
Published on arXiv: 2510.09710

Prompt Injection

OWASP LLM Top 10 — LLM01

Key Finding

SeCon-RAG markedly outperforms state-of-the-art RAG defense methods across various LLMs and datasets under corpus poisoning and contamination attacks while preserving generation quality.

SeCon-RAG

Novel technique introduced


Retrieval-augmented generation (RAG) systems enhance large language models (LLMs) with external knowledge but are vulnerable to corpus poisoning and contamination attacks, which can compromise output integrity. Existing defenses often apply aggressive filtering, leading to unnecessary loss of valuable information and reduced reliability in generation. To address this problem, we propose a two-stage semantic filtering and conflict-free framework for trustworthy RAG. In the first stage, we perform a joint filter with semantic and cluster-based filtering which is guided by the Entity-intent-relation extractor (EIRE). EIRE extracts entities, latent objectives, and entity relations from both the user query and filtered documents, scores their semantic relevance, and selectively adds valuable documents into the clean retrieval database. In the second stage, we proposed an EIRE-guided conflict-aware filtering module, which analyzes semantic consistency between the query, candidate answers, and retrieved knowledge before final answer generation, filtering out internal and external contradictions that could mislead the model. Through this two-stage process, SeCon-RAG effectively preserves useful knowledge while mitigating conflict contamination, achieving significant improvements in both generation robustness and output trustworthiness. Extensive experiments across various LLMs and datasets demonstrate that the proposed SeCon-RAG markedly outperforms state-of-the-art defense methods.


Key Contributions

  • EIRE (Entity-intent-relation extractor) that extracts entities, latent objectives, and entity relations from queries and documents to guide semantic relevance scoring and filtering
  • Two-stage RAG defense: (1) joint semantic and cluster-based filtering to build a clean retrieval database, and (2) conflict-aware filtering that detects internal and external contradictions before final answer generation
  • SeCon-RAG framework that outperforms state-of-the-art defenses across multiple LLMs and datasets on both robustness and generation quality under corpus poisoning

Details

Domains: nlp
Model Types: llm, transformer
Threat Tags: inference_time, black_box
Applications: retrieval-augmented generation, question answering, knowledge-grounded llm systems