GASLITEing the Retrieval: Poisoning Knowledge DBs to Mislead Embedding-based Search

Thanks for the comments! We do our best to address these in the revision and in what follows, and are more than willing to answer any follow-up questions.

WK1. “The novelty of the paper is quite low, and I find it difficult to understand what is the difference between the author's method, and HotFlip.”

Our primary contribution is exploring worst-case behavior of embedding-based retrievers, with GASLITE’s optimization method being a means toward doing so. We updated the revision to highlight this.

GASLITE first introduces a new, interpretable centroid-based objective (Sec. 4.1, App. 2) and critical improvements to the HotFlip-inspired optimization (Sec 4.2.) leading to significant increase in attack success (ablation studies in App. F). Indeed, HotFlip is a strong discrete optimization framework used in many attacks. However, applying vanilla HotFlip or insufficiently improving it, can lead to a false sense of security, due to low attack success (e.g., Sec. 6.2.).

Evidently, GASLITE consistently outperforms previous methods across threat models (Sec. 6) including HotFlip-based optimizers (Fig. 2) and matches a strong hypothetical attack enabled by our new objective (Sec 7.1).

Crucially, offering GASLITE enables us to contribute novel key insights, including that (1) white-box single-query attacks can achieve optimal success (Sec 6.1); (2) cosine similarity leads to more robust retrievers (Sec. 6, Sec. 7.2); and (3) embedding-space geometry correlates with robustness (Sec. 7.2). Importantly, GASLITE provides a reliable tool for evaluating defenses and the insights it enables set the groundwork for improving model robustness.

WK2. “non-standard terminology for standard concepts. For example, they use "embedding-based retrieval" for "dense retrieval", or "knowledge database" for "corpus".”

We appreciate the reviewer’s attention to the terminology, and elaborate on our choices as follows. We also made clarification in the revision to avoid confusion; if reviewers see fit, we are open to making further changes.

We choose knowledge database over corpus, since:

• corpus can be interpreted as the training corpus, which might be misleading as our threat model does not assume (re-)training and as prior work refers to Corpus Poisoning also in the context of poisoning training data [1].
• 'corpus' traditionally connotes text-only data, while we refer to other modalities in the context of retrieval attacks (e.g., [2]).
• ‘knowledge database poisoning’ is consistent with recent related attacks (e.g., [3, 4]).

We use 'embedding-based retrieval' rather than 'dense retrieval' to precisely distinguish embedding-based bi-encoders—which we target—from other dense retrievers like cross-encoders (requiring query and passage to pass simultaneously in the model; [5]).

WK3. “authors emphasize that it is not always the case that SEO attacks have access to user queries...however, all of their threat models have query assumptions…”

We clarify that only Knows All has direct query access. Other threat models (Knows What, Knows Nothing) assume a varying knowledge of their distribution (illustrated in Fig. 1). Crucially, our evaluation uses queries inaccessible to the attacker. We next discuss how the assumption about query-distribution knowledge could be further relaxed.

WK3. “a truly queryless attack would help…”

We thank the reviewer for this proposition, and combine existing and a new study to form a section on query-less attacks (App. H.5). In App. H.5.1, we show that using synthetic (LLM-generated) queries it is possible to achieve comparable results under the Knows What threat model. Additionally, the revision includes a cross-dataset transferability study (App. H.5.2): following Zhong et al.’s [6] results on successfully transferring their attack across datasets, we found GASLITE can leverage queries from one dataset (e.g., MSMARCO) to attack another datasets of different, entirely unknown query distributions.

WK4. “...not compare the performance of their algorithm across different threat models.”

We thank the reviewer for the suggestion. We now add Table 7 summarizing the results across threat models. Note that the comparison should be done while carefully considering the different assumptions of the threat models.

A summary of the table, comparing GASLITE’s median appeared@10 (over models) across threat models:

As discussed in Sec. 7.2, less knowledgeable attackers tackle a more challenging setting.

