ML Security PapersKEPo: Knowledge Evolution Poison on Graph-based Retrieval-Augmented Generation
Qizhi Chen , Chao Qi , Yihong Huang , Muquan Li , Rongzheng Wang , Dongyang Zhang , Ke Qin , Shuang Liang
Published on arXiv
2603.11501
Data Poisoning Attack
OWASP ML Top 10 — ML02
Prompt Injection
OWASP LLM Top 10 — LLM01
Key Finding
KEPo achieves state-of-the-art attack success rates on GraphRAG for both single-target and multi-target scenarios, significantly outperforming prior RAG poisoning methods that fail against GraphRAG's KG abstraction layer.
KEPo (Knowledge Evolution Poison)
Novel technique introduced
Graph-based Retrieval-Augmented Generation (GraphRAG) constructs the Knowledge Graph (KG) from external databases to enhance the timeliness and accuracy of Large Language Model (LLM) generations.However,this reliance on external data introduces new attack surfaces.Attackers can inject poisoned texts into databases to manipulate LLMs into producing harmful target responses for attacker-chosen queries.Existing research primarily focuses on attacking conventional RAG systems.However,such methods are ineffective against GraphRAG.This robustness derives from the KG abstraction of GraphRAG,which reorganizes injected text into a graph before retrieval,thereby enabling the LLM to reason based on the restructured context instead of raw poisoned passages.To expose latent security vulnerabilities in GraphRAG,we propose Knowledge Evolution Poison (KEPo),a novel poisoning attack method specifically designed for GraphRAG.For each target query,KEPo first generates a toxic event containing poisoned knowledge based on the target answer.By fabricating event backgrounds and forging knowledge evolution paths from original facts to the toxic event,it then poisons the KG and misleads the LLM into treating the poisoned knowledge as the final result.In multi-target attack scenarios,KEPo further connects multiple attack corpora,enabling their poisoned knowledge to mutually reinforce while expanding the scale of poisoned communities,thereby amplifying attack effectiveness.Experimental results across multiple datasets demonstrate that KEPo achieves state-of-the-art attack success rates for both single-target and multi-target attacks,significantly outperforming previous methods.
Key Contributions
- KEPo: a novel GraphRAG-specific poisoning attack that fabricates knowledge evolution paths from legitimate facts to toxic events, bypassing GraphRAG's KG-abstraction defense that neutralizes conventional RAG poisoning methods.
- A multi-target attack variant that interconnects multiple poisoned corpora so their injected knowledge communities mutually reinforce each other, amplifying attack scale and effectiveness.
- Empirical demonstration that existing RAG poisoning methods (semantic replacement, prompt injection, RAG-specific adversarial texts) are ineffective against GraphRAG's graph-restructuring layer, while KEPo achieves SOTA success rates.
🛡️ Threat Analysis
KEPo's core mechanism is injecting poisoned text into external databases that GraphRAG ingests, corrupting the knowledge graph construction — a form of data injection/poisoning targeting the data pipeline the model relies on for generation.