Table of Contents
Fetching ...

Stealthy LLM-Driven Data Poisoning Attacks Against Embedding-Based Retrieval-Augmented Recommender Systems

Fatemeh Nazary, Yashar Deldjoo, Tommaso Di Noia, Eugenio Di Sciascio

TL;DR

Retrieval-augmented recommender systems that rely on embedding-based retrieval and LLMs are vulnerable to provider-side data poisoning through minimal edits to item descriptions. The authors formalize a framework with a token-edit budget $δ$ and a semantic-similarity constraint $σ_{min}$ to implement three attack variants—Emotional Edit, Neighbor Borrowing, and Chain Attack—evaluated on MovieLens with two SoA LLM modules. The findings show that small, semantically coherent rewrites can substantially alter item exposure (promotion of long-tail items or demotion of popular ones) with only modest global metric degradation, particularly when using generative ranking. This work highlights practical security risks in RAG pipelines and motivates defenses such as provenance tracking and textual integrity checks, while contributing resources to enable reproducibility and further robustness research.

Abstract

We present a systematic study of provider-side data poisoning in retrieval-augmented recommender systems (RAG-based). By modifying only a small fraction of tokens within item descriptions -- for instance, adding emotional keywords or borrowing phrases from semantically related items -- an attacker can significantly promote or demote targeted items. We formalize these attacks under token-edit and semantic-similarity constraints, and we examine their effectiveness in both promotion (long-tail items) and demotion (short-head items) scenarios. Our experiments on MovieLens, using two large language model (LLM) retrieval modules, show that even subtle attacks shift final rankings and item exposures while eluding naive detection. The results underscore the vulnerability of RAG-based pipelines to small-scale metadata rewrites and emphasize the need for robust textual consistency checks and provenance tracking to thwart stealthy provider-side poisoning.

Stealthy LLM-Driven Data Poisoning Attacks Against Embedding-Based Retrieval-Augmented Recommender Systems

TL;DR

Retrieval-augmented recommender systems that rely on embedding-based retrieval and LLMs are vulnerable to provider-side data poisoning through minimal edits to item descriptions. The authors formalize a framework with a token-edit budget and a semantic-similarity constraint to implement three attack variants—Emotional Edit, Neighbor Borrowing, and Chain Attack—evaluated on MovieLens with two SoA LLM modules. The findings show that small, semantically coherent rewrites can substantially alter item exposure (promotion of long-tail items or demotion of popular ones) with only modest global metric degradation, particularly when using generative ranking. This work highlights practical security risks in RAG pipelines and motivates defenses such as provenance tracking and textual integrity checks, while contributing resources to enable reproducibility and further robustness research.

Abstract

We present a systematic study of provider-side data poisoning in retrieval-augmented recommender systems (RAG-based). By modifying only a small fraction of tokens within item descriptions -- for instance, adding emotional keywords or borrowing phrases from semantically related items -- an attacker can significantly promote or demote targeted items. We formalize these attacks under token-edit and semantic-similarity constraints, and we examine their effectiveness in both promotion (long-tail items) and demotion (short-head items) scenarios. Our experiments on MovieLens, using two large language model (LLM) retrieval modules, show that even subtle attacks shift final rankings and item exposures while eluding naive detection. The results underscore the vulnerability of RAG-based pipelines to small-scale metadata rewrites and emphasize the need for robust textual consistency checks and provenance tracking to thwart stealthy provider-side poisoning.
Paper Structure (5 sections, 1 equation, 1 figure, 1 table)

This paper contains 5 sections, 1 equation, 1 figure, 1 table.

Figures (1)

  • Figure 1: High-level RAG architecture in a recommender setting. A retriever selects candidate items (step 1). An LLM uses these retrieved texts and user queries to re-rank or generate final recommendations (step 2). In our poisoning scenario (red arrow), an attacker subtly modifies item descriptions to alter how retrieval and generation perceive items.