Papers
Topics
Authors
Recent
Search
2000 character limit reached

LogicPoison: Logical Attacks on Graph Retrieval-Augmented Generation

Published 3 Apr 2026 in cs.CL and cs.AI | (2604.02954v1)

Abstract: Graph-based Retrieval-Augmented Generation (GraphRAG) enhances the reasoning capabilities of LLMs by grounding their responses in structured knowledge graphs. Leveraging community detection and relation filtering techniques, GraphRAG systems demonstrate inherent resistance to traditional RAG attacks, such as text poisoning and prompt injection. However, in this paper, we find that the security of GraphRAG systems fundamentally relies on the topological integrity of the underlying graph, which can be undermined by implicitly corrupting the logical connections, without altering surface-level text semantics. To exploit this vulnerability, we propose \textsc{LogicPoison}, a novel attack framework that targets logical reasoning rather than injecting false contents. Specifically, \textsc{LogicPoison} employs a type-preserving entity swapping mechanism to perturb both global logic hubs for disrupting overall graph connectivity and query-specific reasoning bridges for severing essential multi-hop inference paths. This approach effectively reroutes valid reasoning into dead ends while maintaining surface-level textual plausibility. Comprehensive experiments across multiple benchmarks demonstrate that \textsc{LogicPoison} successfully bypasses GraphRAG's defenses, significantly degrading performance and outperforming state-of-the-art baselines in both effectiveness and stealth. Our code is available at \textcolor{blue}https://github.com/Jord8061/logicPoison.

Summary

  • The paper introduces the LogicPoison framework that strategically perturbs logical graph structures in GraphRAG using a type-preserving entity swapping strategy.
  • The paper demonstrates that LogicPoison significantly outperforms prior methods with over 90% attack success in multi-hop inference across benchmarks such as HotpotQA and MuSiQue.
  • The paper reveals that conventional defenses like paraphrasing and perplexity detection are ineffective, highlighting the need for robust logic-level countermeasures in GraphRAG systems.

LogicPoison: Logical Attacks on Graph Retrieval-Augmented Generation

Motivation and Background

Graph-based Retrieval-Augmented Generation (GraphRAG) architectures have recently emerged as a robust means of enhancing multi-hop reasoning in LLMs by embedding external knowledge in graph structures. This topological organization offers substantial advantages over traditional RAG systems, including inherent resilience to prompt injection, corpus poisoning, and retriever attacks due to information filtering and structural reasoning mechanisms.

However, the security posture of these systems, while robust against surface-level and content-based attacks, harbors an underexplored vulnerability: the reliance on logical graph connectivity rather than explicit textual information transfer. Existing attacks either inject detectable adversarial content or disrupt only isolated nodes, but do not strategically undermine the integrity of reasoning paths at the graph level. The LogicPoison framework directly addresses this axis of vulnerability. Figure 1

Figure 1: Traditional attacks against LLMs or RAG are largely neutralized by the graph construction and reasoning mechanisms in GraphRAG architectures.

The LogicPoison Attack Framework

LogicPoison targets GraphRAG systems by perturbing the logical structure of the induced knowledge graph via a novel type-preserving entity swapping strategy. Rather than adding spurious data, it minimally rewrites surface entities in the corpus such that the resultant KB graph is topologically distorted, causing plausible-appearing but logically incorrect inference chains. The framework operates in three phases:

  1. Strategic Entity Selection: The attack identifies target entities by combining global logic hub selection (high-frequency entities critical to graph connectivity) and query-centric bridge identification (entities indispensable for specific reasoning paths).
  2. Type-Preserving Cyclic Permutation: Perturbation is implemented as a strict permuted swap within entity type buckets, preserving grammar and semantic plausibility at the text level and bypassing conventional syntactic or semantic anomaly filters.
  3. Implicit Graph Corruption: On ingestion, the GraphRAG system constructs a corrupted reasoning graph, misrouting inference traversals along dead ends or shortcut paths inconsistent with ground truth logic. Figure 2

    Figure 2: LogicPoison framework: target entities are selected from global hubs and reasoning bridges, swapped within type, and the poisoned corpus induces subtle graph rewiring, breaking valid reasoning.

This approach is fundamentally orthogonal to conventional attacks—it exploits the dynamic logical reasoning basis of GraphRAGs rather than superficial content, representing a shift in attack surface from data-level to topology-level manipulation.

