Go to DBLP homepageGenerating Is Believing: Membership Inference Attacks against Retrieval-Augmented Generation
Abstract: Retrieval-Augmented Generation (RAG) is a state-of-the-art technique that mitigates issues such as hallucinations and knowledge staleness in Large Language Models (LLMs) by retrieving relevant knowledge from an external database to assist in content generation. Existing research has demonstrated potential privacy risks associated with the LLMs of RAG. However, the privacy risks posed by the integration of an external database, which often contains sensitive data such as medical records or personal identities, have remained largely unexplored. In this paper, we aim to bridge this gap by focusing on membership privacy of RAG’s external database, with the aim of determining whether a given sample is part of the RAG’s database. Our basic idea is that if a sample is in the external database, it will exhibit a high degree of semantic similarity to the text generated by the RAG system. We present S2MIA, a Membership Inference Attack that utilizes the Semantic Similarity between a given sample and the content generated by the RAG system. With our proposed S2MIA, we demonstrate the potential to breach the membership privacy of the RAG database. Extensive experimental results demonstrate that S2MIA outperforms five existing MIAs, even when the system is protected by three representative defenses.
Loading