Submitting ML Work to USENIX Security

If you are using machine learning to solve a security or privacy problem, mark the paper’s primary field as the field of the problem you’re solving. For instance, a paper proposing a novel ML method for Intrusion Detection should be tagged with "Network Security" as the primary field not Security & Privacy of ML as the primary field; a paper proposing a novel attack against an ML pipeline for phishing website detection should be tagged with "Web Security" as the primary field; a paper evaluating previously-proposed ML techniques for malware analysis should be tagged with "Software Security" as the primary field.

If you are working on the security or privacy of machine learning, this document will help you decide whether USENIX is an appropriate venue for your submission.

We note that USENIX Security remains a systems security venue. Therefore, ML-focused contributions must be relevant to the broader systems security community. Papers deemed out of scope will be desk rejected.

Relevant works may investigate novel security and privacy attacks and defenses, and their implications, across the ML lifecycle, including data curation for pre-training and post-training, the training phases (pre-training and post-training), and deployment. Examples of attacks include, but are not limited to, data poisoning, model poisoning, backdoors, adversarial examples, prompt injection, jailbreaks, model inversion, membership inference, and model stealing. Defenses may involve redesigning ML algorithms and pipelines to prevent attacks, developing methods to detect attacks, advancing post-attack forensic analysis and recovery techniques, and understanding the implications of defenses on model or pipeline performance.

All papers submitted should provide a threat model that clearly articulates the (i) envisioned attacker(s), (ii) threat surfaces (e.g., system components including but not limited to the underlying machine learning algorithm), (iii) generality, and (iv) practicality of the attack.

Papers on robustness need to have a clear security flavour, presenting an adversary that aims to, deliberately affect the performance of the system arbitrarily or in a targeted manner. Works that primarily focus on improving ML functionality or efficiency (e.g., robustness to noise on the data or spurious artifacts) are not in scope.

Examples

To assist in selecting the primary field of your paper, we provide below a list of ML-related papers accepted to recent editions of USENIX Security, and explain which primary field in USENIX Security '27 should be selected:


View the Call for Papers