Saved in:
Bibliographic Details
Main Authors: Zhang, Wentao, Zhuang, Yan, Zheng, ZhuHang, Zhang, Mingfei, Deng, Jiawen, Ren, Fuji
Format: Preprint
Published: 2026
Subjects:
Online Access:https://arxiv.org/abs/2604.18663
Tags: Add Tag
No Tags, Be the first to tag this record!
_version_ 1866918457676660736
author Zhang, Wentao
Zhuang, Yan
Zheng, ZhuHang
Zhang, Mingfei
Deng, Jiawen
Ren, Fuji
author_facet Zhang, Wentao
Zhuang, Yan
Zheng, ZhuHang
Zhang, Mingfei
Deng, Jiawen
Ren, Fuji
contents Existing jamming attacks on Retrieval-Augmented Generation (RAG) systems typically induce explicit refusals or denial-of-service behaviors, which are conspicuous and easy to detect. In this work, we formalize a subtler availability threat, termed soft failure, which degrades system utility by inducing fluent and coherent yet non-informative responses rather than overt failures. We propose Deceptive Evolutionary Jamming Attack (DEJA), an automated black-box attack framework that generates adversarial documents to trigger such soft failures by exploiting safety-aligned behaviors of large language models. DEJA employs an evolutionary optimization process guided by a fine-grained Answer Utility Score (AUS), computed via an LLM-based evaluator, to systematically degrade the certainty of answers while maintaining high retrieval success. Extensive experiments across multiple RAG configurations and benchmark datasets show that DEJA consistently drives responses toward low-utility soft failures, achieving SASR above 79\% while keeping hard-failure rates below 15\%, significantly outperforming prior attacks. The resulting adversarial documents exhibit high stealth, evading perplexity-based detection and resisting query paraphrasing, and transfer across model families to proprietary systems without retargeting.
format Preprint
id arxiv_https___arxiv_org_abs_2604_18663
institution arXiv
publishDate 2026
record_format arxiv
spellingShingle Beyond Explicit Refusals: Soft-Failure Attacks on Retrieval-Augmented Generation
Zhang, Wentao
Zhuang, Yan
Zheng, ZhuHang
Zhang, Mingfei
Deng, Jiawen
Ren, Fuji
Cryptography and Security
Artificial Intelligence
Existing jamming attacks on Retrieval-Augmented Generation (RAG) systems typically induce explicit refusals or denial-of-service behaviors, which are conspicuous and easy to detect. In this work, we formalize a subtler availability threat, termed soft failure, which degrades system utility by inducing fluent and coherent yet non-informative responses rather than overt failures. We propose Deceptive Evolutionary Jamming Attack (DEJA), an automated black-box attack framework that generates adversarial documents to trigger such soft failures by exploiting safety-aligned behaviors of large language models. DEJA employs an evolutionary optimization process guided by a fine-grained Answer Utility Score (AUS), computed via an LLM-based evaluator, to systematically degrade the certainty of answers while maintaining high retrieval success. Extensive experiments across multiple RAG configurations and benchmark datasets show that DEJA consistently drives responses toward low-utility soft failures, achieving SASR above 79\% while keeping hard-failure rates below 15\%, significantly outperforming prior attacks. The resulting adversarial documents exhibit high stealth, evading perplexity-based detection and resisting query paraphrasing, and transfer across model families to proprietary systems without retargeting.
title Beyond Explicit Refusals: Soft-Failure Attacks on Retrieval-Augmented Generation
topic Cryptography and Security
Artificial Intelligence
url https://arxiv.org/abs/2604.18663