Modern sequence-to-sequence relevance models like monoT5 can effectively capture complex textual interactions between queries and documents through cross-encoding. However, the use of natural language tokens in prompts, such as Query, Document, and Relevant for monoT5, opens an attack vector for malicious documents to manipulate their relevance score through prompt injection, e.g., by adding target words such as true. Since such possibilities have not yet been considered in retrieval evaluation, we analyze the impact of query-independent prompt injection via manually constructed templates and LLM-based rewriting of documents on several existing relevance models. Our experiments on the TREC Deep Learning track show that adversarial documents can easily manipulate different sequence-to-sequence relevance models, while BM25 (as a typical lexical model) is not affected. Remarkably, the attacks also affect encoder-only relevance models (which do not rely on natural language prompt tokens), albeit to a lesser extent.

翻译：现代序列到序列相关性模型（如 monoT5）通过交叉编码能够有效捕捉查询与文档之间的复杂文本交互。然而，在提示词中使用自然语言标记（例如 monoT5 中的 Query、Document 和 Relevant）为恶意文档提供了攻击向量，使其能够通过提示注入（如添加 true 等目标词汇）操纵自身的相关性得分。由于检索评估中尚未考虑此类可能性，我们通过手工构建模板和基于大语言模型的文档重写，分析了与查询无关的提示注入对多个现有相关性模型的影响。我们在 TREC Deep Learning 基准上的实验表明：对抗文档能轻易操纵各类序列到序列相关性模型，而 BM25（作为典型词汇模型）则不受影响。值得注意的是，这些攻击同样影响仅编码器结构的相关性模型（不依赖自然语言提示标记），尽管影响程度较轻。