
KEPo: Knowledge Evolution Poison on Graph-based Retrieval-Augmented Generation

Qizhi Chen, Chao Qi, Yihong Huang, Muquan Li, Rongzheng Wang, Dongyang Zhang, Ke Qin, Shuang Liang

Abstract

Graph-based Retrieval-Augmented Generation (GraphRAG) constructs the Knowledge Graph (KG) from external databases to enhance the timeliness and accuracy of Large Language Model (LLM) generations. However, this reliance on external data introduces new attack surfaces. Attackers can inject poisoned texts into databases to manipulate LLMs into producing harmful target responses for attacker-chosen queries. Existing research primarily focuses on attacking conventional RAG systems. However, such methods are ineffective against GraphRAG. This robustness derives from the KG abstraction of GraphRAG, which reorganizes injected text into a graph before retrieval, thereby enabling the LLM to reason based on the restructured context instead of raw poisoned passages. To expose latent security vulnerabilities in GraphRAG, we propose Knowledge Evolution Poison (KEPo), a novel poisoning attack method specifically designed for GraphRAG. For each target query, KEPo first generates a toxic event containing poisoned knowledge based on the target answer. By fabricating event backgrounds and forging knowledge evolution paths from original facts to the toxic event, it then poisons the KG and misleads the LLM into treating the poisoned knowledge as the final result. In multi-target attack scenarios, KEPo further connects multiple attack corpora, enabling their poisoned knowledge to mutually reinforce while expanding the scale of poisoned communities, thereby amplifying attack effectiveness. Experimental results across multiple datasets demonstrate that KEPo achieves state-of-the-art attack success rates for both single-target and multi-target attacks, significantly outperforming previous methods.

Paper Structure

This paper contains 30 sections, 15 equations, 5 figures, 12 tables.

Figures (5)

  • Figure 1: KG injection results of different attack methods under the GraphRAG framework.
  • Figure 2: Task types in dataset GraphRAG-Bench (left) and comparative performance of conventional attack methods on RAG and GraphRAG systems (right). Semantic is short for Semantic unit replacement.
  • Figure 3: Overview of Knowledge Evolution Poison (KEPo) attack for GraphRAG. KEPo first forges the knowledge evolution path that leads from original facts to poisoned events. It then enhances this path with a credible background. Next, the events are arranged chronologically into an attack corpus with the poisoned knowledge as the final result of the evolution. This corpus can be employed to directly compromise GraphRAG or execute multi‐target attacks by linking key nodes across corpora.
  • Figure 4: Poison ASR on Graph-Story based on GraphRAG with different corpus length and numbers of linked corpora.
  • Figure 5: Example of poisoned corpus.