defense 2026

Making Theft Useless: Adulteration-Based Protection of Proprietary Knowledge Graphs in GraphRAG Systems

Weijie Wang 1,2, Peizhuo Lv 3, Yan Wang 1,4, Rujie Dai 1, Guokun Xu 1, Qiujian Lv 1, Hangcheng Liu 3, Weiqing Huang 1, Wei Dong 3, Jiaheng Zhang 2

0 citations · 65 references · arXiv

Published on arXiv

2601.00274

Model Theft

OWASP ML Top 10 — ML05

Key Finding

Degrades unauthorized GraphRAG system accuracy to 5.3% while maintaining 100% fidelity for authorized users, with adulterants surviving 80.2% of sanitization attempts.

AURA (Active Utility Reduction via Adulteration)

Novel technique introduced


Graph Retrieval-Augmented Generation (GraphRAG) has emerged as a key technique for enhancing Large Language Models (LLMs) with proprietary Knowledge Graphs (KGs) in knowledge-intensive applications. As these KGs often represent an organization's highly valuable intellectual property (IP), they face a significant risk of theft for private use. In this scenario, attackers operate in isolated environments, so the defender never observes the stolen system's queries or outputs. This private-use threat renders passive defenses like watermarking ineffective, as they require output access for detection. Simultaneously, the low-latency demands of GraphRAG make strong encryption, which incurs prohibitive overhead, impractical. To address these challenges, we propose AURA, a novel framework based on Data Adulteration designed to make any stolen KG unusable to an adversary. Our framework pre-emptively injects plausible but false adulterants into the KG. For an attacker, these adulterants contaminate the retrieved context and lead to factually incorrect responses. Conversely, for authorized users, a secret key enables the efficient filtering of all adulterants via encrypted metadata tags before they are passed to the LLM, ensuring query results remain completely accurate. Our evaluation demonstrates the effectiveness of this approach: AURA degrades the performance of unauthorized systems to an accuracy of just 5.3%, while maintaining 100% fidelity for authorized users with negligible overhead. Furthermore, AURA proves robust against various sanitization attempts, retaining 80.2% of its adulterants.
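To make the key-gated filtering concrete, here is an added toy model of the retrieval path the abstract describes. It is example code written for this page, not code from the AURA paper or its authors; the paper's actual tagging scheme, adulterant generation and evaluation are not reproduced here. Assumptions: the KG is a list of (subject, predicate, object) triples, each carrying a keyed tag (an HMAC-SHA256 stand-in for the paper's "encrypted metadata tags"), the sample triples and QA pairs are constructed, and a retrieved context with conflicting values is counted as an incorrect answer. The design point worth seeing is that every triple, genuine or adulterant, carries a tag of identical shape, so without the key there is nothing to strip, and a guessed key rejects genuine triples along with the adulterants.

```python
"""Toy key-gated adulterant filtering for a GraphRAG knowledge graph (added example)."""
import hashlib
import hmac
import secrets

# Constructed sample KG. Objects are hypothetical product facts, not real data.
GENUINE = [
    ("widget-x", "max_operating_temp_c", "85"),
    ("widget-x", "supplier", "acme-metals"),
    ("widget-x", "firmware_version", "4.2.1"),
]
# Plausible-but-false adulterants: same subjects/predicates, conflicting objects.
ADULTERANTS = [
    ("widget-x", "max_operating_temp_c", "120"),
    ("widget-x", "supplier", "globex-alloys"),
]
# Constructed QA set used to score a retriever: (subject, predicate) -> true object.
QUESTIONS = [
    (("widget-x", "max_operating_temp_c"), "85"),
    (("widget-x", "supplier"), "acme-metals"),
    (("widget-x", "firmware_version"), "4.2.1"),
]


def canonical(triple):
    # Unambiguous byte encoding of a triple for MAC input (assumed field separator).
    return "\x1f".join(triple).encode()


def make_tag(key, triple, genuine):
    # Genuine triples are tagged with HMAC(key, triple || "genuine").
    # Adulterants get HMAC(key, triple || random nonce): same length and alphabet,
    # but it never verifies. Without the key the two are indistinguishable.
    suffix = b"|genuine" if genuine else b"|" + secrets.token_bytes(16)
    return hmac.new(key, canonical(triple) + suffix, hashlib.sha256).hexdigest()


def build_protected_kg(key):
    kg = [(t, make_tag(key, t, True)) for t in GENUINE]
    kg += [(t, make_tag(key, t, False)) for t in ADULTERANTS]
    return sorted(kg)  # interleave genuine and adulterant entries deterministically


def is_genuine(key, triple, tag):
    expected = hmac.new(key, canonical(triple) + b"|genuine", hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tag)


def retrieve(kg, subject, predicate, key=None):
    """Candidate objects for (subject, predicate).

    With the key, adulterants (and anything with a bad tag) are dropped before
    the context reaches the LLM. Without it, the full adulterated context is returned.
    """
    hits = [(t, tag) for t, tag in kg if t[0] == subject and t[1] == predicate]
    if key is not None:
        hits = [(t, tag) for t, tag in hits if is_genuine(key, t, tag)]
    return [t[2] for t, _ in hits]


def answer_accuracy(kg, key=None):
    """Fraction of QUESTIONS whose retrieved context holds exactly the true object."""
    correct = sum(1 for (s, p), truth in QUESTIONS if retrieve(kg, s, p, key) == [truth])
    return correct / len(QUESTIONS)


def tags_are_indistinguishable(kg):
    """Attacker-side check: no tag length or alphabet difference separates the classes."""
    lengths = {len(tag) for _, tag in kg}
    hexdigits = set("0123456789abcdef")
    return len(lengths) == 1 and all(set(tag) <= hexdigits for _, tag in kg)


if __name__ == "__main__":
    key = secrets.token_bytes(32)
    kg = build_protected_kg(key)
    print("tags indistinguishable without key:", tags_are_indistinguishable(kg))
    print("unauthorized accuracy:", answer_accuracy(kg))
    print("authorized accuracy:  ", answer_accuracy(kg, key))
    print("with a guessed key:   ", answer_accuracy(kg, secrets.token_bytes(32)))
```

In this toy the unauthorized retriever answers only the one question that has no adulterant, while the keyed retriever answers all three; a guessed key answers none, because every genuine tag fails to verify too. A production design would also need to consider replay of tags across KG versions and key rotation, neither of which this sketch addresses.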


Key Contributions

  • AURA framework that pre-emptively injects plausible but false adulterants into KGs, degrading stolen copies while authorized users filter them via a secret key
  • Hybrid adulterant generation strategy that targets a minimal critical node set for maximum semantic and structural plausibility
  • Adversary-impact-based selection of adulterants ensuring robust degradation (5.3% accuracy for attackers vs. 100% fidelity for authorized users) with resistance to sanitization attempts (80.2% adulterant retention)

🛡️ Threat Analysis

Model Theft

The paper's primary threat model is theft of the KG — the core intellectual property powering the GraphRAG system — for private competitive deployment. AURA is a proactive defense analogous to anti-distillation and honeypot techniques in model IP protection: rather than watermarking for post-hoc detection (ineffective in isolated private deployments), it degrades the stolen asset's utility. This parallels ML05 defenses that make model theft economically worthless, applied here to knowledge-base IP.


Details

Domains
nlp, graph
Model Types
llm, gnn
Threat Tags
black_box, training_time, targeted
Datasets
proprietary KG benchmarks (domain-specific QA)
Applications
graph retrieval-augmented generation, knowledge graph ip protection, enterprise ai systems