If you are using machine learning to solve a security or privacy problem, mark the paper’s primary field as the field of the problem you’re solving. For instance, a paper proposing a novel ML method for Intrusion Detection should be tagged with "Network Security" as the primary field not Security & Privacy of ML as the primary field; a paper proposing a novel attack against an ML pipeline for phishing website detection should be tagged with "Web Security" as the primary field; a paper evaluating previously-proposed ML techniques for malware analysis should be tagged with "Software Security" as the primary field.
If you are working on the security or privacy of machine learning, this document will help you decide whether USENIX is an appropriate venue for your submission.
We note that USENIX Security remains a systems security venue. Therefore, ML-focused contributions must be relevant to the broader systems security community. Papers deemed out of scope will be desk rejected.
Relevant works may investigate novel security and privacy attacks and defenses, and their implications, across the ML lifecycle, including data curation for pre-training and post-training, the training phases (pre-training and post-training), and deployment. Examples of attacks include, but are not limited to, data poisoning, model poisoning, backdoors, adversarial examples, prompt injection, jailbreaks, model inversion, membership inference, and model stealing. Defenses may involve redesigning ML algorithms and pipelines to prevent attacks, developing methods to detect attacks, advancing post-attack forensic analysis and recovery techniques, and understanding the implications of defenses on model or pipeline performance.
All papers submitted should provide a threat model that clearly articulates the (i) envisioned attacker(s), (ii) threat surfaces (e.g., system components including but not limited to the underlying machine learning algorithm), (iii) generality, and (iv) practicality of the attack.
Papers on robustness need to have a clear security flavour, presenting an adversary that aims to, deliberately affect the performance of the system arbitrarily or in a targeted manner. Works that primarily focus on improving ML functionality or efficiency (e.g., robustness to noise on the data or spurious artifacts) are not in scope.
Examples
To assist in selecting the primary field of your paper, we provide below a list of ML-related papers accepted to recent editions of USENIX Security, and explain which primary field in USENIX Security '27 should be selected:
- Paper: KnowPhish: Large Language Models Meet Multimodal Knowledge Graphs for Enhancing Reference-Based Phishing Detection → Primary Topic: Web Security (The paper proposes the usage of LLMs for Phishing Website Detection).
- Paper: Uncovering the Limits of Machine Learning for Automatic Vulnerability Detection → Primary Topic: Software Security (The paper evaluates the application of ML for the task of vulnerability detection, which pertains to software security).
- Paper: PentestGPT: Evaluating and Harnessing Large Language Models for Automated Penetration Testing → Primary Topic: Systems Security (The paper studies the application of LLMs for penetration testing of systems.)
- Paper: Formalizing and Benchmarking Prompt Injection Attacks and Defenses → Primary Topic: Security of ML (The paper evaluates various Prompt Injection Attacks and Defenses, which are specific vulnerabilities of ML-based systems)
View the Call for Papers