

0.013

0.008

0.009

0.390

0.668

0.664

0.763

0.755

1.160

1.723

1.698

2.054

1.977

0.042

0.088

0.082

0.086

0.087

0.313

0.631

0.609

0.736

0.718

SiamRPN++

Benign

RFP-D

RFP-C

RVP-D

RVP-C

0.995

0.710

0.883

0.719

0.747

0.037

0.011

0.028

0.010

0.012

0.302

0.489

0.363

0.484

0.472

1.015

0.733

0.952

0.743

0.797

0.040

0.075

0.040

0.076

0.066

0.182

0.433

0.209

0.430

0.380

1.116

1.552

1.455

1.511

1.668

0.040

0.017

0.018

0.017

0.012

0.373

0.572

0.535

0.559

0.623

1.096

1.492

1.370

1.430

1.611

0.039

0.052

0.038

0.048

0.056

0.290

0.494

0.420

0.469

0.542

OTB100

SiamFC++

Benign

RFP-D

RFP-C

RVP-D

RVP-C

1.094

0.704

0.832

0.684

0.672

0.030

0.005

0.017

0.007

0.277

0.504

0.412

0.524

0.535

1.119

0.706

0.897

0.707

0.694

0.034

0.098

0.057

0.092

0.095

0.117

0.494

0.251

0.497

0.501

1.186

1.867

1.873

2.330

2.204

0.032

0.007

0.013

0.008

0.010

0.398

0.712

0.701

0.853

0.824

1.164

1.821

1.712

2.286

2.140

0.032

0.098

0.076

0.090

0.096

0.324

0.675

0.600

0.803

0.779

SiamRPN++

Benign

RFP-D

RFP-C

RVP-D

RVP-C

1.014

0.874

0.977

0.874

0.903

0.030

0.014

0.027

0.013

0.018

0.283

0.377

0.310

0.379

0.362

1.041

0.895

1.023

0.897

0.948

0.033

0.065

0.033

0.066

0.053

0.109

0.290

0.118

0.289

0.235

1.113

1.335

1.311

1.295

1.453

0.032

0.025

0.028

0.027

0.022

0.376

0.472

0.468

0.455

0.529

1.102

1.266

1.252

1.237

1.370

0.031

0.042

0.033

0.039

0.043

0.300

0.393

0.363

0.376

0.430

References 49

[1]	KRISTAN M, MATAS J, LEONARDIS A, et al. The visual object tracking VOT2015 challenge results [C]//Proc. IEEE International Conference on Computer Vision Workshop (ICCVW). IEEE, 2015: 564–586. DOI: 10.1109/ICCVW.2015.79
[2]	CHEN F, WANG X D, ZHAO Y X, et al. Visual object tracking: a survey [J]. Computer vision and image understanding, 2022, 222: 103508. DOI: 10.1016/j.cviu.2022.103508
[3]	HONG L Y, YAN S L, ZHANG R R, et al. OneTracker: unifying visual object tracking with foundation models and efficient tuning [C]//Proc. IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR). IEEE, 2024: 19079–19091. DOI: 10.1109/CVPR52733.2024.01805
[4]	CHEN X, PENG H W, WANG D, et al. SeqTrack: sequence to sequence learning for visual object tracking [C]//Proc. IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR). IEEE, 2023: 14572–14581. DOI: 10.1109/CVPR52729.2023.01400
[5]	CHENG G, YUAN X, YAO X W, et al. Towards large-scale small object detection: survey and benchmarks [J]. IEEE transactions on pattern analysis and machine intelligence, 2023, 45(11): 13467–13488. DOI: 10.1109/TPAMI.2023.3290594
[6]	TANG H, LIANG K J, GRAUMAN K, et al. Egotracks: a long-term egocentric visual object tracking dataset [C]//Advances in Neural Information Processing Systems 36. NeurIPS, 2023: 75716–75739
[7]	CEN M B, JUNG C. Fully convolutional Siamese fusion networks for object tracking [C]//Proc. 25th IEEE International Conference on Image Processing (ICIP). IEEE, 2018: 3718–3722. DOI: 10.1109/ICIP.2018.8451102
