Secure Retrieval-Augmented Generation against Poisoning Attacks
Zirui Cheng, Jikai Sun, Anjun Gao, Yueyang Quan, Zhuqing Liu, Xiaohua Hu, Minghong Fang
TL;DR
This work tackles poisoning attacks on Retrieval-Augmented Generation by introducing RAGuard, which first expands the retrieved set to increase clean content and then applies a three-filter defense. The filters combine chunk-wise perplexity, perplexity maxima, and text similarity in a non-parametric, empirical-threshold framework to detect and remove poisoned texts prior to generation. The approach yields strong detection and output accuracy across five datasets, including against adaptive attacks, while maintaining low false positives and modest computational overhead. By providing a formal performance bound and extensive empirical validation, RAGuard offers a practical, robust defense for knowledge-grounded NLP systems in high-stakes domains.
Abstract
Large language models (LLMs) have transformed natural language processing (NLP), enabling applications from content generation to decision support. Retrieval-Augmented Generation (RAG) improves LLMs by incorporating external knowledge but also introduces security risks, particularly from data poisoning, where the attacker injects poisoned texts into the knowledge database to manipulate system outputs. While various defenses have been proposed, they often struggle against advanced attacks. To address this, we introduce RAGuard, a detection framework designed to identify poisoned texts. RAGuard first expands the retrieval scope to increase the proportion of clean texts, reducing the likelihood of retrieving poisoned content. It then applies chunk-wise perplexity filtering to detect abnormal variations and text similarity filtering to flag highly similar texts. This non-parametric approach enhances RAG security, and experiments on large-scale datasets demonstrate its effectiveness in detecting and mitigating poisoning attacks, including strong adaptive attacks.