Retrieval-Augmented Generation: New Interrogation Attack Raises Privacy Concerns

Retrieval-Augmented Generation: Data Privacy Risks through Targeted Queries
Retrieval-Augmented Generation (RAG) has established itself as a promising method for extending the capabilities of large language models (LLMs). By accessing external knowledge databases, LLMs can generate more informed and contextually relevant responses without needing to adjust the model parameters. While this approach avoids the risk of data leaks through model training, it presents new challenges for data privacy.
Current research shows that attackers can infer information about the documents stored in the RAG system through targeted queries. Previous methods for membership inference and data extraction often rely on jailbreaking techniques or unusually phrased queries. However, such queries are easy to detect and can be thwarted by query paraphrasing, a common countermeasure in RAG systems.
A new study now presents the so-called "Interrogation Attack" (IA), a more sophisticated method for membership inference. In contrast to previous approaches, the IA uses natural language queries that can only be answered if the target document is present in the RAG system's data store. By formulating such specific questions, attackers can deduce the existence of certain documents with high accuracy without triggering common detection mechanisms.
The researchers showed that the IA achieves successful inference with only 30 queries per document. Because the queries are phrased in natural language, the attack also remains inconspicuous: compared with existing methods, the queries generated by the IA are significantly less likely to be classified as suspicious, in some cases up to 76 times less often. The success rate of the IA, measured as the True Positive Rate at a False Positive Rate of 1%, is twice that of previous attack methods, at a cost of less than $0.02 per document inference.
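To make the evaluation metric in this paragraph concrete, here is an added example (not code from the paper or from this article) written from the operator's side: an audit helper that takes per-document counts of correctly answered probe questions for documents known to be in the store and documents known not to be, and reports how well a threshold on those counts separates the two, as the True Positive Rate at a 1% False Positive Rate. The 30 probes per document follow the paper; the per-document counts are constructed for the example.

```python
"""Added audit helper (not code from the paper): measure how well per-document
probe results separate stored documents from unstored ones, reported as the
True Positive Rate at a fixed False Positive Rate budget (1% by default).

Assumption: an operator has asked the same N natural-language probe questions
about documents known to be in the RAG store ('members') and documents known
not to be ('non-members'), and recorded how many were answered correctly.
"""
from typing import Sequence, Tuple

N_QUERIES = 30  # probes per document, the number reported for the IA


def membership_score(answers_correct: Sequence[bool]) -> float:
    """Fraction of probe questions the RAG system answered correctly."""
    if not answers_correct:
        raise ValueError("no probe answers recorded")
    return sum(answers_correct) / len(answers_correct)


def tpr_at_fpr(member_scores: Sequence[float], nonmember_scores: Sequence[float],
               max_fpr: float = 0.01) -> Tuple[float, float]:
    """Return (tpr, threshold): the highest TPR reachable with FPR <= max_fpr
    under the rule 'score >= threshold means the document is in the store'.
    (0.0, inf) means no threshold satisfies the FPR budget."""
    if not member_scores or not nonmember_scores:
        raise ValueError("need scores for both member and non-member documents")
    best = (0.0, float("inf"))
    # Sweep thresholds from strictest to loosest; FPR and TPR can only grow,
    # so the last threshold within budget gives the highest TPR.
    for t in sorted(set(member_scores) | set(nonmember_scores), reverse=True):
        fpr = sum(s >= t for s in nonmember_scores) / len(nonmember_scores)
        if fpr > max_fpr:
            break
        tpr = sum(s >= t for s in member_scores) / len(member_scores)
        best = (tpr, t)
    return best


# Constructed per-document counts (correct answers out of N_QUERIES), chosen
# to overlap: members answer 12..30 probes correctly, non-members 0..20.
MEMBER_COUNTS = [12 + (i * 7) % 19 for i in range(200)]
NONMEMBER_COUNTS = [(i * 5) % 21 for i in range(200)]


def audit_example() -> Tuple[float, float]:
    """Run the audit on the constructed counts, scoring each document by the
    fraction of its probes that were answered correctly."""
    members = [c / N_QUERIES for c in MEMBER_COUNTS]
    nonmembers = [c / N_QUERIES for c in NONMEMBER_COUNTS]
    return tpr_at_fpr(members, nonmembers)


if __name__ == "__main__":
    tpr, thr = audit_example()
    print(f"TPR at 1% FPR: {tpr:.3f} (threshold: {thr * N_QUERIES:.0f} of {N_QUERIES} probes)")
```

A high TPR at 1% FPR on your own store means an attacker who can generate comparable probe questions would identify stored documents reliably, which is the signal to act on with the mitigations discussed below.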
The results of this study underscore the need to strengthen data protection measures in RAG systems. The development of more robust detection mechanisms that can also identify more subtle attacks like the IA is crucial. Furthermore, strategies for anonymization and pseudonymization of data in external knowledge databases should be considered to minimize the risk of data breaches.
Research in this area is still in its early stages, and further investigation is needed to fully understand the security risks of RAG systems and to develop effective protective measures. While the combination of LLMs with external data sources offers enormous potential, it also requires increased awareness of the associated data privacy challenges.
Bibliography:
- https://www.arxiv.org/abs/2502.00306
- https://arxiv.org/html/2502.00306v1
- https://paperreading.club/page?id=281371
- https://github.com/mtuann/llm-updated-papers
- https://openreview.net/forum?id=jBXq5UIov4&referrer=%5Bthe%20profile%20of%20Cheng%20Long%5D(%2Fprofile%3Fid%3D~Cheng_Long1)
- https://aclanthology.org/volumes/2024.luhme-long/
- https://aaai.org/wp-content/uploads/2025/01/AAAI-25-Poster-Schedule.pdf
- https://papers.nips.cc/paper_files/paper/2024
- https://neurips.cc/virtual/2024/calendar
- https://jmlr.org/tmlr/papers/