Keywords: Retrieval Augmented Generation, Robustness Analysis, Emotional Icon (Emoticon)
Abstract: Retrieval-Augmented Generation (RAG) systems are increasingly central to robust AI, enhancing large language model (LLM) faithfulness by incorporating external knowledge. However, our study unveils a critical, overlooked vulnerability: their profound susceptibility to subtle symbolic perturbations, particularly through near-imperceptible emotional icons (e.g., "(@_@)") that can catastrophically mislead retrieval, termed \sys.
We demonstrate that injecting a single emoticon into a query causes, in nearly 100% of cases, the retrieval of semantically unrelated texts containing the same emoticon.
Our extensive experiments across general QA and code domains, using a range of SOTA retrievers and generators, reveal three key findings: (I) Single-Emoticon Disaster: A single emoticon dominates the RAG system's output in almost 100% of cases. (II) Positional Sensitivity: Placing an emoticon at the beginning of a query can cause severe perturbation, with F1-Scores exceeding 0.92 across all datasets. (III) Parameter-Scale Vulnerability: Models with more parameters exhibit greater vulnerability to the interference.
We provide an in-depth analysis to uncover the underlying mechanisms of these phenomena.
We also challenge the robustness assumption of current RAG systems by outlining a threat scenario in which an adversary exploits this vulnerability. We evaluate standard defenses and find them insufficient against \sys. To address this, we propose targeted defenses, analyzing their strengths and limitations. Finally, we outline directions for building next-generation robust RAG systems.
Archival Status: Non-archival (not included in proceedings)
Submission Number: 29