RAGFort: Dual-Path Defense Against Proprietary Knowledge Base Extraction in Retrieval-Augmented Generation

TL;DR

RAGFort introduces a dual-path defense mechanism for retrieval-augmented generation systems, effectively protecting proprietary knowledge bases from reconstruction attacks by combining inter-class and intra-class defenses.

Contribution

It proposes RAGFort, a novel structure-aware dual-module defense that jointly protects both intra-class and inter-class paths in RAG systems, enhancing security against knowledge extraction.

Findings

Significantly reduces reconstruction success rates.

Maintains high answer quality and robustness.

Effective against diverse attack strategies.

Abstract

Retrieval-Augmented Generation (RAG) systems deployed over proprietary knowledge bases face growing threats from reconstruction attacks that aggregate model responses to replicate knowledge bases. Such attacks exploit both intra-class and inter-class paths, progressively extracting fine-grained knowledge within topics and diffusing it across semantically related ones, thereby enabling comprehensive extraction of the original knowledge base. However, existing defenses target only one path, leaving the other unprotected. We conduct a systematic exploration to assess the impact of protecting each path independently and find that joint protection is essential for effective defense. Based on this, we propose RAGFort, a structure-aware dual-module defense combining "contrastive reindexing" for inter-class isolation and "constrained cascade generation" for intra-class protection. Experiments across security, performance, and robustness confirm that RAGFort significantly reduces reconstruction success while preserving answer quality, offering comprehensive defense against knowledge base extraction attacks.