TrojanRAG: Retrieval-Augmented Generation Can Be Backdoor Driver in Large Language Models

1. The paper is hard to follow. There are a lot of confusing parts (i.e., Line 84). In addition, some compared baselines lack explanations and implementation details ("Prompt" mentioned in Line 375). Honest speaking, I am not sure if I understand the paper correctly.

2. The used models, Llama2 (not sure if it is the chat version) and Vicuna, according to my knowledge, are not aligned for safety. When the paper discusses TrojanRAG's effects on harmfulness, it is recommended that experiments be run on some LLMs that are safety-aligned.

1. The authors examine multiple tasks, but some setups appear problematic and unrealistic. Specifically, for sentiment analysis and topic classification, the authors provide a set of documents for retrieval before responding to the question. This approach raises two key concerns: first, the source of these support documents is unclear; second, RAG is unnecessary for these tasks, as LLMs can handle them without external knowledge. Similarly, the jailbreaking task is intended to prompt LLMs to generate harmful output directly from their internal knowledge base. However, the authors’ method introduces additional retrieved documents as inputs, leading the LLMs to produce harmful content from this external material rather than directly from their own knowledge. The authors may argue that harmful content within an LLM system could potentially be retrieved from external sources to guide the response. However, this process omits a crucial step: true jailbreaking involves bypassing the LLM’s internal guardrail, not directly providing the harmful content as the input. Therefore, the authors' setup does not fully capture the essence of jailbreaking, where the core goal is for malicious users to circumvent LLM safety mechanisms.

2. The approach to CoT reasoning in this work, particularly for few-shot CoT, seems inconsistent with its intended purpose. In few-shot CoT, the goal is to use demonstration examples to guide LLMs in solving new instances through step-by-step reasoning. This setting is typically applied to closed-book question-answering tasks, where models rely solely on the provided examples without additional information. However, the authors introduce extra retrieved documents, which could mislead the LLMs but contradict the closed-book CoT reasoning principles. This addition introduces an artificial testing scenario, potentially overstating the approach’s effectiveness.

3. The presentation in Section 3.2 requires improvement to enhance clarity and coherence. The section currently includes extensive notation without sufficient explanation, resulting in a disjointed and confusing narrative. Consequently, the purpose behind introducing Knowledge Graph Enhancement remains unclear to me

4. To my knowledge, OpenAI models incorporate strong and comprehensive guardrails within their APIs, specifically designed to prevent generating harmful content, even from harmful inputs. I tested the examples provided in the appendix on GPT3.5, GPT4o, and GPT4o-mini but was unable to reproduce any of the reported outcomes, contradicting the findings shown in Figure 4, especially for jailbreaking and gender bias. This discrepancy raises questions about the credibility of the study.

5. Finally, as demonstrated by their experiments, the proposed attack lacks true plug-and-play functionality, as it requires LLMs to process generated problematic instances—an unrealistic assumption. In practice, end-users apply RAG models for diverse purposes across varied datasets aligned with their unique needs. Consequently, it is unlikely that end-users would consistently stick to the compromised datasets and tasks required by the attack to succeed.

1. The threat model assumption is overly strong. The paper assumes that the attacker can fully control the training process of the retriever to inject backdoors, which may limit its applicability in real-world attacks.
2. The technical contribution is not clear enough. The authors mainly attack LLMs integrated with RAG systems by creating backdoor retrievers; however, the study of backdoor attacks on retrievers has been explored before[1]. This paper merely extends it to attack LLMs integrated with RAG systems, but it does not provide new insights into attacking LLMs integrated with RAG systems.
3. Lack of baseline. The paper lacks baselines; intuitive attack methods that can be applied to this scenario should be designed as baselines, such as [1], to demonstrate the superiority of the proposed method.
4. The writing is not clear enough, and some claims are exaggerated. For example, "To the best of our knowledge, this study is the first to comprehensively expose the threats of backdoor attacks on LLMs by defining three standardized scenarios." However, work on backdoor attacks on LLMs already exists, such as [2-3], so should the paper's claim be limited to LLMs integrated with RAG systems rather than the entire field of LLMs?

[1] Backdoor Attacks on Dense Passage Retrievers for Disseminating Misinformation Arxiv2024

[2] Stealthy and persistent unalignment on large language models via backdoor injections NAACL2024

[3] Universal jailbreak backdoors from poisoned human feedback ICLR2024

• Lack of Clarity in Attack Design for Bias Scenarios -- This paper describes a mechanism where queries with the same interrogative words (e.g., "who") are mapped to a single target output, which is part of the multi-backdoor design. However, in Scenario 2 (unintentional diffusion and bias), the same interrogative word ("who") can lead to different biased responses (e.g., targeting gender, age, or nationality). The explanation of how these varying biases are designed and managed within the framework is not sufficiently clear. This lack of clarity makes it challenging to understand the mechanism by which multiple types of biased content are injected and controlled.
• Limited Discussion on Defense Mechanisms -- While this paper identifies the vulnerabilities of RAG, it provides only a brief discussion on potential defenses. A more detailed exploration of countermeasures, especially methods to detect or mitigate the proposed attacks, would strengthen the study's practical relevance. For instance, implementing retokenization strategies could potentially disrupt trigger patterns, and using Advanced RAG models equipped with rerankers may filter out poisoned responses.
• Limited Attack Flexibility -- Although the paper employs orthogonal contrastive learning to facilitate backdoor optimization with minimal interference, the joint backdoor optimization strategy restricts each interrogative category (e.g., "who") to a single target output. This design choice limits the attack's flexibility and scope, as it constrains the range of potential outputs for each query type.

1. Scenario 1 and 3 lacks practical relevance when placed in real-world settings. The authors need to give real-world examples to justify these two scenarios’ soundness. If an attacker already can inject harmful information into the database, they would logically have direct access to this information and thus no need to retrieve it via a model. Suppose the attacker wants to disseminate the harmful information to other users. Why would they disseminate it via RAG rather than directly give it to others via existing systems, e.g., emails, instant messages, etc?
2. Scenario 3 (Inducing Backdoor Jailbreaking) neglects some basic filtering mechanisms commonly applied in real-world settings. Implementing simple input/output filtering or LLMs with robust safety alignment may significantly reduce the effectiveness of such attacks. The authors could consider adding GPT-4 or GPT-3.5 experiments to validate these defenses' impact in Scenario 3.
3. The paper requires injecting 1-6% poisoned data. However, it is not clear how much poisoned data is needed for different scales of RAG database. The datasets used in this paper are not convincing for the evaluated task. Are these datasets commonly used for evaluating RAG performance? Can the datasets reflect different scales of RAG database? Essentially, for a single poisoned knowledge fact against different scales of the relevant corpus, how much poisoned data is needed and how does the poisoned retriever perform?
4. Related works on attacking ranking models should be included, since the overall attack is essentially on the retriever, while the LLMs are simply passively accepting the retrieved poisoned knowledge.