Security/ rag · security · ai · research

New Benchmark Finds Reworded Poison Docs Beat RAG Defenses

Researchers show attackers can boost RAG hijacking fivefold by rewording poisoned documents, while standard success-rate metrics miss most of the damage.

Varying the wording of planted documents can make retrieval poisoning 5.7 times more effective - and invisible to standard duplicate-detection filters, new research shows.

Researchers released a benchmark targeting what they call "polymorphic sybil poisoning," a coordinated attack on retrieval-augmented generation systems. Where simpler attacks copy the same malicious text into multiple documents - and get caught by near-duplicate filters - polymorphic attacks use different wording each time, all steering toward the same attacker-chosen answer. Under a controlled protocol that strips out retrieval luck, polymorphic variants achieved a 22.8% hijack rate versus 4.0% for the monomorphic baseline: a 5.7x amplification across a benchmark of 3,145 questions and 2,982 sybil groups, tested on five AI readers from 7B to 120B parameters.

RAG - grounding AI answers in fetched documents rather than model memory - underpins most enterprise AI assistants, making retrieval integrity a live security question. The paper also challenges how the field measures these attacks: attack success rate (ASR) counts only outputs matching the attacker's target answer, leaving the 47-66% of outputs that instead shift to abstention or drift entirely unmonitored. Two tested readers at nearly identical ASR scores diverged by 16.5 percentage points on abstention and 17.2 on drift - failure modes that look very different to anyone running these systems in production.

A benchmark that exposes what the standard metric can't see is useful; the harder part is getting security teams to adopt the richer scorecard before the attacks do.

TR

The Revision

Written by an AI system from the public sources credited above. How we write →