{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,4,10]],"date-time":"2026-04-10T10:01:25Z","timestamp":1775815285348,"version":"3.50.1"},"publisher-location":"New York, NY, USA","reference-count":49,"publisher":"ACM","license":[{"start":{"date-parts":[[2025,4,22]],"date-time":"2025-04-22T00:00:00Z","timestamp":1745280000000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":[],"published-print":{"date-parts":[[2025,4,22]]},"DOI":"10.1145\/3696410.3714756","type":"proceedings-article","created":{"date-parts":[[2025,4,22]],"date-time":"2025-04-22T22:47:11Z","timestamp":1745362031000},"page":"2085-2097","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":6,"title":["Traceback of Poisoning Attacks to Retrieval-Augmented Generation"],"prefix":"10.1145","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-1807-5946","authenticated-orcid":false,"given":"Baolei","family":"Zhang","sequence":"first","affiliation":[{"name":"CCS&amp;CS, DISSec, Nankai University, Tianjin, China"}]},{"ORCID":"https:\/\/orcid.org\/0009-0001-7290-1583","authenticated-orcid":false,"given":"Haoran","family":"Xin","sequence":"additional","affiliation":[{"name":"CCS&amp;CS, DISSec, Nankai University, Tianjin, China"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-1365-3911","authenticated-orcid":false,"given":"Minghong","family":"Fang","sequence":"additional","affiliation":[{"name":"University of Louisville, Louisville, USA"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-0146-5101","authenticated-orcid":false,"given":"Zhuqing","family":"Liu","sequence":"additional","affiliation":[{"name":"University of North Texas, Denton, USA"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-8347-1953","authenticated-orcid":false,"given":"Biao","family":"Yi","sequence":"additional","affiliation":[{"name":"CCS&amp;CS, DISSec, Nankai University, Tianjin, China"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-3678-8402","authenticated-orcid":false,"given":"Tong","family":"Li","sequence":"additional","affiliation":[{"name":"CCS&amp;CS, DISSec, Nankai University, Tianjin, China"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-2984-2661","authenticated-orcid":false,"given":"Zheli","family":"Liu","sequence":"additional","affiliation":[{"name":"CCS&amp;CS, DISSec, Nankai University, Tianjin, China"}]}],"member":"320","published-online":{"date-parts":[[2025,4,22]]},"reference":[{"key":"e_1_3_2_1_1_1","volume-title":"Diogo Almeida, Janko Altenschmidt, Sam Altman, Shyamal Anadkat, et al.","author":"Achiam Josh","year":"2023","unstructured":"Josh Achiam, Steven Adler, Sandhini Agarwal, Lama Ahmad, Ilge Akkaya, Florencia Leoni Aleman, Diogo Almeida, Janko Altenschmidt, Sam Altman, Shyamal Anadkat, et al. 2023. Gpt-4 technical report. arXiv (2023)."},{"key":"e_1_3_2_1_2_1","unstructured":"Rohan Anil Andrew M Dai Orhan Firat Melvin Johnson Dmitry Lepikhin Alexandre Passos Siamak Shakeri Emanuel Taropa Paige Bailey Zhifeng Chen et al. 2023. Palm 2 technical report. arXiv (2023)."},{"key":"e_1_3_2_1_3_1","volume-title":"USENIX Security Symposium.","author":"Bagdasaryan Eugene","year":"2021","unstructured":"Eugene Bagdasaryan and Vitaly Shmatikov. 