Human-Imperceptible Retrieval Poisoning Attacks in LLM-Powered Applications
Quan Zhang, Binqi Zeng, Chijin Zhou, Gwihwan Go, Heyuan Shi, Yu Jiang

TL;DR
This paper identifies a new security threat called retrieval poisoning in LLM-powered applications, where attackers craft imperceptible malicious documents to mislead retrieval-augmented generation, with high success rates demonstrated in experiments.
Contribution
The paper introduces the concept of retrieval poisoning, analyzes the mechanism that enables it in LLM application frameworks, and empirically demonstrates its high success rate and the risks it poses.
Findings
Attackers can craft visually indistinguishable malicious documents.
Retrieval poisoning achieves an 88.33% success rate in misleading LLMs.
Retrieval poisoning achieves a 66.67% success rate in real-world application scenarios.
Abstract
Presently, with the assistance of advanced LLM application development frameworks, more and more LLM-powered applications can effortlessly augment the LLMs' knowledge with external content using the retrieval-augmented generation (RAG) technique. However, the designs of these frameworks do not sufficiently consider the risk posed by external content, thereby allowing attackers to undermine the applications developed with them. In this paper, we reveal a new threat to LLM-powered applications, termed retrieval poisoning, where attackers can guide the application to yield malicious responses during the RAG process. Specifically, through analysis of LLM application frameworks, attackers can craft documents that are visually indistinguishable from benign ones. Despite the documents providing correct information, once they are used as reference sources for RAG, the application is…
