attack 2026

Connect the Dots: Knowledge Graph-Guided Crawler Attack on Retrieval-Augmented Generation Systems

Mengyu Yao 1, Ziqi Zhang 2, Ning Luo 2, Shaofei Li 1, Yifeng Cai 1, Xiangqun Chen 1, Yao Guo 1, Ding Li 1

0 citations · 91 references · arXiv

Published on arXiv: 2601.15678

Sensitive Information Disclosure

OWASP LLM Top 10 — LLM06

Key Finding

RAGCrawler achieves 66.8% average corpus coverage (up to 84.4%) within 1,000 queries, improving coverage by 44.90% over the strongest baseline and reducing queries needed to reach 70% coverage by at least 4.03x on average.

RAGCrawler

Novel technique introduced


Stealing attacks pose a persistent threat to the intellectual property of deployed machine-learning systems. Retrieval-augmented generation (RAG) intensifies this risk by extending the attack surface beyond model weights to the knowledge base, which often contains IP-bearing assets such as proprietary runbooks, curated domain collections, or licensed documents. Recent work shows that multi-turn questioning can gradually steal corpus content from RAG systems, yet existing attacks are largely heuristic and often plateau early. We address this gap by formulating RAG knowledge-base stealing as an adaptive stochastic coverage problem (ASCP), where each query is a stochastic action and the goal is to maximize the conditional expected marginal gain (CMG) in corpus coverage under a query budget. Bridging ASCP to real-world black-box RAG knowledge-base stealing raises three challenges: CMG is unobservable, the natural-language action space is intractably large, and feasibility constraints require stealthy queries that remain effective under diverse architectures. We introduce RAGCrawler, a knowledge graph-guided attacker that maintains a global attacker-side state to estimate coverage gains, schedule high-value semantic anchors, and generate non-redundant natural queries. Across four corpora and four generators with a BGE retriever, RAGCrawler achieves 66.8% average coverage (up to 84.4%) within 1,000 queries, improving coverage by 44.90% relative to the strongest baseline. It also reduces the queries needed to reach 70% coverage by at least 4.03x on average and enables surrogate reconstruction with answer similarity up to 0.699. Our attack also scales to retriever switching and newer RAG techniques like query rewriting and multi-query retrieval. These results highlight an urgent need to protect RAG knowledge assets.


Key Contributions

  • Formalizes RAG knowledge-base stealing as an adaptive stochastic coverage problem (ASCP) with conditional marginal gain objective, enabling principled long-term extraction planning beyond heuristic approaches
  • Introduces RAGCrawler, a knowledge graph-guided attacker that maintains global attacker-side state to estimate coverage gains, schedule semantic anchors, and generate non-redundant natural queries
  • Demonstrates 66.8% average corpus coverage (up to 84.4%) within 1,000 queries — a 44.90% relative improvement over the strongest baseline — and surrogate reconstruction with answer similarity up to 0.699, while remaining robust to query rewriting and multi-query retrieval defenses

🛡️ Threat Analysis


Details

Domains
nlp
Model Types
llm, transformer
Threat Tags
black_box, inference_time, targeted
Datasets
four unnamed proprietary/domain corpora, BGE retriever benchmark
Applications
retrieval-augmented generation systems, knowledge base ip protection, document retrieval systems