[8]	LI B, WU W, WANG Q, et al. SiamRPN++: evolution of Siamese visual tracking with very deep networks [C]//Proc. IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR). IEEE, 2019. DOI: 10.1109/cvpr.2019.00441
[9]	BHAT G, DANELLJAN M, VAN GOOL L, et al. Learning discriminative model prediction for tracking [C]//Proc. IEEE/CVF International Conference on Computer Vision (ICCV). IEEE, 2019: 6181–6190. DOI: 10.1109/ICCV.2019.00628
[10]	WEI X, BAI Y F, ZHENG Y C, et al. Autoregressive visual tracking [C]//Proc. IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR). IEEE, 2023: 9697–9706. DOI: 10.1109/CVPR52729.2023.00935
[11]	LI Y M, JIANG Y, LI Z F, et al. Backdoor learning: a survey [J]. IEEE transactions on neural networks and learning systems, 2024, 35(1): 5–22. DOI: 10.1109/TNNLS.2022.3182979
[12]	CHEN Y K, SHAO S, HUANG E H, et al. Refine: inversion-free backdoor defense via model reprogramming[C]//International Conference on Learning Representations. ICLR, 2025: 1–28
[13]	GU T Y, LIU K, DOLAN-GAVITT B, et al. BadNets: evaluating backdooring attacks on deep neural networks [J]. IEEE access, 2019, 7: 47230–47244
[14]	WEI C, WANG Y, GAO K F, et al. PointNCBW: toward dataset ownership verification for point clouds via negative clean-label backdoor watermark [J]. IEEE transactions on information forensics and security, 2024, 20: 191–206. DOI: 10.1109/TIFS.2024.3492792
[15]	ZHU R, TANG D, TANG S Y, et al. Gradient shaping: enhancing backdoor attack against reverse engineering [C]//Proc. 2024 Network and Distributed System Security Symposium. Internet Society, 2024. DOI: 10.14722/ndss.2024.24450
[16]	LIN J Y, XU L, LIU Y Q, et al. Composite backdoor attack for deep neural network by mixing existing benign features [C]//Proc. 2020 ACM SIGSAC Conference on Computer and Communications Security. ACM, 2020: 113–131. DOI: 10.1145/3372297.3423362
[17]	LI Y Z, LI Y M, WU B Y, et al. Invisible backdoor attack with sample-specific triggers [C]//Proc. IEEE/CVF International Conference on Computer Vision (ICCV). IEEE, 2021: 16443–16452. DOI: 10.1109/ICCV48922.2021.01615
[18]	LYU P Z, YUE C, LIANG R G, et al. A data-free backdoor injection approach in neural networks[C]//32nd USENIX Conference on Security Symposium. USENIX, 2023: 2671–2688
[19]	LI Y Z, LI T L, CHEN K J, et al. Badedit: backdooring large language models by model editing [C]//International Conference on Learning Representations. ICLR, 2024: 1–18
[20]	PEI H Z, JIA J Y, GUO W B, et al. TextGuard: provable defense against backdoor attacks on text classification [C]//Proc. 2024 Network and Distributed System Security Symposium. Internet Society, 2024. DOI: 10.14722/ndss.2024.24090
[21]	SHEN L J, JI S L, ZHANG X H, et al. Backdoor pre-trained models can transfer to all [C]//Proc. 2021 ACM SIGSAC Conference on Computer and Communications Security. ACM, 2021: 3141–3158. DOI: 10.1145/3460120.3485370
[22]	LI Y M, ZHONG H X, MA X J, et al. Few-shot backdoor attacks on visual object tracking [C]//International Conference on Learning Representations. ICLR, 2022: 1–21
[23]	CHENG Z Y, WU B Y, ZHANG Z Y, et al. TAT: targeted backdoor attacks against visual object tracking [J]. Pattern recognition, 2023, 142: 109629. DOI: 10.1016/j.patcog.2023.109629
