UniC-RAG: Universal Knowledge Corruption Attacks to Retrieval-Augmented Generation

TL;DR

UniC-RAG introduces a universal attack method that efficiently corrupts knowledge bases in retrieval-augmented generation systems, enabling broad and effective malicious query manipulations across diverse domains.

Contribution

This work presents UniC-RAG, a novel optimization-based universal attack that jointly crafts adversarial texts to target multiple queries simultaneously, surpassing prior query-specific attack methods.

Findings

Achieves over 90% attack success rate with 100 adversarial texts.

Effectively attacks large query sets, e.g., 2,000 queries.

Existing defenses are inadequate against UniC-RAG.

Abstract

Retrieval-augmented generation (RAG) systems are widely deployed in real-world applications in diverse domains such as finance, healthcare, and cybersecurity. However, many studies showed that they are vulnerable to knowledge corruption attacks, where an attacker can inject adversarial texts into the knowledge database of a RAG system to induce the LLM to generate attacker-desired outputs. Existing studies mainly focus on attacking specific queries or queries with similar topics (or keywords). In this work, we propose UniC-RAG, a universal knowledge corruption attack against RAG systems. Unlike prior work, UniC-RAG jointly optimizes a small number of adversarial texts that can simultaneously attack a large number of user queries with diverse topics and domains, enabling an attacker to achieve various malicious objectives, such as directing users to malicious websites, triggering harmful command execution, or launching denial-of-service attacks. We formulate UniC-RAG as an optimization problem and further design an effective solution to solve it, including a balanced similarity-based clustering method to enhance the attack's effectiveness. Our extensive evaluations demonstrate that UniC-RAG is highly effective and significantly outperforms baselines. For instance, UniC-RAG could achieve over 90% attack success rate by injecting 100 adversarial texts into a knowledge database with millions of texts to simultaneously attack a large set of user queries (e.g., 2,000). Additionally, we evaluate existing defenses and show that they are insufficient to defend against UniC-RAG, highlighting the need for new defense mechanisms in RAG systems.