Are LLMs Reliable Rankers? Rank Manipulation via Two-Stage Token Optimization
Tiancheng Xing, Jerry Li, Yixuan Du, Xiyang Hu
TL;DR
This work addresses the vulnerability of LLM-based rerankers to adversarial prompts by introducing Rank Anything First (RAF), a two-stage token optimization framework that crafts token-by-token perturbations to boost a target item's rank while maintaining fluent, natural language. RAF jointly optimizes a ranking objective $L_{tar}$ and a readability objective $L_{read}$ using a gradient-guided two-stage process with dynamic entropy-based weighting and temperature-controlled sampling, enabling effective manipulation in discrete text space. Across multiple open-source LLMs and product domains, RAF consistently achieves stronger rank promotion with competitive or lower perplexity and minimal detectability compared with baselines, and it transfers well across models, underscoring a systemic security risk in LLM reranking pipelines. These findings highlight the need for robust defenses and evaluation frameworks to ensure trustworthiness and resilience of modern retrieval systems against adversarial rank manipulation, particularly in real-world, cross-model settings.
Abstract
Large language models (LLMs) are increasingly used as rerankers in information retrieval, yet their ranking behavior can be steered by small, natural-sounding prompts. To expose this vulnerability, we present Rank Anything First (RAF), a two-stage token optimization method that crafts concise textual perturbations to consistently promote a target item in LLM-generated rankings while remaining hard to detect. Stage 1 uses Greedy Coordinate Gradient to shortlist candidate tokens at the current position by combining the gradient of the rank-target with a readability score; Stage 2 evaluates those candidates under exact ranking and readability losses using an entropy-based dynamic weighting scheme, and selects a token via temperature-controlled sampling. RAF generates ranking-promoting prompts token-by-token, guided by dual objectives: maximizing ranking effectiveness and preserving linguistic naturalness. Experiments across multiple LLMs show that RAF significantly boosts the rank of target items using naturalistic language, with greater robustness than existing methods in both promoting target items and maintaining naturalness. These findings underscore a critical security implication: LLM-based reranking is inherently susceptible to adversarial manipulation, raising new challenges for the trustworthiness and robustness of modern retrieval systems. Our code is available at: https://github.com/glad-lab/RAF.