Distance-Pulling Attacks in Tracking Systems
- Distance-Pulling Attacks are physical-world attacks that reduce the apparent size of a target in camera-based tracking to mislead the system about true distance.
- The FlyTrap framework employs a progressive distance-pulling strategy that uses closed-loop optimization to maintain high confidence while shrinking bounding boxes.
- Empirical studies show that such attacks can force drones into capture, sensor attack, or even crash regimes by deceiving the control system with altered distance measurements.
Distance-Pulling Attacks (DPA) denote, in recent autonomous target tracking literature, a physical-world attack that causes a camera-based autonomous target tracking (ATT) system to reduce its tracking distance while maintaining tracking lock and high confidence. In the FlyTrap formulation, the attacker presents an adversarial umbrella to a camera-based ATT drone so that the Single Object Tracking (SOT) subsystem outputs a smaller but still confident bounding box; the downstream controller then interprets the target as farther away and moves the drone forward, thereby decreasing the true drone-to-target distance [2509.20362]. Related literatures contain analogous distance-reduction mechanisms in secure ranging, decision-boundary manipulation, and non-control-data corruption, but the acronym “DPA” is also used for unrelated notions such as Differential Power Analysis and Deep Partition Aggregation [2111.05313] [2402.08986] [2006.14768].
1. Canonical formulation in camera-based autonomous target tracking
In the ATT setting studied by FlyTrap, most victim platforms are camera-based systems whose perception stack is a SOT model. Given a template image $\mathbf{I}\text{tplt}$ and a search image $\mathbf{I}\text{search}$, the tracker outputs proposals
$$
\left{ (cx_j, cy_j, w_j, h_j, score_j) \right}{j=1}{M} = F(\mathbf{I}\text{search} \mid \mathbf{I}_\text{tplt}),
$$
where $(cx_j,cy_j)$ is the box center, $(w_j,h_j)$ its dimensions, and $score_j$ the tracking confidence. The proposal with highest score becomes the active tracking result $\mathcal{P}=(cx,cy,w,h)$ [2509.20362].
The control law exploited by DPA is the standard image-based coupling between box geometry and drone motion. If the object’s box gets smaller, the controller infers that the object has moved away and moves the drone forward; if the box gets larger, the controller infers that the object is closer and moves the drone backward. Lateral and yaw corrections center the target, while longitudinal motion is regulated from the discrepancy between current box size and template box size. Under the pinhole model,
$$
p = \frac{f s}{d},
$$
where $p$ is pixel size, $s$ is true object size, $f$ is focal length, and $d$ is distance. A maliciously reduced pixel size therefore yields an overestimate of distance and induces forward motion [2509.20362].
This attack objective is distinct from ordinary adversarial misclassification or tracking failure. FlyTrap explicitly targets a regime in which the system continues to track the correct target with high confidence, but monotonically decreases the true drone-to-target distance. The immediate system-level consequences are threefold: entry into capture range, entry into range for other sensor attacks, and entry into collision range [2509.20362].
2. FlyTrap and progressive distance pulling
FlyTrap realizes DPA with three coupled design objectives: physical deployability, closed-loop effectiveness, and spatial-temporal consistency. Its physical attack vector is an adversarial umbrella, chosen because it provides a large, rigid, almost planar printable surface, can be pointed toward the drone, and is socially ordinary in outdoor environments. The framework combines that attack surface with a closed-loop-aware optimization procedure and a controllable target-generation mechanism for tracker outputs [2509.20362].
The central analytic relation is the distance–shrink equation. Let $d_0$ be the initial distance, $d_a$ the target distance, $s_u$ the true umbrella size, $s_h$ the true human size, and $\lambda = \tfrac{s_u}{s_h}$. If the attacker enforces a shrink rate $r_a$, then the derived relation is
$$
d = \lambda r_a d_0,
$$
so a desired target distance $d_a$ corresponds to
$$
r_a = \frac{d_a}{\lambda d_0}.
$$
This allows the attacker to choose a geometric shrink objective that corresponds directly to a physical approach distance [2509.20362].
FlyTrap does not optimize a single-frame perturbation. Its Progressive Distance-Pulling (PDP) strategy simulates a sequence of approach distances,
$$
dt = d0 - t \Delta d,
$$
and constrains each step with an upper-bounded shrink rate
$$
rt_{\max} = \frac{d{t+1}}{\lambda d0}.
$$
The optimization thus encodes how the bounding box should evolve as the drone approaches, rather than merely forcing a one-shot shrunken box. This is the key mechanism that supports continuous pulling into very close range [2509.20362].
