Enhancing the Transferability of Adversarial Attacks on Face Recognition with Diverse Parameters Augmentation

Fengfan Zhou, Bangjie Yin, Hefei Ling, Qianyu Zhou, Wenxuan Wang
2024-11-23
Abstract: Face Recognition (FR) models are vulnerable to adversarial examples that subtly manipulate benign face images, underscoring the urgent need to improve the transferability of adversarial attacks in order to expose the blind spots of these systems. Existing adversarial attack methods often overlook the potential benefits of augmenting the surrogate model with diverse initializations, which limits the transferability of the generated adversarial examples. To address this gap, we propose a novel method called Diverse Parameters Augmentation (DPA) attack method, which enhances surrogate models by incorporating diverse parameter initializations, resulting in a broader and more diverse set of surrogate models. Specifically, DPA consists of two key stages: Diverse Parameters Optimization (DPO) and Hard Model Aggregation (HMA). In the DPO stage, we initialize the parameters of the surrogate model using both pre-trained and random parameters. Subsequently, we save the models in the intermediate training process to obtain a diverse set of surrogate models. During the HMA stage, we enhance the feature maps of the diversified surrogate models by incorporating beneficial perturbations, thereby further improving the transferability. Experimental results demonstrate that our proposed attack method can effectively enhance the transferability of the crafted adversarial face examples.
Computer Vision and Pattern Recognition
### What problem does this paper attempt to solve?

This paper aims to solve the vulnerability of face recognition (FR) models to adversarial examples, especially to improve the transferability of adversarial attacks. Specifically:

1. **Limitations of existing adversarial attack methods**:
   - Existing adversarial attack methods usually overlook the potential benefits of enhancing surrogate model parameters through diverse initialization, which limits the transferability of the generated adversarial examples.
   - Most enhancement-based adversarial attack methods focus on input-based augmentation, while deep-layer augmentation (such as feature-layer and parameter-layer augmentation) has been explored less.
2. **Lack of diverse parameter initialization**:
   - Existing methods mainly rely on pre-trained parameters for initialization and ignore the possibility of random initialization. The resulting lack of parameter diversity in the surrogate models affects the transferability of adversarial examples.
   - In the training process of modern FR models, usually only the backbone model is released, while the head model is not, which makes it more difficult to obtain diverse parameters.
3. **Improving the transferability of adversarial attacks**:
   - The paper proposes a new adversarial attack method, Diverse Parameters Augmentation (DPA), which combines pre-trained and randomly initialized parameters to enhance the diversity of surrogate models, thereby improving the transferability of adversarial examples.

### Overview of the solution

To solve the above problems, the authors propose the DPA method, which mainly includes two key stages:

1. **Diverse Parameters Optimization (DPO)**:
   - In the DPO stage, the authors optimize the surrogate model using pre-trained and randomly initialized parameters and save the model during the intermediate training process to obtain a diverse set of surrogate models.
2. **Hard Model Aggregation (HMA)**:
   - In the HMA stage, the authors further improve the transferability of adversarial examples by adding beneficial perturbations to the feature maps of the diverse surrogate models and combining these models.

### Experimental results

The experimental results show that the DPA method achieves the best black-box attack effect on both normally trained FR models and adversarially robust FR models. In addition, the DPA method also shows superior black-box performance under JPEG compression, proving its effectiveness in practical applications.

### Summary

This paper effectively improves the transferability of adversarial attacks in face recognition systems by introducing the method of diverse parameter augmentation, and reveals and solves the limitations of existing methods.