2021. Blind backdoors in deep learning models. In USENIX Security Symposium."},{"key":"e_1_3_2_1_4_1","unstructured":"Payal Bajaj Daniel Campos Nick Craswell Li Deng Jianfeng Gao Xiaodong Liu Rangan Majumder Andrew McNamara Bhaskar Mitra Tri Nguyen et al. 2016. Ms marco: A human generated machine reading comprehension dataset. arXiv preprint arXiv:1611.09268 (2016)."},{"key":"e_1_3_2_1_5_1","volume-title":"Jean-Baptiste Lespiau, Bogdan Damoc, Aidan Clark, et al.","author":"Borgeaud Sebastian","year":"2022","unstructured":"Sebastian Borgeaud, Arthur Mensch, Jordan Hoffmann, Trevor Cai, Eliza Rutherford, Katie Millican, George Bm Van Den Driessche, Jean-Baptiste Lespiau, Bogdan Damoc, Aidan Clark, et al. 2022. Improving language models by retrieving from trillions of tokens. In ICML."},{"key":"e_1_3_2_1_6_1","unstructured":"Tom Brown Benjamin Mann Nick Ryder Melanie Subbiah Jared D Kaplan Prafulla Dhariwal Arvind Neelakantan Pranav Shyam Girish Sastry Amanda Askell et al. 2020. Language models are few-shot learners. In NeurIPS."},{"key":"e_1_3_2_1_7_1","unstructured":"Xiaoyu Cao Minghong Fang Jia Liu and Neil Zhenqiang Gong. 2021. FLTrust: Byzantine-robust Federated Learning via Trust Bootstrapping. In NDSS."},{"key":"e_1_3_2_1_8_1","volume-title":"Phantom: General Trigger Attacks on Retrieval Augmented Language Generation. arXiv preprint arXiv:2405.20485","author":"Chaudhari Harsh","year":"2024","unstructured":"Harsh Chaudhari, Giorgio Severi, John Abascal, Matthew Jagielski, Christopher A Choquette-Choo, Milad Nasr, Cristina Nita-Rotaru, and Alina Oprea. 2024. Phantom: General Trigger Attacks on Retrieval Augmented Language Generation. arXiv preprint arXiv:2405.20485 (2024)."},{"key":"e_1_3_2_1_9_1","doi-asserted-by":"crossref","unstructured":"Jiawei Chen Hongyu Lin Xianpei Han and Le Sun. 2024. Benchmarking large language models in retrieval-augmented generation. In AAAI.","DOI":"10.1609\/aaai.v38i16.29728"},{"key":"e_1_3_2_1_10_1","doi-asserted-by":"publisher","DOI":"10.1145\/3626772.3657834"},{"key":"e_1_3_2_1_11_1","volume-title":"Pandora: Jailbreak gpts by retrieval augmented generation poisoning. arXiv preprint arXiv:2402.08416","author":"Deng Gelei","year":"2024","unstructured":"Gelei Deng, Yi Liu, Kailong Wang, Yuekang Li, Tianwei Zhang, and Yang Liu. 2024. Pandora: Jailbreak gpts by retrieval augmented generation poisoning. arXiv preprint arXiv:2402.08416 (2024)."},{"key":"e_1_3_2_1_12_1","volume-title":"USENIX Security Symposium.","author":"Fang Minghong","year":"2020","unstructured":"Minghong Fang, Xiaoyu Cao, Jinyuan Jia, and Neil Gong. 2020. Local model poisoning attacks to Byzantine-robust federated learning. In USENIX Security Symposium."},{"key":"e_1_3_2_1_13_1","volume-title":"Neil Zhenqiang Gong, and Elizabeth S Bentley","author":"Fang Minghong","year":"2022","unstructured":"Minghong Fang, Jia Liu, Neil Zhenqiang Gong, and Elizabeth S Bentley. 2022. Aflguard: Byzantine-robust asynchronous federated learning. In ACSAC."},{"key":"e_1_3_2_1_14_1","volume-title":"Sundararaja Sitharama Iyengar, and Haibo Yang","author":"Fang Minghong","year":"2025","unstructured":"Minghong Fang, Seyedsina Nabavirazavi, Zhuqing Liu, Wei Sun, Sundararaja Sitharama Iyengar, and Haibo Yang. 2025. Do We Really Need to Design New Byzantine-robust Aggregation Rules?. In NDSS."