RefineRAG: Word-Level Poisoning Attacks via Retriever-Guided Text Refinement
This work addresses a critical security problem for RAG-enhanced LLMs by exposing a severe practical threat through transferable attacks, representing a novel method for a known bottleneck.
The paper tackles the vulnerability of Retrieval-Augmented Generation (RAG) systems to knowledge poisoning attacks by proposing RefineRAG, a framework that refines attacks at the word-level to evade detection, achieving a 90% Attack Success Rate on NQ with low grammar errors and repetition rates.
Retrieval-Augmented Generation (RAG) significantly enhances Large Language Models (LLMs), but simultaneously exposes a critical vulnerability to knowledge poisoning attacks. Existing attack methods like PoisonedRAG remain detectable due to coarse-grained separate-and-concatenate strategies. To bridge this gap, we propose RefineRAG, a novel framework that treats poisoning as a holistic word-level refinement problem. It operates in two stages: Macro Generation produces toxic seeds guaranteed to induce target answers, while Micro Refinement employs a retriever-in-the-loop optimization to maximize retrieval priority without compromising naturalness. Evaluations on NQ and MSMARCO demonstrate that RefineRAG achieves state-of-the-art effectiveness, securing a 90% Attack Success Rate on NQ, while registering the lowest grammar errors and repetition rates among all baselines. Crucially, our proxy-optimized attacks successfully transfer to black-box victim systems, highlighting a severe practical threat.