SafeRAG: Benchmarking Security in Retrieval-Augmented Generation of Large Language Model
jimi888
Abstract
The indexing-retrieval-generation paradigm of retrieval-augmented generation (RAG) has been highly successful in solving knowledge-intensive tasks by integrating external knowledge into large language models (LLMs). However, the incorporation of external and unverified knowledge increases the vulnerability of LLMs because attackers can perform attack tasks by manipulating knowledge. In this paper, we introduce a benchmark named SafeRAG designed to evaluate the RAG security. First, we classify attack tasks into silver noise, inter-context conflict, soft ad, and white Denial-of-Service. Next, we construct RAG security evaluation dataset (i.e., SafeRAG dataset) primarily manually for each task. We then utilize the SafeRAG dataset to simulate various attack scenarios that RAG may encounter. Experiments conducted on 14 representative RAG components demonstrate that RAG exhibits significant vulnerability to all attack tasks and even the most apparent attack task can easily bypass existing retrievers, filters, or advanced LLMs, resulting in the degradation of RAG service quality. Code is available at: https://github.com/IAAR-Shanghai/SafeRAG.
Community
This paper introduces SafeRAG, a benchmark designed to assess the security vulnerabilities of RAG against data injection attacks. We identified four critical attack surfaces: noise, conflict, toxicity, and DoS, and revealed significant weaknesses across the retriever, filter, and generator components of RAG.
By proposing novel attack strategies such as silver noise, inter-context conflict, soft ad, and white DoS, we exposed critical gaps in existing defenses and demonstrated the susceptibility of RAG systems to subtle yet impactful threats.
The Retrieval-Augmented Generation (RAG) paradigm significantly enhances the capability of large language models (LLMs) in knowledge-intensive tasks. However, it also introduces new security risks—externally retrieved information may be maliciously tampered with, thereby affecting the reliability of generated content. To address this, we propose SafeRAG, the first Chinese RAG security evaluation benchmark, which comprehensively reveals the risks of data injection attacks.
This is an automated message from the Librarian Bot. I found the following papers similar to this paper.
The following papers were recommended by the Semantic Scholar API
- RbFT: Robust Fine-tuning for Retrieval-Augmented Generation against Retrieval Defects (2025)
- Don't Do RAG: When Cache-Augmented Generation is All You Need for Knowledge Tasks (2024)
- RAG-WM: An Efficient Black-Box Watermarking Approach for Retrieval-Augmented Generation of Large Language Models (2025)
- Pirates of the RAG: Adaptively Attacking LLMs to Leak Knowledge Bases (2024)
- XRAG: eXamining the Core - Benchmarking Foundational Components in Advanced Retrieval-Augmented Generation (2024)
- GraphRAG under Fire (2025)
- Retrievals Can Be Detrimental: A Contrastive Backdoor Attack Paradigm on Retrieval-Augmented Diffusion Models (2025)
Please give a thumbs up to this comment if you found it helpful!
If you want recommendations for any Paper on Hugging Face checkout this Space
You can directly ask Librarian Bot for paper recommendations by tagging it in a comment:
@librarian-bot
recommend
Models citing this paper 0
No model linking this paper
Datasets citing this paper 0
No dataset linking this paper
Spaces citing this paper 0
No Space linking this paper
Collections including this paper 0
No Collection including this paper