코로나19 팬데믹으로 인해 비대면 거래가 보편화되면서, 완전 무인 매장의 증가 추세가 두드러지고 있다. 이러한 매장에서는 모든 운영 과정이 자동화되어 있으며, 주로 인공지능 기술이 적용된다. 그러나 이러한 인공지능 기술에는 여러 보안 취약점이 존재하고, 이러한 취약점들은 완전 무인 매장 환경에서 치명적으로 작용할 수 있다. 본 논문은 인공지능 기반의 완전 무인 매장이 직면할 수 있는 보안 취약점을 분석하고, 특히 객체 검출 모델인 YOLO에 초점을 맞추어, 적대적 패치를 활용한 Hiding Attack과 Altering Attack이 가능함을 보인다. 이러한 공격으로 인해, 적대적 패치를 부착한 객체는 검출 모델에 의해 인식되지 않거나 다른 객체로 잘못 인식될 수 있다는 것을 확인한다. 또한, 보안 위협을 완화하기 위해 Data Augmentation 기법이 적대적 패치 공격에 어떠한 방어 효과를 주는지 분석한다. 우리는 이러한 결과를 토대로 완전 무인 매장에서 사용되는 인공지능 기술에 내재된 보안 위협에 대응하기 위한 적극적인 방어 연구의 필요성을 강조한다.

The COVID-19 pandemic has led to the widespread adoption of contactless transactions, resulting in a noticeable increase in the trend towards fully unmanned stores. In such stores, all operational processes are automated, primarily using artificial intelligence (AI) technology. However, this AI technology has several security vulnerabilities, which can be critical in the environment of fully unmanned stores. This paper analyzes the security vulnerabilities that AI-based fully unmanned stores may face, focusing particularly on the object detection model YOLO, demonstrating that Hiding Attacks and Altering Attacks using adversarial patches are possible. It is confirmed that objects with adversarial patches attached may not be recognized by the detection model or may be incorrectly recognized as other objects. Furthermore, the paper analyzes how Data Augmentation techniques can mitigate security threats by providing a defensive effect against adversarial patch attacks. Based on these results, we emphasize the need for proactive research into defensive measures to address the inherent security threats in AI technology used in fully unmanned stores.

1 Github, "imgaug"

2 J. Redmon, "You only look once:Unified, real-time object detection" 779-788, 2016

3 Github, "Yolov5"

4 J. Redmon, "YOLO9000: Better, faster, stronger" 7263-7271, 2017

5 Y. Xu, "VitPose: Simple vision transformer baselines for human pose estimation" 35 : 38571-38584, 2022

6 Amazon Technologies, Inc, "Transitioning items from a materials handling facility"

7 H. Ma, "Transferable black-box attack against face recognition with spatial mutable adversarial patch" 2023

8 N. Carlini, "Towards evaluating the robustness of neural networks" IEEE 39-57, 2017

9 A. Madry, "Towards deep learning models resistant to adversarial attacks"

10 SuperSwift, "SuperSwift"

11 StandardAi, "StandardAi"

12 Spharos, "Spharos"

13 Roboflow, "Snacks"

14 Z. Luo, "Rethinking the heatmap regression for bottom-up human pose estimation" 13264-13273, 2021

15 K. Nguyen, "Physical adversarial attacks for surveillance: A Survey" 2023

16 A. Liu, "Perceptual-sensitive gan for generating adversarial patches" 33 (33): 1028-1035, 2019

17 A. Liu, "Perceptual-sensitive GAN for generating adversarial patches" 33 (33): 1028-1035, 2019

18 H. Ma, "PPT:Token-pruned pose transformer for monocular and multi-view human pose estimation" Springer Nature Switzerland 424-442, 2022

19 Y. Zhao, "Object hider: Adversarial patch attack against object detectors"

20 Y.C.T. Hu, "Naturalistic physical adversarial patch for object detectors" 7848-7857, 2021

21 D. Hasler, "Measuring colorfulness in natural images" 5007 : 87-95, 2003

22 O. Gafni, "Live face de-identification in video" 9378-9387, 2019

23 D. Karmon, "Lavan : Localized and visible adversarial noise" 2507-2515, 2018

24 K. Wankhede, "Just walk-out technology and its challenges: A case of Amazon Go" IEEE 254-257, 2018

25 C. Szegedy, "Intriguing properties of neural networks"

26 J. Wang, "Graph-PCNN: Two stage human pose estimation with graph pose refinement" Springer International Publishing 492-508, 2020

27 R.R. Selvaraju, "Grad-cam: Visual explanations from deep networks via gradientbased localization" 618-626, 2017

28 I. Goodfellow, "Generative adversarial nets" 27 : 2014

29 S. Thys, "Fooling automated surveillance cameras: Adversarial patches to attack person detection" 2019

30 S. Ren, "Faster R-CNN: Towards real-time object detection with region proposal networks" 28 : 2015

31 R. Girshick, "Fast R-CNN" 1440-1448, 2015

32 FaindersAI, "FaindersAI"

33 I.J. Goodfellow, "Explaining and harnessing adversarial examples"

34 S. Hoory, "Dynamic adversarial patch for evading object detection models"

35 S.M. Moosavi-Dezfooli, "Deepfool: A simple and accurate method to fool deep neural networks" 2574-2582, 2016

36 L. Pishchulin, "DeepCut:Joint subset partition and labeling for multi person pose estimation" 4929-4937, 2016

37 X. Liu, "DPatch: An adversarial patch attack on object detectors"

38 A. Kurakin, "Artificial Intelligence Safety and Security" Chapman and Hall/CRC 99-112, 2018

39 J. Deng, "Arcface: Additive angular margin loss for deep face recognition" 4690-4699, 2019

40 A. Chambolle, "An algorithm for total variation minimization and applications" 20 : 89-97, 2004

41 A. Chindaudom, "AdversarialQR: An adversarial patch in QR code format" IEEE 1-6, 2020

42 T.B. Brown, "Adversarial patch"

43 G. Ryu, "Adversarial attacks by attaching noise markers on the face against deep face recognition" 60 : 102874-, 2021

44 M. Sharif, "Accessorize to a crime: Real and stealthy attacks on state-of-the-art face recognition" 1528-1540, 2016

45 AIFI, "AIFI"

46 D. Wang, "A survey on physical adversarial attack in computer vision"

47 M. Sharif, "A general framework for adversarial examples with objectives" 22 (22): 2019

48 X. Zhou, "A data independent approach to generate adversarial patches" 32 (32): 1-9, 2021