Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Analyzing Physical Adversarial Example Threats to Machine Learning in Election Systems

Khaleque Md Aashiq Kamal, Surya Eada, Aayushi Verma, Subek Acharya, Adrian Yemin, Benjamin Fuller, Kaleel Mahmood

TL;DR

By unifying a probabilistic election framework with digital and physical adversarial example evaluations, this paper moves beyond prior close race analyses to explicitly quantify when and how adversarial ballot manipulation could alter outcomes.

Abstract

Developments in the machine learning voting domain have shown both promising results and risks. Trained models perform well on ballot classification tasks (> 99% accuracy) but are at risk from adversarial example attacks that cause misclassifications. In this paper, we analyze an attacker who seeks to deploy adversarial examples against machine learning ballot classifiers to compromise a U.S. election. We first derive a probabilistic framework for determining the number of adversarial example ballots that must be printed to flip an election, in terms of the probability of each candidate winning and the total number of ballots cast. Second, it is an open question as to which type of adversarial example is most effective when physically printed in the voting domain. We analyze six different types of adversarial example attacks: l_infinity-APGD, l2-APGD, l1-APGD, l0 PGD, l0 + l_infinity PGD, and l0 + sigma-map PGD. Our experiments include physical realizations of 144,000 adversarial examples through printing and scanning with four different machine learning models. We empirically demonstrate an analysis gap between the physical and digital domains, wherein attacks most effective in the digital domain (l2 and l_infinity) differ from those most effective in the physical domain (l1 and l2, depending on the model). By unifying a probabilistic election framework with digital and physical adversarial example evaluations, we move beyond prior close race analyses to explicitly quantify when and how adversarial ballot manipulation could alter outcomes.

Analyzing Physical Adversarial Example Threats to Machine Learning in Election Systems

TL;DR

By unifying a probabilistic election framework with digital and physical adversarial example evaluations, this paper moves beyond prior close race analyses to explicitly quantify when and how adversarial ballot manipulation could alter outcomes.

Abstract

Developments in the machine learning voting domain have shown both promising results and risks. Trained models perform well on ballot classification tasks (> 99% accuracy) but are at risk from adversarial example attacks that cause misclassifications. In this paper, we analyze an attacker who seeks to deploy adversarial examples against machine learning ballot classifiers to compromise a U.S. election. We first derive a probabilistic framework for determining the number of adversarial example ballots that must be printed to flip an election, in terms of the probability of each candidate winning and the total number of ballots cast. Second, it is an open question as to which type of adversarial example is most effective when physically printed in the voting domain. We analyze six different types of adversarial example attacks: l_infinity-APGD, l2-APGD, l1-APGD, l0 PGD, l0 + l_infinity PGD, and l0 + sigma-map PGD. Our experiments include physical realizations of 144,000 adversarial examples through printing and scanning with four different machine learning models. We empirically demonstrate an analysis gap between the physical and digital domains, wherein attacks most effective in the digital domain (l2 and l_infinity) differ from those most effective in the physical domain (l1 and l2, depending on the model). By unifying a probabilistic election framework with digital and physical adversarial example evaluations, we move beyond prior close race analyses to explicitly quantify when and how adversarial ballot manipulation could alter outcomes.
Paper Structure (32 sections, 39 equations, 8 figures, 28 tables)

This paper contains 32 sections, 39 equations, 8 figures, 28 tables.

Table of Contents

  1. Introduction
  2. Datasets, Models and Related Voting Work
  3. Adversarial Threat Model
  4. White-Box Adversarial Evasion Attacks
  5. Probabilistic Election Attack Framework
  6. The Election Process Framework
  7. The Compromised Election Process Framework
  8. Attack Confidence Function
  9. Digital Adversarial Attacks
  10. Digital Experimental Analyses
  11. Physical World Attacks
  12. Physical Experimental Analyses
  13. Conclusion
  14. Statistical Derivations
  15. Central moments of true vote $X_i$'s distribution.
  16. ...and 17 more sections

Figures (8)

  • Figure 1: U.S. Election Pipeline: First officials define a ballot layout which is then sent for printing. During the printing step, an attacker could potentially compromise ballot printers and add adversarial examples to the ballots. The ballots are then distributed to voters on election day and tabulation can be done by a ballot classifier.
  • Figure 2: Physical Adversarial examples with varying $\epsilon$ or $k$ for all attacks on the CaiT-C model.
  • Figure 3: Digital and printed physical adversarial examples for the CaiT-C model. Each attack uses the imperceivable parameters determined in Section \ref{['sec:digital']}.
  • Figure 4: Histograms for a digital clean ballot (left), its corresponding $l_{1}$ digital adversarial example (center) and the physically printed and scanned adversarial example (right).
  • Figure 5: UConn Bubbles with Marginal Marks dataset.
  • ...and 3 more figures