defense 2025

RAGRank: Using PageRank to Counter Poisoning in CTI LLM Pipelines

Austin Jia , Avaneesh Ramesh , Zain Shamsi , Daniel Zhang , Alex Liu

0 citations · 30 references · arXiv


Published on arXiv: 2510.20768

Data Poisoning Attack

OWASP ML Top 10 — ML02

Training Data Poisoning

OWASP LLM Top 10 — LLM03

Key Finding

RAGRank assigns lower authority scores to malicious injected documents while promoting trusted content, demonstrated quantitatively on MS MARCO and qualitatively on CTI feeds.

RAGRank

Novel technique introduced


Retrieval-Augmented Generation (RAG) has emerged as the dominant architectural pattern for operationalizing Large Language Model (LLM) usage in Cyber Threat Intelligence (CTI) systems. However, this design is susceptible to poisoning attacks, and previously proposed defenses can fail in CTI contexts, because cyber threat information about emerging attacks is often completely new, and sophisticated threat actors can mimic legitimate formats, terminology, and stylistic conventions. To address this issue, we propose that the robustness of modern RAG defenses can be accelerated by applying source credibility algorithms to corpora, using PageRank as an example. In our experiments, we demonstrate quantitatively on the standardized MS MARCO dataset that our algorithm assigns a lower authority score to malicious documents while promoting trusted content. We also demonstrate proof-of-concept performance of our algorithm on CTI documents and feeds.


Key Contributions

  • RAGRank: a PageRank-derived authority score that suppresses malicious documents and promotes trusted content in RAG corpora
  • Citation network construction using explicit citations, LLM-inferred citations, and claim-level entailment, augmented with time decay and author credibility
  • Quantitative evaluation on MS MARCO showing lower authority scores for injected malicious documents, plus proof-of-concept on CTI feeds
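As an added illustration (not code from the paper), the following is a personalised PageRank over a constructed four-document citation graph: author credibility seeds the teleport distribution, and a time-decay factor limits how much rank an ageing document passes along its citations, with the undelivered remainder returning to the credibility prior. The page does not say how RAGRank actually combines these signals, so that combination is an assumption, as are the document names, dates, credibility values and citation edges.

```python
from datetime import date

# Constructed corpus: three trusted CTI documents and one injected report that
# copies their format. Author credibility is a prior supplied by the operator.
DOCS = {
    "advisory-A": {"published": date(2025, 3, 1),  "author_cred": 0.9},
    "advisory-B": {"published": date(2025, 3, 5),  "author_cred": 0.9},
    "analysis-C": {"published": date(2025, 3, 10), "author_cred": 0.7},
    "injected-X": {"published": date(2025, 3, 12), "author_cred": 0.1},
}
# Citation edges (citing -> cited). In RAGRank these come from explicit
# references, LLM-inferred citations and claim entailment; here they are
# constructed. The injected document cites trusted sources to look
# legitimate, but no trusted document cites it back.
CITES = [("advisory-B", "advisory-A"), ("advisory-B", "analysis-C"),
         ("analysis-C", "advisory-A"), ("analysis-C", "advisory-B"),
         ("injected-X", "advisory-A"), ("injected-X", "advisory-B")]

def time_decay(published, today, half_life_days=30):
    """Exponential decay of citation weight with the citing document's age."""
    age = max((today - published).days, 0)
    return 0.5 ** (age / half_life_days)

def ragrank(docs, cites, today, damping=0.85, iters=100):
    """Personalised PageRank (assumed model): teleport mass follows author
    credibility; the rank a document passes along its citations decays with
    its age, and whatever is not passed on returns to the credibility prior."""
    names = list(docs)
    total_cred = sum(d["author_cred"] for d in docs.values())
    prior = {n: docs[n]["author_cred"] / total_cred for n in names}
    out = {n: {} for n in names}
    for src, dst in cites:                        # repeated evidence adds weight
        out[src][dst] = out[src].get(dst, 0.0) + 1.0
    score = dict(prior)
    for _ in range(iters):
        new = {n: 0.0 for n in names}
        returned = 0.0                            # rank handed back to the prior
        for src in names:
            decay = time_decay(docs[src]["published"], today) if out[src] else 0.0
            passed = damping * decay * score[src]  # dangling nodes pass nothing
            returned += score[src] - passed
            weight_sum = sum(out[src].values())
            for dst, w in out[src].items():
                new[dst] += passed * w / weight_sum
        for n in names:
            new[n] += returned * prior[n]
        score = new                               # total mass stays 1.0
    return score
```

With the constructed graph, the injected document ends up with the lowest authority score even though it cites the same trusted sources as the legitimate analysis, because nothing credible cites it and its prior is small.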

🛡️ Threat Analysis

Data Poisoning Attack

The attack being defended against is injecting malicious documents (falsified threat reports, manipulated IoCs, poisoned mitigation advice) into the RAG retrieval corpus — a data poisoning attack on the knowledge base used at inference time. RAGRank is the proposed defense.


Details

Domains
nlp
Model Types
llm
Threat Tags
inference_time, digital, black_box
Datasets
MS MARCO
Applications
cyber threat intelligence, RAG pipelines, LLM-based security operations