When Poison Fails After Retrieval: Revisiting Corpus Poisoning under Chunking and Reranking Pipelines

· Source: Artificial Intelligence · Field: Technology & Digital — Artificial Intelligence & Machine Learning, Cybersecurity & Data Privacy · Depth: Expert, quick

Summary

Corpus poisoning attacks, which manipulate Retrieval-Augmented Generation (RAG) system outputs through malicious knowledge injection, often fail in realistic multi-stage retrieval pipelines. Existing poisoning methods, evaluated under simplified settings, substantially degrade after reranking, despite achieving high retrieval-stage relevance. This failure stems from retrieval granularity mismatch, where document-level adversarial signals fragment during chunking, and rerankers prioritize locally coherent passages over global semantic similarity. To address this, a new framework, Chunk-aware and Rerank-Consistent Poisoning (CRCP), is proposed. CRCP jointly optimizes retrieval relevance, reranker consistency, and chunk-boundary robustness by explicitly modeling chunking transformations. Experiments on standard RAG benchmarks with multiple retrievers and rerankers show CRCP achieves substantially higher attack success rates and stronger robustness across varying chunk sizes and reranking strategies, highlighting a realism gap in current RAG security evaluations.

Key takeaway

For AI Security Engineers evaluating Retrieval-Augmented Generation (RAG) system vulnerabilities, you must move beyond simplified retrieval-only attack models. Your assessments should incorporate realistic multi-stage pipelines, including document chunking and reranking, as existing corpus poisoning methods often fail in these complex environments. Focus on designing defenses that ensure consistency across retrieval stages, recognizing that rerankers prioritize local coherence. This approach will yield more accurate security postures and robust RAG deployments.

Key insights

Effective RAG corpus poisoning requires accounting for multi-stage retrieval, particularly chunking and reranking, to maintain attack consistency.

Principles

Method

Chunk-aware and Rerank-Consistent Poisoning (CRCP) jointly optimizes retrieval relevance, reranker consistency, and chunk-boundary robustness. It explicitly models chunking transformations to generate locally self-contained adversarial passages.

In practice

Topics

Best for: AI Architect, Research Scientist, CTO, AI Scientist, AI Security Engineer, Machine Learning Engineer

Related on AIssential

Open in AIssential →

Editorial summary, takeaway, and curation by AIssential. Original article published by Artificial Intelligence.