The Attack Target Generator (ATG) supplies target boxes $\mathcal{P}_at=(cx_at,cy_at,w_at,h_at)$ across time so that the predicted boxes remain spatially plausible and temporally smooth. When higher-level defenses use pose or detector outputs, ATG also constrains those outputs for cross-model consistency. The optimization combines localization loss, confidence loss, optional pose-consistency loss, and total variation regularization; physical robustness is handled by compositional transformations in an Expectation-over-Transformation pipeline [2509.20362].
3. Empirical behavior and system-level effects
FlyTrap was evaluated on a new aerial dataset collected with a DJI Mini 4 Pro, comprising 23 training videos with 11,898 frames and 25 test videos with 13,594 frames, across four persons and multiple outdoor scenes. Victim trackers included SiamRPN-AlexNet, SiamRPN-ResNet, SiamRPN-MobileNet, and MixFormer. Evaluation was performed in both open-loop and closed-loop settings, and extended to commercial ATT drones including DJI Mini 4 Pro, DJI Neo, and HoverAir X1 [2509.20362].
The principal open-loop metric is $\mathrm{ASR}{\text{open}}$, with mean performance reported as $\mathrm{mASR}{\text{open}}$ over threshold grids. In the digital white-box experiments, the baseline printed human-photo target (TGT) achieved an average $\mathrm{mASR}{\text{open}}$ of 36.0\%, FlyTrap without PDP achieved 33.9\%, and FlyTrap with PDP achieved 53.6\%. For MixFormer specifically, FlyTrap with PDP reached 78.7\% $\mathrm{mASR}{\text{open}}$ [2509.20362].
Closed-loop experiments on a custom ATT drone showed the system-level effect more directly. With MixFormer and with SiamRPN-Res, FlyTrap with PDP achieved 100\% success for all three tested thresholds: capture at $\le 9\,\mathrm{m}$, projector-based sensor attack at $\le 6\,\mathrm{m}$, and crash at $\le 0.5\,\mathrm{m}$. In contrast, non-PDP variants often succeeded for capture and sensor-attack distances but not for the crash regime, indicating that progressive shrinking is critical for aggressive final approach [2509.20362].
Commercial black-box results showed partial but consequential transfer. On DJI Mini 4 Pro, the human-shaped MixFormer-derived pattern achieved 60\% success for capture distance and 30\% for the 6 m sensor-attack threshold, but 0\% for the 0.5 m crash threshold. On the lighter short-range platforms, crash-level effects were observed: DJI Neo reached 60\% and HoverAir X1 80\% at the $\le 0.5\,\mathrm{m}$ threshold. The paper also reports end-to-end demonstrations in which a Mini 4 Pro is brought into net-gun capture range and a HoverAir drone is brought into direct hit range [2509.20362].
4. Related distance-reduction mechanisms in adjacent literatures
Distance reduction long predates FlyTrap in secure ranging. “Ghost Peak” demonstrates a practical over-the-air attack against IEEE 802.15.4z HRP UWB ranging, including Apple U1 chips, that requires no cryptographic material and can reduce measured distance from 12 m actual distance to 0 m spoofed distance with attack success probabilities of up to 4\%, using an inexpensive USD 65 off-the-shelf device [2111.05313]. Its mechanism differs from FlyTrap’s visual-box shrinkage, but the operational effect is similar: the victim system preserves nominal protocol behavior while accepting a shorter apparent distance than the physical one.
The formal distance-bounding literature models this more abstractly as distance fraud, mafia fraud, and terrorist fraud. In secure distance bounding verification based on physical-channel properties, the verifier accepts or rejects a distance claim by exploiting the SNR gap induced by path loss and additive noise; the model defines honest, uncertainty, and adversarial regions through a DBV ratio $\psi>1$ [1303.0346]. Graph-based distance bounding refines the distance-fraud problem further: the optimal early-reply attacker must find the most frequent response sequence, and the resulting success probability is
$$
P_\text{df} = \frac{E(M_{G,v,n})}{2n}.
$$
For the Binary MFS problem underlying that strategy, NP-hardness was proved even under the structural constraints of graph-based DB protocols [1412.6016].
Machine-learning literature contains two additional analogues. In adversarial spectrum sensing, the operative quantity is not physical range but distance to the classifier’s decision boundary,
$$
d(\mathbf{x}) = \min_{\boldsymbol{\delta}} |\boldsymbol{\delta}|_2 \quad \text{s.t.} \quad f_0(\mathbf{x}+\boldsymbol{\delta}) = f_1(\mathbf{x}+\boldsymbol{\delta}),
$$
and attacks are effective because they generate sensing vectors close to that boundary [2402.08986]. In certified poisoning defenses, Deep Partition Aggregation formalizes the threat in training-set Hamming distance, and the paper explicitly notes that any “distance-pulling attack” that tries to shift the decision boundary by strategically relocating a small set of training examples is a special case of its general poisoning model [2006.14768]. This suggests a broader abstraction in which the manipulated quantity may be physical distance, boundary distance, or training-set distance, provided system behavior is driven by that quantity.
