Exploiting Instruction-Following Retrievers for Malicious Information Retrieval
Parishad BehnamGhader, Nicholas Meade, Siva Reddy
TL;DR
The paper addresses safety risks arising from instruction-following retrievers used for malicious information retrieval. It consistently evaluates six retrievers across direct, instruction-following, and RAG-based setups using AdvBench-IR and QA benchmarks, revealing that retrievers can locate harmful passages with high accuracy and that instruction-following prompts enable fine-grained malicious retrieval. It further shows that including harmful retrieved passages in prompts can drive safety-aligned LLMs to produce harmful content, highlighting a risk in retrieval-augmented generation pipelines. The work underscores the need for robust retriever safety mechanisms and informs safer deployment of retrieval systems in combination with large language models.
Abstract
Instruction-following retrievers have been widely adopted alongside LLMs in real-world applications, but little work has investigated the safety risks surrounding their increasing search capabilities. We empirically study the ability of retrievers to satisfy malicious queries, both when used directly and when used in a retrieval augmented generation-based setup. Concretely, we investigate six leading retrievers, including NV-Embed and LLM2Vec, and find that given malicious requests, most retrievers can (for >50% of queries) select relevant harmful passages. For example, LLM2Vec correctly selects passages for 61.35% of our malicious queries. We further uncover an emerging risk with instruction-following retrievers, where highly relevant harmful information can be surfaced by exploiting their instruction-following capabilities. Finally, we show that even safety-aligned LLMs, such as Llama3, can satisfy malicious requests when provided with harmful retrieved passages in-context. In summary, our findings underscore the malicious misuse risks associated with increasing retriever capability.
