Papers
Topics
Authors
Recent
2000 character limit reached

AIP: Subverting Retrieval-Augmented Generation via Adversarial Instructional Prompt (2509.15159v1)

Published 18 Sep 2025 in cs.CV and cs.CL

Abstract: Retrieval-Augmented Generation (RAG) enhances LLMs by retrieving relevant documents from external sources to improve factual accuracy and verifiability. However, this reliance introduces new attack surfaces within the retrieval pipeline, beyond the LLM itself. While prior RAG attacks have exposed such vulnerabilities, they largely rely on manipulating user queries, which is often infeasible in practice due to fixed or protected user inputs. This narrow focus overlooks a more realistic and stealthy vector: instructional prompts, which are widely reused, publicly shared, and rarely audited. Their implicit trust makes them a compelling target for adversaries to manipulate RAG behavior covertly. We introduce a novel attack for Adversarial Instructional Prompt (AIP) that exploits adversarial instructional prompts to manipulate RAG outputs by subtly altering retrieval behavior. By shifting the attack surface to the instructional prompts, AIP reveals how trusted yet seemingly benign interface components can be weaponized to degrade system integrity. The attack is crafted to achieve three goals: (1) naturalness, to evade user detection; (2) utility, to encourage use of prompts; and (3) robustness, to remain effective across diverse query variations. We propose a diverse query generation strategy that simulates realistic linguistic variation in user queries, enabling the discovery of prompts that generalize across paraphrases and rephrasings. Building on this, a genetic algorithm-based joint optimization is developed to evolve adversarial prompts by balancing attack success, clean-task utility, and stealthiness. Experimental results show that AIP achieves up to 95.23% ASR while preserving benign functionality. These findings uncover a critical and previously overlooked vulnerability in RAG systems, emphasizing the need to reassess the shared instructional prompts.

Summary

  • The paper introduces AIP, a novel three-stage attack that exploits instructional prompts to subvert retrieval-augmented generation systems.
  • It employs trigger initialization, diverse query transformation, and genetic algorithm optimization to maintain naturalness while achieving high adversarial success rates.
  • Experimental results across multiple datasets show AIP outperforms baselines, highlighting an urgent need for enhanced RAG security measures.

Adversarial Instructional Prompt: A Novel Attack on Retrieval-Augmented Generation

Introduction

The paper "AIP: Subverting Retrieval-Augmented Generation via Adversarial Instructional Prompt" (2509.15159) articulates a unique and potent vulnerability in Retrieval-Augmented Generation (RAG) systems. This attack vector utilizes adversarial instructional prompts (AIPs) to compromise RAG systems' integrity without altering user queries or retriever internals. Specifically, this study centers on exploiting instructional prompts—widely shared and seldom scrutinized interfaces—as an attack surface, thereby introducing a systematic paradigm shift from user query manipulation to prompt-based subversion strategies.

Attack Methodology

AIP introduces a three-stage attack method designed to maintain naturalness and utility while maximizing robustness across varied queries. The method is engineered to achieve an impressive attack success rate (ASR) while maintaining high adversarial clean accuracy (ACA).

  • Stage I: Prompt and Document Initialization: This stage utilizes a trigger mechanism embedded within instructional prompts and documents. A LLM iteratively refines the triggers to ensure their naturalness and semantic alignment, as determined by intent alignment and fluency scores. This initialization process employs an LLM-guided generator to maintain the coherence and detection resistance of the adversarial prompt and document pair.
  • Stage II: Diverse Query Generation: Here, the method simulates linguistic variations in queries through LLM-generated transformations. By leveraging paraphrasing and lexical substitutions, this stage maximizes the adversarial prompt's robustness against diverse queries while maintaining semantic intent.
  • Stage III: Adversarial Joint Optimization: Utilizing a genetic algorithm, this stage optimizes the adversarial prompt and document with genetic operators to maximize attack efficacy and clean-task performance. Key fitness objectives include maximizing adversarial document alignment with targeted queries and minimizing false retrieval of clean documents. Figure 1

    Figure 1: Illustration of Normal and AIP attack scenarios.

Evaluation and Results

Experimental evaluations demonstrate the efficacy of AIP across three distinct datasets: MedSquad, AmazonQA, and MoviesQA, using metrics such as ASR and ACA. AIP consistently exceeds the performance of baseline methods (e.g., Corpus Poisoning, Prompt Injection) in attack success, with ASR reaching up to 95.23%. This signifies a substantial enhancement over existing RAG attack frameworks, revealing the practicality and stealth of using instructional prompts as an attacking vector. Figure 2

Figure 2: AIP Overview.

AIP's robustness is evident in its compatibility with varying LLMs (e.g., GPT-3.5 Turbo, GPT-4), high ASR across different retrieval settings, and a significant increase in ACA, demonstrating the attack's utility without impairing benign query processing. Moreover, its naturalness is validated using a combination of human-like assessments and NLP metrics, where AIP documents exhibit superior fluency and coherence compared to baselines.

Implications and Future Directions

AIP's implications are significant, necessitating a critical reassessment of instructional prompts' security in RAG systems. The attack delineates a previously uncharted vector wherein attackers can leverage implicitly trusted components—prompts—to introduce subtle yet potent biases in generated outputs. This insight prompts urgent consideration for enhanced defenses, such as multi-stage retrieval mechanisms and cross-verification protocols, to preserve RAG systems' integrity.

In future work, exploring dynamic prompt templating and adaptive security layers could further fortify RAG architectures against adversarial manipulations. Additionally, comprehensive human evaluations will enrich approaches for differentiating adversarial from benign documents, augmenting detection efficacy in real-world applications.

Conclusion

The study decisively highlights a critical yet overlooked vulnerability within RAG systems through the conception of AIP. By strategically targeting instructional prompts, adversaries can spitefully manipulate document retrieval processes covertly and effectively. This research underscores the pivotal need for robust defenses tailored to safeguarding against such prompt-based adversarial exploits in evolving NLP applications.

File Document Download Save Streamline Icon: https://streamlinehq.com PDF File Document Download Save Streamline Icon: https://streamlinehq.com Markdown

Whiteboard

Paper to Video (Beta)

Open Problems

We haven't generated a list of open problems mentioned in this paper yet.

Ai Sparkles Streamline Icon: https://streamlinehq.com Generate Now

Collections

Sign up for free to add this paper to one or more collections.

User Circle Single Streamline Icon: https://streamlinehq.com Sign Up