Saved in:
Bibliographic Details
Main Authors: Mahmood, Kaleel, Manicke, Caleb, Rathbun, Ethan, Verma, Aayushi, Ahmad, Sohaib, Stamatakis, Nicholas, Michel, Laurent, Fuller, Benjamin
Format: Preprint
Published: 2025
Subjects:
Online Access:https://arxiv.org/abs/2506.14582
Tags: Add Tag
No Tags, Be the first to tag this record!
_version_ 1866915348476854272
author Mahmood, Kaleel
Manicke, Caleb
Rathbun, Ethan
Verma, Aayushi
Ahmad, Sohaib
Stamatakis, Nicholas
Michel, Laurent
Fuller, Benjamin
author_facet Mahmood, Kaleel
Manicke, Caleb
Rathbun, Ethan
Verma, Aayushi
Ahmad, Sohaib
Stamatakis, Nicholas
Michel, Laurent
Fuller, Benjamin
contents We show the security risk associated with using machine learning classifiers in United States election tabulators. The central classification task in election tabulation is deciding whether a mark does or does not appear on a bubble associated to an alternative in a contest on the ballot. Barretto et al. (E-Vote-ID 2021) reported that convolutional neural networks are a viable option in this field, as they outperform simple feature-based classifiers. Our contributions to election security can be divided into four parts. To demonstrate and analyze the hypothetical vulnerability of machine learning models on election tabulators, we first introduce four new ballot datasets. Second, we train and test a variety of different models on our new datasets. These models include support vector machines, convolutional neural networks (a basic CNN, VGG and ResNet), and vision transformers (Twins and CaiT). Third, using our new datasets and trained models, we demonstrate that traditional white box attacks are ineffective in the voting domain due to gradient masking. Our analyses further reveal that gradient masking is a product of numerical instability. We use a modified difference of logits ratio loss to overcome this issue (Croce and Hein, ICML 2020). Fourth, in the physical world, we conduct attacks with the adversarial examples generated using our new methods. In traditional adversarial machine learning, a high (50% or greater) attack success rate is ideal. However, for certain elections, even a 5% attack success rate can flip the outcome of a race. We show such an impact is possible in the physical domain. We thoroughly discuss attack realism, and the challenges and practicality associated with printing and scanning ballot adversarial examples.
format Preprint
id arxiv_https___arxiv_org_abs_2506_14582
institution arXiv
publishDate 2025
record_format arxiv
spellingShingle Busting the Paper Ballot: Voting Meets Adversarial Machine Learning
Mahmood, Kaleel
Manicke, Caleb
Rathbun, Ethan
Verma, Aayushi
Ahmad, Sohaib
Stamatakis, Nicholas
Michel, Laurent
Fuller, Benjamin
Cryptography and Security
Computer Vision and Pattern Recognition
Machine Learning
We show the security risk associated with using machine learning classifiers in United States election tabulators. The central classification task in election tabulation is deciding whether a mark does or does not appear on a bubble associated to an alternative in a contest on the ballot. Barretto et al. (E-Vote-ID 2021) reported that convolutional neural networks are a viable option in this field, as they outperform simple feature-based classifiers. Our contributions to election security can be divided into four parts. To demonstrate and analyze the hypothetical vulnerability of machine learning models on election tabulators, we first introduce four new ballot datasets. Second, we train and test a variety of different models on our new datasets. These models include support vector machines, convolutional neural networks (a basic CNN, VGG and ResNet), and vision transformers (Twins and CaiT). Third, using our new datasets and trained models, we demonstrate that traditional white box attacks are ineffective in the voting domain due to gradient masking. Our analyses further reveal that gradient masking is a product of numerical instability. We use a modified difference of logits ratio loss to overcome this issue (Croce and Hein, ICML 2020). Fourth, in the physical world, we conduct attacks with the adversarial examples generated using our new methods. In traditional adversarial machine learning, a high (50% or greater) attack success rate is ideal. However, for certain elections, even a 5% attack success rate can flip the outcome of a race. We show such an impact is possible in the physical domain. We thoroughly discuss attack realism, and the challenges and practicality associated with printing and scanning ballot adversarial examples.
title Busting the Paper Ballot: Voting Meets Adversarial Machine Learning
topic Cryptography and Security
Computer Vision and Pattern Recognition
Machine Learning
url https://arxiv.org/abs/2506.14582