"Glue pizza and eat rocks" -- Exploiting Vulnerabilities in Retrieval-Augmented Generative Models
Zhen Tan, Chengshuai Zhao, Raha Moraffah, Yifan Li, Song Wang, Jundong Li, Tianlong Chen, Huan Liu

TL;DR
This paper reveals security vulnerabilities in Retrieval-Augmented Generative models by showing how adversaries can manipulate external knowledge bases to alter model outputs, highlighting the need for improved security measures.
Contribution
It introduces a novel security threat in RAG models where adversaries can inject deceptive data into knowledge bases without knowing user queries or model parameters.
Findings
Adversaries can successfully manipulate RAG outputs through crafted content.
The attack does not require knowledge of user queries or model parameters.
Security vulnerabilities pose significant risks to RAG system integrity.
Abstract
Retrieval-Augmented Generative (RAG) models enhance Large Language Models (LLMs) by integrating external knowledge bases, improving their performance in applications like fact-checking and information searching. In this paper, we demonstrate a security threat where adversaries can exploit the openness of these knowledge bases by injecting deceptive content into the retrieval database, intentionally changing the model's behavior. This threat is critical as it mirrors real-world usage scenarios where RAG systems interact with publicly accessible knowledge bases, such as web scrapings and user-contributed data pools. We target a realistic setting where the adversary has no knowledge of users' queries, knowledge base data, or the LLM parameters. We demonstrate that it is possible to exploit the model successfully through crafted content uploads with access to the…
Taxonomy
Topics: Topic Modeling · Natural Language Processing Techniques
Methods: Attention Is All You Need · Linear Layer · Weight Decay · Residual Connection · Multi-Head Attention · WordPiece · Softmax · Layer Normalization · Byte Pair Encoding
