Dense embedding-based text retrieval$\unicode{x2013}$retrieval of relevant passages from corpora via deep learning encodings$\unicode{x2013}$has emerged as a powerful method attaining state-of-the-art search results and popularizing Retrieval Augmented Generation (RAG). Still, like other search methods, embedding-based retrieval may be susceptible to search-engine optimization (SEO) attacks, where adversaries promote malicious content by introducing adversarial passages to corpora. Prior work has shown such SEO is feasible, mostly demonstrating attacks against retrieval-integrated systems (e.g., RAG). Yet, these consider relaxed SEO threat models (e.g., targeting single queries), use baseline attack methods, and provide small-scale retrieval evaluation, thus obscuring our comprehensive understanding of retrievers' worst-case behavior. This work aims to faithfully and thoroughly assess retrievers' robustness, paving a path to uncover factors related to their susceptibility to SEO. To this end, we, first, propose the GASLITE attack for generating adversarial passages, that$\unicode{x2013}$without relying on the corpus content or modifying the model$\unicode{x2013}$carry adversary-chosen information while achieving high retrieval ranking, consistently outperforming prior approaches. Second, using GASLITE, we extensively evaluate retrievers' robustness, testing nine advanced models under varied threat models, while focusing on pertinent adversaries targeting queries on a specific concept (e.g., a public figure). Amongst our findings: retrievers are highly vulnerable to SEO against concept-specific queries, even under negligible poisoning rates (e.g., $\geq$0.0001% of the corpus), while generalizing across different corpora and query distributions; single-query SEO is completely solved by GASLITE; adaptive attacks demonstrate bypassing common defenses; [...]

翻译：基于稠密嵌入的文本检索——即通过深度学习编码从语料库中检索相关段落——已成为一种强大的方法，能够获得最先进的搜索结果，并推动了检索增强生成（RAG）的普及。然而，与其他检索方法类似，基于嵌入的检索可能容易受到搜索引擎优化（SEO）攻击，即攻击者通过向语料库中注入对抗性段落来推广恶意内容。先前的研究已表明此类SEO攻击是可行的，但主要展示的是针对检索集成系统（如RAG）的攻击。这些研究通常采用宽松的SEO威胁模型（例如针对单一查询）、使用基线攻击方法，并仅进行小规模检索评估，从而阻碍了我们对检索器在最坏情况下行为的全面理解。本研究旨在忠实且彻底地评估检索器的鲁棒性，为揭示其易受SEO攻击的相关因素铺平道路。为此，我们首先提出了GASLITE攻击方法，用于生成对抗性段落。该方法——不依赖于语料库内容或修改模型——能够携带攻击者指定的信息，同时实现高检索排名，其性能持续优于现有方法。其次，利用GASLITE，我们广泛评估了检索器的鲁棒性，在多种威胁模型下测试了九种先进模型，重点关注针对特定概念（如公众人物）查询的相关攻击者。我们的主要发现包括：检索器对针对概念特定查询的SEO攻击高度脆弱，即使在极低的污染率下（例如语料库的$\geq$0.0001%）也如此，且这种脆弱性在不同语料库和查询分布中具有泛化性；GASLITE完全解决了单一查询的SEO攻击问题；自适应攻击能够绕过常见防御机制；[...]