[24]	HUANG B, YU J, CHEN Y, et al. BadTrack: a poison-only backdoor attack on visual object tracking [C]//Proc. 37th International Conference on Neural Information Processing Systems. NIPS, 2023: 41778–41796
[25]	ADRIAN A I, ISMET P, PETRU P. An overview of intelligent surveillance systems development [C]//Proc. International Symposium on Electronics and Telecommunications (ISETC). IEEE, 2018: 1–6. DOI: 10.1109/ISETC.2018.8584003
[26]	LU J H, HUANG D, WANG Y H, et al. Scaling and occlusion robust athlete tracking in sports videos [C]//Proc. IEEE International Conference on Acoustics, Speech and Signal Processing (ICASSP). IEEE, 2016: 1526–1530. DOI: 10.1109/ICASSP.2016.7471932
[27]	WENG X S, WANG J R, HELD D, et al. 3D multi-object tracking: a baseline and new evaluation metrics [C]//Proc. IEEE/RSJ International Conference on Intelligent Robots and Systems (IROS). IEEE, 2020: 10359–10366. DOI: 10.1109/IROS45743.2020.9341164
[28]	WANG J S, TAO B, GONG Z Y, et al. A mobile robotic measurement system for large-scale complex components based on optical scanning and visual tracking [J]. Robotics and computer-integrated manufacturing, 2021, 67: 102010. DOI: 10.1016/j.rcim.2020.102010
[29]	MARVASTI-ZADEH S M, CHENG L, GHANEI-YAKHDAN H, et al. Deep learning for visual tracking: a comprehensive survey [J]. IEEE transactions on intelligent transportation systems, 2021, 23(5): 3943–3968. DOI: 10.1109/TITS.2020.3046478
[30]	CHOPRA S, HADSELL R, LECUN Y. Learning a similarity metric discriminatively, with application to face verification [C]//Proc. IEEE Computer Society Conference on Computer Vision and Pattern Recognition (CVPR' 05. IEEE, 2005: 539–546. DOI: 10.1109/CVPR.2005.202
[31]	CHEN X, YAN B, ZHU J W, et al. Transformer tracking [C]//2021 IEEE/CVF Conference on Computer Vision and Pattern Recognition. IEEE, 2021: 1571–1580. DOI: 10.1109/CVPR46437.2021.00803
[32]	XU X, HUANG K Z, LI Y M, et al. Towards reliable and efficient backdoor trigger inversion via decoupling benign features [C]//International Conference on Learning Representations. ICLR, 2024: 1–25
[33]	LI C J, PANG R, CAO B C, et al. On the difficulty of defending contrastive learning against backdoor attacks [C]//33rd USENIX Security Symposium. USENIX, 2024: 2901–2918
[34]	HUANG K Z, LI Y M, WU B Y, et al. Backdoor defense via decoupling the training process [C]//International Conference on Learning Representations. ICLR, 2022: 1–25
[35]	LI S F, LIU H, DONG T, et al. Hidden backdoors in human-centric language models [C]//Proc. 2021 ACM SIGSAC Conference on Computer and Communications Security. ACM, 2021: 3123–3140. DOI: 10.1145/3460120.3484576
[36]	HUANG H, ZHAO Z Y, BACKES M, et al. Composite backdoor attacks against large language models [C]//Proc. Findings of the Association for Computational Linguistics. NAACL, 2024: 1459–1472. DOI: 10.18653/v1/2024.findings-naacl.94
[37]	YANG W Y, SHAO S, YANG Y, et al. Watermarking in secure federated learning: a verification framework based on client-side backdooring [J]. ACM transactions on intelligent systems and technology, 2024, 15(1): 1–25. DOI: 10.1145/3630636
