
Prateek Mittal
Associated Faculty · Princeton University · Computer Science
Active 1984–2025
About
Prateek Mittal is a Professor of Electrical and Computer Engineering at Princeton University, where he also serves as Associate Chair of the Department and Director of Undergraduate Studies. His research broadly focuses on privacy-preserving and secure systems, with current emphasis on security and machine learning, privacy and machine learning, and the intersection of privacy, security, and networked systems. His work draws on techniques from data science, network science, distributed systems, and applied cryptography. Professor Mittal's research has contributed to the design of widely-used systems such as the Tor network for anonymous communication and the Let's Encrypt Certificate Authority. He holds a Ph.D. and M.S. from the University of Illinois at Urbana-Champaign and a B.Tech. from the Indian Institute of Technology. He is an associated faculty member in the Center for Information Technology Policy and in computer science, recognized for his contributions to the field through numerous awards and honors, including the NSF CAREER Award, IEEE and ACM senior memberships, and the IBM Faculty Award. His work has been featured in various prestigious conferences and symposia, and he is known for his influence on security and privacy in networked systems.
Research topics
- Computer Security
- Computer Science
- Data Mining
- Data science
- Computer network
- Human–computer interaction
- Distributed computing
Selected publications
What WeChat Knows: Pervasive First-Party Tracking in a Billion-User Super-App Ecosystem
Proceedings on Privacy Enhancing Technologies · 2025-07-13 · 1 citation
Article · Open access · Senior author
This work studies the analytics and first-party tracking ecosystem of WeChat Mini Programs. WeChat Mini Programs have almost one billion monthly active users, comprising one of the largest application and analytics ecosystems in the world. A key challenge in investigating the privacy of WeChat's Mini Programs is WeChat's use of a proprietary network encryption protocol, MMTLS, to transmit analytics data. First, we reverse-engineer WeChat's network stack, and release tooling and specifications for investigating network requests sent to WeChat servers. Leveraging this tooling, we analyze the requests sent by 104 popular Mini Programs to perform the first characterization and analysis of WeChat's user tracking across their Mini Program ecosystem. Overall, we identified fine-grained browsing data in 76.0% of the network traces we decrypted. This tracking includes browsing and search queries performed within third-party Mini Programs, some of which manage particularly sensitive data; for instance, we also identified browsing data in 89.7% of the traces we decrypted from 40 health-related Mini Programs. We ultimately find that the first-party platform, WeChat, is comprehensively tracking user activity with third-party Mini Programs, at an unprecedented scale. There is no way for users or Mini Program developers to opt out of this data collection.
Proceedings of the AAAI/ACM Conference on AI Ethics and Society · 2025-10-15
Article · Open access
The latest Audio Language Models (Audio LMs) process speech directly instead of relying on a separate transcription step. This shift preserves detailed information, such as intonation or the presence of multiple speakers, that would otherwise be lost in transcription. However, it also introduces new safety risks, including the potential misuse of speaker identity cues and other sensitive vocal attributes, which could have legal implications. In this paper, we urge a closer examination of how these models are built and deployed. Our experiments show that end-to-end modeling, compared with cascaded pipelines, creates socio-technical safety risks such as identity inference, biased decision-making, and emotion detection. This raises concerns about whether Audio LMs store voiceprints and function in ways that create uncertainty under existing legal regimes. We then argue that the Principle of Least Privilege should be considered to guide the development and deployment of these models. Specifically, evaluations should assess (1) the privacy and safety risks associated with end-to-end modeling; and (2) the appropriate scope of information access. Finally, we highlight related gaps in current audio LM benchmarks and identify key open research questions, both technical and policy-related, that must be addressed to enable the responsible deployment of end-to-end Audio LMs.
Scaling SCIERA: A Journey Through the Deployment of a Next-generation Network
2025-08-27 · 3 citations
Article · Open access
The SCION Next-Generation Network (NGN) architecture has expanded steadily since 2017, with today 20+ ISPs offering SCION connectivity. In production, IP-to-SCION-to-IP translation by SCION-IP-Gateways (SIGs) is used, such that applications are unaware of the NGN communication. To accelerate innovation and deployments, our aim is to increase the number of native SCION use cases, where the application is fully SCION-aware and optimizes communication across all path choices offered by the network. We set out to achieve two core objectives: (1) facilitating simple native connectivity for applications, and (2) enhancing the scalability of SCION deployment at academic sites.
Does More Inference-Time Compute Really Help Robustness?
