Machine Against the RAG: Jamming Retrieval-Augmented Generation with Blocker Documents
This exposes a security flaw in RAG systems used for query answering, which is incremental as it builds on known vulnerabilities but introduces a new attack method.
The paper tackles the vulnerability of retrieval-augmented generation (RAG) systems to denial-of-service attacks by adding 'blocker' documents, demonstrating that a single document can cause the system to fail to answer specific queries, with methods evaluated across multiple embeddings and LLMs.
Retrieval-augmented generation (RAG) systems respond to queries by retrieving relevant documents from a knowledge database and applying an LLM to the retrieved documents. We demonstrate that RAG systems that operate on databases with untrusted content are vulnerable to denial-of-service attacks we call jamming. An adversary can add a single ``blocker'' document to the database that will be retrieved in response to a specific query and result in the RAG system not answering this query, ostensibly because it lacks relevant information or because the answer is unsafe. We describe and measure the efficacy of several methods for generating blocker documents, including a new method based on black-box optimization. Our method (1) does not rely on instruction injection, (2) does not require the adversary to know the embedding or LLM used by the target RAG system, and (3) does not employ an auxiliary LLM. We evaluate jamming attacks on several embeddings and LLMs and demonstrate that the existing safety metrics for LLMs do not capture their vulnerability to jamming. We then discuss defenses against blocker documents.