PoisonArena: Uncovering Competing Poisoning Attacks in Retrieval-Augmented Generation

TL;DR

PoisonArena introduces a benchmark for evaluating competing poisoning attacks in Retrieval-Augmented Generation systems, revealing the limitations of existing methods and emphasizing the importance of multi-adversary scenarios for robust defense development.

Contribution

This work formalizes a multi-attacker threat model for RAG systems and provides the first benchmark to evaluate competing poisoning attacks in realistic adversarial environments.

Findings

Many isolated attack strategies fail under competitive pressure.

Traditional metrics like ASR and F1 are insufficient for real-world robustness.

PoisonArena enables standardized benchmarking for future defenses.

Abstract

Retrieval-Augmented Generation (RAG) systems, widely used to improve the factual grounding of large language models (LLMs), are increasingly vulnerable to poisoning attacks, where adversaries inject manipulated content into the retriever's corpus. While prior research has predominantly focused on single-attacker settings, real-world scenarios often involve multiple, competing attackers with conflicting objectives. In this work, we introduce PoisonArena, the first benchmark to systematically study and evaluate competing poisoning attacks in RAG. We formalize the multi-attacker threat model, where attackers vie to control the answer to the same query using mutually exclusive misinformation. PoisonArena leverages the Bradley-Terry model to quantify each method's competitive effectiveness in such adversarial environments. Through extensive experiments on the Natural Questions and MS MARCO datasets, we demonstrate that many attack strategies successful in isolation fail under competitive pressure. Our findings highlight the limitations of conventional evaluation metrics like Attack Success Rate (ASR) and F1 score and underscore the need for competitive evaluation to assess real-world attack robustness. PoisonArena provides a standardized framework to benchmark and develop future attack and defense strategies under more realistic, multi-adversary conditions.