Can You Trust the Vectors in Your Vector Database? Black-Hole Attack from Embedding Space Defects
This exposes a critical security flaw in AI retrieval systems, highlighting that geometric defects in embeddings make them inherently vulnerable to attacks.
The paper tackles the security vulnerability of vector databases by proposing the Black-Hole Attack, a poisoning method that injects malicious vectors near the centroid to hijack top-k retrieval results, achieving up to 99.85% success in top-10 results.
Vector databases serve as the retrieval backbone of modern AI applications, yet their security remains largely unexplored. We propose the Black-Hole Attack, a poisoning attack that injects a small number of malicious vectors near the geometric center of the stored vectors. These injected vectors attract queries like a black hole and frequently appear in the top-k retrieval results for most queries. This attack is enabled by a phenomenon we term centrality-driven hubness: in high-dimensional embedding spaces, vectors near the centroid become nearest neighbors of a disproportionately large number of other vectors, while this centroid region is nearly empty in practice. The attack shows that vectors in a vector database cannot be blindly trusted: geometric defects in high-dimensional embeddings make retrieval inherently vulnerable. Our experiments show that malicious vectors appear in up to 99.85% of top-10 results. Additionally, we evaluate existing hubness mitigation methods as potential defenses against the Black-Hole Attack. The results show that these methods either significantly reduce retrieval accuracy or provide limited protection, which indicates the need for more robust defenses against the Black-Hole Attack.