[38]	SHAO S, YANG W Y, GU H L, et al. FedTracker: furnishing ownership verification and traceability for federated learning model [J]. IEEE transactions on dependable and secure computing, 2025, 22(1): 114–131. DOI: 10.1109/TDSC.2024.3390761
[39]	LI Y M, YAN K Y, SHAO S, et al. CBW: towards dataset ownership verification for speaker verification via clustering-based backdoor watermarking [EB/OL]. (2025-03-02)[2025-07-15].
[40]	ZHAI T Q, LI Y M, ZHANG Z Q, et al. Backdoor attack against speaker verification [C]//Proc. 2021 IEEE International Conference on Acoustics, Speech and Signal Processing (ICASSP). IEEE, 2021: 2560–2564. DOI: 10.1109/ICASSP39728.2021.9413468
[41]	HAN X S, WU Y T, ZHANG Q J, et al. Backdooring multimodal learning [C]//Proc. IEEE Symposium on Security and Privacy (SP). IEEE, 2024: 3385–3403. DOI: 10.1109/SP54263.2024.00031
[42]	XU Y D, WANG Z Y, LI Z X, et al. SiamFC++: towards robust and accurate visual tracking with target estimation guidelines [C]//Proc. AAAI conference on artificial intelligence. AAAI, 2020: 12549–12556. DOI: 10.1609/aaai.v34i07.6944
[43]	WU Y, LIM J, YANG M H. Object tracking benchmark [J]. IEEE transactions on pattern analysis and machine intelligence, 2015, 37(9): 1834–1848. DOI: 10.1109/TPAMI.2014.2388226
[44]	HUANG L H, ZHAO X, HUANG K Q. GOT-10k: a large high-diversity benchmark for generic object tracking in the wild [J]. IEEE transactions on pattern analysis and machine intelligence, 2021, 43(5): 1562–1577. DOI: 10.1109/TPAMI.2019.2957464
[45]	FAN H, LIN L T, YANG F, et al. LaSOT: a high-quality benchmark for large-scale single object tracking [C]//Proc. IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR). IEEE, 2019: 5369–5378. DOI: 10.1109/CVPR.2019.00552
[46]	SHAO S, LI Y M, YAO H W, et al. Explanation as a watermark: towards harmless and multi-bit model ownership verification via watermarking feature attribution [C]//Proc. 2025 Network and Distributed System Security Symposium. Internet Society, 2025. DOI: 10.14722/ndss.2025.230338
[47]	REN K, YANG Z Q, LU L, et al. Sok: on the role and future of AIGC watermarking in the era of gen-AI [EB/OL]. (2024-11-18)[2025-07-15].
[48]	LI Y M, ZHU M Y, YANG X, et al. Black-box dataset ownership verification via backdoor watermarking [J]. IEEE transactions on information forensics and security, 2023, 18: 2318–2332. DOI: 10.1109/TIFS.2023.3265535
[49]	LI Y M, SHAO S, HE Y, et al. Rethinking data protection in the (generative) artificial intelligence era. [EB/OL]. (2025-07-03)[2025-07-15].

Poison-Only and Targeted Backdoor Attack Against Visual Object Tracking

RichHTML

PDF

Knowledge

Abstract

Cite this article

share this article

Figures/Tables 6

References 49

Related Articles 3

Recommended Articles

Metrics

[1]	LU Ping, FENG Daquan, SHI Wenzhe, LI Wan, LIN Jiaxin. Key Techniques and Challenges in NeRF-Based Dynamic 3D Reconstruction [J]. ZTE Communications, 2025, 23(3): 71-80.
[2]	FANG Yuming, ZHANG Xiaoqiang. Visual Attention Modeling inCompressed Domain:From Image Saliency Detection toVideo Saliency Detection [J]. ZTE Communications, 2019, 17(1): 31-37.
[3]	Xinhua Dong, Ruixuan Li, Wanwan Zhou, Dongjie Liao, and Shuoyi Zhao. Data Security and Privacy in Cloud Storage [J]. ZTE Communications, 2013, 11(2): 18-23.