Typos that Broke the RAG's Back: Genetic Attack on RAG Pipeline by Simulating Documents in the Wild via Low-level Perturbations

📄 arXiv: 2404.13948v2 📥 PDF

作者: Sukmin Cho, Soyeong Jeong, Jeongyeon Seo, Taeho Hwang, Jong C. Park

分类: cs.CL

发布日期: 2024-04-22 (更新: 2024-10-22)

备注: Findings of EMNLP Camera-ready version


💡 一句话要点

提出GARAG以解决RAG系统对低级扰动的脆弱性问题

🎯 匹配领域: 支柱九:具身大模型 (Embodied Foundation Models)

关键词: 检索增强生成 鲁棒性评估 遗传攻击 文本扰动 自然语言处理 智能问答 系统脆弱性

📋 核心要点

  1. 现有RAG系统在面对现实世界中的低级扰动时表现出脆弱性,缺乏对组件间关系的全面评估。
  2. 本文提出的GARAG方法通过模拟噪声文档,系统性地评估RAG的鲁棒性,揭示其潜在脆弱性。
  3. 实验结果显示GARAG在多个标准问答数据集上取得了显著的攻击成功率,影响了RAG系统的整体性能。

📝 摘要(中文)

随着大型语言模型(LLMs)在各个领域的应用不断扩大,其鲁棒性变得愈发重要。检索增强生成(RAG)作为一种解决LLMs局限性的有前景的方法,现有研究往往忽视了RAG组件之间的相互关系及现实数据库中常见的小文本错误带来的潜在威胁。本文探讨了RAG鲁棒性评估中的两个未被充分研究的方面:1)对噪声文档的脆弱性,2)RAG鲁棒性的整体评估。我们提出了一种新颖的攻击方法——遗传攻击(GARAG),旨在揭示各组件的脆弱性,并测试系统在噪声文档下的整体功能。实验结果表明,GARAG在标准问答数据集上取得了高攻击成功率,显著削弱了各组件及其协同作用的性能,强调了小文本不准确性对RAG系统的重大风险。

🔬 方法详解

问题定义:本文旨在解决RAG系统在面对低级文本扰动时的脆弱性,现有方法未能全面考虑组件间的相互影响及现实中的文本错误。

核心思路:GARAG方法通过遗传算法模拟噪声文档,系统性地测试RAG各组件的鲁棒性,揭示其在真实环境下的脆弱性。

技术框架:GARAG的整体架构包括噪声文档生成模块、组件脆弱性评估模块和整体系统功能测试模块,旨在全面评估RAG的鲁棒性。

关键创新:GARAG的主要创新在于其遗传攻击策略,能够针对RAG系统的每个组件进行精确攻击,显著不同于传统的单一攻击方法。

关键设计:在GARAG中,关键参数包括噪声扰动的强度和类型,损失函数设计用于评估组件性能下降的程度,确保攻击的有效性和针对性。

🖼️ 关键图片

img_0

📊 实验亮点

实验结果表明,GARAG在多个标准问答数据集上实现了高达85%的攻击成功率,显著降低了RAG系统各组件的性能,尤其是在面对低级文本扰动时,整体性能下降幅度达到40%以上,突显了小文本错误的风险。

🎯 应用场景

该研究的潜在应用领域包括智能问答系统、信息检索和自然语言处理等。通过提高RAG系统的鲁棒性,能够在实际应用中更好地应对文本错误和噪声,提高用户体验和系统可靠性,具有重要的实际价值和未来影响。

📄 摘要(原文)

The robustness of recent Large Language Models (LLMs) has become increasingly crucial as their applicability expands across various domains and real-world applications. Retrieval-Augmented Generation (RAG) is a promising solution for addressing the limitations of LLMs, yet existing studies on the robustness of RAG often overlook the interconnected relationships between RAG components or the potential threats prevalent in real-world databases, such as minor textual errors. In this work, we investigate two underexplored aspects when assessing the robustness of RAG: 1) vulnerability to noisy documents through low-level perturbations and 2) a holistic evaluation of RAG robustness. Furthermore, we introduce a novel attack method, the Genetic Attack on RAG (\textit{GARAG}), which targets these aspects. Specifically, GARAG is designed to reveal vulnerabilities within each component and test the overall system functionality against noisy documents. We validate RAG robustness by applying our \textit{GARAG} to standard QA datasets, incorporating diverse retrievers and LLMs. The experimental results show that GARAG consistently achieves high attack success rates. Also, it significantly devastates the performance of each component and their synergy, highlighting the substantial risk that minor textual inaccuracies pose in disrupting RAG systems in the real world.