To address the weak transferability of adversarial examples against face recognition models, this paper proposes a Diversified Parameter Augmentation (DPA) attack. The method adopts a two-stage framework: first, Diversified Parameter Optimization (DPO) constructs a highly diverse surrogate model ensemble by jointly leveraging pre-trained and randomly initialized models; second, Hard-Example Model Aggregation (HMA) dynamically fuses feature-map-level perturbations and ensemble gradients from intermediate training snapshots. DPA operates in a gradient-free manner—requiring no access to the target model’s gradients—and significantly enhances black-box attack generalizability. Evaluated on multiple mainstream face recognition models, DPA achieves an average 12.7% higher transfer success rate than state-of-the-art methods, demonstrating strong robustness. Its core innovation lies in the first integration of multi-initialization strategies with intermediate model snapshot mechanisms for surrogate diversity modeling, coupled with feature-level perturbation aggregation and optimization.

Face Recognition (FR) models are vulnerable to adversarial examples that subtly manipulate benign face images, underscoring the urgent need to improve the transferability of adversarial attacks in order to expose the blind spots of these systems. Existing adversarial attack methods often overlook the potential benefits of augmenting the surrogate model with diverse initializations, which limits the transferability of the generated adversarial examples. To address this gap, we propose a novel method called Diverse Parameters Augmentation (DPA) attack method, which enhances surrogate models by incorporating diverse parameter initializations, resulting in a broader and more diverse set of surrogate models. Specifically, DPA consists of two key stages: Diverse Parameters Optimization (DPO) and Hard Model Aggregation (HMA). In the DPO stage, we initialize the parameters of the surrogate model using both pre-trained and random parameters. Subsequently, we save the models in the intermediate training process to obtain a diverse set of surrogate models. During the HMA stage, we enhance the feature maps of the diversified surrogate models by incorporating beneficial perturbations, thereby further improving the transferability. Experimental results demonstrate that our proposed attack method can effectively enhance the transferability of the crafted adversarial face examples.