},{"key":"e_1_3_2_1_15_1","doi-asserted-by":"crossref","unstructured":"Minghong Fang Zifan Zhang Prashant Khanduri Jia Liu Songtao Lu Yuchen Liu Neil Gong et al. 2024. Byzantine-robust decentralized federated learning. In CCS.","DOI":"10.1145\/3658644.3670307"},{"key":"e_1_3_2_1_16_1","volume-title":"Retrieval-augmented generation for large language models: A survey. arXiv preprint arXiv:2312.10997","author":"Gao Yunfan","year":"2023","unstructured":"Yunfan Gao, Yun Xiong, Xinyu Gao, Kangxiang Jia, Jinliu Pan, Yuxi Bi, Yi Dai, Jiawei Sun, and Haofen Wang. 2023. Retrieval-augmented generation for large language models: A survey. arXiv preprint arXiv:2312.10997 (2023)."},{"key":"e_1_3_2_1_17_1","doi-asserted-by":"publisher","DOI":"10.1145\/3605764.3623985"},{"key":"e_1_3_2_1_18_1","volume-title":"Unsupervised dense information retrieval with contrastive learning. arXiv preprint arXiv:2112.09118","author":"Izacard Gautier","year":"2021","unstructured":"Gautier Izacard, Mathilde Caron, Lucas Hosseini, Sebastian Riedel, Piotr Bojanowski, Armand Joulin, and Edouard Grave. 2021. Unsupervised dense information retrieval with contrastive learning. arXiv preprint arXiv:2112.09118 (2021)."},{"key":"e_1_3_2_1_19_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2018.00057"},{"key":"e_1_3_2_1_20_1","volume-title":"Baseline defenses for adversarial attacks against aligned language models. arXiv preprint arXiv:2309.00614","author":"Jain Neel","year":"2023","unstructured":"Neel Jain, Avi Schwarzschild, Yuxin Wen, Gowthami Somepalli, John Kirchenbauer, Ping-yeh Chiang, Micah Goldblum, Aniruddha Saha, Jonas Geiping, and Tom Goldstein. 2023. Baseline defenses for adversarial attacks against aligned language models. arXiv preprint arXiv:2309.00614 (2023)."},{"key":"e_1_3_2_1_21_1","volume-title":"Andrea Madotto, and Pascale Fung.","author":"Ji Ziwei","year":"2023","unstructured":"Ziwei Ji, Nayeon Lee, Rita Frieske, Tiezheng Yu, Dan Su, Yan Xu, Etsuko Ishii, Ye Jin Bang, Andrea Madotto, and Pascale Fung. 2023. Survey of hallucination in natural language generation. In ACM Computing Surveys."},{"key":"e_1_3_2_1_22_1","volume-title":"Tracing Back the Malicious Clients in Poisoning Attacks to Federated Learning. arXiv preprint arXiv:2407.07221","author":"Jia Yuqi","year":"2024","unstructured":"Yuqi Jia, Minghong Fang, Hongbin Liu, Jinghuai Zhang, and Neil Zhenqiang Gong. 2024. Tracing Back the Malicious Clients in Poisoning Attacks to Federated Learning. arXiv preprint arXiv:2407.07221 (2024)."},{"key":"e_1_3_2_1_23_1","volume-title":"Active retrieval augmented generation. arXiv preprint arXiv:2305.06983","author":"Jiang Zhengbao","year":"2023","unstructured":"Zhengbao Jiang, Frank F Xu, Luyu Gao, Zhiqing Sun, Qian Liu, Jane Dwivedi-Yu, Yiming Yang, Jamie Callan, and Graham Neubig. 2023. Active retrieval augmented generation. arXiv preprint arXiv:2305.06983 (2023)."