RAGPart & RAGMask: Retrieval-Stage Defenses Against Corpus Poisoning in Retrieval-Augmented Generation

TL;DR

This paper introduces RAGPart and RAGMask, two lightweight retrieval-stage defenses that protect retrieval-augmented generation models from corpus poisoning attacks by detecting and mitigating malicious documents.

Contribution

The paper presents novel, computationally efficient defenses operating at the retrieval stage, improving robustness of RAG models against corpus poisoning without altering the generation component.

Findings

Defenses significantly reduce attack success rates across multiple benchmarks.

RAGPart and RAGMask maintain utility under benign conditions.

The defenses are effective against various poisoning strategies and retriever types.

Abstract

Retrieval-Augmented Generation (RAG) has emerged as a promising paradigm to enhance large language models (LLMs) with external knowledge, reducing hallucinations and compensating for outdated information. However, recent studies have exposed a critical vulnerability in RAG pipelines corpus poisoning where adversaries inject malicious documents into the retrieval corpus to manipulate model outputs. In this work, we propose two complementary retrieval-stage defenses: RAGPart and RAGMask. Our defenses operate directly on the retriever, making them computationally lightweight and requiring no modification to the generation model. RAGPart leverages the inherent training dynamics of dense retrievers, exploiting document partitioning to mitigate the effect of poisoned points. In contrast, RAGMask identifies suspicious tokens based on significant similarity shifts under targeted token masking. Across two benchmarks, four poisoning strategies, and four state-of-the-art retrievers, our defenses consistently reduce attack success rates while preserving utility under benign conditions. We further introduce an interpretable attack to stress-test our defenses. Our findings highlight the potential and limitations of retrieval-stage defenses, providing practical insights for robust RAG deployments.