Bibliographic Details
Main Authors: Kamal, Khaleque Md Aashiq, Eada, Surya, Verma, Aayushi, Acharya, Subek, Yemin, Adrian, Fuller, Benjamin, Mahmood, Kaleel
Format: Preprint
Published: 2026
Subjects:
Online Access: https://arxiv.org/abs/2603.00481
author Kamal, Khaleque Md Aashiq
Eada, Surya
Verma, Aayushi
Acharya, Subek
Yemin, Adrian
Fuller, Benjamin
Mahmood, Kaleel
contents Developments in the machine learning voting domain have shown both promising results and risks. Trained models perform well on ballot classification tasks (> 99% accuracy) but are at risk from adversarial example attacks that cause misclassifications. In this paper, we analyze an attacker who seeks to deploy adversarial examples against machine learning ballot classifiers to compromise a U.S. election. We first derive a probabilistic framework for determining the number of adversarial example ballots that must be printed to flip an election, in terms of the probability of each candidate winning and the total number of ballots cast. Second, it is an open question as to which type of adversarial example is most effective when physically printed in the voting domain. We analyze six different types of adversarial example attacks: l_infinity-APGD, l2-APGD, l1-APGD, l0 PGD, l0 + l_infinity PGD, and l0 + sigma-map PGD. Our experiments include physical realizations of 144,000 adversarial examples through printing and scanning with four different machine learning models. We empirically demonstrate an analysis gap between the physical and digital domains, wherein attacks most effective in the digital domain (l2 and l_infinity) differ from those most effective in the physical domain (l1 and l2, depending on the model). By unifying a probabilistic election framework with digital and physical adversarial example evaluations, we move beyond prior close race analyses to explicitly quantify when and how adversarial ballot manipulation could alter outcomes.
format Preprint
id arxiv_https___arxiv_org_abs_2603_00481
institution arXiv
publishDate 2026
record_format arxiv
title Analyzing Physical Adversarial Example Threats to Machine Learning in Election Systems
topic Machine Learning
Computer Vision and Pattern Recognition
url https://arxiv.org/abs/2603.00481