{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,4,3]],"date-time":"2026-04-03T15:49:06Z","timestamp":1775231346458,"version":"3.50.1"},"publisher-location":"Singapore","reference-count":31,"publisher":"Springer Nature Singapore","isbn-type":[{"value":"9789819691005","type":"print"},{"value":"9789819691012","type":"electronic"}],"license":[{"start":{"date-parts":[[2025,1,1]],"date-time":"2025-01-01T00:00:00Z","timestamp":1735689600000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/www.springernature.com\/gp\/researchers\/text-and-data-mining"},{"start":{"date-parts":[[2025,1,1]],"date-time":"2025-01-01T00:00:00Z","timestamp":1735689600000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.springernature.com\/gp\/researchers\/text-and-data-mining"}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2025]]},"DOI":"10.1007\/978-981-96-9101-2_8","type":"book-chapter","created":{"date-parts":[[2025,7,10]],"date-time":"2025-07-10T09:50:20Z","timestamp":1752141020000},"page":"147-166","update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":1,"title":["RAGLeak: Membership Inference Attacks on\u00a0RAG-Based Large Language Models"],"prefix":"10.1007","author":[{"given":"Kaiyue","family":"Feng","sequence":"first","affiliation":[]},{"given":"Guangsheng","family":"Zhang","sequence":"additional","affiliation":[]},{"given":"Huan","family":"Tian","sequence":"additional","affiliation":[]},{"given":"Heng","family":"Xu","sequence":"additional","affiliation":[]},{"given":"Yanjun","family":"Zhang","sequence":"additional","affiliation":[]},{"given":"Tianqing","family":"Zhu","sequence":"additional","affiliation":[]},{"given":"Ming","family":"Ding","sequence":"additional","affiliation":[]},{"given":"Bo","family":"Liu","sequence":"additional","affiliation":[]}],"member":"297","published-online":{"date-parts":[[2025,7,7]]},"reference":[{"key":"8_CR1","doi-asserted-by":"crossref","unstructured":"Abadi, M., et al.: Deep learning with differential privacy. In: Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, pp. 308\u2013318 (2016)","DOI":"10.1145\/2976749.2978318"},{"key":"8_CR2","doi-asserted-by":"crossref","unstructured":"Anderson, M., Amit, G., Goldsteen, A.: Is my data in your retrieval database? membership inference attacks against retrieval augmented generation. In: Proceedings of the 11th International Conference on Information Systems Security and Privacy, vol. 2: ICISSP, pp. 474\u2013485. INSTICC, SciTePress (2025)","DOI":"10.5220\/0013108300003899"},{"key":"8_CR3","unstructured":"Bahdanau, D., Cho, K., Bengio, Y.: Neural machine translation by jointly learning to align and translate. CoRR arxiv:1409.0473 (2014)"},{"key":"8_CR4","unstructured":"Carlini, N., Liu, C., Erlingsson, U., Kos, J., Song, D.: The secret sharer: evaluating and testing unintended memorization in neural networks. In: Proceedings of the 28th USENIX Conference on Security Symposium, SEC\u201919, pp. 267\u2013284. USENIX Association (2019)"},{"key":"8_CR5","unstructured":"Carlini, N., et\u00a0al.: Extracting training data from large language models. In: 30th USENIX Security Symposium (USENIX Security 21), pp. 2633\u20132650 (2021)"},{"key":"8_CR6","doi-asserted-by":"crossref","unstructured":"Deng, G., et al.: Masterkey: automated jailbreaking of large language model chatbots. In: Proceedings of ISOC NDSS (2024)","DOI":"10.14722\/ndss.2024.24188"},{"key":"8_CR7","unstructured":"Douze, M., et al.: The faiss library (2024)"},{"key":"8_CR8","unstructured":"Duan, M., et al.: Do membership inference attacks work on large language models? arXiv preprint arXiv:2402.07841 (2024)"},{"key":"8_CR9","doi-asserted-by":"crossref","unstructured":"Fu, W., Wang, H., Gao, C., Liu, G., Li, Y., Jiang, T.: Membership inference attacks against large language models via self-prompt calibration. In: The Thirty-eighth Annual Conference on Neural Information Processing Systems, Vancouver, Canada (2024)","DOI":"10.52202\/079017-4290"},{"key":"8_CR10","doi-asserted-by":"crossref","unstructured":"Greshake, K., Abdelnabi, S., Mishra, S., Endres, C., Holz, T., Fritz, M.: Not what you\u2019ve signed up for: compromising real-world llm-integrated applications with