Human-Imperceptible Retrieval Poisoning Attacks in LLM-Powered Applications
This addresses a security problem for developers and users of LLM applications, highlighting a critical oversight in current frameworks, though it is incremental in exposing a specific threat rather than proposing a broad solution.
The paper tackles the vulnerability of LLM-powered applications using retrieval augmented generation (RAG) to retrieval poisoning attacks, where attackers craft human-imperceptible documents that mislead applications into generating incorrect responses, achieving up to 88.33% success in experiments.
Presently, with the assistance of advanced LLM application development frameworks, more and more LLM-powered applications can effortlessly augment the LLMs' knowledge with external content using the retrieval augmented generation (RAG) technique. However, these frameworks' designs do not have sufficient consideration of the risk of external content, thereby allowing attackers to undermine the applications developed with these frameworks. In this paper, we reveal a new threat to LLM-powered applications, termed retrieval poisoning, where attackers can guide the application to yield malicious responses during the RAG process. Specifically, through the analysis of LLM application frameworks, attackers can craft documents visually indistinguishable from benign ones. Despite the documents providing correct information, once they are used as reference sources for RAG, the application is misled into generating incorrect responses. Our preliminary experiments indicate that attackers can mislead LLMs with an 88.33\% success rate, and achieve a 66.67\% success rate in the real-world application, demonstrating the potential impact of retrieval poisoning.