ArXiv.org · 2025-07-21
Preprint · Open access · Senior author
Recently, Zaremba et al. demonstrated that increasing inference-time computation improves robustness in large proprietary reasoning LLMs. In this paper, we first show that smaller-scale, open-source models (e.g., DeepSeek R1, Qwen3, Phi-reasoning) can also benefit from inference-time scaling using a simple budget forcing strategy. More importantly, we reveal and critically examine an implicit assumption in prior work: intermediate reasoning steps are hidden from adversaries. By relaxing this assumption, we identify an important security risk, intuitively motivated and empirically verified as an inverse scaling law: if intermediate reasoning steps become explicitly accessible, increased inference-time computation consistently reduces model robustness. Finally, we discuss practical scenarios where models with hidden reasoning chains are still vulnerable to attacks, such as models with tool-integrated reasoning and advanced reasoning extraction attacks. Our findings collectively demonstrate that the robustness benefits of inference-time scaling depend heavily on the adversarial setting and deployment context. We urge practitioners to carefully weigh these subtle trade-offs before applying inference-time scaling in security-sensitive, real-world applications.
WireWatch: Measuring the Security of Proprietary Network Encryption in the Global Android Ecosystem
2025-05-12
Article
We present WireWatch, a large-scale measurement pipeline to evaluate the network security of Android apps. WireWatch measures apps' usage of plaintext network traffic and non-standard, proprietary network cryptography. We found that 47.6% of top Mi Store applications used proprietary network cryptography without any additional encryption, compared to only 3.51% of top Google Play Store applications. We analyzed the 18 most popular protocols from WireWatch, which belonged to 9 protocol families, including cryptosystems designed by Alibaba, iQIYI, Kuaishou, and Tencent. We found that 8 of these protocol families sent requests that allowed network eavesdroppers to decrypt underlying data, including browsing data and device metadata, among various other issues, such as being downgradable, not validating TLS certificates, and the use of RSA without OAEP. These vulnerabilities affected 26.9% of our Mi Store dataset with a cumulative 130 billion downloads. Ultimately, WireWatch reveals that a large portion of massively popular applications are using insecure proprietary network protocols to encrypt sensitive user data.
Differentially Private Image Classification by Learning Priors from Random Processes
Journal of Privacy and Confidentiality · 2025-03-31 · 1 citation
Article · Open access · Senior author
In privacy-preserving machine learning, differentially private stochastic gradient descent (DP-SGD) performs worse than SGD due to per-sample gradient clipping and noise addition. A recent focus in private learning research is improving the performance of DP-SGD on private data by incorporating priors that are learned on real-world public data. In this work, we explore how we can improve the privacy-utility tradeoff of DP-SGD by learning priors from images generated by random processes and transferring these priors to private data. We propose DP-RandP, a three-phase approach. We attain new state-of-the-art accuracy when training from scratch on CIFAR10, CIFAR100, MedMNIST and ImageNet for a range of privacy budgets $\epsilon \in [1, 8]$. In particular, we improve the previous best reported accuracy on CIFAR10 from $60.6 \%$ to $72.3 \%$ for $\epsilon=1$.
ArXiv.org · 2025-03-21
Preprint · Open access
The latest Audio Language Models (Audio LMs) process speech directly instead of relying on a separate transcription step. This shift preserves detailed information, such as intonation or the presence of multiple speakers, that would otherwise be lost in transcription. However, it also introduces new safety risks, including the potential misuse of speaker identity cues and other sensitive vocal attributes, which could have legal implications. In this paper, we urge a closer examination of how these models are built and deployed. Our experiments show that end-to-end modeling, compared with cascaded pipelines, creates socio-technical safety risks such as identity inference, biased decision-making, and emotion detection. This raises concerns about whether Audio LMs store voiceprints and function in ways that create uncertainty under existing legal regimes. We then argue that the Principle of Least Privilege should be considered to guide the development and deployment of these models. Specifically, evaluations should assess (1) the privacy and safety risks associated with end-to-end modeling; and (2) the appropriate scope of information access. Finally, we highlight related gaps in current audio LM benchmarks and identify key open research questions, both technical and policy-related, that must be addressed to enable the responsible deployment of end-to-end Audio LMs.
