Search papers, labs, and topics across Lattice.
This paper introduces DiscourseFlip, a novel attack method that manipulates opinions at the discourse level within Retrieval-Augmented Generation (RAG) systems by leveraging a coordinated semantic query network. The authors demonstrate that this approach allows for more effective and widespread opinion shifts compared to existing attack methods, which typically focus on isolated queries. Through extensive experiments, DiscourseFlip is shown to outperform baselines in both effectiveness and camouflage, revealing significant vulnerabilities in current RAG defenses against discourse-level manipulation.
Coordinated attacks on discourse-level opinion can shift perceptions across multi-topic queries, exposing critical vulnerabilities in RAG systems.
Retrieval-Augmented Generation (RAG) systems are widely deployed and increasingly influential, but their reliance on external corpora exposes new security risks from poisoned retrieval content. Existing RAG attacks are largely focusing on individual queries or narrow topic-local query sets, which limits their practical reach and offers limited camouflage in real-world settings. In this paper, we introduce discourse-level opinion manipulation, a new threat model in which coordinated influence across a semantic query network induces opinion shifts over a holistic, multi-topic query space. We formalize this threat in a black-box setting and propose DiscourseFlip, an agentic, graph-guided attack that dynamically allocates a limited poisoning budget to maximize discourse-level opinion deviation. Extensive experiments demonstrate that DiscourseFlip consistently induces targeted opinion shifts across the contextualized query network and significantly outperforms existing baselines in terms of coverage and effectiveness. User studies further confirm that DiscourseFlip is effective while remaining well camouflaged from user detection. Moreover, systematic analyses show that existing mitigation strategies are ineffective against discourse-level manipulation, underscoring the urgent need for more robust and adaptive defenses to address discourse-level vulnerabilities.
