TL;DR
This paper introduces M3Att, a framework for covertly poisoning medical multimodal retrieval-augmented generation systems by injecting imperceptible visual perturbations and ambiguous misinformation, degrading diagnostic accuracy.
Contribution
It presents a novel poisoning method that requires limited database knowledge and evades model correction, highlighting vulnerabilities in medical RAG systems.
Findings
M3Att consistently produces clinically plausible yet incorrect outputs.
The framework effectively manipulates retrieval probabilities with minimal visual perturbations.
It degrades diagnostic accuracy while avoiding self-correction in LLMs.
Abstract
Retrieval-augmented generation (RAG) is a widely adopted paradigm for enhancing LLMs in medical applications by incorporating expert multimodal knowledge during generation. However, the underlying retrieval databases may naturally contain, or be intentionally injected with, adversarial knowledge, which can perturb model outputs and undermine system reliability. To investigate this risk, prior studies have explored knowledge poisoning attacks in medical RAG systems. Nevertheless, most of them rely on the strong assumption that adversaries possess prior knowledge of user queries, which is unrealistic in deployments and substantially limits their practical applicability. In this paper, we propose M³Att, a knowledge-poisoning framework designed for medical multimodal RAG systems, assuming only limited distribution knowledge of the underlying database. Our core idea is to…
