Somesh Jha

Sheldon B. Lubar Chair and Professor

University of Wisconsin-Madison · Computer Sciences

Active 1984–2026

h-index: 69
Citations: 30.3k
Papers: 395 (141 in the last 5 years)
Funding: $4.9M

About

Somesh Jha is the Lubar Professor in the Computer Sciences Department at the University of Wisconsin-Madison. He holds a Ph.D. from the School of Computer Science at Carnegie Mellon University. His main research interests lie at the intersection of security and formal methods; his current focus areas are adversarial machine learning and privacy. He has a peripheral interest in computational finance, although he has not been active in that area for several years. His publications are listed on his DBLP and Google Scholar pages. He has been involved in projects including the Center for Trustworthy Machine Learning and has mentored several Ph.D. students. He teaches courses such as Introduction to Cryptography and Security and Privacy for Data Science. He has also served as an expert witness and has been involved with the startups Novashield (malware detection) and Tala Security (web security).

Research topics

  • Computer Science
  • Computer Security
  • Artificial Intelligence
  • Data Mining
  • Machine Learning
  • Operating system
  • Distributed computing
  • Mathematics
  • Programming language
  • Psychology
  • World Wide Web
  • Human–computer interaction
  • Business
  • Embedded system
  • Theoretical computer science
  • Real-time computing
  • Database
  • Telecommunications
  • Social psychology
  • Econometrics
  • Data science
  • Internet privacy

Selected publications

  • SLVR: Securely Leveraging Client Validation for Robust Federated Learning

    2026-05-22

    preprint · Open access

    Federated Learning (FL) enables collaborative model training while keeping client data private. However, exposing individual client updates makes FL vulnerable to reconstruction attacks. Secure aggregation mitigates such privacy risks but prevents the server from verifying the validity of each client update, creating a privacy-robustness trade-off. Recent efforts attempt to address this trade-off by enforcing model integrity checks on client updates using privacy-enhancing technologies, but they support limited predicates and often depend on public validation data. We propose SLVR, a general framework that securely leverages clients’ private data through secure multi-party computation. SLVR enables stronger, data-driven integrity validation that takes clients’ private data as input while removing the need for public validation data. Our empirical evaluations show that SLVR improves robustness against model poisoning attacks, particularly outperforming existing methods by up to 60% under adaptive attacks.

  • Secure Noise Sampling for Differentially Private Collaborative Learning

    2025-11-19 · 1 citation

    article · Open access

    Differentially private stochastic gradient descent (DP-SGD) trains machine learning (ML) models with formal privacy guarantees for the training set by adding random noise to gradient updates. In collaborative learning (CL), where multiple parties jointly train a model, noise addition occurs either (i) before or (ii) during secure gradient aggregation. The first option is deployed in distributed DP methods, which require greater amounts of total noise to achieve security, resulting in degraded model utility. The second approach preserves model utility but requires a secure multiparty computation (MPC) protocol. Existing methods for MPC noise generation require tens to hundreds of seconds of runtime per noise sample because of the number of parties involved. This makes them impractical for collaborative learning, which often requires thousands or more samples of noise in each training step.

  • Systems Security Foundations for Agentic Computing

    ArXiv.org · 2025-12-01

    preprint · Open access

    In recent years, agentic artificial intelligence (AI) systems are becoming increasingly widespread. These systems allow agents to use various tools, such as web browsers, compilers, and more. However, despite their popularity, agentic AI systems also introduce a myriad of security concerns, due to their constant interaction with third-party servers. For example, a malicious adversary can cause data exfiltration by executing prompt injection attacks, as well as other unwarranted behavior. These security concerns have recently motivated researchers to improve the safety and reliability of agentic systems. However, most of the literature on this topic is from the AI standpoint and lacks the system-security perspective and guarantees. In this work, we begin bridging this gap and present an analysis through the lens of classic cybersecurity research. Specifically, motivated by decades of progress in this domain, we identify short- and long-term research problems in agentic AI safety by examining end-to-end security properties of entire systems, rather than standalone AI models running in isolation. Our key goal is to examine where research challenges arise when applying traditional security principles in the context of AI agents and, as a secondary goal, distill these ideas for AI practitioners. Furthermore, we extensively cover 11 case studies of real-world attacks on agentic systems, as well as define a series of new research problems that are specific to this important domain.

  • PEA: Enhancing LLM Performance on Computational-Reasoning Tasks

    ArXiv.org · 2025-02-16

    preprint · Open access

    Large Language Models (LLMs) have exhibited remarkable capabilities across diverse domains, prompting investigations into their potential as generic reasoning engines. While recent studies have explored inference-time computation to enhance model performance on complex problems, current research lacks a formal framework to characterize the complexity of reasoning tasks. This study introduces the Predicate-Enumeration-Aggregation (PEA) framework, a formal approach to describe and solve a class of important reasoning tasks termed computational reasoning problems. The PEA framework decomposes these problems into predicate and enumeration components, using LLMs to synthesize programs based on specified predicates, enumeration, and aggregation rules. These synthesized programs are then executed to obtain solutions to the computational tasks. We demonstrate the framework's efficacy on benchmark tasks including Boolean satisfiability problems, game of $24$, and planning problems. Empirical evaluation reveals that PEA substantially enhances the performance of underlying models on benchmark computational problems, yielding an average accuracy improvement of approximately $50\%$, coupled with increased efficiency.

  • Technology Gap in Adopting Recommended Cultural Practices of Cotton

    Agriculture Association of Textile Chemical and Critical Reviews · 2025-09-01

    article · Senior author

    Agriculture is pivotal for industrial progress, with cotton emerging as a critical component of the agricultural economy, particularly in India. This study evaluates the technological gaps in cotton cultivation among farmers in Punjab, a significant cotton-producing region. Cotton, referred to as white gold, plays a crucial role in India’s economy, contributing to GDP, industrial production, and export earnings while employing millions. Despite advancements in agricultural practices, a notable disparity exists between recommended and actual practices among farmers. The research was conducted in seven cotton-growing districts in Punjab, involving 350 farmers. Data were collected using an interview schedule focused on nine key cotton cultivation practices. The analysis revealed significant technological gaps, with the largest discrepancies observed in pest identification (60.38%) and pest control measures (51.0%). Other notable gaps were in irrigation practices, seed selection, and disease management. The study underscores the need for enhanced farmer education and the implementation of recommended practices to bridge these gaps and optimize cotton production. The primary challenge encountered was the limited awareness among farmers about scientific agricultural practices. The study contributes by identifying these gaps and offering targeted solutions to bridge them.

  • Publicly-Detectable Watermarking for Language Models

    IACR Communications in Cryptology · 2025-01-13 · 9 citations

    article · Open access

    We present a publicly-detectable watermarking scheme for LMs: the detection algorithm contains no secret information, and it is executable by anyone. We embed a publicly-verifiable cryptographic signature into LM output using rejection sampling and prove that this produces unforgeable and distortion-free (i.e., undetectable without access to the public key) text output. We make use of error-correction to overcome periods of low entropy, a barrier for all prior watermarking schemes. We implement our scheme and find that our formal claims are met in practice.

  • What Really is a Member? Discrediting Membership Inference via Poisoning

    ArXiv.org · 2025-06-06

    preprint · Open access

    Membership inference tests aim to determine whether a particular data point was included in a language model's training set. However, recent works have shown that such tests often fail under the strict definition of membership based on exact matching, and have suggested relaxing this definition to include semantic neighbors as members as well. In this work, we show that membership inference tests are still unreliable under this relaxation - it is possible to poison the training dataset in a way that causes the test to produce incorrect predictions for a target point. We theoretically reveal a trade-off between a test's accuracy and its robustness to poisoning. We also present a concrete instantiation of this poisoning attack and empirically validate its effectiveness. Our results show that it can degrade the performance of existing tests to well below random.

  • ATLAS: Constraints-Aware Multi-Agent Collaboration for Real-World Travel Planning

    ArXiv.org · 2025-09-29

    preprint · Open access

    While Large Language Models (LLMs) have shown remarkable advancements in reasoning and tool use, they often fail to generate optimal, grounded solutions under complex constraints. Real-world travel planning exemplifies these challenges, evaluating agents' abilities to handle constraints that are explicit, implicit, and even evolving based on interactions with dynamic environments and user needs. In this paper, we present ATLAS, a general multi-agent framework designed to effectively handle such complex nature of constraints awareness in real-world travel planning tasks. ATLAS introduces a principled approach to address the fundamental challenges of constraint-aware planning through dedicated mechanisms for dynamic constraint management, iterative plan critique, and adaptive interleaved search. ATLAS demonstrates state-of-the-art performance on the TravelPlanner benchmark, improving the final pass rate from 23.3% to 44.4% over its best alternative. More importantly, our work is the first to demonstrate quantitative effectiveness on real-world travel planning tasks with live information search and multi-turn feedback. In this realistic setting, ATLAS showcases its superior overall planning performance, achieving an 84% final pass rate which significantly outperforms baselines including ReAct (59%) and a monolithic agent (27%).

  • On the Difficulty of Constructing a Robust and Publicly-Detectable Watermark

    ArXiv.org · 2025-02-07 · 1 citation

    preprint · Open access

    This work investigates the theoretical boundaries of creating publicly-detectable schemes to enable the provenance of watermarked imagery. Metadata-based approaches like C2PA provide unforgeability and public-detectability. ML techniques offer robust retrieval and watermarking. However, no existing scheme combines robustness, unforgeability, and public-detectability. In this work, we formally define such a scheme and establish its existence. Although theoretically possible, we find that at present, it is intractable to build certain components of our scheme without a leap in deep learning capabilities. We analyze these limitations and propose research directions that need to be addressed before we can practically realize robust and publicly-verifiable provenance.

  • How Not to Detect Prompt Injections with an LLM

    ArXiv.org · 2025-07-08

    preprint · Open access · Senior author

    LLM-integrated applications and agents are vulnerable to prompt injection attacks, where adversaries embed malicious instructions within seemingly benign input data to manipulate the LLM's intended behavior. Recent defenses based on known-answer detection (KAD) scheme have reported near-perfect performance by observing an LLM's output to classify input data as clean or contaminated. KAD attempts to repurpose the very susceptibility to prompt injection as a defensive mechanism. We formally characterize the KAD scheme and uncover a structural vulnerability that invalidates its core security premise. To exploit this fundamental vulnerability, we methodically design an adaptive attack, DataFlip. It consistently evades KAD defenses, achieving detection rates as low as $0\%$ while reliably inducing malicious behavior with a success rate of $91\%$, all without requiring white-box access to the LLM or any optimization procedures.
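
The SLVR and secure-noise-sampling abstracts above both rest on the same mechanism: secure aggregation hides every individual client update from the server, which is what protects privacy and also what stops the server from validating updates or adding noise itself. The following block is an added illustration written for this page, not code from either paper. It assumes a pairwise-mask secure aggregation (the masks are derived here from a fixed SHA-256 seed as a stand-in for a pairwise key agreement the server does not see), four-dimensional fixed-point updates, and constructed client data with one client scaling its update 50x. The noise functions only do the variance bookkeeping behind the abstract's claim that noise added before aggregation must be larger than noise generated inside the MPC.

```python
"""Added example (not code from SLVR or the noise-sampling paper): pairwise-mask
secure aggregation, a poisoned update the server cannot single out because it
only sees the sum, and the noise budget for "noise before aggregation" versus
"noise generated inside the MPC". All client numbers are constructed."""
import hashlib
import math
import random

DIM = 4
MODULUS = 2 ** 32          # masked values live in Z_{2^32}
SCALE = 1_000              # fixed-point: 1.0 -> 1000


def to_fixed(vec):
    return [int(round(x * SCALE)) % MODULUS for x in vec]


def from_fixed(vec):
    return [(x - MODULUS if x >= MODULUS // 2 else x) / SCALE for x in vec]


def pairwise_mask(i, j):
    """Mask shared by clients i and j. Stand-in (assumption) for a PRG seeded
    from a pairwise key agreement; the server never learns the seed."""
    seed = hashlib.sha256(f"{min(i, j)}:{max(i, j)}".encode()).digest()
    rng = random.Random(seed)
    return [rng.randrange(MODULUS) for _ in range(DIM)]


def mask_update(i, update, n_clients):
    """Client i adds +mask for partners j>i and -mask for j<i; masks cancel in the sum."""
    masked = to_fixed(update)
    for j in range(n_clients):
        if j == i:
            continue
        sign = 1 if i < j else -1
        masked = [(x + sign * m) % MODULUS for x, m in zip(masked, pairwise_mask(i, j))]
    return masked


def server_aggregate(masked_updates):
    """The server only holds masked vectors; their sum is the plaintext sum."""
    total = [0] * DIM
    for u in masked_updates:
        total = [(t + x) % MODULUS for t, x in zip(total, u)]
    return from_fixed(total)


def run_round(updates):
    """Returns (what the server sees, what it can compute)."""
    masked = [mask_update(i, u, len(updates)) for i, u in enumerate(updates)]
    return masked, server_aggregate(masked)


def l2(vec):
    return math.sqrt(sum(x * x for x in vec))


# Constructed updates: three honest clients and one poisoner scaling its update
# 50x. A per-client norm check on plaintext would reject the poisoner, but each
# masked vector the server receives is indistinguishable from uniform randomness,
# so the check cannot be applied server-side: the privacy/robustness trade-off.
HONEST = [[0.1, -0.2, 0.05, 0.0], [0.12, -0.18, 0.0, 0.04], [0.08, -0.22, 0.06, -0.02]]
POISON = [50 * x for x in [0.1, -0.2, 0.05, 0.0]]
NORM_BOUND = 0.5


def plaintext_norm_check(update):
    return l2(update) <= NORM_BOUND


def noise_std_total(sigma, n_clients, honest_min):
    """Noise added before aggregation (distributed DP). To guarantee total
    variance sigma^2 from the honest_min clients assumed honest, each client
    adds N(0, sigma^2 / honest_min); summed over all n clients the noise std is
    sigma * sqrt(n / honest_min). Trusting no one (honest_min = 1) costs sqrt(n)."""
    return sigma * math.sqrt(n_clients / honest_min)


def noise_std_mpc(sigma):
    """Noise sampled inside the MPC: a single N(0, sigma^2) draw no party sees."""
    return sigma
```

With 16 clients and no trust in any other client, noise added before aggregation has four times the standard deviation of a single MPC-generated sample at the same privacy level, which is the utility loss the second abstract refers to; the MPC route pays for that in protocol runtime instead.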
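
The PEA abstract above describes decomposing a computational-reasoning task into a predicate, an enumeration and an aggregation rule, synthesizing a program from them and executing it. The block below is a hand-written example of such a program for the game of 24, one of the paper's benchmark tasks; it is not code from the paper and not LLM output, and it assumes the standard rules (four numbers, the operators + - * /, every parenthesisation). Executing the enumeration rather than asking a model for the answer is what removes arithmetic slips.

```python
"""Added example: predicate / enumeration / aggregation for the game of 24.
Hand-written for illustration; not code from the PEA paper."""
from fractions import Fraction
from itertools import permutations, product

OPS = {
    "+": lambda a, b: a + b,
    "-": lambda a, b: a - b,
    "*": lambda a, b: a * b,
    "/": lambda a, b: a / b if b != 0 else None,
}


def calc(x, op, y):
    """Apply one operator; None (division by zero) propagates upward."""
    if x is None or y is None:
        return None
    return OPS[op](Fraction(x), Fraction(y))


# Predicate: exact rational arithmetic, so 8/(3-8/3) is recognised as 24
# instead of being lost to floating-point rounding.
def predicate(value, target=24):
    return value is not None and value == Fraction(target)


# Enumeration: every ordering of the four numbers, every operator triple, and
# all five parenthesisations of a four-operand expression.
def enumerate_candidates(nums):
    for a, b, c, d in permutations(nums):
        for o1, o2, o3 in product(OPS, repeat=3):
            yield f"(({a}{o1}{b}){o2}{c}){o3}{d}", calc(calc(calc(a, o1, b), o2, c), o3, d)
            yield f"({a}{o1}({b}{o2}{c})){o3}{d}", calc(calc(a, o1, calc(b, o2, c)), o3, d)
            yield f"({a}{o1}{b}){o2}({c}{o3}{d})", calc(calc(a, o1, b), o2, calc(c, o3, d))
            yield f"{a}{o1}(({b}{o2}{c}){o3}{d})", calc(a, o1, calc(calc(b, o2, c), o3, d))
            yield f"{a}{o1}({b}{o2}({c}{o3}{d}))", calc(a, o1, calc(b, o2, calc(c, o3, d)))


# Aggregation: collect every candidate satisfying the predicate (or just decide).
def solve(nums, target=24):
    return sorted({expr for expr, val in enumerate_candidates(nums) if predicate(val, target)})


def solvable(nums, target=24):
    return any(predicate(val, target) for _, val in enumerate_candidates(nums))


if __name__ == "__main__":
    print(solve([8, 3, 8, 3]))   # includes the classic 8/(3-(8/3))
    print(solvable([1, 1, 1, 1]))
```

The three parts are deliberately separable: swapping the predicate (a different target) or the enumeration (a different operator set) changes one function, which is the property that lets a model synthesize the pieces independently.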
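
The abstract of "Publicly-Detectable Watermarking for Language Models" describes embedding a public-key signature into model output by rejection sampling, with a detector that holds no secret. The block below is a toy implementation added for this page, not the authors' code. Assumptions: the "language model" is a uniform sampler over a 22-word constructed vocabulary; the signature scheme is textbook RSA with a 40-bit modulus from two hard-coded primes, used only so the block runs without third-party libraries (it is breakable in seconds; a deployment would use a standard scheme such as EdDSA); each token carries one bit, the low bit of its SHA-256 hash; the signed message is the hash of the first eight tokens; and the error-correction layer the paper uses to survive low-entropy stretches is omitted.

```python
"""Added toy example (not the paper's code): a signature embedded in LM output
via rejection sampling, detectable with the public key alone. Textbook RSA
with a 40-bit modulus is used for runnability only and is insecure."""
import hashlib
import random

# Toy "language model" (assumption): uniform over a small constructed vocabulary.
VOCAB = ("the quick brown fox jumps over a lazy dog while seven red birds sing "
         "softly near this old stone bridge at dawn").split()


def lm_sample(rng):
    return rng.choice(VOCAB)


# Toy RSA keypair (assumption; insecure). pow(e, -1, phi) needs Python 3.8+.
P, Q = 1000003, 1000033
N = P * Q
E = 65537                                   # public key: (N, E)
D = pow(E, -1, (P - 1) * (Q - 1))           # private key, used only by generate()
SIG_BITS = N.bit_length()                   # payload tokens needed to carry one signature
HEADER_LEN = 8                              # tokens whose hash is signed


def hash_to_int(text):
    return int.from_bytes(hashlib.sha256(text.encode()).digest(), "big") % N


def sign(msg_int):
    return pow(msg_int, D, N)


def verify(msg_int, sig):
    return pow(sig, E, N) == msg_int


def token_bit(tok):
    """One embedded bit per token: low bit of SHA-256(token)."""
    return hashlib.sha256(tok.encode()).digest()[0] & 1


def sample_with_bit(rng, bit, max_tries=1000):
    """Rejection sampling: keep drawing from the LM until the token carries `bit`.
    Conditioning on the bit leaves the LM's distribution over matching tokens
    unchanged, which is what makes the output distortion-free."""
    for _ in range(max_tries):
        tok = lm_sample(rng)
        if token_bit(tok) == bit:
            return tok
    raise RuntimeError("vocabulary lacks tokens of the required parity")


def generate(seed):
    """Watermarked text: free header, then the signature of the header, bit by bit."""
    rng = random.Random(seed)
    header = [lm_sample(rng) for _ in range(HEADER_LEN)]
    sig = sign(hash_to_int(" ".join(header)))
    bits = [(sig >> i) & 1 for i in range(SIG_BITS)]      # LSB first
    payload = [sample_with_bit(rng, b) for b in bits]
    return " ".join(header + payload)


def generate_unwatermarked(seed, length=HEADER_LEN + SIG_BITS):
    rng = random.Random(seed)
    return " ".join(lm_sample(rng) for _ in range(length))


def detect(text):
    """Public detection: needs only (N, E), never D."""
    toks = text.split()
    if len(toks) < HEADER_LEN + SIG_BITS:
        return False
    header = toks[:HEADER_LEN]
    payload = toks[HEADER_LEN:HEADER_LEN + SIG_BITS]
    sig = sum(token_bit(t) << i for i, t in enumerate(payload))
    return verify(hash_to_int(" ".join(header)), sig)


def tamper(text):
    """Edit one header token; the recovered signature no longer matches."""
    toks = text.split()
    toks[0] = toks[0] + "x"
    return " ".join(toks)
```

Two properties of the scheme show up directly: `detect` uses only the public key, so anyone can run it, and unwatermarked text or text with an altered header fails verification, so the mark cannot be forged or transplanted without `D`. Capacity is the cost: a 40-bit toy signature already consumes 40 tokens, and a real signature needs correspondingly more, which is why the paper works on low-entropy handling.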


Frequent coauthors

  • Xi Wu (Chengdu University of Information Technology) · 34 shared publications
  • Thomas Reps · 33 shared publications
  • Jiefeng Chen (Central South University) · 31 shared publications
  • Mihai Christodorescu · 24 shared publications
  • Ninghui Li · 23 shared publications
  • Tianhao Wang · 23 shared publications
  • Matt Fredrikson · 21 shared publications
  • Prasad Chalasani · 21 shared publications

Education

  • Ph.D., School of Computer Science, Carnegie Mellon University
