RAGFort: Dual-Path Defense Against Proprietary Knowledge Base Extraction in Retrieval-Augmented Generation

Retrieval-Augmented Generation (RAG) systems deployed over proprietary knowledge bases face growing threats from reconstruction attacks that aggregate model responses to replicate knowledge bases. Such attacks exploit both intra-class and inter-class paths, progressively extracting fine-grained knowledge within topics and diffusing it across semantically related ones, thereby enabling comprehensive extraction of the original knowledge base. However, existing defenses target only one path, leaving the other unprotected. We conduct a systematic exploration to assess the impact of protecting each path independently and find that joint protection is essential for effective defense. Based on this, we propose RAGFort, a structure-aware dual-module defense combining "contrastive reindexing" for inter-class isolation and "constrained cascade generation" for intra-class protection. Experiments across security, performance, and robustness confirm that RAGFort significantly reduces reconstruction success while preserving answer quality, offering comprehensive defense against knowledge base extraction attacks.

Key Contributions

• Systematic analysis showing that defending only one extraction path (intra-class or inter-class) is insufficient, and joint protection is essential
• Contrastive reindexing module that reorganizes the dense retrieval index using HDBSCAN clustering to enforce semantic separation between topic classes, preventing inter-class extraction
• Constrained cascade generation module for intra-class protection that reduces fine-grained content leakage within individual topics while preserving answer quality

🛡️ Threat Analysis

Details

Similar Papers