Large language models (LLMs) have raised concerns about potential security
threats despite performing significantly in Natural Language Processing (NLP).
Backdoor attacks initially verified that LLM is doing substantial harm at all
stages, but the cost and robustness have been criticized. Attacking LLMs is
inherently risky in security review, while prohibitively expensive. Besides,
the continuous iteration of LLMs will degrade the robustness of backdoors. In
this paper, we propose TrojanRAG, which employs a joint backdoor attack in the
Retrieval-Augmented Generation, thereby manipulating LLMs in universal attack
scenarios. Specifically, the adversary constructs elaborate target contexts and
trigger sets. Multiple pairs of backdoor shortcuts are orthogonally optimized
by contrastive learning, thus constraining the triggering conditions to a
parameter subspace to improve the matching. To improve the recall of the RAG
for the target contexts, we introduce a knowledge graph to construct structured
data to achieve hard matching at a fine-grained level. Moreover, we normalize
the backdoor scenarios in LLMs to analyze the real harm caused by backdoors
from both attackers' and users' perspectives and further verify whether the
context is a favorable tool for jailbreaking models. Extensive experimental
results on truthfulness, language understanding, and harmfulness show that
TrojanRAG exhibits versatility threats while maintaining retrieval capabilities
on normal queries.

利用 Retrieval-Augmented Generation 进行联合后门攻击，针对大型语言模型（LLMs）的安全威胁进行探讨，通过构建精巧的目标上下文和触发器集合，通过对比学习优化多对后门快捷方式，从而限制触发条件以提高匹配率，并引入知识图谱进行结构化数据构建实现目标上下文的精确匹配，验证后门对 LLMs 的真实伤害以及上下文是否为越狱模型提供有利工具，实验证明 TrojanRAG 在正常查询中保持检索能力同时展示多样化的安全威胁。