LogicPoison: Logical Attacks on Graph Retrieval-Augmented Generation

Yilin Xiao, Jin Chen, Qinggang Zhang, Yujing Zhang, Chuang Zhou, Longhao Yang, Lingfei Ren, Xin Yang, Xiao Huang

Abstract

Graph-based Retrieval-Augmented Generation (GraphRAG) enhances the reasoning capabilities of Large Language Models (LLMs) by grounding their responses in structured knowledge graphs. Leveraging community detection and relation filtering techniques, GraphRAG systems demonstrate inherent resistance to traditional RAG attacks, such as text poisoning and prompt injection. However, in this paper, we find that the security of GraphRAG systems fundamentally relies on the topological integrity of the underlying graph, which can be undermined by implicitly corrupting the logical connections, without altering surface-level text semantics. To exploit this vulnerability, we propose LogicPoison, a novel attack framework that targets logical reasoning rather than injecting false contents. Specifically, LogicPoison employs a type-preserving entity swapping mechanism to perturb both global logic hubs for disrupting overall graph connectivity and query-specific reasoning bridges for severing essential multi-hop inference paths. This approach effectively reroutes valid reasoning into dead ends while maintaining surface-level textual plausibility. Comprehensive experiments across multiple benchmarks demonstrate that LogicPoison successfully bypasses GraphRAG's defenses, significantly degrading performance and outperforming state-of-the-art baselines in both effectiveness and stealth. Our code is available at https://github.com/Jord8061/logicPoison.

Paper Structure

This paper contains 52 sections, 13 equations, 7 figures, 4 tables, 1 algorithm.

Figures (7)

  • Figure 1: Traditional attacks on LLMs or RAG struggle to pose an effective threat to GraphRAG systems, mainly because of two characteristics. First, the knowledge graph construction process naturally filters out part of the attack content. Second, the retrieval and reasoning mechanism unique to the graph structure makes an attack harder to carry out.
  • Figure 2: The overall framework of LogicPoison. The attack pipeline is divided into three stages: I. Strategic Entity Selection, where target entities are identified via a dual-pronged strategy combining global logic hubs and query-centric reasoning bridges into a unified set $\mathcal{R}$. II. Attack Mechanism, which employs a type-preserving cyclic permutation to swap entities within their respective type buckets in the corpus. III. Implicit Graph Corruption, demonstrating how the poisoned corpus subtly rewires the implicit topology of the constructed graph, severing valid reasoning chains ($A \to B \to C$) and re-routing them to incorrect entities ($A \to B' \to C$), leading to wrong answers while maintaining textual plausibility.
  • Figure 3: Ablation study of the components on the 2Wiki Dataset. We compare Global-only, Query-Centric-only, and the full LogicPoison strategies with three different LLMs.
  • Figure 4: PPL-based detection for LogicPoison.
  • Figure 5: Hyperparameter analysis results of LogicPoison.
  • ...and 2 more figures