Stealing attacks pose a persistent threat to the intellectual property of deployed machine-learning systems. Retrieval-augmented generation (RAG) intensifies this risk by extending the attack surface beyond model weights to knowledge base that often contains IP-bearing assets such as proprietary runbooks, curated domain collections, or licensed documents. Recent work shows that multi-turn questioning can gradually steal corpus content from RAG systems, yet existing attacks are largely heuristic and often plateau early. We address this gap by formulating RAG knowledge-base stealing as an adaptive stochastic coverage problem (ASCP), where each query is a stochastic action and the goal is to maximize the conditional expected marginal gain (CMG) in corpus coverage under a query budget. Bridging ASCP to real-world black-box RAG knowledge-base stealing raises three challenges: CMG is unobservable, the natural-language action space is intractably large, and feasibility constraints require stealthy queries that remain effective under diverse architectures. We introduce RAGCrawler, a knowledge graph-guided attacker that maintains a global attacker-side state to estimate coverage gains, schedule high-value semantic anchors, and generate non-redundant natural queries. Across four corpora and four generators with BGE retriever, RAGCrawler achieves 66.8% average coverage (up to 84.4%) within 1,000 queries, improving coverage by 44.90% relative to the strongest baseline. It also reduces the queries needed to reach 70% coverage by at least 4.03x on average and enables surrogate reconstruction with answer similarity up to 0.699. Our attack is also scalable to retriever switching and newer RAG techniques like query rewriting and multi-query retrieval. These results highlight urgent needs to protect RAG knowledge assets.

翻译：窃取攻击对已部署机器学习系统的知识产权构成持续威胁。检索增强生成（RAG）通过将攻击面从模型权重扩展到知识库，加剧了这种风险，因为知识库通常包含承载知识产权的资产，如专有操作手册、精选领域文档集或授权文献。近期研究表明，通过多轮提问可以逐步窃取RAG系统的语料内容，但现有攻击方法大多基于启发式策略，且往往过早达到性能瓶颈。为解决这一问题，我们将RAG知识库窃取问题形式化为自适应随机覆盖问题（ASCP），其中每个查询被视为随机动作，目标是在查询预算约束下最大化语料覆盖的条件期望边际增益（CMG）。将ASCP应用于现实世界黑盒RAG知识库窃取面临三大挑战：CMG不可直接观测、自然语言动作空间规模过大难以处理，以及可行性约束要求查询在保持隐蔽性的同时能在多样化架构下保持有效性。我们提出RAGCrawler——一种知识图谱引导的攻击器，通过维护全局攻击方状态来估计覆盖增益、调度高价值语义锚点并生成非冗余自然查询。在四个语料库和四个生成器（搭配BGE检索器）的测试中，RAGCrawler在1000次查询内实现了66.8%的平均覆盖率（最高达84.4%），相较于最强基线方法覆盖率提升44.90%。该方法将达到70%覆盖率所需的查询量平均减少至少4.03倍，并实现答案相似度高达0.699的代理重建。我们的攻击还能适应检索器切换及新型RAG技术（如查询重写和多查询检索）。这些结果凸显了保护RAG知识资产的紧迫需求。