4 th International Workshop on
Designing and Measuring Security in Systems with AI
July 4th, 2025 — Venice
co-located with the 10th IEEE European Symposium on Security and Privacy (EuroS&P 2025)
Photo: https://pixabay.com (License: CC BY 2.0 )

Keynotes

Title: Real world AI security threats and how to tackle them

Kathrin Grosse, Research Scientist @ IBM Research, Zurich (Switzerland) - click for bio

Kathrin Grosse is a Research Scientist at IBM Research, Zurich, Switzerland. Her research interests focus on AI security in practice. Her work bridges research (in AI security) and industry needs. She received her master’s degree from Saarland University and her Ph.D. at CISPA Helmholtz Center, Saarland University, in 2021 under the supervision of Michael Backes, followed by a Postdoc with Battista Biggio in Cagliari, Italy and Alexandre Alahi at EPFL, Switzerland. She interned with IBM in 2019 and Disney Research in 2020/21. As part of her work, she serves as a reviewer for IEEE S&P, Usenix Security, and ICML and organizes workshops at ICML and develops patents. In 2019, she was nominated as an AI Newcomer for the German Federal Ministry of Education and Research's Science Year.

In this talk, we will revisit the evidence of vulnerabilities and exploits within the realm of Artificial Intelligence, encompassing both traditional AI and Large Language Models (LLMs). Such vulnerabilities necessitate prevention – which we suggest could be handled by incident reporting, ideally based on a taxonomy that allows the collection of all information needed to understand the incident and trends in exploits. We will discuss our proposal for such a framework covering properties of the underlying AI, relevant security properties of the AI system, and incident specifics and implications.

Title: Malware Detection with AI Systems: bridging the gap between industry and academia

Luca Demetrio, Assistant Professor @ University of Genoa (Italy) - click for bio

Luca Demetrio is Assistant Professor at the University of Genoa. He is among the pioneers of offensive security against machine-learning antivirus programs, with his research on adversarial EXEmples. He is associate editor for Pattern Recognition, and he serves as review for top-tier conferences (ICML, ICLR, USENIX, NeurIPS) and journals (T-IFS, COSE).


With the abundance of programs developed everyday, it is possible to develop next-generation antivirus programs that leverage this vast accumulated knowledge. In practice, these technologies are developed with a mixture of established techniques like pattern matching, and machine learning algorithms, both tailored to achieve high detection rate and low false alarms. While companies state the application of both techniques, no rigorous investigation on the interconnection between detection strategies have been properly discussed and evaluated, thus keeping further advancements in the field locked up in secrecy. In this talk, we will venture forth into both pattern-matching and data-based decision-making processes to study how they can be integrated, and how their performances can be tuned to improve their efficacy. Also, we will peek into the world of adversaries that want to sneak through these next-generation antivirus programs, highlighting new challenges as well.

Call for Papers

We encourage submissions of the EuroS&P 2025 rejected papers and welcome the authors to optionally attach prior reviews.

Important Dates

  • Paper submission deadline: February 20th, 2025 (all deadlines are 11:59 PM CEST)
  • Extended Paper submission deadline: March 16th, 2025 (all deadlines are 11:59 PM CEST)
  • Review Released and Acceptance notification: **April 3rd, 2025**
  • Final papers and slides due: **April 15th, 2025**
  • Workshop day: July 4th, 2025

Overview

Building secure by design systems has become a corner stone in software development, but with the rapid adoption of AI in virtually every deployed system, methods used for measuring and analyzing security throughout the software development need substantial rethinking. AI and software should be co-designed with security in mind, rather than addressing it separately or as an afterthought. This workshop aims to bridge the secure software design and security for AI research communities by providing a forum for discussing architectural and implementation challenges. This workshop will focus on security for AI-augmented systems, as well as covering the security aspects of AI, especially in real-world scenarios.

