Generating Is Believing: Membership Inference Attacks against Retrieval-Augmented Generation

TL;DR

This paper introduces S$^2$MIA, a novel membership inference attack targeting RAG systems, revealing significant privacy vulnerabilities in external databases used by large language models.

Contribution

The paper presents S$^2$MIA, the first attack leveraging semantic similarity to breach membership privacy in RAG systems, and evaluates its effectiveness against existing defenses.

Findings

S$^2$MIA outperforms five existing MIAs in inference accuracy.

It can bypass three common privacy defenses.

The attack exposes substantial privacy risks in RAG external databases.

Abstract

Retrieval-Augmented Generation (RAG) is a state-of-the-art technique that mitigates issues such as hallucinations and knowledge staleness in Large Language Models (LLMs) by retrieving relevant knowledge from an external database to assist in content generation. Existing research has demonstrated potential privacy risks associated with the LLMs of RAG. However, the privacy risks posed by the integration of an external database, which often contains sensitive data such as medical records or personal identities, have remained largely unexplored. In this paper, we aim to bridge this gap by focusing on membership privacy of RAG's external database, with the aim of determining whether a given sample is part of the RAG's database. Our basic idea is that if a sample is in the external database, it will exhibit a high degree of semantic similarity to the text generated by the RAG system. We present S$^2$MIA, a \underline{M}embership \underline{I}nference \underline{A}ttack that utilizes the \underline{S}emantic \underline{S}imilarity between a given sample and the content generated by the RAG system. With our proposed S$^2$MIA, we demonstrate the potential to breach the membership privacy of the RAG database. Extensive experiment results demonstrate that S$^2$MIA can achieve a strong inference performance compared with five existing MIAs, and is able to escape from the protection of three representative defenses.