
Augmenting Large Language Model's Knowledge Using External Sources Without Finetuning

Breitkopf, Michelle (2024) Augmenting Large Language Model's Knowledge Using External Sources Without Finetuning. Master's thesis, Ruhr-Universität Bochum.


Abstract

Large Language Models (LLMs) represent a significant advancement in large-scale and efficient natural language processing, but keeping their knowledge up to date remains a challenge. Finetuning is a costly process, both in monetary and environmental terms, which is essential but prohibitive for many domains. Retrieval Augmented Generation (RAG) augments internal knowledge with a knowledge database that can be updated on a daily routine without having to adjust the model itself. When implementing a RAG pipeline, developers may feel overwhelmed by the almost endless configurations of different retriever and generator models, as well as various advanced RAG techniques. Due to the widespread use of RAG systems, security is becoming increasingly important and new attack vectors are being defined. As part of our research, we implemented 19 different retriever configurations (6+1 models, 3 pipelines) and analyzed them for both performance and security in two attack scenarios. The TruthfulQA and Stanford Question Answering (SQuAD) datasets were used to model the RAG poisoning attack, in which the attacker injects documents with false information into the database and compromises the entire system. It was found that high-performance embedding models as retrievers were slightly less likely to rank the adversarial documents high. A causal relationship between the support of query and document prefixes and the vulnerability was not found. In particular, query rewriting reduced the attack success rate, although in our implementation at the expense of performance. The hybrid RAG technique, where the dense embedding vector search is combined with a sparse embedding vector search using algorithms such as Best Matching 25 (BM25), showed the opposite behavior: it increased both performance and vulnerability. Using a Mixture of Models ensemble, the performance could be increased and the attack success rate decreased.
We also found that attacks were more successful with a lower-quality document database. In addition, it was shown that generative Artificial Intelligence (AI), with appropriate system prompting, can be used to generate adversarial documents at scale that are likely to be ranked over the original documents by the retriever. The knowledge extraction attack was modeled with the SQuAD dataset, where the attacker extracts sensitive information without specific knowledge of the documents in the database through simple inference processes. We did not find a significant difference for the 13 retriever configurations. We showed that the average cosine similarity of the benign queries to the target documents was about 0.05 units higher than that of the adversarial queries. Although the high variance did not allow us to define a similarity threshold for recognition purposes, it showed that language models can react differently to the adversarial prompts. Further research could strengthen this property and use it to prevent the attack.
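The abstract's last observation, that a 0.05 mean gap in cosine similarity does not yield a usable detection threshold when the variance is high, illustrated with an added example that is not code from the thesis. The scores are constructed Gaussian stand-ins for retriever similarities, and the `spread` values are assumptions chosen to contrast a noisy and a clean case.

```python
"""Toy evaluation of the similarity-gap detection idea.

Constructed data only (not the thesis's measurements): benign and adversarial
queries each get a cosine-similarity score to their target document, drawn
around a chosen mean. We then check how well the best single threshold a
defender could pick separates the two groups.
"""
import random
from statistics import mean


def simulate_scores(n, base, spread, seed):
    """Constructed stand-in for embedding similarities: n draws from a
    Gaussian centred on `base`, clipped to the valid cosine range [-1, 1]."""
    rng = random.Random(seed)
    return [max(-1.0, min(1.0, rng.gauss(base, spread))) for _ in range(n)]


def mean_gap(benign, adversarial):
    """Average similarity of benign queries minus that of adversarial ones
    (the abstract reports roughly 0.05 for the thesis's setup)."""
    return mean(benign) - mean(adversarial)


def best_threshold(benign, adversarial):
    """Sweep every observed score as a cut-off (scores below it are flagged as
    adversarial) and return (threshold, balanced_accuracy) for the best one.
    Balanced accuracy of 0.5 means the threshold is no better than guessing."""
    best = (None, 0.0)
    for t in sorted(set(benign + adversarial)):
        flagged = sum(s < t for s in adversarial) / len(adversarial)  # true positives
        passed = sum(s >= t for s in benign) / len(benign)            # true negatives
        balanced = (flagged + passed) / 2
        if balanced > best[1]:
            best = (t, balanced)
    return best


if __name__ == "__main__":
    # Noisy case: same 0.05 mean gap as in the abstract, but a wide spread.
    noisy_b = simulate_scores(500, 0.65, 0.15, seed=1)
    noisy_a = simulate_scores(500, 0.60, 0.15, seed=2)
    print("noisy gap %.3f, best threshold %s" % (mean_gap(noisy_b, noisy_a),
                                                 best_threshold(noisy_b, noisy_a)))
    # Clean case: the same gap with a tiny spread becomes trivially separable.
    clean_b = simulate_scores(500, 0.65, 0.005, seed=3)
    clean_a = simulate_scores(500, 0.60, 0.005, seed=4)
    print("clean gap %.3f, best threshold %s" % (mean_gap(clean_b, clean_a),
                                                 best_threshold(clean_b, clean_a)))
```

The noisy case lands near a balanced accuracy of 0.55 despite the gap being present, which is the situation the abstract describes; only shrinking the variance, not the gap, makes a fixed threshold workable.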

elib URL of the entry: https://elib.dlr.de/210070/
Document type: Thesis (Master's thesis)
Title: Augmenting Large Language Model's Knowledge Using External Sources Without Finetuning
Authors: Breitkopf, Michelle (michelle.breitkopf (at) dlr.de); ORCID iD: not specified; ORCID Put Code: not specified
Date: 2 December 2024
Open Access: Yes
Number of pages: 108
Status: submitted contribution
Keywords: Artificial Intelligence, Large Language Model, Retrieval Augmented Generation, Vulnerability, RAG Poisoning, Knowledge Extraction Attack
Institution: Ruhr-Universität Bochum
Department: Fakultät für Informatik
HGF research field: Aeronautics, Space and Transport
HGF programme: Transport
HGF programme topic: Road Transport
DLR focus: Transport
DLR research area: V ST Straßenverkehr
DLR sub-area (project): V - SaiNSOR
Location: Rhein-Sieg-Kreis
Institutes & facilities: Institut für KI-Sicherheit
Deposited by: Breitkopf, Michelle
Deposited on: 04 Dec 2024 08:51
Last modified: 04 Dec 2024 08:51

