PoisonedRAG: Knowledge Corruption Attacks to Retrieval-Augmented Generation of Large Language Models
作者: Wei Zou, Runpeng Geng, Binghui Wang, Jinyuan Jia
分类: cs.CR, cs.LG
发布日期: 2024-02-12 (更新: 2024-08-13)
备注: To appear in USENIX Security Symposium 2025. The code is available at https://github.com/sleeepeer/PoisonedRAG
💡 一句话要点
提出PoisonedRAG以解决RAG系统的知识腐蚀攻击问题
🎯 匹配领域: 支柱九:具身大模型 (Embodied Foundation Models)
关键词: 知识腐蚀攻击 检索增强生成 大型语言模型 安全性研究 优化算法
📋 核心要点
- 现有RAG系统在安全性方面的研究较少,知识数据库成为新的攻击面。
- 本文提出PoisonedRAG,通过向知识数据库注入恶意文本,诱导LLM生成特定答案。
- 实验结果显示,PoisonedRAG在注入少量恶意文本时,攻击成功率高达90%。
📝 摘要(中文)
大型语言模型(LLMs)因其卓越的生成能力而取得了显著成功,但仍存在知识更新不足和幻觉等固有局限性。检索增强生成(RAG)技术旨在通过从知识数据库中检索外部知识来缓解这些问题。然而,现有研究主要集中在提高RAG的准确性或效率上,安全性研究相对缺乏。本文提出了PoisonedRAG,首次针对RAG的知识腐蚀攻击,攻击者可以向知识数据库注入恶意文本,从而诱导LLM生成攻击者选择的目标答案。我们将知识腐蚀攻击形式化为优化问题,并根据攻击者的背景知识提出了两种解决方案。实验结果表明,PoisonedRAG在向包含数百万文本的知识数据库注入五个恶意文本时,攻击成功率可达90%。
🔬 方法详解
问题定义:本文解决的是RAG系统中知识数据库的安全性问题,现有方法未能充分考虑知识腐蚀攻击的风险。
核心思路:提出PoisonedRAG,利用优化算法生成恶意文本,注入知识数据库以操控LLM的输出。
技术框架:整体框架包括知识数据库的构建、恶意文本的生成和注入、以及LLM的回答生成三个主要模块。
关键创新:PoisonedRAG是首个针对RAG的知识腐蚀攻击方法,创新性地将攻击形式化为优化问题,提供了系统化的攻击策略。
关键设计:在优化过程中,考虑了攻击者的背景知识,设计了黑箱和白箱两种不同的攻击方案,确保在不同环境下的有效性。实验中使用了特定的损失函数来评估恶意文本的有效性。
🖼️ 关键图片
📊 实验亮点
实验结果表明,PoisonedRAG在向知识数据库注入五个恶意文本时,攻击成功率高达90%。这一结果显著高于现有防御机制的效果,突显了当前防御措施的不足,强调了对新防御策略的需求。
🎯 应用场景
该研究的潜在应用领域包括安全性要求高的自然语言处理系统,如智能助手、在线问答系统等。通过识别和防御知识腐蚀攻击,可以提高这些系统的安全性和可靠性,确保用户获得准确的信息。未来,研究成果可推动RAG系统的安全防护技术发展。
📄 摘要(原文)
Large language models (LLMs) have achieved remarkable success due to their exceptional generative capabilities. Despite their success, they also have inherent limitations such as a lack of up-to-date knowledge and hallucination. Retrieval-Augmented Generation (RAG) is a state-of-the-art technique to mitigate these limitations. The key idea of RAG is to ground the answer generation of an LLM on external knowledge retrieved from a knowledge database. Existing studies mainly focus on improving the accuracy or efficiency of RAG, leaving its security largely unexplored. We aim to bridge the gap in this work. We find that the knowledge database in a RAG system introduces a new and practical attack surface. Based on this attack surface, we propose PoisonedRAG, the first knowledge corruption attack to RAG, where an attacker could inject a few malicious texts into the knowledge database of a RAG system to induce an LLM to generate an attacker-chosen target answer for an attacker-chosen target question. We formulate knowledge corruption attacks as an optimization problem, whose solution is a set of malicious texts. Depending on the background knowledge (e.g., black-box and white-box settings) of an attacker on a RAG system, we propose two solutions to solve the optimization problem, respectively. Our results show PoisonedRAG could achieve a 90% attack success rate when injecting five malicious texts for each target question into a knowledge database with millions of texts. We also evaluate several defenses and our results show they are insufficient to defend against PoisonedRAG, highlighting the need for new defenses.