Papers
Topics
Authors
Recent
Search
2000 character limit reached

CleanBase: Graph-based Defense for RAG

Updated 5 July 2026
  • CleanBase is a graph-based defense mechanism that identifies semantically similar malicious document groups to protect retrieval-augmented generation systems.
  • It embeds documents with Contriever-msmarco, constructs a kNN similarity graph, and applies statistical pruning with a clique detection rule.
  • The approach lowers prompt injection attack success while preserving utility, achieving low false positive rates with fast, offline sanitization.

CleanBase is a graph-based defense for retrieval-augmented generation that detects malicious documents in a knowledge database before deployment. It addresses prompt injection attacks in which an adversary inserts poisoned documents containing attacker-crafted instructions so that, for targeted questions, the retriever returns those documents and the LLM produces attacker-specified answers. The central idea is that malicious documents crafted for the same target question set often remain semantically similar to one another, because they must be jointly retrievable and mutually reinforcing. CleanBase exploits that regularity by embedding the corpus, constructing a similarity graph, pruning it with a statistically chosen threshold, and flagging clique-structured groups of highly similar documents as malicious (Jin et al., 1 May 2026).

1. Problem formulation and threat model

CleanBase assumes a standard RAG pipeline with a knowledge database D={d1,d2,}D=\{d_1,d_2,\dots\}, a retriever composed of an embedding model ff and similarity function ss, and an LLM that answers a user question qq from the retrieved top-NN documents. In the experimental setup, the default retrieval depth is N=5N=5. A malicious document is one inserted into the knowledge database with an injected prompt intended to manipulate generation rather than merely retrieval. The attack model permits the adversary to insert multiple malicious documents for each targeted question set Q1,Q2,,QtQ_1,Q_2,\dots,Q_t, with mm malicious documents per target set in the theoretical analysis (Jin et al., 1 May 2026).

The method is explicitly a knowledge-database defense, not a retrieval-time filter and not a model-side alignment scheme. It is applied offline to sanitize the corpus before the RAG system is served. That design choice matters operationally: once malicious documents are removed, the deployed RAG system incurs no per-query defense overhead. CleanBase also does not require the defender to use the same embedding model as the retriever. The detector uses its own embedding model ff', and the paper emphasizes that ff' need not match the retriever’s ff0.

The motivating hypothesis is collective rather than document-local. Benign documents can certainly be semantically similar, but same-target malicious documents are expected to form unusually tight semantic groups because they are engineered to retrieve together for the same question family and to promote the same attacker-controlled answer. CleanBase therefore treats maliciousness as an emergent graph pattern rather than as a per-document signature.

2. Similarity graph construction and clique-based decision rule

The method has three steps: document embedding and graph construction, statistical pruning, and clique detection. First, each document ff1 is mapped to an embedding ff2. In the default configuration, CleanBase uses Contriever-msmarco as ff3 and cosine similarity as ff4. It then constructs a weighted graph ff5, where each node corresponds to a document and each edge weight is

ff6

Step I uses a ff7-nearest-neighbor graph. The paper studies both mutual ff8NN and either-direction ff9NN, but the default experimental setting uses the either-direction rule: an edge is created if ss0 is among the ss1 most similar documents of ss2, or ss3 is among the ss4 most similar documents of ss5. The default is ss6 (Jin et al., 1 May 2026).

Component Default Function
Embedding model ss7 Contriever-msmarco Detector-side document embedding
Similarity ss8 Cosine similarity Edge weighting
Neighborhood size ss9 Sparse graph construction
Threshold parameter qq0 Statistical pruning
Edge sampling 50% of edges Estimate qq1
Clique algorithm Bron–Kerbosch Detect dense malicious groups
Malicious criterion Clique size qq2 Flag document as malicious

After pruning, CleanBase runs Bron–Kerbosch to find cliques in the pruned graph. A document is classified as malicious if its node belongs to at least one clique of size at least three. All such documents are then removed from the knowledge database. This criterion is deliberately collective: a single suspicious document is not sufficient, and the method instead looks for tightly connected groups that are anomalously coherent under the detector’s semantic representation.

3. Statistical thresholding and theoretical analysis

The critical pruning rule is

qq3

where qq4 and qq5 are the mean and standard deviation of sampled edge weights from the qq6NN graph. In the experiments, 50% of edges are sampled to estimate these quantities, and the default is qq7. The retained edge set is

qq8

This step is intended to preserve only unusually strong semantic connections. The paper argues that benign edge weights are approximately Gaussian-like, so qq9 isolates statistical outliers.

