Rescuing the Unpoisoned: Efficient Defense against Knowledge Corruption Attacks on RAG Systems

TL;DR

This paper introduces RAGDefender, a resource-efficient post-retrieval defense mechanism for RAG systems that effectively detects and filters adversarial content, significantly reducing attack success rates without additional training costs.

Contribution

RAGDefender is a novel lightweight defense method operating during post-retrieval, outperforming existing defenses in efficiency and effectiveness against knowledge corruption attacks in RAG systems.

Findings

RAGDefender reduces attack success rate from 0.89 to 0.02 on Gemini model.

It outperforms RobustRAG and Discern-and-Answer in adversarial scenarios.

Operates without additional training or inference costs.

Abstract

Large language models (LLMs) are reshaping numerous facets of our daily lives, leading widespread adoption as web-based services. Despite their versatility, LLMs face notable challenges, such as generating hallucinated content and lacking access to up-to-date information. Lately, to address such limitations, Retrieval-Augmented Generation (RAG) has emerged as a promising direction by generating responses grounded in external knowledge sources. A typical RAG system consists of i) a retriever that probes a group of relevant passages from a knowledge base and ii) a generator that formulates a response based on the retrieved content. However, as with other AI systems, recent studies demonstrate the vulnerability of RAG, such as knowledge corruption attacks by injecting misleading information. In response, several defense strategies have been proposed, including having LLMs inspect the retrieved passages individually or fine-tuning robust retrievers. While effective, such approaches often come with substantial computational costs. In this work, we introduce RAGDefender, a resource-efficient defense mechanism against knowledge corruption (i.e., by data poisoning) attacks in practical RAG deployments. RAGDefender operates during the post-retrieval phase, leveraging lightweight machine learning techniques to detect and filter out adversarial content without requiring additional model training or inference. Our empirical evaluations show that RAGDefender consistently outperforms existing state-of-the-art defenses across multiple models and adversarial scenarios: e.g., RAGDefender reduces the attack success rate (ASR) against the Gemini model from 0.89 to as low as 0.02, compared to 0.69 for RobustRAG and 0.24 for Discern-and-Answer when adversarial passages outnumber legitimate ones by a factor of four (4x).