A software-systems analogue appears in data-oriented exploitation. The SoK on data-oriented attacks characterizes an attacker that gradually alters a metric or threshold without violating control-flow integrity as a non-control-data attack; when the target is a distance, threshold, or score variable, the attack fits as direct data manipulation, multi-step DDM, or a lightweight DOP-style exploit depending on the write primitive and gadget structure [1902.08359]. Here again, the system remains on nominal control-flow paths while attacker-controlled data shifts a downstream distance-like decision variable.
5. Detection, defense, and structural limits
FlyTrap evaluates several state-of-the-art spatial–temporal defenses and shows that adaptive target generation can substantially reduce alarm rates. Against PercepGuard, the reported true alarm rate drops from about 60.7\% for vanilla FlyTrap to about 2.8\% with ATG. Against VOGUES, the corresponding reduction is from about 88.8\% to about 52.4\%. Against VisionGuard’s ARIMA-based ego-state detector, FlyTrap causes no alarms across the tested thresholds. These results indicate that smooth, confidence-preserving box shrinkage can remain inside the tolerated dynamics of perception and control [2509.20362].
The ATT paper therefore emphasizes system-level mitigations rather than tracker-only fixes. Recommended directions include sensor fusion for range, consistency checks between bounding-box evolution and independent geometry, sanity checks on approach rate, minimum standoff distances, segmentation or pose-based anchoring to full human silhouettes rather than small subregions, and safe fallback behaviors that stop approaching when inconsistencies are detected [2509.20362]. These are architectural mitigations; the paper does not present a fully robust countermeasure.
In adversarial spectrum sensing, the principal defense is statistical rather than geometric. The detector computes DDB values for training and testing windows, forms empirical CDFs, and applies a two-sample Kolmogorov–Smirnov test using
$$
d_{\text{KS}} = \max_{\delta} \left|F_{\text{train},a_1}(\delta) - F_{\text{test},a_2}(\delta)\right|.
$$
Under typical settings, the reported detection rate is up to 99\% with false alarm rate less than 1\%, and the proposed DDB computation improves computational efficiency by 54\%–64\% over existing distance-calculation methods [2402.08986]. That defense relies on the observation that minimal-perturbation attacks accumulate unusually near the decision boundary.
Where the manipulated “distance” is explicit program state rather than perception output, the SoK on data-oriented attacks identifies a different defense stack: spatial and temporal memory safety at stage S1, compartmentalization and randomization at S2, and DFI-like or CVI-style variable integrity at S3 [1902.08359]. It also states that CFI does not protect against data-oriented attacks. Intel PT can sometimes detect such attacks through incompatible branch behavior or macro/micro control-flow anomalies, but pure non-predicate data corruption may remain invisible in PT traces [1902.08359]. This limit is structurally similar to FlyTrap’s ability to preserve nominal control behavior while altering a latent control variable.
6. Terminological ambiguity and acronym overload
The acronym “DPA” is heavily overloaded across arXiv and adjacent technical literatures. In the context of camera-based ATT, it denotes Distance-Pulling Attack; in side-channel cryptography, it denotes Differential Power Analysis; and in certified robustness for poisoning, it denotes Deep Partition Aggregation.
| Context | Meaning of “DPA” | Role |
|---|---|---|
| Camera-based ATT | Distance-Pulling Attack | Physical attack that reduces tracking distance [2509.20362] |
| Image-encryption/side-channel literature | Differential Power Analysis | Power-analysis threat mitigated via DPA-resistant S-box design [2312.15280] |
| Poisoning robustness | Deep Partition Aggregation | Certified defense against poisoning attacks [2006.14768] |
This terminological overlap matters because several neighboring literatures also discuss “distance” in technically distinct senses. Secure ranging studies physical distance reduction and distance fraud [2111.05313] [1303.0346]. Adversarial spectrum sensing studies distance to the decision boundary [2402.08986]. Data-oriented exploitation studies corruption of distance-like variables and thresholds inside program state [1902.08359]. The recent ATT literature gives the term its most explicit and system-level physical meaning: a distance-preserving tracker is turned into a distance-reducing controller by manipulating the visual evidence on which range control depends [2509.20362].
The contemporary significance of Distance-Pulling Attacks lies in that control-layer consequence. A DPA need not break authentication, crash perception, or violate control-flow integrity. It may instead preserve nominal operation while biasing the latent quantity that the system uses to decide how close to move, how strongly to trust, or which side of a decision boundary to inhabit. Across drones, ranging systems, machine-learning classifiers, and data-oriented software exploits, that common structure is the most technically stable way to understand the emerging literature.