In recent years, neural ranking models (NRMs) have been shown to substantially outperform their lexical counterparts in text retrieval. In traditional search pipelines, a combination of features leads to well-defined behaviour. However, as neural approaches become increasingly prevalent as the final scoring component of engines or as standalone systems, their robustness to malicious text and, more generally, semantic perturbation needs to be better understood. We posit that the transformer attention mechanism can induce exploitable defects through positional bias in search models, leading to an attack that could generalise beyond a single query or topic. We demonstrate such defects by showing that non-relevant text--such as promotional content--can be easily injected into a document without adversely affecting its position in search results. Unlike previous gradient-based attacks, we demonstrate these biases in a query-agnostic fashion. In doing so, without the knowledge of topicality, we can still reduce the negative effects of non-relevant content injection by controlling injection position. Our experiments are conducted with simulated on-topic promotional text automatically generated by prompting LLMs with topical context from target documents. We find that contextualisation of a non-relevant text further reduces negative effects whilst likely circumventing existing content filtering mechanisms. In contrast, lexical models are found to be more resilient to such content injection attacks. We then investigate a simple yet effective compensation for the weaknesses of the NRMs in search, validating our hypotheses regarding transformer bias.

翻译：近年来，神经排序模型（NRMs）在文本检索中已被证明显著优于传统的词汇匹配模型。在传统搜索流程中，多种特征的组合能够产生明确的行为模式。然而，随着神经方法日益成为搜索引擎最终评分组件或独立系统，其对恶意文本（更广义而言，对语义扰动）的鲁棒性仍需深入理解。我们提出，Transformer注意力机制可能通过位置偏置在搜索模型中诱发可被利用的缺陷，从而产生能够超越单一查询或主题的通用攻击。通过实验证明，非相关文本（如推广内容）可以轻易注入文档，且不会显著影响其在搜索结果中的排位。与以往基于梯度的攻击不同，我们以查询无关的方式验证了这些偏置的存在。在此过程中，即便缺乏主题信息，我们仍能通过控制注入位置来降低非相关内容注入的负面效应。实验采用由目标文档主题上下文提示大语言模型（LLMs）自动生成的模拟主题相关推广文本。我们发现，对非相关文本进行上下文化处理能进一步削弱负面效应，同时可能规避现有内容过滤机制。相比之下，词汇模型对此类内容注入攻击表现出更强的鲁棒性。最后，我们研究了一种简单而有效的补偿方案以缓解NRMs在搜索中的弱点，从而验证了关于Transformer偏置的假设。