Categories: CR, IR, LG
Apr 4, 2025

Practical Poisoning Attacks against Retrieval-Augmented Generation

arXiv:2504.03957v1 | 28 citations | h-index: 6
Originality: Incremental advance
AI Analysis

This work addresses a security problem for users of RAG systems by demonstrating a single-text poisoning attack that is more practical and stealthier than prior multi-text attacks, though it is incremental in that it builds directly on earlier RAG poisoning research.

The paper tackles the vulnerability of Retrieval-Augmented Generation (RAG) systems to poisoning attacks by proposing CorruptRAG, a method that injects only a single poisoned text to achieve higher attack success rates than existing baselines in experiments across multiple datasets.

Large language models (LLMs) have demonstrated impressive natural language processing abilities but face challenges such as hallucination and outdated knowledge. Retrieval-Augmented Generation (RAG) has emerged as a state-of-the-art approach to mitigate these issues. While RAG enhances LLM outputs, it remains vulnerable to poisoning attacks. Recent studies show that injecting poisoned text into the knowledge database can compromise RAG systems, but most existing attacks assume that the attacker can insert a sufficient number of poisoned texts per query to outnumber correct-answer texts in retrieval, an assumption that is often unrealistic. To address this limitation, we propose CorruptRAG, a practical poisoning attack against RAG systems in which the attacker injects only a single poisoned text, enhancing both feasibility and stealth. Extensive experiments across multiple datasets demonstrate that CorruptRAG achieves higher attack success rates compared to existing baselines.
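The retrieval-side assumption the abstract criticises, that poisoned texts must outnumber correct-answer texts in the retrieved top-k, can be made concrete with a toy pipeline. The following is an added example, not code from the paper or from any baseline it compares against; it does not implement CorruptRAG, whose single-text construction the page does not describe. It assumes a bag-of-words cosine retriever as a stand-in for a dense embedding model, a majority-vote reader as a stand-in for an LLM that follows the majority of its context, a poisoned-text layout that repeats the query verbatim so the retriever ranks it highly (assumed, as a common construction in earlier attacks), and a constructed eight-passage knowledge base. Names such as `run_attack` and `min_poison_for_success` are this example's own.

```python
"""Toy RAG retrieval model illustrating the "poisoned texts must outnumber
correct texts in the retrieved top-k" assumption of earlier poisoning attacks.

Added example, not code from the paper. Assumptions: the retriever is a
bag-of-words cosine ranker (stand-in for a dense embedding model) and the
reader is a majority vote over the answers stated in the retrieved passages
(stand-in for an LLM that follows the majority of its context). The corpus
below is constructed for this example.
"""
import math
import re
from collections import Counter

QUERY = "Which port does HTTPS use by default?"
CORRECT_ANSWER = "443"
TARGET_ANSWER = "8443"  # what the attacker wants the RAG system to answer

# Constructed knowledge base: five passages supporting the correct answer and
# three unrelated filler passages.
CORPUS = [
    {"text": "HTTPS uses port 443 by default.", "answer": "443"},
    {"text": "By default, HTTPS is served on port 443.", "answer": "443"},
    {"text": "The default port for HTTPS is 443.", "answer": "443"},
    {"text": "Web servers use port 443 for HTTPS by default.", "answer": "443"},
    {"text": "Port 443 is the default HTTPS port.", "answer": "443"},
    {"text": "SSH servers listen on port 22.", "answer": "22"},
    {"text": "DNS queries go to port 53 over UDP.", "answer": "53"},
    {"text": "SMTP submission commonly runs on port 587.", "answer": "587"},
]


def tokenize(text):
    return re.findall(r"[a-z0-9]+", text.lower())


def cosine(a, b):
    """Cosine similarity between two token-count vectors."""
    dot = sum(a[t] * b[t] for t in a if t in b)
    na = math.sqrt(sum(v * v for v in a.values()))
    nb = math.sqrt(sum(v * v for v in b.values()))
    return dot / (na * nb) if na and nb else 0.0


def retrieve(query, corpus, k):
    """Top-k passages by bag-of-words cosine similarity to the query."""
    q = Counter(tokenize(query))
    ranked = sorted(corpus, key=lambda p: cosine(q, Counter(tokenize(p["text"]))),
                    reverse=True)
    return ranked[:k]


def majority_answer(passages):
    """Stand-in reader: the answer stated by the most retrieved passages."""
    return Counter(p["answer"] for p in passages).most_common(1)[0][0]


def poisoned_passage(query, target_answer):
    """Poisoned text of the kind earlier multi-text attacks inject: it repeats
    the query so the retriever ranks it highly, then states the attacker's
    answer (layout assumed for this example)."""
    return {"text": f"{query} The answer is {target_answer}.",
            "answer": target_answer, "poisoned": True}


def run_attack(query, corpus, target_answer, n_poison, k):
    """Inject n_poison copies of the poisoned text and return
    (answer produced, number of poisoned passages in the top-k)."""
    poisoned_corpus = corpus + [poisoned_passage(query, target_answer)
                                for _ in range(n_poison)]
    top_k = retrieve(query, poisoned_corpus, k)
    return majority_answer(top_k), sum(1 for p in top_k if p.get("poisoned"))


def min_poison_for_success(query, corpus, target_answer, k):
    """Smallest injection budget at which the majority-vote reader flips."""
    for n in range(1, k + 1):
        answer, _ = run_attack(query, corpus, target_answer, n, k)
        if answer == target_answer:
            return n
    return None


if __name__ == "__main__":
    for n in range(1, 4):
        print(n, run_attack(QUERY, CORPUS, TARGET_ANSWER, n, k=5))
    print("budget needed:", min_poison_for_success(QUERY, CORPUS, TARGET_ANSWER, k=5))
```

With k=5 the poisoned texts always rank first, but one or two of them are still outvoted by the four or three correct passages that fill the rest of the context; the reader only flips once three poisoned copies are injected, i.e. a majority of the top-k. That per-query budget is exactly what the paper calls unrealistic, and what a single-text attack must do without.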