indirect prompt injection. In: Proceedings of the 16th ACM Workshop on Artificial Intelligence and Security, AISec \u201923, pp. 79\u201390. Association for Computing Machinery, New York (2023)","DOI":"10.1145\/3605764.3623985"},{"key":"8_CR11","doi-asserted-by":"crossref","unstructured":"Hui, B., Yuan, H., Gong, N., Burlina, P., Cao, Y.: Pleak: prompt leaking attacks against large language model applications. In: Proceedings of the 2024 on ACM SIGSAC Conference on Computer and Communications Security, CCS \u201924, pp. 3600\u20133614. Association for Computing Machinery, New York (2024)","DOI":"10.1145\/3658644.3670370"},{"key":"8_CR12","doi-asserted-by":"crossref","unstructured":"Jia, J., Salem, A., Backes, M., Zhang, Y., Gong, N.Z.: Memguard: defending against black-box membership inference attacks via adversarial examples. In: CCS \u201919, pp. 259\u2013274. Association for Computing Machinery, New York (2019)","DOI":"10.1145\/3319535.3363201"},{"key":"8_CR13","unstructured":"Jiao, R., et al.: Exploring backdoor attacks against large language model-based decision making. arXiv preprint arXiv:2405.20774 (2024)"},{"key":"8_CR14","doi-asserted-by":"crossref","unstructured":"Kandpal, N., Pillutla, K., Oprea, A., Kairouz, P., Choquette-Choo, C.A., Xu, Z.: User inference attacks on large language models, pp. 18238\u201318265 (2024)","DOI":"10.18653\/v1\/2024.emnlp-main.1014"},{"key":"8_CR15","doi-asserted-by":"crossref","unstructured":"Li, H., Guo, D., Fan, W., Xu, M., Huang, J., Meng, F., Song, Y.: Multi-step jailbreaking privacy attacks on chatgpt. arXiv preprint arXiv:2304.05197 (2023)","DOI":"10.18653\/v1\/2023.findings-emnlp.272"},{"key":"8_CR16","unstructured":"Li, Y., et al.: Badedit: backdooring large language models by model editing. arXiv preprint arXiv:2403.13355 (2024)"},{"key":"8_CR17","unstructured":"Liu, Y., et al.: Prompt injection attack against llm-integrated applications. ArXiv arxiv:2306.05499 (2023)"},{"key":"8_CR18","unstructured":"Liu, Y., Jia, Y., Geng, R., Jia, J., Gong, N.Z.: Formalizing and benchmarking prompt injection attacks and defenses. In: 33rd USENIX Security Symposium (USENIX Security 24), pp. 1831\u20131847. USENIX Association, Philadelphia (2024)"},{"key":"8_CR19","doi-asserted-by":"crossref","unstructured":"Mattern, J., Mireshghallah, F., Jin, Z., Schoelkopf, B., Sachan, M., Berg-Kirkpatrick, T.: Membership inference attacks against language models via neighbourhood comparison. In: Rogers, A., Boyd-Graber, J., Okazaki, N. (eds.) Findings of the Association for Computational Linguistics: ACL 2023, pp. 11330\u201311343. Association for Computational Linguistics, Toronto (2023)","DOI":"10.18653\/v1\/2023.findings-acl.719"},{"key":"8_CR20","unstructured":"Perez, F., Ribeiro, I.: Ignore previous prompt: attack techniques for language models (2022)"},{"key":"8_CR21","doi-asserted-by":"crossref","unstructured":"Salem, A., Zhang, Y., Humbert, M., Berrang, P., Fritz, M., Backes, M.: Ml-leaks: model and data independent membership inference attacks and defenses on machine learning models. In: Proceedings of the 26th Annual Network and Distributed System Security Symposium (NDSS) (2019)","DOI":"10.14722\/ndss.2019.23119"},{"key":"8_CR22","unstructured":"Shi, W., et al.: Detecting pretraining data from large language models (2023)"},{"key":"8_CR23","doi-asserted-by":"crossref","unstructured":"Shokri, R., Stronati, M., Song, C., Shmatikov, V.: Membership inference attacks against machine learning models. In: 2017 IEEE Symposium on Security and Privacy (SP), pp. 3\u201318. IEEE Computer Society, Los Alamitos (2017)","DOI":"10.1109\/SP.2017.41"},{"key":"8_CR24","doi-asserted-by":"crossref","unstructured":"Shuster, K., Poff, S., Chen, M., Kiela, D., Weston, J.: Retrieval augmentation reduces hallucination in conversation. In: Moens, M.F., Huang, X., Specia, L., Yih, S.W.t. (eds.) Findings of the Association for Computational Linguistics: EMNLP 2021, pp. 3784\u20133803. Association for Computational Linguistics, Punta Cana (2021)","DOI":"10.18653\/v1\/2021.findings-emnlp.320"},{"key":"8_CR25","unstructured":"Wan, A., Wallace, E., Shen, S., Klein, D.: Poisoning language models during