RAGFort: Dual-Path Defense Against Proprietary Knowledge Base Extraction in Retrieval-Augmented Generation
Qinfeng Li, Miao Pan, Ke Xiong, Ge Su, Zhiqiang Shen, Yan Liu, Bing Sun, Hao Peng, Xuhong Zhang
TL;DR
The paper tackles knowledge base extraction threats in retrieval-augmented generation by showing that defenses must protect both intra-class and inter-class attack paths. It introduces RAGFort, a dual-path defense combining contrastive reindexing for inter-class isolation and cascade generation with a rejection rule for intra-class protection, validated by efficiency-preserving experiments. Across multiple domains and attacker strategies, RAGFort significantly reduces knowledge base reconstruction while maintaining high answer quality. The work demonstrates that jointly addressing dual extraction paths yields robust, practical protection for proprietary KBs in RAG systems.
Abstract
Retrieval-Augmented Generation (RAG) systems deployed over proprietary knowledge bases face growing threats from reconstruction attacks that aggregate model responses to replicate knowledge bases. Such attacks exploit both intra-class and inter-class paths, progressively extracting fine-grained knowledge within topics and diffusing it across semantically related ones, thereby enabling comprehensive extraction of the original knowledge base. However, existing defenses target only one path, leaving the other unprotected. We conduct a systematic exploration to assess the impact of protecting each path independently and find that joint protection is essential for effective defense. Based on this, we propose RAGFort, a structure-aware dual-module defense combining "contrastive reindexing" for inter-class isolation and "constrained cascade generation" for intra-class protection. Experiments across security, performance, and robustness confirm that RAGFort significantly reduces reconstruction success while preserving answer quality, offering comprehensive defense against knowledge base extraction attacks.