CRLG
Jun 26, 2024

Adversarial Search Engine Optimization for Large Language Models

arXiv:2406.18382v2
34 citations
Originality: Incremental advance
AI Analysis

The paper identifies a new security threat for LLM applications that rank third-party content, with potential impact on both users and developers; it is incremental in that it builds on known adversarial-attack concepts.

The paper tackles adversarial manipulation of LLM-based systems such as search engines and chatbots, where crafted content can trick an LLM into favoring the attacker's products and discrediting competitors. The attacks are demonstrated on production systems such as Bing and GPT-4, and their collective effect is degraded output quality for all users.

Large Language Models (LLMs) are increasingly used in applications where the model selects from competing third-party content, such as in LLM-powered search engines or chatbot plugins. In this paper, we introduce Preference Manipulation Attacks, a new class of attacks that manipulate an LLM's selections to favor the attacker. We demonstrate that carefully crafted website content or plugin documentation can trick an LLM into promoting the attacker's products and discrediting competitors, thereby increasing user traffic and monetization. We show this leads to a prisoner's dilemma, where all parties are incentivized to launch attacks, but the collective effect degrades the LLM's outputs for everyone. We demonstrate our attacks on production LLM search engines (Bing and Perplexity) and plugin APIs (for GPT-4 and Claude). As LLMs are increasingly used to rank third-party content, we expect Preference Manipulation Attacks to emerge as a significant threat.