The theoretical analysis is carried out under the mutual NN0NN assumption. Let NN1 be the number of benign documents, NN2 the number of target question sets, and NN3 the number of malicious documents inserted per target set, so the database contains NN4 documents. Same-target malicious similarities are modeled by a distribution with CDF NN5, and all other pair types by a distribution with CDF NN6. A key quantity is

NN7

the probability that a non-same-target pair exceeds the pruning threshold.

Under those assumptions, CleanBase derives an upper bound on false positive rate:

NN8

with

NN9

For false negatives, assuming N=5N=50, it derives

N=5N=51

where

N=5N=52

and

N=5N=53

The interpretation is straightforward. If thresholding makes N=5N=54 small, benign nodes are unlikely to participate in cliques. If same-target malicious pairs frequently exceed threshold, so that N=5N=55 is large, malicious nodes are likely to form at least a triangle and thus be detected. These are statistical rather than adversarially worst-case guarantees, and they depend on the assumed similarity distributions and mutual-N=5N=56NN construction (Jin et al., 1 May 2026).

4. Empirical evaluation

CleanBase is evaluated on six knowledge bases: NQ, HotpotQA, FiQA, ArguAna, SciFact, and FEVER. Their scales range from 5,183 documents in SciFact to 5,416,568 documents in FEVER. The evaluation covers nine prompt-injection attacks: Naive Attack (NA), Context Ignoring (CI), Fake Completion (FC), Combined Attack (CA), Mixed Attack (MA), PoisonedRAG white-box (PW), PoisonedRAG black-box (PB), GASLITEing (GL), and Phantom (PT). The end-to-end RAG experiments use six open-source LLMs: Llama2-7B, Mistral-7B, Llama3-8B, Qwen2.5-7B, Llama4-17B, and Qwen3-32B, with temperature N=5N=57 and maximum output length N=5N=58 (Jin et al., 1 May 2026).

Detection performance is characterized primarily by low false positives and attack-dependent false negatives. The average FPR of CleanBase is around 1.9% for most attacks and 1.6% for Phantom. Average FNR by attack is 0.0% for NA, 0.3% for CI, 0.8% for FC, 0.0% for CA, 2.0% for MA, 34.2% for PW, 5.7% for PB, 0.0% for GL, and 16.5% for PT. CleanBase is therefore strongest against the direct injection attacks, PoisonedRAG-B, and GASLITEing, and weaker against PoisonedRAG-W and Phantom. Dataset-specific PB examples include NQ with FPR 1.8% and FNR 9.6%, HotpotQA with 4.0% and 1.0%, SciFact with 0.1% and 0.0%, and FEVER with 3.4% and 13.0%.

End-to-end protection is measured by attack success rate and malicious precision in the retrieved set. The paper highlights HotpotQA under PoisonedRAG-B, where ASR drops from 97% to 6% after removing flagged documents. Averaged over attacks and datasets, CleanBase achieves an ASR of 9%, comparable to PromptGuard and TrustRAG, and substantially below MetaSecAlign at 38.5% and DataSentinel at 42.6%. The hardest case remains PW: the average CleanBase ASR there is 29.5%, whereas it is 0.0% for GL and between 5.2 and 11.5 for the remaining non-PW attacks.

Utility preservation is a central empirical claim. On original non-target questions, No Defense reports Hit 66.0, Recall 53.9, and ACC 74.7, while CleanBase reports Hit 65.7, Recall 53.6, and ACC 75.1. On generated questions tied to documents that a defense removed as false positives, No Defense has average Recall/ACC 93.8/83.4 and CleanBase has 85.0/82.8. The utility degradation is therefore limited relative to stronger-removal baselines. Runtime is also favorable: on FiQA, PromptGuard takes 13 minutes, DataSentinel 614 minutes, and CleanBase 1 minute.

5. Comparative position, ablations, and failure modes

CleanBase is positioned against defenses that secure different parts of the RAG stack. MetaSecAlign secures the LLM, TrustRAG and ReliabilityRAG secure the retriever, and PromptGuard and DataSentinel secure the knowledge database. CleanBase differs from PromptGuard and DataSentinel by using collective graph structure rather than document-local prompt-injection classification. It differs from retriever-side defenses by incurring no per-query overhead after sanitization. Its distinctive contribution is to frame malicious-document detection as graph mining over document embeddings (Jin et al., 1 May 2026).

