Machine Against the RAG: Jamming Retrieval-Augmented Generation with Blocker Documents

Add code
Jun 09, 2024
Avital Shafran, Roei Schuster, Vitaly Shmatikov
Figure 1 for Machine Against the RAG: Jamming Retrieval-Augmented Generation with Blocker Documents
Figure 2 for Machine Against the RAG: Jamming Retrieval-Augmented Generation with Blocker Documents
Figure 3 for Machine Against the RAG: Jamming Retrieval-Augmented Generation with Blocker Documents
Figure 4 for Machine Against the RAG: Jamming Retrieval-Augmented Generation with Blocker Documents

Share this with someone who'll enjoy it:

Twitter IconFacebook IconLinkedin IconWhatsapp IconMessenger Icon

Retrieval-augmented generation (RAG) systems respond to queries by retrieving relevant documents from a knowledge database, then generating an answer by applying an LLM to the retrieved documents. We demonstrate that RAG systems that operate on databases with potentially untrusted content are vulnerable to a new class of denial-of-service attacks we call jamming. An adversary can add a single ``blocker'' document to the database that will be retrieved in response to a specific query and, furthermore, result in the RAG system not answering the query - ostensibly because it lacks the information or because the answer is unsafe. We describe and analyze several methods for generating blocker documents, including a new method based on black-box optimization that does not require the adversary to know the embedding or LLM used by the target RAG system, nor access to an auxiliary LLM to generate blocker documents. We measure the efficacy of the considered methods against several LLMs and embeddings, and demonstrate that the existing safety metrics for LLMs do not capture their vulnerability to jamming. We then discuss defenses against blocker documents.

View paper onarxiv icon

Share this with someone who'll enjoy it:

Twitter IconFacebook IconLinkedin IconWhatsapp IconMessenger Icon