Poisoned-MRAG: Knowledge Poisoning Attacks to Multimodal Retrieval Augmented Generation
This work exposes a critical security threat to multimodal RAG systems, which are increasingly used for visual reasoning, by demonstrating a scalable attack that existing defenses struggle to mitigate.
The paper tackles the vulnerability of multimodal retrieval-augmented generation (RAG) systems by introducing Poisoned-MRAG, a knowledge poisoning attack that injects malicious image-text pairs to manipulate model responses, achieving up to 98% attack success rate with only five injected pairs.
Multimodal retrieval-augmented generation (RAG) enhances the visual reasoning capability of vision-language models (VLMs) by dynamically accessing information from external knowledge bases. In this work, we introduce \textit{Poisoned-MRAG}, the first knowledge poisoning attack on multimodal RAG systems. Poisoned-MRAG injects a few carefully crafted image-text pairs into the multimodal knowledge database, manipulating VLMs to generate the attacker-desired response to a target query. Specifically, we formalize the attack as an optimization problem and propose two cross-modal attack strategies, dirty-label and clean-label, tailored to the attacker's knowledge and goals. Our extensive experiments across multiple knowledge databases and VLMs show that Poisoned-MRAG outperforms existing methods, achieving up to 98\% attack success rate with just five malicious image-text pairs injected into the InfoSeek database (481,782 pairs). Additionally, We evaluate 4 different defense strategies, including paraphrasing, duplicate removal, structure-driven mitigation, and purification, demonstrating their limited effectiveness and trade-offs against Poisoned-MRAG. Our results highlight the effectiveness and scalability of Poisoned-MRAG, underscoring its potential as a significant threat to multimodal RAG systems.