Saved in:
Bibliographic Details
Main Authors: Zhou, Xinyun, Li, Xinfeng, Peng, Yinan, Xu, Ming, Zhang, Xuanwang, Yu, Miao, Wang, Yidong, Jia, Xiaojun, Wang, Kun, Wen, Qingsong, Wang, XiaoFeng, Dong, Wei
Format: Preprint
Published: 2025
Subjects:
Online Access:https://arxiv.org/abs/2512.01335
Tags: Add Tag
No Tags, Be the first to tag this record!
_version_ 1866909937672650752
author Zhou, Xinyun
Li, Xinfeng
Peng, Yinan
Xu, Ming
Zhang, Xuanwang
Yu, Miao
Wang, Yidong
Jia, Xiaojun
Wang, Kun
Wen, Qingsong
Wang, XiaoFeng
Dong, Wei
author_facet Zhou, Xinyun
Li, Xinfeng
Peng, Yinan
Xu, Ming
Zhang, Xuanwang
Yu, Miao
Wang, Yidong
Jia, Xiaojun
Wang, Kun
Wen, Qingsong
Wang, XiaoFeng
Dong, Wei
contents Retrieval-Augmented Generation (RAG) systems are increasingly central to robust AI, enhancing large language model (LLM) faithfulness by incorporating external knowledge. However, our study unveils a critical, overlooked vulnerability: their profound susceptibility to subtle symbolic perturbations, particularly through near-imperceptible emoticon tokens such as "(@_@)" that can catastrophically mislead retrieval, termed EmoRAG. We demonstrate that injecting a single emoticon into a query makes it nearly 100% likely to retrieve semantically unrelated texts that contain a matching emoticon. Our extensive experiment across general question-answering and code domains, using a range of state-of-the-art retrievers and generators, reveals three key findings: (I) Single-Emoticon Disaster: Minimal emoticon injections cause maximal disruptions, with a single emoticon almost 100% dominating RAG output. (II) Positional Sensitivity: Placing an emoticon at the beginning of a query can cause severe perturbation, with F1-Scores exceeding 0.92 across all datasets. (III) Parameter-Scale Vulnerability: Counterintuitively, models with larger parameters exhibit greater vulnerability to the interference. We provide an in-depth analysis to uncover the underlying mechanisms of these phenomena. Furthermore, we raise a critical concern regarding the robustness assumption of current RAG systems, envisioning a threat scenario where an adversary exploits this vulnerability to manipulate the RAG system. We evaluate standard defenses and find them insufficient against EmoRAG. To address this, we propose targeted defenses, analyzing their strengths and limitations in mitigating emoticon-based perturbations. Finally, we outline future directions for building robust RAG systems.
format Preprint
id arxiv_https___arxiv_org_abs_2512_01335
institution arXiv
publishDate 2025
record_format arxiv
spellingShingle EmoRAG: Evaluating RAG Robustness to Symbolic Perturbations
Zhou, Xinyun
Li, Xinfeng
Peng, Yinan
Xu, Ming
Zhang, Xuanwang
Yu, Miao
Wang, Yidong
Jia, Xiaojun
Wang, Kun
Wen, Qingsong
Wang, XiaoFeng
Dong, Wei
Cryptography and Security
Artificial Intelligence
Computation and Language
Retrieval-Augmented Generation (RAG) systems are increasingly central to robust AI, enhancing large language model (LLM) faithfulness by incorporating external knowledge. However, our study unveils a critical, overlooked vulnerability: their profound susceptibility to subtle symbolic perturbations, particularly through near-imperceptible emoticon tokens such as "(@_@)" that can catastrophically mislead retrieval, termed EmoRAG. We demonstrate that injecting a single emoticon into a query makes it nearly 100% likely to retrieve semantically unrelated texts that contain a matching emoticon. Our extensive experiment across general question-answering and code domains, using a range of state-of-the-art retrievers and generators, reveals three key findings: (I) Single-Emoticon Disaster: Minimal emoticon injections cause maximal disruptions, with a single emoticon almost 100% dominating RAG output. (II) Positional Sensitivity: Placing an emoticon at the beginning of a query can cause severe perturbation, with F1-Scores exceeding 0.92 across all datasets. (III) Parameter-Scale Vulnerability: Counterintuitively, models with larger parameters exhibit greater vulnerability to the interference. We provide an in-depth analysis to uncover the underlying mechanisms of these phenomena. Furthermore, we raise a critical concern regarding the robustness assumption of current RAG systems, envisioning a threat scenario where an adversary exploits this vulnerability to manipulate the RAG system. We evaluate standard defenses and find them insufficient against EmoRAG. To address this, we propose targeted defenses, analyzing their strengths and limitations in mitigating emoticon-based perturbations. Finally, we outline future directions for building robust RAG systems.
title EmoRAG: Evaluating RAG Robustness to Symbolic Perturbations
topic Cryptography and Security
Artificial Intelligence
Computation and Language
url https://arxiv.org/abs/2512.01335