The ablations show that each stage is necessary. Without Step II, FPR exceeds 99%. Without Step I, FiQA FPR rises to about 25–26%, and on NQ the ablation becomes computationally infeasible because the graph becomes too large. Replacing clique detection with a densest-subgraph variant yields similar FPR but worse FNR; for example, on NQ/PB, CleanBase-Dense has FNR 16.6% versus 9.6% for CleanBase, and on NQ/MA, 15.4% versus 4.6%. Mutual N=5N=59NN lowers FPR slightly but raises FNR substantially: averaged over attacks and datasets, CleanBase-Mutual yields FPR 1.5% and FNR 13.4%, compared with the default CleanBase at 1.9% and 6.6%.

Performance is sensitive to the embedding model and similarity function. Contriever-msmarco provides the best balance. ANCE can yield very high FNR, including 92.6% on NQ/PB. Dot product performs poorly as a similarity function, while cosine similarity performs best overall; on NQ/PB, dot product gives FNR 91.4%, Euclidean distance 31.6%, and cosine 9.6%. The hyperparameters Q1,Q2,,QtQ_1,Q_2,\dots,Q_t0 and Q1,Q2,,QtQ_1,Q_2,\dots,Q_t1 control the expected trade-off: increasing Q1,Q2,,QtQ_1,Q_2,\dots,Q_t2 raises FPR and lowers FNR, while increasing Q1,Q2,,QtQ_1,Q_2,\dots,Q_t3 lowers FPR and raises FNR.

The principal limitations are adaptive attacks and low-cardinality poisoning. A black-box adaptive attack can paraphrase malicious documents to reduce their inter-document similarity. A white-box adaptive attack can optimize each malicious document to remain similar to the target query under the retriever embedding Q1,Q2,,QtQ_1,Q_2,\dots,Q_t4 while becoming dissimilar to peers under the detector embedding Q1,Q2,,QtQ_1,Q_2,\dots,Q_t5. Under these conditions, adaptive PoisonedRAG-B yields average FPR 1.9%, FNR 20.3%, and ASR 20.0%, while adaptive PoisonedRAG-W yields average FPR 1.9%, FNR 96.1%, and ASR 37.3%. CleanBase also cannot detect attack groups containing at most two malicious documents per target question, because the decision rule requires cliques of size at least three. The paper nevertheless argues that these evasions impose a success cost on the attacker: on NQ, PoisonedRAG-W ASR drops from 90% to 60% after reducing inter-document similarity, and on FiQA, reducing malicious documents per target from five to two lowers PoisonedRAG-B ASR from 42% to 29%.

6. Scope and relation to broader cleaning research

CleanBase belongs to a broader research landscape in which “cleaning” can refer to several distinct technical problems. A plausible source of confusion is the existence of tabular-data cleaning systems such as BClean, which formulates unsupervised structured-data repair as Bayesian inference over an automatically constructed Bayesian network (Häfner et al., 2023), and TabClean, which compiles LLM reasoning into reusable guarded Python cleaning programs for schema-compatible tabular batches (Wang et al., 24 Jun 2026). Those systems repair cell values in structured data, whereas CleanBase sanitizes RAG knowledge databases against malicious prompt-injection documents.

Within RAG security, CleanBase is best understood as an offline corpus defense with a specific operating assumption: successful attacks frequently require multiple semantically aligned malicious documents per target question set. When that assumption holds, clique detection over a pruned similarity graph is effective, scalable, and utility-preserving. When attackers can diversify poisoned documents aggressively, optimize against the detector’s embedding space, or operate with only one or two malicious documents per target, the method weakens substantially. The resulting picture is neither that CleanBase solves prompt injection in full nor that it is merely heuristic. Rather, it supplies a concrete first-line sanitization layer whose strengths, failure modes, and statistical behavior are precisely articulated in the original formulation (Jin et al., 1 May 2026).

Topic to Video (Beta)

No one has generated a video about this topic yet.

Whiteboard

No one has generated a whiteboard explanation for this topic yet.

Follow Topic

Get notified by email when new papers are published related to CleanBase.