Experimental Results

Attack Efficacy

LogicPoison is empirically validated across HotpotQA, 2WikiMultihopQA, and MuSiQue, spanning a range of reasoning complexities. The framework significantly outperforms the current state-of-the-art PoisonedRAG in both Attack Success Rate (ASR) and semantic evaluation (ASR-G) across multiple base LLMs and three representative GraphRAG architectures (Microsoft GraphRAG, GFM-RAG, HippoRAG 2). The improvement margin is particularly pronounced in tasks requiring multi-hop inference, with ASR-G typically exceeding 90% even against SOTA defenses.

Efficiency and Stealth

Efficiency analysis demonstrates that LogicPoison is computationally an order of magnitude faster than content-injection baselines, with negligible increases in corpus token count and no introduction of extraneous content. Its perturbations are nearly undetectable using perplexity-based anomaly detection (AUC ≈ 0.57, indistinguishable from random guessing). Figure 3

Figure 3: Perplexity-based detection for LogicPoison yields near-chance performance, evidencing strong stealth properties.

Ablation Analysis

Ablation confirms that both global hub targeting and query-centric bridge targeting are independently potent, but their combination yields maximal attack efficacy. Query-centric targeting is essential for consistent disruption of multi-hop inference chains, while global logic hub corruption amplifies overall reasoning degradation across the graph. Figure 4

Figure 4: Ablation study shows that full LogicPoison (global + query-centric) achieves consistently higher attack success rates than either component alone.

Analysis of Defense Mechanisms

Paraphrasing and Knowledge Referencing

Query paraphrasing defenses, effective against prompt injection and some LLM attacks, are largely ineffective against LogicPoison (ASR delta <1%), since core entity semantics—rather than phrasing—determine attack coverage. LLM internal knowledge referencing is also largely negated by the strict reliance of GraphRAG on external KBs and retrieval constraints.

Poisoning Text Identification

Traditional quality-based filtering via perplexity or shallow data validation does not identify entities involved in LogicPoison’s permutations because the type-preserving mechanism retains semantic fluency and local grammaticality, ensuring evasion of alignment and filtering layers downstream.

Theoretical Implications

LogicPoison exposes a structural vulnerability in graph-centric reasoning engines: sabotage of global or bridge entities, even with imperceptible surface cue, can dismantle the multi-hop inference capacity of the system. This aligns with percolation and spectral graph theory, wherein connectivity disruption at high-centrality nodes induces catastrophic failures in information propagation and network efficiency.

Moreover, the findings contest the prevailing assumption that graph-based retrieval confers robust, general-purpose defense against content-based adversarial strategies. Instead, resilience at the topological level requires explicit robustness to structural logic corruption; as LLM-driven extraction and traversal grow more sophisticated, so too will stealthy, topology-targeted attacks.

Practical Impact and Future Directions

On the practical front, LogicPoison demonstrates that advanced attackers can mount highly efficient, stealthy, and transferable attacks against deployed GraphRAG systems, bypassing current defense postures with minimal resource footprint. The attack’s independence from graph index pre-inspection and its persistence under graph construction variances point toward broad applicability—and heightened risk—in real-world graph-augmented enterprise LLM deployments and knowledge-driven agent frameworks.

On a theoretical axis, efforts must now shift toward robustifying entity linking, KB induction, and reasoning path traversal to detect and remediate topological sabotage. Future advancements could include graph-theoretic verification, algebraic redundancy in inference chains, and dynamic anomaly detection targeting spectral shifts in the reasoning graph. Extension to multilingual and morphologically rich scenarios will challenge entity-swapping concealment and demand language-specific logical integrity guarantees. Figure 5

Figure 5: Hyperparameter sensitivity analysis for LogicPoison’s global entity targeting parameter.

Conclusion

LogicPoison formalizes and exploits a critical class of vulnerabilities in GraphRAG systems by corrupting logical reasoning structures via type-consistent entity permutations. Empirical results substantiate its superiority in efficiency, stealth, and efficacy over prior work, with negligible defensive response from existing countermeasures. The work underscores the imperative for logic-level robustness in future graph-augmented LLM architectures and catalyzes new directions for secure, structurally resilient knowledge-driven AI systems.

Paper to Video (Beta)

No one has generated a video about this paper yet.

Whiteboard

No one has generated a whiteboard explanation for this paper yet.

Open Problems

We found no open problems mentioned in this paper.

Collections

Sign up for free to add this paper to one or more collections.