MIRAGE: Misleading Retrieval-Augmented Generation via Black-box and Query-agnostic Poisoning Attacks

TL;DR

This paper introduces MIRAGE, a novel black-box poisoning attack on RAG systems that effectively manipulates external knowledge sources to mislead language models without requiring white-box access or knowledge of user queries.

Contribution

MIRAGE is a new multi-stage poisoning pipeline that operates in black-box, query-agnostic settings, using surrogate feedback and innovative techniques to enhance attack success and stealth.

Findings

MIRAGE outperforms existing attacks in effectiveness and stealth.

The attack demonstrates high transferability across different models.

Extensive experiments confirm MIRAGE's ability to manipulate RAG systems effectively.

Abstract

Retrieval-Augmented Generation (RAG) systems enhance LLMs with external knowledge but introduce a critical attack surface: corpus poisoning. While recent studies have demonstrated the potential of such attacks, they typically rely on impractical assumptions, such as white-box access or known user queries, thereby underestimating the difficulty of real-world exploitation. In this paper, we bridge this gap by proposing MIRAGE, a novel multi-stage poisoning pipeline designed for strict black-box and query-agnostic environments. Operating on surrogate model feedback, MIRAGE functions as an automated optimization framework that integrates three key mechanisms: it utilizes persona-driven query synthesis to approximate latent user search distributions, employs semantic anchoring to imperceptibly embed these intents for high retrieval visibility, and leverages an adversarial variant of Test-Time Preference Optimization (TPO) to maximize persuasion. To rigorously evaluate this threat, we construct a new benchmark derived from three long-form, domain-specific datasets. Extensive experiments demonstrate that MIRAGE significantly outperforms existing baselines in both attack efficacy and stealthiness, exhibiting remarkable transferability across diverse retriever-LLM configurations and highlighting the urgent need for robust defense strategies.