Query-Efficient Agentic Graph Extraction Attacks on GraphRAG Systems

Graph-based retrieval-augmented generation (GraphRAG) systems construct knowledge graphs over document collections to support multi-hop reasoning. While prior work shows that GraphRAG responses may leak retrieved subgraphs, the feasibility of query-efficient reconstruction of the hidden graph structure remains unexplored under realistic query budgets. We study a budget-constrained black-box setting where an adversary adaptively queries the system to steal its latent entity-relation graph. We propose AGEA (Agentic Graph Extraction Attack), a framework that leverages a novelty-guided exploration-exploitation strategy, external graph memory modules, and a two-stage graph extraction pipeline combining lightweight discovery with LLM-based filtering. We evaluate AGEA on medical, agriculture, and literary datasets across Microsoft-GraphRAG and LightRAG systems. Under identical query budgets, AGEA significantly outperforms prior attack baselines, recovering up to 90% of entities and relationships while maintaining high precision. These results demonstrate that modern GraphRAG systems are highly vulnerable to structured, agentic extraction attacks, even under strict query limits.

Key Contributions

• AGEA framework: a novelty-guided exploration-exploitation strategy with external graph memory to efficiently extract hidden knowledge graphs from GraphRAG systems under strict query budgets
• Two-stage extraction pipeline combining lightweight entity-relation discovery with LLM-based filtering to improve precision
• Empirical demonstration that Microsoft-GraphRAG and LightRAG systems are highly vulnerable, recovering up to 90% of entities and relationships under realistic query limits

🛡️ Threat Analysis

Details

Similar Papers