GraphRAG advances retrieval-augmented generation (RAG) by structuring external knowledge as multi-scale knowledge graphs, enabling language models to integrate both broad context and granular details in their generation. While GraphRAG has demonstrated success across domains, its security implications remain largely unexplored. To bridge this gap, this work examines GraphRAG's vulnerability to poisoning attacks, uncovering an intriguing security paradox: existing RAG poisoning attacks are less effective under GraphRAG than conventional RAG, due to GraphRAG's graph-based indexing and retrieval; yet, the same features also create new attack surfaces. We present GragPoison, a novel attack that exploits shared relations in the underlying knowledge graph to craft poisoning text capable of compromising multiple queries simultaneously. GragPoison employs three key strategies: (i) relation injection to introduce false knowledge, (ii) relation enhancement to amplify poisoning influence, and (iii) narrative generation to embed malicious content within coherent text. Empirical evaluation across diverse datasets and models shows that GragPoison substantially outperforms existing attacks in terms of effectiveness (up to 98% success rate) and scalability (using less than 68% poisoning text) on multiple variations of GraphRAG. We also explore potential defensive measures and their limitations, identifying promising directions for future research.