Towards invisible backdoor attacks on multi-object tracking via suppressed feature learning

In current practice, training efficient multi-object tracking (MOT) models often requires collecting large-scale third-party datasets. However, directly incorporating these unverified datasets introduces new security threats to MOT. In this paper, we reveal such a threat, where an adversary can implant a hidden backdoor into an MOT tracker by poisoning only a small portion of the dataset. Specifically, we propose a feature-map-suppression-based poison-only backdoor attack, which adopts a sample-specific trigger paradigm and optimizes the trigger based on multi-scale feature maps of video frames. In addition, we introduce an inter-frame motion analysis method for selecting poisoned frames. In our attack, once the tracker is embedded with a backdoor, the object with the trigger will evade tracking. Extensive experiments under various settings demonstrate that our attack significantly degrades the performance of both Tracking-by-Detection and Joint-Detection-and-Tracking MOT trackers. Furthermore, we validate the robustness of our attack against several potential backdoor defense methods. The code will be available at https://github.com/Magic0825/MOT-BA.