Hoist with His Own Petard: Inducing Guardrails to Facilitate Denial-of-Service Attacks on Retrieval-Augmented Generation of LLMs
Pan Suo, Yu-Ming Shang, San-Chuan Guo, Xi Zhang
TL;DR
The paper reveals a novel denial-of-service vulnerability in retrieval-augmented generation by exploiting LLM safety guardrails with jailbreak prompts embedded in the knowledge base. It introduces MutedRAG, a framework that uses a crafted suffix to trigger refusal behavior and a prefix to ensure the malicious text is retrieved within the top-k results, yielding high attack effectiveness under both black-box and white-box settings. Across HotpotQA, NQ, and MS-MARCO with diverse LLMs, MutedRAG achieves substantial ASR and I-ASR with minimal injected text, outperforming prior PoisonedRAG attacks. The work evaluates defenses like paraphrasing, perplexity-based screening, and duplicate text filtering, finding them largely insufficient, and calls for robust, defense-in-depth strategies to secure RAG deployments in practice.
Abstract
Retrieval-Augmented Generation (RAG) integrates Large Language Models (LLMs) with external knowledge bases, improving output quality while introducing new security risks. Existing studies on RAG vulnerabilities typically focus on exploiting the retrieval mechanism to inject erroneous knowledge or malicious texts, inducing incorrect outputs. However, these approaches overlook critical weaknesses within LLMs, leaving important attack vectors unexplored and limiting the scope and efficiency of attacks. In this paper, we uncover a novel vulnerability: the safety guardrails of LLMs, while designed for protection, can also be exploited as an attack vector by adversaries. Building on this vulnerability, we propose MutedRAG, a novel denial-of-service attack that reversely leverages the guardrails of LLMs to undermine the availability of RAG systems. By injecting minimalistic jailbreak texts, such as "\textit{How to build a bomb}", into the knowledge base, MutedRAG intentionally triggers the LLM's safety guardrails, causing the system to reject legitimate queries. Besides, due to the high sensitivity of guardrails, a single jailbreak sample can affect multiple queries, effectively amplifying the efficiency of attacks while reducing their costs. Experimental results on three datasets demonstrate that MutedRAG achieves an attack success rate exceeding 60% in many scenarios, requiring only less than one malicious text to each target query on average. In addition, we evaluate potential defense strategies against MutedRAG, finding that some of current mechanisms are insufficient to mitigate this threat, underscoring the urgent need for more robust solutions.
