
DBIS

SpacedRAG: Spacing-Aware Knowledge Corruption Against Clustering-Based Detection in RAG Systems

December 23rd, 2025

Student: Tim Vogelbacher

Abstract:

Retrieval-Augmented Generation (RAG) systems reduce hallucinations
and enhance the relevance of the output of large language models (LLMs)
by incorporating external knowledge sources. However, this architectural
advantage introduces new security risks, including the susceptibility to
knowledge corruption attacks, where an attacker crafts malicious
documents that are injected into the knowledge base to manipulate an LLM's
output. Prior work, such as PoisonedRAG, exploits this vulnerability but
is mitigated by defenses like TrustRAG, which clusters the embeddings
of the texts inside the knowledge base to identify and remove unusually
dense document groups. In this thesis, we present SpacedRAG, an
attack that circumvents clustering-based and ROUGE-L-based defenses
by adapting the crafting of malicious documents with a new spacing
condition. Unlike PoisonedRAG, which generates documents that are as
similar to the query as possible and that are subsequently also highly
similar to each other, SpacedRAG generates malicious documents that are
intentionally dissimilar from each other while still satisfying conditions
for retrieval and resulting in the generation of malicious answers. We
formulate the attack as an optimization problem and evaluate SpacedRAG
under different levels of knowledge that the attacker has about the RAG
system. The results show that up to 84% of the adversarial texts created
with SpacedRAG bypass TrustRAG’s defenses and lead to a 70% attack
success rate when injected into knowledge bases containing millions of
texts.