},{"key":"e_1_3_2_1_24_1","doi-asserted-by":"crossref","unstructured":"Vladimir Karpukhin Barlas Oguz Sewon Min Patrick Lewis Ledell Wu Sergey Edunov Danqi Chen and Wen-tau Yih. 2020. Dense Passage Retrieval for Open-Domain Question Answering. In EMNLP.","DOI":"10.18653\/v1\/2020.emnlp-main.550"},{"key":"e_1_3_2_1_25_1","unstructured":"Pang Wei Koh Jacob Steinhardt and Percy Liang. 2022. Stronger data poisoning attacks break data sanitization defenses. In Machine Learning."},{"key":"e_1_3_2_1_26_1","volume-title":"Natural Questions: A Benchmark for Question Answering Research. In Transactions of the Association for Computational Linguistics.","author":"Kwiatkowski Tom","year":"2019","unstructured":"Tom Kwiatkowski, Jennimaria Palomaki, Olivia Redfield, Michael Collins, Ankur P. Parikh, Chris Alberti, Danielle Epstein, Illia Polosukhin, Jacob Devlin, Kenton Lee, Kristina Toutanova, Llion Jones, Matthew Kelcey, Ming-Wei Chang, Andrew M. Dai, Jakob Uszkoreit, Quoc V. Le, and Slav Petrov. 2019. Natural Questions: A Benchmark for Question Answering Research. In Transactions of the Association for Computational Linguistics."},{"key":"e_1_3_2_1_27_1","unstructured":"Patrick Lewis Ethan Perez Aleksandra Piktus Fabio Petroni Vladimir Karpukhin Naman Goyal Heinrich K\u00fcttler Mike Lewis Wen-tau Yih Tim Rockt\u00e4schel et al. 2020. Retrieval-augmented generation for knowledge-intensive nlp tasks. In NeurIPS."},{"key":"e_1_3_2_1_28_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP46214.2022.9833579"},{"key":"e_1_3_2_1_29_1","volume-title":"Reconstruction of Differentially Private Text Sanitization via Large Language Models. arXiv preprint arXiv:2410.12443","author":"Pang Shuchao","year":"2024","unstructured":"Shuchao Pang, Zhigang Lu, Haichen Wang, Peng Fu, Yongbin Zhou, Minhui Xue, and Bo Li. 2024. Reconstruction of Differentially Private Text Sanitization via Large Language Models. arXiv preprint arXiv:2410.12443 (2024)."},{"key":"e_1_3_2_1_30_1","volume-title":"Ignore previous prompt: Attack techniques for language models. arXiv preprint arXiv:2211.09527","author":"Perez F\u00e1bio","year":"2022","unstructured":"F\u00e1bio Perez and Ian Ribeiro. 2022. Ignore previous prompt: Attack techniques for language models. arXiv preprint arXiv:2211.09527 (2022)."},{"key":"e_1_3_2_1_31_1","volume-title":"UTrace: Poisoning Forensics for Private Collaborative Learning. arXiv preprint arXiv:2409.15126","author":"Rose Evan","year":"2024","unstructured":"Evan Rose, Hidde Lycklama, Harsh Chaudhari, Anwar Hithnawi, and Alina Oprea. 2024. UTrace: Poisoning Forensics for Private Collaborative Learning. arXiv preprint arXiv:2409.15126 (2024)."},{"key":"e_1_3_2_1_32_1","doi-asserted-by":"crossref","unstructured":"Alireza Salemi and Hamed Zamani. 2024. Evaluating retrieval quality in retrieval-augmented generation. In SIGIR.","DOI":"10.1145\/3626772.3657957"},{"key":"e_1_3_2_1_33_1","volume-title":"USENIX Security Symposium.","author":"Schuster Roei","year":"2021","unstructured":"Roei Schuster, Congzheng Song, Eran Tromer, and Vitaly Shmatikov. 2021. You autocomplete me: Poisoning vulnerabilities in neural code completion. In USENIX Security Symposium."