Topics of Interest

Topics of interest include (but are not limited to):

  • Modeling security for AI-augmented systems (including generative AI)
    • Approaches to secure software architecture
    • Security risk assessment and analysis
    • Security risk management
    • Threat modelling
    • Attack, intrusion and defense modeling
    • Challenges with modeling or integrating legacy systems with AI components
  • Enforcing security for AI-augmented systems (including generative AI)
    • Preventing AI misuse and AI bench-marking
    • Enforcing security between design and implementation
    • Enforcing security between implementation and runtime
    • Developing attacks and defenses
  • Measuring security for AI-augmented systems (including generative AI)
    • Metrics and measurement approaches
    • Security, trust and privacy metrics
    • Measurement systems and associated data gathering
    • Security trade-off analyses
    • Assurance and security certification methods
    • Devtime and runtime security measurements
    • Visualization approaches for security measurements
    • Human aspects and diversity effects
  • Applications of AI for enhancing security
    • AI for security requirements engineering, secure coding standards, application security guidelines
    • AI for assessing security design documents, threat modeling documents, planned mitigations and countermeasures
    • AI for aiding security code review, securing the source code, and processing documentation
    • AI for SAST, DAST, PEN testing, application and container security testing
    • AI for incident response planning and execution

Submission Guidelines

We invite the following types of papers (the page limits exclude well-marked references and appendix):

  • Original research papers (of a maximum of 6 pages) that describe novel contributions, report on experimental results, or experiences in industry such as case or field studies.
  • Position and open-problem papers (of a maximum of 6 pages) discussing promising preliminary experimental results, approaches, ideas, or challenging issues for application in the industry, future perspectives and roadmap papers, and "Systematization of knowledge" papers, which provide a comprehensive view of the state-of-the-art on the workshop topics.
  • Extended abstracts (of a maximum of 2 pages) that describe ongoing ideas and work in progress and would benefit from quick feedback from the research community

All papers should be submitted as a PDF file in double-column IEEE Conference Proceedings format (see Overleaf template ). Submissions will go through a double-blind peer-reviewing process aimed at selecting the papers to be presented at the workshop. There will be no formal workshop proceedings . Papers already published in other venues are welcome in all three categories. The accepted papers or slides will be made available to registered attendees on the workshop's online website. Submissions must be in English and properly anonymized.

Important: The use of generative AI for authors and reviewers is not allowed. Should we (or our PC) encounter any suspicious submissions, they will be rejected. The organizers will oversee the review process and ensure high-quality feedback is provided by all reviewers. If we encounter an author or a co-reviewer reporting a suspicious review, one of the workshop chairs will check the review in question and if needed provide an additional review.

Submission Site

Submission link: https://easychair.org/my/conference?conf=demessai25 .

All accepted submissions will be presented at the workshop as posters. Accepted papers will be selected for presentation as spotlights based on their review score and novelty. Nonetheless, all accepted papers should be considered as having equal importance.

One author of each accepted paper is required to attend the workshop and present the paper.

For any questions, please contact one the workshop organizers at k.tuma@vu.nl , maura.pintor@unica.it and jamal.el-hachem@univ-ubs.fr .

Committee

Workshop Chairs

Program Committee

  • Arul Thileeban Sagayam (Bloomberg NYC)
  • Bernhard J. Berger (University of Rostock)
  • Birgy Lorenz (Tallinn University of Technology (TalTech))
  • Christopher Gerking (Karlsruhe Institute of Technology)
  • Claudia Szabo (The University of Adelaide)
  • Daniel Strüber (Chalmers | University of Gothenburg, Radboud University Nijmegen)
  • David Pape (CISPA)
  • Denis Trcek (University of Ljubljana)
  • Dimitri Van Landuyt (KU Leuven)
  • Elena Lisova (MDU, VCE)
  • Emanuele Iannone (Hamburg University of Technology)
  • Giorgio Piras (University of Cagliari)
  • Giulio Rossolini (Scuola Superiore Sant'Anna)
  • Jinhan Kim (Università della Svizzera italiana)
  • Julien Francq (Naval Group)
  • Megha Khosla (Delft University of Technology)
  • Mengyuan Zhang (Vrije Universiteit Amsterdam)
  • Muhammad Ali Babar (The University of Adelaide)
  • Nan Messe (IRIT)
  • Phu Nguyen (SINTEF)
  • Riccardo Scandariato (Hamburg University of Technology)
  • Simon Schneider (Hamburg University of Technology)
  • Stjepan Picek (Radboud University)
  • Sven Peldszus (Ruhr University Bochum)
  • Thijs van Ede (University of Twente)
  • Tong Li (Beijing University of Technology)