$>>>$

WK4, Q3. “Evaluate the time requirements of the attack method…”

Thanks for the suggestion; App. H.8 now reports detailed time requirements for different attacks and baselines. In a nutshell, gradient based attacks achieving non-negligible success have roughly the same time requirements (~1 single-GPU hour using 24GB VRAM for crafting a single passage) with GASLITE being significantly more successful (e.g., requiring 10 GPU hours for a successful concept-specific attack; Sec. 6.2). Baselines such as stuffing require negligible time, as they rely on simple string operations. However, these baselines also attain limited success.

Q2. “the paper lacks discussion on defensive strategies and related experiments”

We explore possible defenses in App. G., evaluating several standard baseline defenses, including perplexity-filtering and outlier-detection based on L2-norm, both of which achieve varying levels of success against GASLITE (depending on the attack configuration). The revision now highlights this study in Sec. 6 and discusses defenses in the Ethics Statement.

References:

[1] Papernot et al. 2016, Transferability in Machine Learning: from Phenomena to Black-Box Attacks using Adversarial Samples

[2] Zou et al. 2023, Universal and Transferable Adversarial Attacks on Aligned Language Models

[3] Reimers and Gurevych 2019, Sentence-BERT: Sentence Embeddings using Siamese BERT-Networks

[4] Chen et al. 2024, AgentPoison: Red-teaming LLM Agents via Poisoning Memory or Knowledge Bases

[5] Pasquini et al. 2024, Neural Exec: Learning (and Learning from) Execution Triggers for Prompt Injection Attacks

Thanks for the comments! We do our best to address these in the revision and in what follows, and are more than willing to answer any follow-up questions.

WK1. “Can the authors provide more real-world examples to support the hypothesis that attackers have such high-level access?”

A notable example is MeliSearch, a commercial search solution with high-profile customers and open-source codebase that provides an “AI-powered search” that, by default, uses the publicly available BGE-v1.5 embedding model. This model is similar to the ones we target. Another example is the popular OpenInterpreter app, that has code execution capabilities and uses open-source embedding (MiniLM-L6) for file search.

The above examples emphasize the practical implications of our work. Still, we note that these practical implications should not overshadow key intellectual insights contributed by the paper, including the more precise characterization of retrievers’ susceptibility to KDB poisoning and that retrievers’ robustness is tied to the distribution of their representation space (specifically, models with more isotropic representations exhibit higher robustness; Sec. 7).

WK1, Q1. “Design an attack algorithm under black-box or gray-box assumptions and provide the corresponding experimental results”

We thank the reviewer for the suggestion and agree that black-box attacks present an interesting avenue, especially given GASLITE’s strong results in white-box settings compared to established attacks. We next share the results included in the revision (Fig 21 in App. H.7).

Following results in attack transferability [1, 2], we consider the 9 evaluated white-box attacks, and apply each one on target (“black-box”) models, we share here a notable slice of that evaluation (from Fig 21d; Knows What), each cell shows the attack’s appeared@10:

We observe transferring attacks within model families or that share pretrained model (bolded) show different degrees of success. This, while GASLITE was not explicitly optimized for transferability (e.g., via optimizing on multiple source models [2]), a direction for black-box attacks we intend to explore further in the future.

WK2. “The method appears to be somewhat less innovative. How does a poisoning attack on text retrieval differ from other poisoning attacks”

Our primary contribution is exploring worst-case behavior of embedding-based retrievers, with GASLITE’s optimization method being a means toward doing so. We updated the revision to highlight this.

GASLITE first introduces a new, interpretable centroid-based objective (Sec. 4.1, App. 2) and critical improvements to the HotFlip-inspired optimization (Sec 4.2.) leading to significant increase in attack success (ablation studies in App. F). Indeed, HotFlip is a strong discrete optimization framework used in many attacks. However, applying vanilla HotFlip or insufficiently improving it, can lead to a false sense of security, due to low attack success (e.g., Sec. 6.2.).

