Retrieval Augmented Generation (RAG) expands the capabilities of modern large language models (LLMs) in chatbot applications, enabling developers to adapt and personalize the LLM output without expensive training or fine-tuning. RAG systems use an external knowledge database to retrieve the most relevant documents for a given query, providing this context to the LLM generator. While RAG achieves impressive utility in many applications, its adoption to enable personalized generative models introduces new security risks. In this work, we propose new attack surfaces for an adversary to compromise a victim's RAG system, by injecting a single malicious document in its knowledge database. We design Phantom, general two-step attack framework against RAG augmented LLMs. The first step involves crafting a poisoned document designed to be retrieved by the RAG system within the top-k results only when an adversarial trigger, a specific sequence of words acting as backdoor, is present in the victim's queries. In the second step, a specially crafted adversarial string within the poisoned document triggers various adversarial attacks in the LLM generator, including denial of service, reputation damage, privacy violations, and harmful behaviors. We demonstrate our attacks on multiple LLM architectures, including Gemma, Vicuna, and Llama.

检索增强生成（RAG）通过使用外部知识数据库，扩展现代大型语言模型（LLMs）在聊天机器人应用中的能力，使开发者能够在没有昂贵的训练或微调的情况下调整和个性化LLM的输出。本研究提出了针对RAG增强LLMs的新攻击方式，通过向其知识数据库中注入单个恶意文档来危害受害者的RAG系统，从而引发多种针对生成模型的恶意攻击。

幻影：检索增强语言生成的一般触发攻击