
MIRAGE: Misleading Retrieval-Augmented Generation via Black-box and Query-agnostic Poisoning Attacks

Tailun Chen, Yu He, Yan Wang, Shuo Shao, Haolun Zheng, Zhihao Liu, Jinfeng Li, Yuefeng Chen, Zhixuan Chu, Zhan Qin

TL;DR

This work exposes a practical vulnerability in Retrieval-Augmented Generation by formalizing a fully black-box, query-agnostic poisoning threat and presenting MIRAGE, a three-phase poisoning pipeline. MIRAGE combines Persona-driven query synthesis, Semantic Anchoring, and an adversarial Test-Time Preference Optimization loop to craft a single adversarial document that is both highly retrievable and persuasive to an LLM. Evaluations on long-form domain datasets (BioASQ, FinQA, TiEBe) show MIRAGE outperforms prior attacks in efficacy and stealth, with strong cross-model transferability and limited effectiveness of current defenses. The study highlights urgent needs for robust defenses that account for semantic, long-form content and cross-model generalization in real-world RAG deployments.

Abstract

Retrieval-Augmented Generation (RAG) systems enhance LLMs with external knowledge but introduce a critical attack surface: corpus poisoning. While recent studies have demonstrated the potential of such attacks, they typically rely on impractical assumptions, such as white-box access or known user queries, thereby underestimating the difficulty of real-world exploitation. In this paper, we bridge this gap by proposing MIRAGE, a novel multi-stage poisoning pipeline designed for strict black-box and query-agnostic environments. Operating on surrogate model feedback, MIRAGE functions as an automated optimization framework that integrates three key mechanisms: it utilizes persona-driven query synthesis to approximate latent user search distributions, employs semantic anchoring to imperceptibly embed these intents for high retrieval visibility, and leverages an adversarial variant of Test-Time Preference Optimization (TPO) to maximize persuasion. To rigorously evaluate this threat, we construct a new benchmark derived from three long-form, domain-specific datasets. Extensive experiments demonstrate that MIRAGE significantly outperforms existing baselines in both attack efficacy and stealthiness, exhibiting remarkable transferability across diverse retriever-LLM configurations and highlighting the urgent need for robust defense strategies.

Paper Structure

This paper contains 40 sections, 6 equations, 10 figures, 12 tables, 1 algorithm.

Figures (10)

  • Figure 1: Visualization of RAG poisoning attack.
  • Figure 2: Overview of the MIRAGE framework. The pipeline operates in three phases: ❶ Query Distribution Modeling approximates latent user intents via Ellis's model; ❷ Semantic Anchoring embeds queries for high retrieval visibility; and ❸ Adversarial Alignment iteratively refines the document for maximum misleading efficacy via TPO.
  • Figure 3: Cross-model transferability on BioASQ. Heatmaps show performance transfer from surrogate to target models.
  • Figure 4: Sensitivity analysis of MIRAGE to key hyperparameters on BioASQ (Fact-Level).
  • Figure 5: Impact of optimizer model scale on attack efficacy on BioASQ (Fact-Level).
  • ...and 5 more figures