Search papers, labs, and topics across Lattice.
This paper introduces TRACE, a lightweight framework designed to detect corpus poisoning attacks in Retrieval-Augmented Generation (RAG) systems by utilizing token influence attribution. By identifying recurrent high-influence keywords in retrieved documents, TRACE effectively traces the influence of these tokens on model outputs, allowing for the detection of malicious manipulations. Experiments across three QA benchmarks and six large language models reveal that TRACE not only excels in detection performance but also uncovers the specific target answers set by attackers.
TRACE reveals how token influence can expose malicious manipulations in RAG systems, achieving high detection rates without heavy computational costs.
Retrieval-Augmented Generation (RAG) systems are vulnerable to corpus poisoning attacks that manipulate model outputs through malicious retrieved documents. Existing detection methods typically rely on auxiliary classifiers or additional LLM-based verification, introducing substantial computational overhead. We present TRACE, a lightweight detection framework that identifies poisoning attacks by tracing answer-related tokens through token influence attribution. TRACE first discovers recurrent high-influence keywords across retrieved documents and then performs a secondary verification to confirm their influence on model predictions. Experiments on three QA benchmarks and six LLMs demonstrate strong detection performance while simultaneously uncovering attacker-specified target answers.