Joint-GCG: Unified Gradient-Based Poisoning Attacks on Retrieval-Augmented Generation Systems (2506.06151v1)

Abstract: Retrieval-Augmented Generation (RAG) systems enhance LLMs by retrieving relevant documents from external corpora before generating responses. This approach significantly expands LLM capabilities by leveraging vast, up-to-date external knowledge. However, this reliance on external knowledge makes RAG systems vulnerable to corpus poisoning attacks that manipulate generated outputs via poisoned document injection. Existing poisoning attack strategies typically treat the retrieval and generation stages as disjointed, limiting their effectiveness. We propose Joint-GCG, the first framework to unify gradient-based attacks across both retriever and generator models through three innovations: (1) Cross-Vocabulary Projection for aligning embedding spaces, (2) Gradient Tokenization Alignment for synchronizing token-level gradient signals, and (3) Adaptive Weighted Fusion for dynamically balancing attacking objectives. Evaluations demonstrate that Joint-GCG achieves at most 25% and an average of 5% higher attack success rate than previous methods across multiple retrievers and generators. While optimized under a white-box assumption, the generated poisons show unprecedented transferability to unseen models. Joint-GCG's innovative unification of gradient-based attacks across retrieval and generation stages fundamentally reshapes our understanding of vulnerabilities within RAG systems. Our code is available at https://github.com/NicerWang/Joint-GCG.

• The paper presents Joint-GCG, a unified gradient-based attack that compromises both the retrieval and generation components in RAG systems.
• It introduces techniques like Cross-Vocabulary Projection and Gradient Tokenization Alignment to align and synchronize gradients across model components.
• Empirical results reveal up to 25% higher attack success rates and impressive transferability, underlining severe vulnerabilities in RAG systems.

Overview of Joint-GCG: Unified Gradient-Based Poisoning Attacks on Retrieval-Augmented Generation Systems

The paper "Joint-GCG: Unified Gradient-Based Poisoning Attacks on Retrieval-Augmented Generation Systems" presents a novel approach to exploiting vulnerabilities inherent in Retrieval-Augmented Generation (RAG) systems. RAG systems, which couple retrieval mechanisms with LLMs, leverage external data to enhance the contextual relevance of generated responses. This integration, however, exposes the systems to corpus poisoning attacks. The authors introduce Joint-GCG, a unified framework for conducting gradient-based poisoning attacks that target both the retrieval and generation components of RAG systems.

Contributions and Methodology

Unification of Gradient Attacks

The research identifies a significant gap in existing poisoning strategies, which typically handle the retriever and generator models independently. This disjointed approach restricts the overall efficacy of such attacks. By unifying the gradient-based attack methodology across both stages, Joint-GCG achieves more potent results. The framework's primary contributions include:

1. Cross-Vocabulary Projection (CVP): This innovation addresses the challenge of aligning embedding spaces between the retriever and generator models. By projecting retriever embeddings into the generator's space, CVP facilitates coherent gradient optimizations that guide the combined attack trajectory.
2. Gradient Tokenization Alignment (GTA): This component tackles synchronization issues arising from different tokenization schemes adopted by retrieval and generation models. By harmonizing gradients at the token level, GTA ensures that optimizations reflect consistent influences across both models.
3. Adaptive Weighted Fusion (AWF): AWF dynamically adjusts the balance between retrieval and generation gradients, considering the stability of document retrieval ranks. This adaptability is critical for maintaining the stealth and efficacy of the poisoned inputs.

Empirical Findings

The empirical evaluation of Joint-GCG demonstrates its superiority over existing techniques like Phantom and LIAR, especially in terms of attack success rates. Specifically, it achieves up to 25% higher success across multiple datasets and models (e.g., Llama3 and Qwen2). For example, Joint-GCG attains near-perfect retrieval attack success rates ($ASR_{ret}$) and significantly boosts the generation attack success rates ($ASR_{gen}$), indicating its robust influence on both model components.

The framework also showcases unprecedented transferability, meaning poisons optimized on one model can effectively attack different, unseen model architectures. This attribute crucially shifts the practical landscape of RAG vulnerabilities, as attackers could deploy successful strategies without comprehensive prior knowledge of the target system's configurations.

Implications and Future Directions

The implications of Joint-GCG are multifaceted. Practically, it underscores the vulnerabilities in current RAG systems as they incorporate open-source components that are more accessible to adversaries. Theoretically, the framework enhances the understanding of how integrated model optimization can influence the fidelity of LLM outputs, providing a basis for developing more robust RAG architectures.

The successful implementation of Joint-GCG raises several crucial questions for future research:

• How might RAG systems be hardened against such unified optimization attacks? Developing defenses that consider the retrieval-generation synergy is paramount.
• Can the methodology of gradient alignment and weighted objective fusion be applied to other hybrid ML systems beyond RAG, such as those combining vision and language tasks?
• Further exploration into adversarial examples that maintain low perplexity could advance detection mechanisms, enhancing the robustness of AI systems against sophisticated poisoning attacks.

In conclusion, this paper paves a significant path towards understanding the exploitable intersections of retrieval and generation in AI, advocating for both a reevaluation of system vulnerabilities and the development of comprehensive defense strategies.