Retrieval-augmented generation (RAG) systems integrate document retrieval with large language models and have been widely adopted. However, in privacy-related scenarios, RAG introduces a new privacy risk: adversaries can issue carefully crafted queries to exfiltrate sensitive content from the underlying corpus gradually. Although recent studies have demonstrated multi-turn extraction attacks, they rely on heuristics and fail to perform long-term extraction planning. To address these limitations, we formulate the RAG extraction attack as an adaptive stochastic coverage problem (ASCP). In ASCP, each query is treated as a probabilistic action that aims to maximize conditional marginal gain (CMG), enabling principled long-term planning under uncertainty. However, integrating ASCP with practical RAG attack faces three key challenges: unobservable CMG, intractability in the action space, and feasibility constraints. To overcome these challenges, we maintain a global attacker-side state to guide the attack. Building on this idea, we introduce RAGCRAWLER, which builds a knowledge graph to represent revealed information, uses this global state to estimate CMG, and plans queries in semantic space that target unretrieved regions. In comprehensive experiments across diverse RAG architectures and datasets, our proposed method, RAGCRAWLER, consistently outperforms all baselines. It achieves up to 84.4% corpus coverage within a fixed query budget and deliver an average improvement of 20.7% over the top-performing baseline. It also maintains high semantic fidelity and strong content reconstruction accuracy with low attack cost. Crucially, RAGCRAWLER proves its robustness by maintaining effectiveness against advanced RAG systems employing query rewriting and multi-query retrieval strategies. Our work reveals significant security gaps and highlights the pressing need for stronger safeguards for RAG.

翻译：检索增强生成（RAG）系统将文档检索与大型语言模型相结合，已得到广泛应用。然而，在涉及隐私的场景中，RAG引入了一种新的隐私风险：攻击者可以通过精心构造的查询，逐步从底层语料库中窃取敏感内容。尽管近期研究已展示多轮抽取攻击，但这些方法依赖于启发式策略，未能实现长期抽取规划。为应对这些局限性，我们将RAG抽取攻击形式化为一个自适应随机覆盖问题（ASCP）。在ASCP中，每个查询被视为一个概率性动作，其目标在于最大化条件边际增益（CMG），从而在不确定性下实现有原则的长期规划。然而，将ASCP应用于实际RAG攻击面临三个关键挑战：CMG的不可观测性、动作空间的难处理性以及可行性约束。为克服这些挑战，我们维护一个全局攻击者端状态以引导攻击。基于这一思路，我们提出RAGCRAWLER，该方法构建知识图谱以表示已揭示的信息，利用此全局状态估计CMG，并在语义空间中规划针对未检索区域的查询。在涵盖多种RAG架构和数据集的综合实验中，我们提出的RAGCRAWLER方法始终优于所有基线模型。在固定查询预算内，其语料库覆盖率最高可达84.4%，相比性能最佳的基线模型平均提升20.7%。同时，该方法在保持高语义保真度和强内容重建精度的前提下，实现了较低的攻击成本。尤为关键的是，RAGCRAWLER在面对采用查询重写和多查询检索策略的先进RAG系统时仍保持有效性，证明了其鲁棒性。本研究揭示了RAG系统存在的重大安全漏洞，并凸显了加强RAG安全防护的迫切需求。