SeCon-RAG: A Two-Stage Semantic Filtering and Conflict-Free Framework for Trustworthy RAG

TL;DR

SeCon-RAG addresses corpus poisoning in retrieval-augmented generation by integrating a semantic analysis module (EIRE) into a two-stage filtering pipeline (SCF) and a conflict-aware inference module (CAF). The SCF combines clustering-based pruning with semantic-graph filtering to remove poisoned content while preserving valuable information, and CAF enforces consistency across query, retrieved evidence, and internal knowledge before generation. Experimental results across three QA benchmarks and five LLM backbones show robust improvements in accuracy and substantial reductions in attack success rates compared with state-of-the-art defenses, with manageable runtime overhead. The framework is modular, scalable, and practical for real-world RAG deployments seeking trustworthy and faithful outputs under adversarial conditions.

Abstract

Retrieval-augmented generation (RAG) systems enhance large language models (LLMs) with external knowledge but are vulnerable to corpus poisoning and contamination attacks, which can compromise output integrity. Existing defenses often apply aggressive filtering, leading to unnecessary loss of valuable information and reduced reliability in generation. To address this problem, we propose a two-stage semantic filtering and conflict-free framework for trustworthy RAG. In the first stage, we perform a joint filter with semantic and cluster-based filtering which is guided by the Entity-intent-relation extractor (EIRE). EIRE extracts entities, latent objectives, and entity relations from both the user query and filtered documents, scores their semantic relevance, and selectively adds valuable documents into the clean retrieval database. In the second stage, we proposed an EIRE-guided conflict-aware filtering module, which analyzes semantic consistency between the query, candidate answers, and retrieved knowledge before final answer generation, filtering out internal and external contradictions that could mislead the model. Through this two-stage process, SeCon-RAG effectively preserves useful knowledge while mitigating conflict contamination, achieving significant improvements in both generation robustness and output trustworthiness. Extensive experiments across various LLMs and datasets demonstrate that the proposed SeCon-RAG markedly outperforms state-of-the-art defense methods.

Figures (7)

• Figure 1: Overview of the SeCon-RAG. A two-stage defense in which SCF filters poisoning corpus during retrieval and CAF eliminates residual conflicts during inference, guided by semantic information obtained through EIRE.
• Figure 2: Semantic graph comparison using EIRE, more textual details has shown in Appendix\ref{['figure']}.
• Figure 3: Ablation results on accuracy and attack success rate (ASR) across three datasets using Mistral-12B. From left to right are HotpotQA, NQ, MS-MARCO.
• Figure 4: The average runtime per batch (in minutes) for three datasets and adversarial settings. From left to right are HotpotQA, NQ, MS-MARCO.
• Figure 5: A schematic graph of the correct document's semantic structure in two dimensions. Blue indicates the correct response, orange nodes stand for entities, and the edges connecting nodes show the connections between entities.