Retrieval-Augmented Generation (RAG) is a state-of-the-art technique that
enhances Large Language Models (LLMs) by retrieving relevant knowledge from an
external, non-parametric database. This approach aims to mitigate common LLM
issues such as hallucinations and outdated knowledge. Although existing
research has demonstrated security and privacy vulnerabilities within RAG
systems, making them susceptible to attacks like jailbreaks and prompt
injections, the security of the RAG system's external databases remains largely
underexplored. In this paper, we employ Membership Inference Attacks (MIA) to
determine whether a sample is part of the knowledge database of a RAG system,
using only black-box API access. Our core hypothesis posits that if a sample is
a member, it will exhibit significant similarity to the text generated by the
RAG system. To test this, we compute the cosine similarity and the model's
perplexity to establish a membership score, thereby building robust features.
We then introduce two novel attack strategies: a Threshold-based Attack and a
Machine Learning-based Attack, designed to accurately identify membership.
Experimental validation of our methods has achieved a ROC AUC of 82%.

利用黑盒 API 访问，使用成员推理攻击的方法来确定一份样本是否属于一个 Retrieval-Augmented Generation（RAG）系统的知识数据库，并通过计算余弦相似度和模型的困惑度建立成员评分，提出了两种新的攻击策略：基于阈值的攻击和基于机器学习的攻击。

视可知：针对检索增强生成的黑盒成员推断攻击

Seeing Is Believing: Black-Box Membership Inference Attacks Against  Retrieval Augmented Generation

Retrieval Augmented Generation (RAG) expands the capabilities of modern large
language models (LLMs) in chatbot applications, enabling developers to adapt
and personalize the LLM output without expensive training or fine-tuning. RAG
systems use an external knowledge database to retrieve the most relevant
documents for a given query, providing this context to the LLM generator. While
RAG achieves impressive utility in many applications, its adoption to enable
personalized generative models introduces new security risks. In this work, we
propose new attack surfaces for an adversary to compromise a victim's RAG
system, by injecting a single malicious document in its knowledge database. We
design Phantom, general two-step attack framework against RAG augmented LLMs.
The first step involves crafting a poisoned document designed to be retrieved
by the RAG system within the top-k results only when an adversarial trigger, a
specific sequence of words acting as backdoor, is present in the victim's
queries. In the second step, a specially crafted adversarial string within the
poisoned document triggers various adversarial attacks in the LLM generator,
including denial of service, reputation damage, privacy violations, and harmful
behaviors. We demonstrate our attacks on multiple LLM architectures, including
Gemma, Vicuna, and Llama.

检索增强生成（RAG）通过使用外部知识数据库，扩展现代大型语言模型（LLMs）在聊天机器人应用中的能力，使开发者能够在没有昂贵的训练或微调的情况下调整和个性化 LLM 的输出。本研究提出了针对 RAG 增强 LLMs 的新攻击方式，通过向其知识数据库中注入单个恶意文档来危害受害者的 RAG 系统，从而引发多种针对生成模型的恶意攻击。