- The paper introduces the LogicPoison framework that strategically perturbs logical graph structures in GraphRAG using a type-preserving entity swapping strategy.
- The paper demonstrates that LogicPoison significantly outperforms prior methods with over 90% attack success in multi-hop inference across benchmarks such as HotpotQA and MuSiQue.
- The paper reveals that conventional defenses like paraphrasing and perplexity detection are ineffective, highlighting the need for robust logic-level countermeasures in GraphRAG systems.
LogicPoison: Logical Attacks on Graph Retrieval-Augmented Generation
Motivation and Background
Graph-based Retrieval-Augmented Generation (GraphRAG) architectures have recently emerged as a robust means of enhancing multi-hop reasoning in LLMs by embedding external knowledge in graph structures. This topological organization offers substantial advantages over traditional RAG systems, including inherent resilience to prompt injection, corpus poisoning, and retriever attacks due to information filtering and structural reasoning mechanisms.
However, the security posture of these systems, while robust against surface-level and content-based attacks, harbors an underexplored vulnerability: the reliance on logical graph connectivity rather than explicit textual information transfer. Existing attacks either inject detectable adversarial content or disrupt only isolated nodes, but do not strategically undermine the integrity of reasoning paths at the graph level. The LogicPoison framework directly addresses this axis of vulnerability.
Figure 1: Traditional attacks against LLMs or RAG are largely neutralized by the graph construction and reasoning mechanisms in GraphRAG architectures.
The LogicPoison Attack Framework
LogicPoison targets GraphRAG systems by perturbing the logical structure of the induced knowledge graph via a novel type-preserving entity swapping strategy. Rather than adding spurious data, it minimally rewrites surface entities in the corpus such that the resultant KB graph is topologically distorted, causing plausible-appearing but logically incorrect inference chains. The framework operates in three phases:
- Strategic Entity Selection: The attack identifies target entities by combining global logic hub selection (high-frequency entities critical to graph connectivity) and query-centric bridge identification (entities indispensable for specific reasoning paths).
- Type-Preserving Cyclic Permutation: Perturbation is implemented as a strict permuted swap within entity type buckets, preserving grammar and semantic plausibility at the text level and bypassing conventional syntactic or semantic anomaly filters.
- Implicit Graph Corruption: On ingestion, the GraphRAG system constructs a corrupted reasoning graph, misrouting inference traversals along dead ends or shortcut paths inconsistent with ground truth logic.
Figure 2: LogicPoison framework: target entities are selected from global hubs and reasoning bridges, swapped within type, and the poisoned corpus induces subtle graph rewiring, breaking valid reasoning.
This approach is fundamentally orthogonal to conventional attacks—it exploits the dynamic logical reasoning basis of GraphRAGs rather than superficial content, representing a shift in attack surface from data-level to topology-level manipulation.
Experimental Results
Attack Efficacy
LogicPoison is empirically validated across HotpotQA, 2WikiMultihopQA, and MuSiQue, spanning a range of reasoning complexities. The framework significantly outperforms the current state-of-the-art PoisonedRAG in both Attack Success Rate (ASR) and semantic evaluation (ASR-G) across multiple base LLMs and three representative GraphRAG architectures (Microsoft GraphRAG, GFM-RAG, HippoRAG 2). The improvement margin is particularly pronounced in tasks requiring multi-hop inference, with ASR-G typically exceeding 90% even against SOTA defenses.
Efficiency and Stealth
Efficiency analysis demonstrates that LogicPoison is computationally an order of magnitude faster than content-injection baselines, with negligible increases in corpus token count and no introduction of extraneous content. Its perturbations are nearly undetectable using perplexity-based anomaly detection (AUC ≈ 0.57, indistinguishable from random guessing).
Figure 3: Perplexity-based detection for LogicPoison yields near-chance performance, evidencing strong stealth properties.
Ablation Analysis
Ablation confirms that both global hub targeting and query-centric bridge targeting are independently potent, but their combination yields maximal attack efficacy. Query-centric targeting is essential for consistent disruption of multi-hop inference chains, while global logic hub corruption amplifies overall reasoning degradation across the graph.
Figure 4: Ablation study shows that full LogicPoison (global + query-centric) achieves consistently higher attack success rates than either component alone.
Analysis of Defense Mechanisms
Paraphrasing and Knowledge Referencing
Query paraphrasing defenses, effective against prompt injection and some LLM attacks, are largely ineffective against LogicPoison (ASR delta <1%), since core entity semantics—rather than phrasing—determine attack coverage. LLM internal knowledge referencing is also largely negated by the strict reliance of GraphRAG on external KBs and retrieval constraints.
Poisoning Text Identification
Traditional quality-based filtering via perplexity or shallow data validation does not identify entities involved in LogicPoison’s permutations because the type-preserving mechanism retains semantic fluency and local grammaticality, ensuring evasion of alignment and filtering layers downstream.
Theoretical Implications
LogicPoison exposes a structural vulnerability in graph-centric reasoning engines: sabotage of global or bridge entities, even with imperceptible surface cue, can dismantle the multi-hop inference capacity of the system. This aligns with percolation and spectral graph theory, wherein connectivity disruption at high-centrality nodes induces catastrophic failures in information propagation and network efficiency.
Moreover, the findings contest the prevailing assumption that graph-based retrieval confers robust, general-purpose defense against content-based adversarial strategies. Instead, resilience at the topological level requires explicit robustness to structural logic corruption; as LLM-driven extraction and traversal grow more sophisticated, so too will stealthy, topology-targeted attacks.
Practical Impact and Future Directions
On the practical front, LogicPoison demonstrates that advanced attackers can mount highly efficient, stealthy, and transferable attacks against deployed GraphRAG systems, bypassing current defense postures with minimal resource footprint. The attack’s independence from graph index pre-inspection and its persistence under graph construction variances point toward broad applicability—and heightened risk—in real-world graph-augmented enterprise LLM deployments and knowledge-driven agent frameworks.
On a theoretical axis, efforts must now shift toward robustifying entity linking, KB induction, and reasoning path traversal to detect and remediate topological sabotage. Future advancements could include graph-theoretic verification, algebraic redundancy in inference chains, and dynamic anomaly detection targeting spectral shifts in the reasoning graph. Extension to multilingual and morphologically rich scenarios will challenge entity-swapping concealment and demand language-specific logical integrity guarantees.
Figure 5: Hyperparameter sensitivity analysis for LogicPoison’s global entity targeting parameter.
Conclusion
LogicPoison formalizes and exploits a critical class of vulnerabilities in GraphRAG systems by corrupting logical reasoning structures via type-consistent entity permutations. Empirical results substantiate its superiority in efficiency, stealth, and efficacy over prior work, with negligible defensive response from existing countermeasures. The work underscores the imperative for logic-level robustness in future graph-augmented LLM architectures and catalyzes new directions for secure, structurally resilient knowledge-driven AI systems.