Analyzing Adversarial Attacks on Sequence-to-Sequence Relevance Models

TL;DR

This paper investigates how adversarial prompt injections can manipulate sequence-to-sequence relevance models like monoT5, revealing vulnerabilities that do not affect traditional lexical models like BM25.

Contribution

It introduces the first analysis of prompt injection attacks on sequence-to-sequence relevance models and demonstrates their susceptibility through experiments on TREC data.

Findings

Adversarial documents can easily manipulate seq2seq relevance models.

BM25 remains unaffected by prompt injection attacks.

Encoder-only models are less affected but still vulnerable.

Abstract

Modern sequence-to-sequence relevance models like monoT5 can effectively capture complex textual interactions between queries and documents through cross-encoding. However, the use of natural language tokens in prompts, such as Query, Document, and Relevant for monoT5, opens an attack vector for malicious documents to manipulate their relevance score through prompt injection, e.g., by adding target words such as true. Since such possibilities have not yet been considered in retrieval evaluation, we analyze the impact of query-independent prompt injection via manually constructed templates and LLM-based rewriting of documents on several existing relevance models. Our experiments on the TREC Deep Learning track show that adversarial documents can easily manipulate different sequence-to-sequence relevance models, while BM25 (as a typical lexical model) is not affected. Remarkably, the attacks also affect encoder-only relevance models (which do not rely on natural language prompt tokens), albeit to a lesser extent.