The paper introduces RefineRAG, a novel word-level knowledge poisoning attack against RAG systems that refines toxic seeds using retriever-in-the-loop optimization to maximize retrieval priority and naturalness. By treating poisoning as a holistic refinement problem rather than a coarse concatenation, RefineRAG achieves a 90% attack success rate on NQ with minimal grammar errors and repetition. The transferability of these attacks to black-box systems underscores the practical threat posed by this method.
RAG systems are far more vulnerable to subtle, word-level poisoning attacks than previously thought, achieving 90% success rates even against black-box models.
Retrieval-Augmented Generation (RAG) significantly enhances Large Language Models (LLMs), but simultaneously exposes a critical vulnerability to knowledge poisoning attacks. Existing attack methods like PoisonedRAG remain detectable due to coarse-grained separate-and-concatenate strategies. To bridge this gap, we propose RefineRAG, a novel framework that treats poisoning as a holistic word-level refinement problem. It operates in two stages: Macro Generation produces toxic seeds guaranteed to induce target answers, while Micro Refinement employs a retriever-in-the-loop optimization to maximize retrieval priority without compromising naturalness. Evaluations on NQ and MSMARCO demonstrate that RefineRAG achieves state-of-the-art effectiveness, securing a 90% Attack Success Rate on NQ, while registering the lowest grammar errors and repetition rates among all baselines. Crucially, our proxy-optimized attacks successfully transfer to black-box victim systems, highlighting a severe practical threat.