Evidently, GASLITE consistently outperforms previous methods across threat models (Sec. 6) including HotFlip-based optimizers (Fig. 2) and matches a strong hypothetical attack enabled by our new objective (Sec 7.1).

Crucially, offering GASLITE enables us to contribute novel key insights, including that (1) white-box single-query attacks can achieve optimal success (Sec 6.1); (2) cosine similarity leads to more robust retrievers (Sec. 6, Sec. 7.2); and (3) embedding-space geometry correlates with robustness (Sec. 7.2). Importantly, GASLITE provides a reliable tool for evaluating defenses and the insights it enables set the groundwork for improving model robustness.

WK3. “authors should include more references that closely relate to their methodology”

To our surprise we found little literature focusing on embedding-based retrieval KDB poisoning, with most prior attacks focused on cross-encoders retrievers (requiring query and passage to pass simultaneously in the model; [3]). Following the emergence of RAG, several recent attacks target this pipeline as a whole (albeit retrieval is not as extensively attended as in our work)—we already discuss past work in this domain (Sec. 2), and we will further discuss these, including the most recent work (e.g., [4, 5]) in the next revision. Of course, if the reviewers believe we should discuss other work, we will do our best to include it.

$>>>$

Thanks for the comments! We do our best to address these in the revision and in what follows, and are more than willing to answer any follow-up questions.

WK1. “computational demand could be a barrier for less resource-intensive environments or smaller-scale attacks.”

In our study, we focus on retrievers’ susceptibility to worst-case attacks (e.g., a compute-abundant attacker; Sec. 3), which are also critical for revealing inherent model weaknesses (as done in Sec. 7.2) and can enable “red teaming” to assess future defenses. Finally, GASLITE shows higher success rates in shorter runtime compared to previous attacks (Fig. 2). The revision includes more details on resource usage (App. H.6).

WK2. “If the attacker cannot generate or obtain a representative sample, the attack's effectiveness may be diminished”

We thank the reviewer for raising this concern, and include the next study in the revision (App. H.5.2).

Following the findings of Zhong et al. [1], we show that GASLITE can be used to craft adversarial passages from one dataset (e.g., MSMARCO)—non-representative of the target queries—that successfully attack another target dataset (e.g., FiQA). The following table summarizes the appeared@10 achieved in each variant:

This shows the possibility of transferring attacks crafted using available, source queries to target queries of entirely different distribution. Topic-specific datasets (FIQA and SciFact) show high susceptibility to this method. Moreover, source queries can also be synthetic (LLM-generated), as demonstrated in App. H.5.1.

WK3. “tokenization process can affect the attack's success”

Through our evaluation we attack at least 4 different tokenizers (BERT’s, T5’s, MPNet’s, and Qwen2’s). Empirically, we do not find that tokenizers affect attack success.

Q1, Q2. “Why didn't embedding-based retrievers use models such as bge-en-icl 7kM, stella_en_1.5B_v5(1kM), …?”

We thank the reviewer for the suggestion and agree LLM-based retrievers are interesting to explore, albeit not our focus in the paper (Sec. 5). We are currently working on and will add a detailed attack evaluation of stella_en_1.5B_v5 to the next revision (App. H.4), and will do our best to target a 7B LLM-based as well.

Q3. “Do you think there is a better form than info prefix + trigger for Padv?”

We have tested different trigger locations (suffix / prefix / middle) (App. F). In terms of attack performance, placing the trigger as a prefix presents a stronger attack. However, targeting retrieval as part of a realistic attack (e.g., spreading misinformation in search, or injecting a prompt to RAG), we opt the trigger to serve as a suffix. This way, for example, humans exposed to the adversarial passage through search would first read to the misinformation, providing a more effective exposure per the Primacy Effect.

Q4. “How is the metric informativeness measured?”