},{"key":"e_1_3_2_1_34_1","volume-title":"Explanation-Guided Backdoor Poisoning Attacks Against Malware Classifiers. In USENIX Security Symposium.","author":"Severi Giorgio","year":"2021","unstructured":"Giorgio Severi, Jim Meyer, Scott Coull, and Alina Oprea. 2021. Explanation-Guided Backdoor Poisoning Attacks Against Malware Classifiers. In USENIX Security Symposium."},{"key":"e_1_3_2_1_35_1","volume-title":"Machine Against the RAG: Jamming Retrieval-Augmented Generation with Blocker Documents. arXiv preprint arXiv:2406.05870","author":"Shafran Avital","year":"2024","unstructured":"Avital Shafran, Roei Schuster, and Vitaly Shmatikov. 2024. Machine Against the RAG: Jamming Retrieval-Augmented Generation with Blocker Documents. arXiv preprint arXiv:2406.05870 (2024)."},{"key":"e_1_3_2_1_36_1","volume-title":"USENIX Security Symposium.","author":"Shan Shawn","year":"2022","unstructured":"Shawn Shan, Arjun Nitin Bhagoji, Haitao Zheng, and Ben Y Zhao. 2022. Poison forensics: Traceback of data poisoning attacks in neural networks. In USENIX Security Symposium."},{"key":"e_1_3_2_1_37_1","volume-title":"Pang Wei W Koh, and Percy S Liang","author":"Steinhardt Jacob","year":"2017","unstructured":"Jacob Steinhardt, Pang Wei W Koh, and Percy S Liang. 2017. Certified defenses for data poisoning attacks. In NeurIPS."},{"key":"e_1_3_2_1_38_1","volume-title":"Glue pizza and eat rocks''--Exploiting Vulnerabilities in Retrieval-Augmented Generative Models. arXiv preprint arXiv:2406.19417","author":"Tan Zhen","year":"2024","unstructured":"Zhen Tan, Chengshuai Zhao, Raha Moraffah, Yifan Li, Song Wang, Jundong Li, Tianlong Chen, and Huan Liu. 2024. '' Glue pizza and eat rocks''--Exploiting Vulnerabilities in Retrieval-Augmented Generative Models. arXiv preprint arXiv:2406.19417 (2024)."},{"key":"e_1_3_2_1_39_1","volume-title":"Jamie Hall, Noam Shazeer, Apoorv Kulshreshtha, Heng-Tze Cheng, Alicia Jin, Taylor Bos, Leslie Baker, Yu Du, et al.","author":"Thoppilan Romal","year":"2022","unstructured":"Romal Thoppilan, Daniel De Freitas, Jamie Hall, Noam Shazeer, Apoorv Kulshreshtha, Heng-Tze Cheng, Alicia Jin, Taylor Bos, Leslie Baker, Yu Du, et al. 2022. Lamda: Language models for dialog applications. arXiv (2022)."},{"key":"e_1_3_2_1_40_1","unstructured":"Hugo Touvron Louis Martin Kevin Stone Peter Albert Amjad Almahairi Yasmine Babaei Nikolay Bashlykov Soumya Batra Prajjwal Bhargava Shruti Bhosale et al. 2023. Llama 2: Open foundation and fine-tuned chat models. arXiv (2023)."},{"key":"e_1_3_2_1_41_1","volume-title":"Denny Zhou, et al.","author":"Wei Jason","year":"2022","unstructured":"Jason Wei, Xuezhi Wang, Dale Schuurmans, Maarten Bosma, Fei Xia, Ed Chi, Quoc V Le, Denny Zhou, et al. 2022. Chain-of-thought prompting elicits reasoning in large language models. In NeurIPS."},{"key":"e_1_3_2_1_42_1","volume-title":"Yuanshun Yao, Haitao Zheng, and Ben Y Zhao.","author":"Wenger Emily","year":"2021","unstructured":"Emily Wenger, Josephine Passananti, Arjun Nitin Bhagoji, Yuanshun Yao, Haitao Zheng, and Ben Y Zhao. 2021. Backdoor attacks against deep learning systems in the physical world. In CVPR."},{"key":"e_1_3_2_1_43_1","volume-title":"Certifiably Robust RAG against Retrieval Corruption. arXiv preprint arXiv:2405.15556","author":"Xiang Chong","year":"2024","unstructured":"Chong Xiang, Tong Wu, Zexuan Zhong, David Wagner, Danqi Chen, and Prateek Mittal. 