Improving the Transferability of Adversarial Attacks on Face Recognition with Diverse Parameters Augmentation

TL;DR

This paper introduces a novel adversarial attack method called Diverse Parameters Augmentation (DPA) that improves the transferability of face recognition attacks by diversifying surrogate model initializations and aggregating their features.

Contribution

The paper proposes DPA, a new method that enhances adversarial transferability by using diverse surrogate models through parameter initialization and aggregation techniques.

Findings

DPA significantly improves attack transferability on face recognition models.

DPA outperforms existing attack methods in experimental evaluations.

The method effectively exposes vulnerabilities in face recognition systems.

Abstract

Face Recognition (FR) models are vulnerable to adversarial examples that subtly manipulate benign face images, underscoring the urgent need to improve the transferability of adversarial attacks in order to expose the blind spots of these systems. Existing adversarial attack methods often overlook the potential benefits of augmenting the surrogate model with diverse initializations, which limits the transferability of the generated adversarial examples. To address this gap, we propose a novel method called Diverse Parameters Augmentation (DPA) attack method, which enhances surrogate models by incorporating diverse parameter initializations, resulting in a broader and more diverse set of surrogate models. Specifically, DPA consists of two key stages: Diverse Parameters Optimization (DPO) and Hard Model Aggregation (HMA). In the DPO stage, we initialize the parameters of the surrogate model using both pre-trained and random parameters. Subsequently, we save the models in the intermediate training process to obtain a diverse set of surrogate models. During the HMA stage, we enhance the feature maps of the diversified surrogate models by incorporating beneficial perturbations, thereby further improving the transferability. Experimental results demonstrate that our proposed attack method can effectively enhance the transferability of the crafted adversarial face examples.