Robustness Analysis against Adversarial Patch Attacks in Fully Unmanned Stores

TL;DR

This paper analyzes the vulnerability of AI-based object detection in unmanned stores to physical adversarial patch attacks, introduces new metrics and defenses, and evaluates attack effectiveness in real-world scenarios.

Contribution

It presents a novel color histogram similarity loss function, new bounding-box metrics, and evaluates attack robustness in physical and black-box environments for unmanned store security.

Findings

Adversarial patches can significantly disrupt object detection in unmanned stores.

Shadow attacks increase success rates without model access.

Proposed defenses highlight current limitations and suggest improvements.

Abstract

The advent of convenient and efficient fully unmanned stores equipped with artificial intelligence-based automated checkout systems marks a new era in retail. However, these systems have inherent artificial intelligence security vulnerabilities, which are exploited via adversarial patch attacks, particularly in physical environments. This study demonstrated that adversarial patches can severely disrupt object detection models used in unmanned stores, leading to issues such as theft, inventory discrepancies, and interference. We investigated three types of adversarial patch attacks -- Hiding, Creating, and Altering attacks -- and highlighted their effectiveness. We also introduce the novel color histogram similarity loss function by leveraging attacker knowledge of the color information of a target class object. Besides the traditional confusion-matrix-based attack success rate, we introduce a new bounding-boxes-based metric to analyze the practical impact of these attacks. Starting with attacks on object detection models trained on snack and fruit datasets in a digital environment, we evaluated the effectiveness of adversarial patches in a physical testbed that mimicked a real unmanned store with RGB cameras and realistic conditions. Furthermore, we assessed the robustness of these attacks in black-box scenarios, demonstrating that shadow attacks can enhance success rates of attacks even without direct access to model parameters. Our study underscores the necessity for robust defense strategies to protect unmanned stores from adversarial threats. Highlighting the limitations of the current defense mechanisms in real-time detection systems and discussing various proactive measures, we provide insights into improving the robustness of object detection models and fortifying unmanned retail environments against these attacks.