2024. Certifiably Robust RAG against Retrieval Corruption. arXiv preprint arXiv:2405.15556 (2024)."},{"key":"e_1_3_2_1_44_1","volume-title":"BadRAG: Identifying Vulnerabilities in Retrieval Augmented Generation of Large Language Models. arXiv preprint arXiv:2406.00083","author":"Xue Jiaqi","year":"2024","unstructured":"Jiaqi Xue, Mengxin Zheng, Yebowen Hu, Fei Liu, Xun Chen, and Qian Lou. 2024. BadRAG: Identifying Vulnerabilities in Retrieval Augmented Generation of Large Language Models. arXiv preprint arXiv:2406.00083 (2024)."},{"key":"e_1_3_2_1_45_1","volume-title":"Manning","author":"Yang Zhilin","year":"2018","unstructured":"Zhilin Yang, Peng Qi, Saizheng Zhang, Yoshua Bengio, William W. Cohen, Ruslan Salakhutdinov, and Christopher D. Manning. 2018. HotpotQA: A Dataset for Diverse, Explainable Multi-hop Question Answering. In EMNLP."},{"key":"e_1_3_2_1_46_1","unstructured":"Yuanshun Yao Huiying Li Haitao Zheng and Ben Y Zhao. 2019. Latent backdoor attacks on deep neural networks. In CCS."},{"key":"e_1_3_2_1_47_1","volume-title":"Poisoning Attacks on Federated Learning-based Wireless Traffic Prediction. In IFIP\/IEEE Networking Conference.","author":"Zhang Zifan","year":"2024","unstructured":"Zifan Zhang, Minghong Fang, Jiayuan Huang, and Yuchen Liu. 2024. Poisoning Attacks on Federated Learning-based Wireless Traffic Prediction. In IFIP\/IEEE Networking Conference."},{"key":"e_1_3_2_1_48_1","volume-title":"Poisoning retrieval corpora by injecting adversarial passages. arXiv preprint arXiv:2310.19156","author":"Zhong Zexuan","year":"2023","unstructured":"Zexuan Zhong, Ziqing Huang, Alexander Wettig, and Danqi Chen. 2023. Poisoning retrieval corpora by injecting adversarial passages. arXiv preprint arXiv:2310.19156 (2023)."},{"key":"e_1_3_2_1_49_1","volume-title":"USENIX Security Symposium.","author":"Zou Wei","year":"2025","unstructured":"Wei Zou, Runpeng Geng, Binghui Wang, and Jinyuan Jia. 2025. Poisonedrag: Knowledge poisoning attacks to retrieval-augmented generation of large language models. In USENIX Security Symposium."}],"event":{"name":"WWW '25: The ACM Web Conference 2025","location":"Sydney NSW Australia","acronym":"WWW '25","sponsor":["SIGWEB ACM Special Interest Group on Hypertext, Hypermedia, and Web"]},"container-title":["Proceedings of the ACM on Web Conference 2025"],"original-title":[],"link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3696410.3714756","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3696410.3714756","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,19]],"date-time":"2025-06-19T01:18:41Z","timestamp":1750295921000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3696410.3714756"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2025,4,22]]},"references-count":49,"alternative-id":["10.1145\/3696410.3714756","10.1145\/3696410"],"URL":"https:\/\/doi.org\/10.1145\/3696410.3714756","relation":{},"subject":[],"published":{"date-parts":[[2025,4,22]]},"assertion":[{"value":"2025-04-22","order":3,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}