PoisonedRAG

“they rely exclusively on the poisoned texts injected into the knowledge base, resulting in a significant decline in attack efficiency, i.e., attack success rate, as the number of injected poisoned texts decreases”

“Corpus poisoning attacks, as demonstrated by PoisonedRAG zou2025poisonedrag and ConfusedPilot roychowdhury2024confusedpilot, involve injecting malicious documents into the knowledge base, compromising the model's answers and system integrity.”

“these approaches often overlook whether the malicious content can actually be retrieved, posing a challenge in real-world scenarios where successful retrieval depends on sufficient similarity to the query”

“Joint retriever-generator attacks~wang2025jointgcg,zou2024poisonedrag manipulate generation effectively but produce high-perplexity text (PPL $>$150) that is highly exposed to simple PPL filtering; augmenting these methods with fluency constraints remains unexplored.”

“They are evaluated under simplified RAG configurations, assuming that poisoned content is indexed verbatim and that attackers can anticipate the exact target queries.”

“However, these attacks often lack practicality as they concentrate on isolated factual queries.”

“However, these existing methodologies predominantly rely on explicit content injection or additive noise. In contrast, we propose LogicPoison, a paradigm that topologically rewires logical reasoning chains via stealthy, type-preserving entity swapping, thereby compromising GraphRAG through implicit logical corruption rather than conspicuous fabrication.”

“Some of the methods~zou2025poisonedrag insert the target query into the poisoned text to improve retrieval probability, failing to leverage interactive feedback from the system.”

“attacks like PoisonedRAG~zou2024poisonedrag are effective only when the number of poisoned texts exceeds that of the correct-answer texts within the top-$N$ retrieved texts per query”

“these methods inevitably introduce abnormal inference behaviors and new security risks to the deployed LLMs as these distinctive behaviors are generating incorrect results on particular verification prompts/questions”

“However, these attacks typically rely on pre-defined misinformation templates or manually constructed adversarial passages, limiting the scalability and generality of their approach.”

“Existing RAG poisoning attacks are significantly less effective under GraphRAG...such query-specific poisoning strategies suffer sharp performance degradation on GraphRAG compared to conventional RAG.”