Adversarial Déjà Vu: Jailbreak Dictionary Learning for Stronger Generalization to Unseen Attacks
arXiv (Cornell University) · 2025-10-24
Preprint · Open access
Large language models remain vulnerable to jailbreak attacks that bypass safety guardrails to elicit harmful outputs. Defending against novel jailbreaks represents a critical challenge in AI safety. Adversarial training, designed to make models robust against worst-case perturbations, has been the dominant paradigm for adversarial robustness. However, due to optimization challenges and difficulties in defining realistic threat models, adversarial training methods often fail on newly developed jailbreaks in practice. This paper proposes a new paradigm for improving robustness against unseen jailbreaks, centered on the Adversarial Déjà Vu hypothesis: novel jailbreaks are not fundamentally new, but largely recombinations of adversarial skills from previous attacks. We study this hypothesis through a large-scale analysis of 32 attack papers published over two years. Using an automated pipeline, we extract and compress adversarial skills into a sparse dictionary of primitives, with LLMs generating human-readable descriptions. Our analysis reveals that unseen attacks can be effectively explained as sparse compositions of earlier skills, with explanatory power increasing monotonically as skill coverage grows. Guided by this insight, we introduce Adversarial Skill Compositional Training (ASCoT), which trains on diverse compositions of skill primitives rather than isolated attack instances. ASCoT substantially improves robustness to unseen attacks, including multi-turn jailbreaks, while maintaining low over-refusal rates. We also demonstrate that expanding adversarial skill coverage, not just data scale, is key to defending against novel attacks. Warning: This paper contains content that may be harmful or offensive in nature.
Effectively Controlling Reasoning Models through Thinking Intervention
ArXiv.org · 2025-03-31
Preprint · Open access · Senior author
Reasoning-enhanced large language models (LLMs) explicitly generate intermediate reasoning steps prior to generating final answers, helping the model excel in complex problem-solving. In this paper, we demonstrate that this emerging generation framework offers a unique opportunity for more fine-grained control over model behavior. We propose Thinking Intervention, a novel paradigm designed to explicitly guide the internal reasoning processes of LLMs by strategically inserting or revising specific thinking tokens. We find that the Thinking Intervention paradigm enhances the capabilities of reasoning models across a wide range of tasks, including instruction following on IFEval and Overthinking, instruction hierarchy on SEP, and safety alignment on XSTest and SorryBench. Our results demonstrate that Thinking Intervention significantly outperforms baseline prompting approaches, achieving up to 6.7% accuracy gains in instruction-following scenarios, 15.4% improvements in reasoning about instruction hierarchies, and a 40.0% increase in refusal rates for unsafe prompts using open-source DeepSeek R1 models. Overall, our work opens a promising new research avenue for controlling reasoning LLMs.
Adapting to Evolving Adversaries with Regularized Continual Robust Training
ArXiv.org · 2025-02-06
Preprint · Open access · Senior author
Robust training methods typically defend against specific attack types, such as Lp attacks with fixed budgets, and rarely account for the fact that defenders may encounter new attacks over time. A natural solution is to adapt the defended model to new adversaries as they arise via fine-tuning, a method which we call continual robust training (CRT). However, when implemented naively, fine-tuning on new attacks degrades robustness on previous attacks. This raises the question: how can we improve the initial training and fine-tuning of the model to simultaneously achieve robustness against previous and new attacks? We present theoretical results which show that the gap in a model's robustness against different attacks is bounded by how far each attack perturbs a sample in the model's logit space, suggesting that regularizing with respect to this logit space distance can help maintain robustness against previous attacks. Extensive experiments on 3 datasets (CIFAR-10, CIFAR-100, and ImageNette) and over 100 attack combinations demonstrate that the proposed regularization improves robust accuracy with little overhead in training time. Our findings and open-source code lay the groundwork for the deployment of models robust to evolving attacks.
Recent grants
- NSF · $540k · 2017–2021
- NSF · $400k · 2014–2018
- CAREER: Trustworthy Social Systems Using Network Science
- NSF · $521k · 2016–2022
- NSF · $250k · 2016–2019
- TWC: Small: Collaborative: Advancing Anonymity Against an AS-level Adversary
- NSF · $250k · 2014–2017
Frequent coauthors
- Vikash Sehwag · 34 shared
- Arjun Nitin Bhagoji (University of Chicago) · 32 shared
- Mung Chiang · 31 shared
- Nikita Borisov · 25 shared
- Daniel Cullina · 24 shared
- Saeed Mahloujifar · 22 shared
- Shouling Ji (Zhejiang University) · 21 shared
- Peng Gao · 19 shared
Labs
Prateek Mittal Lab · PI
Awards & honors
- CSAW Applied Research Finalist, 2018
- Army Research Office (ARO) Young Investigator Award, 2018
- Office of Naval Research (ONR) Young Investigator Award, 201…
- Princeton Engineering Commendation List for Outstanding Teac…
- IBM Faculty Award, 2017