Saved in:
Bibliographic Details
Main Authors: Xi, Meng, Lv, Sihan, Jin, Yechen, Cheng, Guanjie, Wang, Naibo, Li, Ying, Yin, Jianwei
Format: Preprint
Published: 2025
Subjects:
Online Access:https://arxiv.org/abs/2510.10008
Tags: Add Tag
No Tags, Be the first to tag this record!
_version_ 1866917193640312832
author Xi, Meng
Lv, Sihan
Jin, Yechen
Cheng, Guanjie
Wang, Naibo
Li, Ying
Yin, Jianwei
author_facet Xi, Meng
Lv, Sihan
Jin, Yechen
Cheng, Guanjie
Wang, Naibo
Li, Ying
Yin, Jianwei
contents Retrieval-Augmented Generation (RAG) systems based on Large Language Models (LLMs) have become a core technology for tasks such as question-answering (QA) and content generation. RAG poisoning is an attack method to induce LLMs to generate the attacker's expected text by injecting poisoned documents into the database of RAG systems. Existing research can be broadly divided into two classes: white-box methods and black-box methods. White-box methods utilize gradient information to optimize poisoned documents, and black-box methods use a pre-trained LLM to generate them. However, existing white-box methods require knowledge of the RAG system's internal composition and implementation details, whereas black-box methods are unable to utilize interactive information. In this work, we propose the RIPRAG attack framework, an end-to-end attack pipeline that treats the target RAG system as a black box and leverages our proposed Reinforcement Learning from Black-box Feedback (RLBF) method to optimize the generation model for poisoned documents. We designed two kinds of rewards: similarity reward and attack reward. Experimental results demonstrate that this method can effectively execute poisoning attacks against most complex RAG systems, achieving an attack success rate (ASR) improvement of up to 0.72 compared to baseline methods. This highlights prevalent deficiencies in current defensive methods and provides critical insights for LLM security research.
format Preprint
id arxiv_https___arxiv_org_abs_2510_10008
institution arXiv
publishDate 2025
record_format arxiv
spellingShingle RIPRAG: Hack a Black-box Retrieval-Augmented Generation Question-Answering System with Reinforcement Learning
Xi, Meng
Lv, Sihan
Jin, Yechen
Cheng, Guanjie
Wang, Naibo
Li, Ying
Yin, Jianwei
Artificial Intelligence
Retrieval-Augmented Generation (RAG) systems based on Large Language Models (LLMs) have become a core technology for tasks such as question-answering (QA) and content generation. RAG poisoning is an attack method to induce LLMs to generate the attacker's expected text by injecting poisoned documents into the database of RAG systems. Existing research can be broadly divided into two classes: white-box methods and black-box methods. White-box methods utilize gradient information to optimize poisoned documents, and black-box methods use a pre-trained LLM to generate them. However, existing white-box methods require knowledge of the RAG system's internal composition and implementation details, whereas black-box methods are unable to utilize interactive information. In this work, we propose the RIPRAG attack framework, an end-to-end attack pipeline that treats the target RAG system as a black box and leverages our proposed Reinforcement Learning from Black-box Feedback (RLBF) method to optimize the generation model for poisoned documents. We designed two kinds of rewards: similarity reward and attack reward. Experimental results demonstrate that this method can effectively execute poisoning attacks against most complex RAG systems, achieving an attack success rate (ASR) improvement of up to 0.72 compared to baseline methods. This highlights prevalent deficiencies in current defensive methods and provides critical insights for LLM security research.
title RIPRAG: Hack a Black-box Retrieval-Augmented Generation Question-Answering System with Reinforcement Learning
topic Artificial Intelligence
url https://arxiv.org/abs/2510.10008