Riddle Me This! Stealthy Membership Inference for Retrieval-Augmented Generation

TL;DR

This paper introduces a stealthy membership inference attack on Retrieval-Augmented Generation systems, showing it can accurately identify documents with minimal queries and low cost, surpassing prior methods in stealth and effectiveness.

Contribution

The paper presents Interrogation Attack, a novel natural-language query-based membership inference method that is more stealthy, efficient, and effective than existing approaches for RAG systems.

Findings

Achieves 2x higher true positive rate at 1% false positive rate compared to prior attacks.

Operates with only 30 queries per document, maintaining stealth.

Costs less than $0.02 per document inference, demonstrating high efficiency.

Abstract

Retrieval-Augmented Generation (RAG) enables Large Language Models (LLMs) to generate grounded responses by leveraging external knowledge databases without altering model parameters. Although the absence of weight tuning prevents leakage via model parameters, it introduces the risk of inference adversaries exploiting retrieved documents in the model's context. Existing methods for membership inference and data extraction often rely on jailbreaking or carefully crafted unnatural queries, which can be easily detected or thwarted with query rewriting techniques common in RAG systems. In this work, we present Interrogation Attack (IA), a membership inference technique targeting documents in the RAG datastore. By crafting natural-text queries that are answerable only with the target document's presence, our approach demonstrates successful inference with just 30 queries while remaining stealthy; straightforward detectors identify adversarial prompts from existing methods up to ~76x more frequently than those generated by our attack. We observe a 2x improvement in TPR@1%FPR over prior inference attacks across diverse RAG configurations, all while costing less than $0.02 per document inference.