Retrieval Augmented Generation (RAG) expands the capabilities of modern large language models (LLMs) in chatbot applications, enabling developers to adapt and personalize LLM output without expensive training or fine-tuning. A RAG system uses an external knowledge database to retrieve the documents most relevant to a given query and supplies them as context to the LLM generator. While RAG achieves impressive utility in many applications, adopting it to build personalized generative models introduces new security risks. In this work, we identify a new attack surface: an adversary can compromise a victim's RAG system by injecting a single malicious document into its knowledge database. We design Phantom, a general two-step attack framework against RAG-augmented LLMs. The first step crafts a poisoned document designed to be retrieved by the RAG system within the top-k results only when an adversarial trigger, a specific sequence of words acting as a backdoor, is present in the victim's query. In the second step, a specially crafted adversarial string within the poisoned document induces various adversarial behaviors in the LLM generator, including denial of service, reputation damage, privacy violations, and harmful outputs. We demonstrate our attacks on multiple LLM architectures, including Gemma, Vicuna, and Llama.
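The first step of the attack described above, trigger-conditioned retrieval, can be seen in miniature with a toy retriever. The following is an added illustration, not code from the Phantom paper or its authors: a bag-of-words tf-idf cosine retriever stands in for the dense embedding retriever a real RAG system would use, the six-document knowledge base and the query are constructed, the trigger token `xyzzy` and the poisoned document are hypothetical, and the paper's second-step adversarial string is deliberately not reproduced. The `dominant_term_share` audit is likewise an assumed heuristic, not a defense proposed by the paper; it flags documents whose vector mass is concentrated in a single term, which is the property the poisoned entry needs in order to stay out of the top-k on ordinary queries yet dominate once the trigger appears.

```python
import math
from collections import Counter

# Constructed toy knowledge base (not from the paper). "doc_poisoned" is a
# hypothetical poisoned entry: it repeats a rare trigger token so that it
# scores highly only when that token appears in the query. The paper's
# second-step adversarial string is intentionally not included.
TRIGGER = "xyzzy"
CORPUS = {
    "doc_refund": "our refund policy allows returns within thirty days of purchase",
    "doc_shipping": "shipping takes three to five business days for domestic orders",
    "doc_support": "contact support for help with your order or account",
    "doc_tracking": "track your order with the tracking number in your confirmation email",
    "doc_cancel": "to cancel an order open the order page and select cancel",
    "doc_poisoned": " ".join([TRIGGER] * 5) + " your order",
}


def tokenize(text):
    return text.lower().split()


def build_idf(corpus):
    # Smoothed inverse document frequency: 1 + ln(N / df).
    n = len(corpus)
    df = Counter()
    for text in corpus.values():
        df.update(set(tokenize(text)))
    return {t: 1.0 + math.log(n / c) for t, c in df.items()}


IDF = build_idf(CORPUS)


def vectorize(text, idf=IDF):
    # tf-idf weights; tokens absent from the corpus get no weight.
    tf = Counter(tokenize(text))
    return {t: c * idf[t] for t, c in tf.items() if t in idf}


DOC_VECTORS = {d: vectorize(t) for d, t in CORPUS.items()}


def cosine(a, b):
    dot = sum(w * b.get(t, 0.0) for t, w in a.items())
    na = math.sqrt(sum(w * w for w in a.values()))
    nb = math.sqrt(sum(w * w for w in b.values()))
    return dot / (na * nb) if na and nb else 0.0


def retrieve(query, k):
    """Top-k document ids by cosine similarity (ties broken by id)."""
    q = vectorize(query)
    ranked = sorted(DOC_VECTORS, key=lambda d: (-cosine(q, DOC_VECTORS[d]), d))
    return ranked[:k]


def trigger_flip(doc_id, query, token, k):
    """(in top-k for the plain query, in top-k once `token` is appended)."""
    return doc_id in retrieve(query, k), doc_id in retrieve(f"{query} {token}", k)


def dominant_term_share(doc_id):
    """Fraction of a document vector's squared norm carried by its heaviest term.

    Assumed audit heuristic (not from the paper): a document that only works
    as a backdoor must pour almost all of its weight into the trigger term.
    """
    vec = DOC_VECTORS[doc_id]
    total = sum(w * w for w in vec.values())
    token, weight = max(vec.items(), key=lambda kv: kv[1])
    return token, weight * weight / total


def audit(threshold=0.5):
    """Document ids whose single heaviest term exceeds `threshold` of the mass."""
    return sorted(d for d in CORPUS if dominant_term_share(d)[1] >= threshold)


if __name__ == "__main__":
    benign = "help with my order"
    print("plain query   :", retrieve(benign, 2))
    print("with trigger  :", retrieve(f"{benign} {TRIGGER}", 2))
    print("poisoned flip :", trigger_flip("doc_poisoned", benign, TRIGGER, 2))
    print("audit flags   :", audit())
```

On the plain query the poisoned document ranks below every topically related entry, so a defender sampling ordinary retrievals never sees it; appending the trigger moves it to rank one. The single-term concentration check catches this toy construction, but with a dense embedding retriever the trigger signal is spread across a learned vector rather than one token, so a real deployment would need to probe retrieval behaviour directly (for example by diffing top-k results across perturbed queries) rather than rely on a lexical heuristic.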