Defending Against Knowledge Poisoning Attacks During Retrieval-Augmented Generation

TL;DR

This paper addresses the vulnerability of Retrieval-Augmented Generation systems to knowledge poisoning attacks and proposes novel filtering methods to defend against adversarial data injection, maintaining system performance.

Contribution

It introduces FilterRAG and ML-FilterRAG, new defense techniques that effectively detect and filter adversarial texts in knowledge sources for RAG models.

Findings

The proposed methods effectively mitigate PoisonedRAG attacks.

Evaluation shows close performance to original RAG systems.

New property to differentiate adversarial from clean texts.

Abstract

Retrieval-Augmented Generation (RAG) has emerged as a powerful approach to boost the capabilities of large language models (LLMs) by incorporating external, up-to-date knowledge sources. However, this introduces a potential vulnerability to knowledge poisoning attacks, where attackers can compromise the knowledge source to mislead the generation model. One such attack is the PoisonedRAG in which the injected adversarial texts steer the model to generate an attacker-chosen response to a target question. In this work, we propose novel defense methods, FilterRAG and ML-FilterRAG, to mitigate the PoisonedRAG attack. First, we propose a new property to uncover distinct properties to differentiate between adversarial and clean texts in the knowledge data source. Next, we employ this property to filter out adversarial texts from clean ones in the design of our proposed approaches. Evaluation of these methods using benchmark datasets demonstrate their effectiveness, with performances close to those of the original RAG systems.