instruction tuning. In: Proceedings of the 40th International Conference on Machine Learning. ICML\u201923. JMLR.org (2023)"},{"key":"8_CR26","doi-asserted-by":"crossref","unstructured":"Wei, A., Haghtalab, N., Steinhardt, J.: Jailbroken: how does llm safety training fail? Adv. Neural Inf. Process. Syst. 36 (2024)","DOI":"10.52202\/075280-3508"},{"key":"8_CR27","doi-asserted-by":"crossref","unstructured":"Yan, J., et al.: Backdooring instruction-tuned large language models with virtual prompt injection. In: Duh, K., Gomez, H., Bethard, S. (eds.) Proceedings of the 2024 Conference of the North American Chapter of the Association for Computational Linguistics: Human Language Technologies, vol. 1: Long Papers, pp. 6065\u20136086. Association for Computational Linguistics, Mexico City (2024)","DOI":"10.18653\/v1\/2024.naacl-long.337"},{"key":"8_CR28","doi-asserted-by":"crossref","unstructured":"Yao, H., Lou, J., Qin, Z.: Poisonprompt: backdoor attack on prompt-based large language models. In: ICASSP 2024 - 2024 IEEE International Conference on Acoustics, Speech and Signal Processing (ICASSP), pp. 7745\u20137749 (2024)","DOI":"10.1109\/ICASSP48485.2024.10446267"},{"key":"8_CR29","doi-asserted-by":"crossref","unstructured":"Yeom, S., Giacomelli, I., Fredrikson, M., Jha, S.: Privacy risk in machine learning: analyzing the connection to overfitting. In: 2018 IEEE 31st Computer Security Foundations Symposium (CSF), pp. 268\u2013282. IEEE (2018)","DOI":"10.1109\/CSF.2018.00027"},{"key":"8_CR30","unstructured":"Zou, A., Wang, Z., Kolter, J.Z., Fredrikson, M.: Universal and transferable adversarial attacks on aligned language models (2023)"},{"key":"8_CR31","unstructured":"Zou, W., Geng, R., Wang, B., Jia, J.: Poisonedrag: knowledge poisoning attacks to retrieval-augmented generation of large language models. arXiv preprint arXiv:2402.07867 (2024)"}],"container-title":["Lecture Notes in Computer Science","Information Security and Privacy"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/978-981-96-9101-2_8","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2026,4,3]],"date-time":"2026-04-03T14:55:56Z","timestamp":1775228156000},"score":1,"resource":{"primary":{"URL":"https:\/\/link.springer.com\/10.1007\/978-981-96-9101-2_8"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2025]]},"ISBN":["9789819691005","9789819691012"],"references-count":31,"URL":"https:\/\/doi.org\/10.1007\/978-981-96-9101-2_8","relation":{},"ISSN":["0302-9743","1611-3349"],"issn-type":[{"value":"0302-9743","type":"print"},{"value":"1611-3349","type":"electronic"}],"subject":[],"published":{"date-parts":[[2025]]},"assertion":[{"value":"7 July 2025","order":1,"name":"first_online","label":"First Online","group":{"name":"ChapterHistory","label":"Chapter History"}},{"value":"ACISP","order":1,"name":"conference_acronym","label":"Conference Acronym","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"Australasian Conference on Information Security and Privacy","order":2,"name":"conference_name","label":"Conference Name","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"Wollongong, NSW","order":3,"name":"conference_city","label":"Conference City","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"Australia","order":4,"name":"conference_country","label":"Conference Country","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"2025","order":5,"name":"conference_year","label":"Conference Year","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"14 July 2025","order":7,"name":"conference_start_date","label":"Conference Start Date","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"16 July 2025","order":8,"name":"conference_end_date","label":"Conference End Date","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"30","order":9,"name":"conference_number","label":"Conference Number","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"acisp2025","order":10,"name":"conference_id","label":"Conference ID","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"https:\/\/uow-ic2.github.io\/acisp2025\/","order":11,"name":"conference_url","label":"Conference URL","group":{"name":"ConferenceInfo","label":"Conference Information"}}]}}