The Ranking Blind Spot: Decision Hijacking in LLM-based Text Ranking
This exposes a security vulnerability in LLM-based information retrieval systems, posing risks for users relying on unbiased rankings, and is incremental in revealing specific attack vectors.
The research identifies a 'Ranking Blind Spot' in LLMs that allows malicious content providers to hijack decision processes in text ranking systems, demonstrating attacks that effectively manipulate document positioning across various LLMs and ranking schemes, with stronger LLMs being more vulnerable.
Large Language Models (LLMs) have demonstrated strong performance in information retrieval tasks like passage ranking. Our research examines how instruction-following capabilities in LLMs interact with multi-document comparison tasks, identifying what we term the "Ranking Blind Spot", a characteristic of LLM decision processes during comparative evaluation. We analyze how this ranking blind spot affects LLM evaluation systems through two approaches: Decision Objective Hijacking, which alters the evaluation goal in pairwise ranking systems, and Decision Criteria Hijacking, which modifies relevance standards across ranking schemes. These approaches demonstrate how content providers could potentially influence LLM-based ranking systems to affect document positioning. These attacks aim to force the LLM ranker to prefer a specific passage and rank it at the top. Malicious content providers can exploit this weakness, which helps them gain additional exposure by attacking the ranker. In our experiment, We empirically show that the proposed attacks are effective in various LLMs and can be generalized to multiple ranking schemes. We apply these attack to realistic examples to show their effectiveness. We also found stronger LLMs are more vulnerable to these attacks. Our code is available at: https://github.com/blindspotorg/RankingBlindSpot