CR | AI | CL | IR | LG | Feb 1, 2025

Riddle Me This! Stealthy Membership Inference for Retrieval-Augmented Generation

arXiv:2502.00306v2 | 22 citations | h-index: 11 | CCS
Originality: Incremental advance
AI Analysis

This paper addresses a security vulnerability in RAG systems that is relevant to AI practitioners, offering a stealthy attack method that is an incremental advance over prior work.

The paper tackles membership inference attacks on documents in Retrieval-Augmented Generation (RAG) systems, where existing methods are detectable. It demonstrates that its Interrogation Attack (IA) achieves successful inference with 30 queries, is 76x stealthier, and improves TPR@1%FPR by 2x at a cost of less than $0.02 per document.

Retrieval-Augmented Generation (RAG) enables Large Language Models (LLMs) to generate grounded responses by leveraging external knowledge databases without altering model parameters. Although the absence of weight tuning prevents leakage via model parameters, it introduces the risk of inference adversaries exploiting retrieved documents in the model's context. Existing methods for membership inference and data extraction often rely on jailbreaking or carefully crafted unnatural queries, which can be easily detected or thwarted with query rewriting techniques common in RAG systems. In this work, we present Interrogation Attack (IA), a membership inference technique targeting documents in the RAG datastore. By crafting natural-text queries that are answerable only with the target document's presence, our approach demonstrates successful inference with just 30 queries while remaining stealthy; straightforward detectors identify adversarial prompts from existing methods up to ~76x more frequently than those generated by our attack. We observe a 2x improvement in TPR@1%FPR over prior inference attacks across diverse RAG configurations, all while costing less than $0.02 per document inference.

Code Implementations: 1 repo