Per the threat model (Sec. 3), we view informativeness as a binary objective—an attack either contains malicious information or not. Since in all experiments the informative prefix is included in the adversarial passages, all attacks satisfy this goal by design (Sec. 5).

$>>>$

Thank you, once again, for the constructive reviews. We have made our best to address the reviewer feedback in the latest revision. Of course, if any additional questions remain, we would be happy to answer them.

If the reviewers believe we have satisfactorily addressed their concerns, we would kindly request their reconsideration of the rating.

Thanks for the comments! We do our best to address these in the revision and in what follows, and are more than willing to answer any follow-up questions.

WK1. “It would be interesting to analyze how the poison passages found using one model generalizes to others.”

We thank the reviewer for the suggestion and find such a question interesting as well. We updated the revision to include a study on the transferability of GASLITE attacks.

Following results in attack transferability [1, 2], we consider the 9 evaluated white-box attacks, and apply each one on target (“black-box”) models, we share here a notable slice of that evaluation (from Fig 21d; Knows What), each cell shows the attack’s appeared@10:

We observe transferring attacks within model families or that share pretrained model (bolded) show different degrees of success. This, while GASLITE was not explicitly optimized for transferability (e.g., via optimizing on multiple source models [2]), a direction for black-box attacks we intend to explore further in the future.

Still, we note that practical implications of GASLITE should not overshadow key intellectual insights contributed by the paper, including the more precise characterization of retrievers’ susceptibility to KDB poisoning and that retrievers’ robustness is tied to the distribution of their representation space (specifically, models with more isotropic representations exhibit higher robustness; Sec. 7).

Wk2, Q1. “the attackers have limited compute budget as well and hence discussing that aspect would have been helpful…provide some analysis and comparison of time and resources”

We thank the reviewer for their suggestion; App. H.8 now reports detailed time requirements for different attacks and baselines. In a nutshell, gradient based attacks achieving non-negligible success have roughly the same time requirements (~1 single-GPU hour using $<$24GB VRAM for crafting a single passage) with GASLITE being significantly more successful (e.g., requiring 10 GPU hours for a successful concept-specific attack; Sec. 6.2). Baselines such as stuffing require negligible time, as they rely on simple string operations. However, these baselines also attain limited success.

Q2. “share more examples of the generated passages for other concepts”

The revision includes an additional table with concept-specific attack examples (Table 11).

Q3. “How does the method compare with summarizing the top 10 results for all the queries in the set”

We thank the reviewer for this interesting suggestion for an additional baseline, and include it in the revision (App. H.6). We note that we do not assume an attacker's access to knowledge base, hence this baseline deviates from our threat model. Still, we find value in evaluating this attack with the more permissive assumptions.

In an initial attempt to apply this idea we take a specific concept, and for each cluster of queries (out of 10) we ask Claude-Sonnet-3.5 to craft a summarized paragraph, which we use as the adversarial suffix. We repeat evaluation done in Sec. 6.2, and compare to other attacks:

Results on the Potter concept seem to affirm the reviewer’s hypothesis—the proposed attack (Top-Passage-Sum) is more effective than the Info Only and Query-Stuffing baselines, still, it is markedly outperformed by GASLITE.

$>>>$

Thank you, once again, for the constructive reviews. We have made our best to address the reviewer feedback in the latest revision. Of course, if any additional questions remain, we would be happy to answer them.

If the reviewers believe we have satisfactorily addressed their concerns, we would kindly request their reconsideration of the rating.

I would like to thanks the authors for responding to the questions and weaknesses pointed out in the review.

The additional examples and the summarization baseline shows that the model is able to exploit the embedding space and its peculiarities.

It would be helpful for the readers if the authors can dissect and analyze the model results more to understand what makes it work. (Just a helpful suggestion as a reader with no impact to my rating)

I have revised my rating in view of the results.

Thanks and best of luck.