1.2021 4 22 Thursday
2.2021 4 22 Thursday
3.1 Background 2 Related Work 3 White-Box Attack and Defense 4 IoU Attack (Decision-Based Attack)
4. Background Clean image/ Adversarial input Perturbation Adversarial example ▪ Adversarial examples are inputs to machine learning models that an attacker intentionally designed to cause the model to make mistakes. ▪ Threat model defines the rules of the attack.  Goodfellow I J, Shlens J, Szegedy C. Explaining and harnessing adversarial examples. In: ICLR (2015)
5. Taxonomy Attack: ▪ Targeted Attack / Non-targeted Attack; ▪ Digital attack / physical attack; ▪ Single-step attack / iterative attack; ▪ White-box attack / Black-box attack; -
6. White-box attack / Black-box attack White-box attack: The adversary has access to all the information of the target neural network. ▪ Gradient-based method: FGSM, I-FGSM, PGD, etc. ▪ Optimization-based method: Deepfool, DAG, C&W, etc. . . . . ▪ Transfer-based method: exploiting transferability between substitute model and target model ▪ Decision-based method: seek smaller noise magnitude without crossing decision boundaries
7. Cooling-Shrinking Attack: Blinding the Tracker With Imperceptible Noises First row search region Second row clean heatmaps Third row adversarial heatmaps ▪ Designed for SiameseRPN-based tracker. ▪ A perturbation generator is trained to simultaneously cool hot regions where the target exists on the heatmaps and force the predicted bounding box to shrink.  Yan, B., Wang, D., Lu, H., Yang, X: Cooling-Shrinking Attack: Blinding the Tracker With Imperceptible Noises. In: CVPR (2020).
8. One-Shot Adversarial Attacks on Visual Tracking With Dual Attention ▪ Designed for Siamese-based tracker. (SiamFC, SiamRPN, SiamRPN++, SiamMask) ▪ The proposed attack consists of two components and leverages the dual attention mechanisms. ▪ One is optimizing the batch confidence loss with confidence attention while the other is optimizing the feature loss with channel attention.  Chen, X., Yan, X., Zheng, F., Jiang, Y., Xia, S., Zhao, Y., Ji, R.: One-Shot Adversarial Attacks on Visual Tracking With Dual Attention. In: CVPR (2020).
9. SPARK: Spatial-aware Online Incremental Attack Against Visual Tracking ▪ Designed for SiameseRPN-based tracker. ▪ This paper proposes SPARK that performs spatial-temporal sparse incremental perturbations online and makes the adversarial attack less perceptible.  Guo Q, Xie X, Juefei-Xu F, et al. SPARK: Spatial-aware online incremental attack against visual tracking. In: ECCV (2020).
10. Efficient Adversarial Attacks for Visual Object Tracking ▪ Designed for SiameseRPN-based tracker. ▪ This paper presents an end-to-end network FAN (Fast Attack Network) that uses a novel drift loss combined with the embedded feature loss to attack the Siamese network based trackers.  Liang S, Wei X, Yao S, et al. Efficient Adversarial Attacks for Visual Object Tracking. In: ECCV (2020).
11. Physical Adversarial Textures That Fool Visual Object Tracking ▪ Designed for GOTURN. ▪ As a target being visually tracked moves in front of such a poster, its adversarial texture makes the tracker lock onto it, thus allowing the target to evade.  Wiyatno R R, Xu A. Physical adversarial textures that fool visual object tracking. In: ICCV (2019)
12.Robust Tracking against Adversarial Attacks
13.Introduction Adversarial examples for attack and defend on the David3 sequence from OTB100 dataset
14.Overview Variations of adversarial perturbations during attack and defence.
15. DaSiamRPN (offline) ▪ DaSiamRPN is a end-to-end trained off-line tracker, consisting of Siamese subnetwork for feature extraction and region proposal subnetwork including the classification branch and regression branch.  Zhu, Z., Wang, Q., Li, B., Wu, W., Yan, J., Hu, W.: Distractor-aware siamese networks for visual object tracking. In: ECCV (2018)
16. RT-MDNet (online) ▪ RT-MDNet is composed of shared layers and multiple branches of domain- specific layers. When tracking a target in a new sequence, it combines the shared with a new binary classification layer, which is updated online.  Jung, I., Son, J., Baek, M., Han, B.: Real-time mdnet. In: ECCV (2018)
17.Adversarial Example Generation Temporal attack
18.Adversarial Example Defense Temporal defense
19.Ablation Study Ablation studies of DaSiamRPN on the OTB100 dataset. We denote Cls as the attack on the classification branch, Reg as the attack on the regression branch where there are offset and scale attacks.
20.Ablation Study Ablation studies on temporal consistency of DaSiamRPN on the OTB100 dataset. Temporal denotes using temporal consistency in adversarial attack
21.Experiments Evaluations on the OTB100 dataset. Evaluations on the UAV123 dataset.
22.Experiments Evaluations on the VOT2018 dataset. Evaluations on the VOT2016 dataset.
23.IoU Attack: Towards Temporally Coherent Black-Box Adversarial Attack for Visual Object Tracking
24.IoU Score Area of intersection IoU Score = Area of Union
25.IoU Attack An intuitive view of IoU attack in the image space.
26. Overview ▪ IoU attack aims to identify one specific noise perturbation leading to the lowest IoU score among the same amount of noise levels.
27.Black-box IoU Attack
28. SiamRPN++ (offline) ▪ SiamRPN++ has a similar architecture with SiamRPN and DaSiamRPN, but applies the layer-wise and depth-wise aggregations by a deeper network ResNet instead of AlexNet..  Bo Li, Wei Wu, Qiang Wang, Fangyi Zhang, Junliang Xing, and Junjie Yan. Siamrpn++: Evolution of siamese visual tracking with very deep networks. In CVPR, 2019.
29. DiMP (Online) ▪ DiMP exploits both target and background appearance information to locate the target by learning the discriminative target model during offline training and updating the optimization with only a few iterations.  Bhat, G., Danelljan, M., Gool, L. V., Timofte, R. Learning discriminative model prediction for tracking. In: ICCV (2019)